Announcing Graylog Illuminate v7.0.5

Release Date: April 7th, 2026

ADDED

  • Microsoft Defender for Endpoint: Added Security Core support. (3398)
    ○ Added GIM event type code 300000 (ids_detection / detection.network_detection) to all Microsoft Defender for Endpoint alert events, replacing detection.default (309999). Required fields are set via first_non_null.
  • pfSense: Added new fields and features to support Security Core. (3378)
    ○ Added the field network_protocol with the value http to traffic logs
    ○ Improved Squid proxy support
    ○ Changed GIM code from 129999 to 180300 (web proxy)
    ○ Added event_action and network_transport lookups
    ○ Renamed fields for better GIM alignment
    ○ Added http_request_path extraction
    ○ Improved Snort, sshguard, and Suricata support
    ○ Changed GIM code from 309999 to 300001 (network detection)
    ○ Added sshguard alert as a recognized event type
    ○ Added alert and reference fields
    ○ Fixed quoted field extraction issues
    ○ Improved DNS support and named (BIND) compatibility
    ○ Added Blocking → blocked mapping
  • Sysmon: Added user_name and user_domain parsing for event_code 13. (3336)
  • Snort: Changed GIM code from 309999 to 300001 to better support Security Core (3426)
  • Linux: Added Security Core support. (3377)
    ○ Added GIM categorization across authentication, IAM, service, and process
    ○ Improved event_action mapping
    ○ Fixed SSH, PAM, login, cron, and systemd assignments
  • Missing Field(s) – Microsoft Windows Security 4624 (1620)
    ○ Added Elevated Token check
    ○ Added Special Logon categorization
    ○ Assigned privileged user_category
  • Sysmon: Added user_name and user_domain parsing for event_code 10. (3339)
  • Apache HTTPD: Added network_protocol field with value http for access logs. (3376)
  • Cisco Meraki: Added Security Core support, VPN parsing, and expanded GIM categorization. (3403)
    ○ Refined authentication, flow, and detection event mappings
    ○ Expanded lookup coverage
  • Apache Tomcat: Added Security Core support. (3380)
    ○ Added service lifecycle GIM codes
    ○ Added network_protocol field
  • Illuminate Core: Updated static accounts table (3305)
    ○ Added more default accounts
  • Microsoft Defender Antivirus: Added Security Core support and ASR processing. (3385)
    ○ Added service lifecycle mappings
    ○ Added ASR and tamper protection handling
    ○ Added malware and real-time protection coverage
  • Squid Proxy Content Pack (3243)
    ○ Added documentation and description
  • Microsoft AppLocker: Added Security Core support and WDAC processing. (3401)
    ○ Added detection categorization
    ○ Added WDAC event support
  • Illuminate: Added Security Core content. (3586)
  • Ubiquiti UniFi: Added Security Core support and CEF parsing. (3402)
    ○ Added firewall and IPS detection mapping
  • Windows Security: Updates to support Security Core. (3375)
    ○ Expanded event coverage and field extraction
    ○ Improved IAM and RDP enrichment
  • Cisco Umbrella: Added Security Core support for blocked events. (3407)
    ○ Added DNS and proxy detection categorization
  • PowerShell: Added GIM categorization for Winlogbeat and NXLog. (3384)
    ○ Added lookup tables and pipeline rules
    ○ Fixed NXLog processing
  • Sophos Central: Added Security Core support and categorization. (3411)
    ○ Added event group mappings
  • Microsoft DHCP: Added Security Core support. (3400)
    ○ Expanded DHCP event categorization
  • Sysmon: Updates to support Security Core. (3381)
    ○ Added IP/MAC list handling
  • NetFlow: Added Security Core support. (3394)
    ○ Added network connection categorization
  • Palo Alto 11: Added support for UDP input. (3227)
  • Cisco ASA: Added Security Core support. (3388)
    ○ Refined GIM mappings and normalization
  • Cisco IOS: Updates to support Security Core. (3391)
    ○ Added new event parsing
  • Cisco ASA: Added support for additional event codes. (3282)
  • Mimecast: Added parsing for archive_search logs. (3104)
  • PostgreSQL Content Pack (3298)
    ○ Added PostgreSQL support
  • AWS Security Lake: Added Security Core support and OCSF v1.1.0 support. (3392)
    ○ Added categorization and finding support
  • Microsoft 365: Added Security Core support. (3395)
    ○ Added credential validation mapping
  • Cisco ISE: Added Security Core support and fixes. (3396)
    ○ Updated authentication mappings
  • Added network_intrusion stream category (3352)
  • NGINX Web Server: Added Security Core support. (3389)
    ○ Added service error categorization
  • Palo Alto 11x: Added Security Core support. (3397)
    ○ Added GlobalProtect authentication mapping

FIXED

  • Stream category network_traffic not assigned (3338)
  • Added dns stream category (3358)
    ○ Applied across multiple packs
  • user_type:computer underscore issue (3097)
  • Illuminate: BIND inconsistencies (3370)
    ○ Added query error extraction
  • Packetbeat multiple IP handling (3155)
    ○ Fixed list vs single-value handling

CHANGED

  • Microsoft 365: Updated pack name (3157)
  • Core: Updated MITRE ATT&CK to v18 (3233)
    ○ Removed ICS and Mobile
  • Curated Alerts: Reduced false positives (2524)
  • CrowdStrike Falcon: Refined GIM mappings (3410)
  • SonicWall NGFW: Improved GIM mappings and parsing (3415)
  • FortiGate: Updated event_id mapping (567)
  • Windows DNS Server: Improved categorization (3383)
  • Windows: Updated field mapping (3281)
  • PowerShell: Updated pack name (3293)
  • HAProxy: Refined GIM mappings (3405)
  • Check Point: Updated pack name (3290)
  • Microsoft AppLocker: Updated pack name (3292)
  • Security Core: Fixed group/user normalization (3252)
  • Cloudflare: Improved GIM mapping and actions (3406)
  • FortiGate: Expanded Security Core compatibility (3379)
  • Carbon Black Defense: Refined mappings (3409)
  • Removed spotlight metadata (2833)
  • Linux Auditbeat: Improved coverage (3382)
  • Caddy: Updated pack name (3294)
  • AWS VPC: Updated pack name (3289)
  • Linux Auditd: Updated pipelines (3386)
  • Bind DNS: Improved parsing (3250)
  • Windows: Updated privilege lookup (3369)

Let us know in our GitHub issue tracker what you'd like to see included.