Announcing Graylog Illuminate v3.3

Announcing Graylog Illuminate 3.3

  • Updated default user and device priority level assignments in static_accounts.csv (#1248)
    • Severity and priority levels have been changed to be aligned
    • Account and device prioity levels are: 1=low, 2=medium, 3=high, 4=critical
    • All severity levels are now 1=informational, 2=low, 3=medium, 4=high, 5=critical
  • This release requires Graylog 5.0.0 or later system with a valid Security or Operations license
  • New Illuminate content included with Illuminate 3.3.0:
    • Snort 3 IDS Processing and Spotlight Packs (#1204)
    • Checkpoint Firewalls Processing Pack (#1053)
    • pfSense/OPNsense Firewall Processing and Spotlight Packs (#1208)
  • Spotlight files are now included in the Illuminate bundle
  • The following Graylog Illuminate Spotlight packs have changed:
    • Core: Added Network Traffic dashboard (#148)


Released: 2023-05-18


  • Core
    • Added checks to verify proper values assigned to user and device priority levels (#1248)
    • Entity enrichment lookup allows unsafe value entries (#1245)
  • Microsoft Defender
    • Extraction pattern breaking when encountering empty User field (#1278)
  • Microsoft Windows Security
    • Parsing breaking due to localization of keywords fields (#1212)
  • Meraki
    • Fixed parsing of flow logs when hostname present in log header (#1239)
  • Cisco ASA
    • “vendor_event_outcome” used where it should be “vendor_event_action” (#1187)
    • Fixed logic issues destination_reference selection rule criteria (#1299)
  • Apache HTTPD:
    • Added support for CentOS/Redhat/FreeBSD default log filenames (#1271)
    • vendor_event_severity_level should be vendor_event_severity (#1272)


  • Added Winlogbeat version 8.x support for Windows Security, Sysmon, and Microsoft Defender content (#755)
  • Core
    • Added src_ip, src_port, dst_ip, dst_port mappings to Sigma mapping table (#1218)
    • Added automatic mappings for event_severity to event_severity_level and visa versa (#1222)

Known Issues:

  • Auditbeat cannot process events with multiple values assigned to vendor_event_action (#622)


Let us know what you’d like to have included in our GitHub issue tracker.

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog blog delivered to your inbox once a month.