Announcing Graylog Illuminate v3.5

GRAYLOG ILLUMINATE 3.5

Released: 2023-08-24

Fixed

  • Windows default log processing is not normalizing base Windows event log fields for all Windows event log messages (#1441)
  • Normalized Sysmon Event ID 10 GrantedAccess as vendor_granted_access (#806)
  • Fixed Meraki authentication logs not parsing (#591)
  • Added placeholder user_name for Windows Kerberos 4769 events with 0x20 error codes and empty usernames (#729)
    • Windows will sometimes log Security event ID 4769 (A Kerberos service ticket was requested) with an empty user and the error 0x20. According to Microsoft, these are of no security value and simply indicate that the TGS has expired. They also trigger GIM errors when GIM enforcement is enabled. Adding a placeholder value (USER_NAME_NOT_DEFINED) prevents the GIM enforcement pack from marking these as errors.
  • Fixed Checkpoint dashboard where alert level and severity were inverted (#1390)
  • Potential criteria logic issue with Windows auth failure anomaly detection rule (#1101)
    • This is potentially a breaking change; it may lead to a temporary change in the frequency of authentication failure anomaly detections.
  • The user_domain field is not being extracted from some Windows Security event logs (#1369)
  • Multiple Meraki MX device log types not parsing correctly (#1405)
  • Watchguard Firebox content enhancements (#904)
    • An event severity lookup was added, pattern updates and additions (vpn_pattern, signature_pattern, etc.).
  • Stormshield event_severity mapping assigns incorrect value (#1397)
  • Parsed the O365 client IP when the client port is not defined (#736)

 

Added

  • Updated WatchGuard Firebox Spotlight, adding new saved search and a status tab in the WatchGuard Firebox Overview dashboard (#1486)
  • Added normalization for Sysmon Event IDs 28 and 29 (#1313)
  • Mapped network_icmp_type when only network_icmp_type_number exists (#1447)
  • Added agent.activity event type antivirus and malware scan, gim_event_type_code 280001. (#1512)
  • Added logic to extract and normalize agent SIGD update events 2E02-0065/0066/0067/0069 and to categorize these events as agent activity (#1477)
  • Added a saved search to the Zeek spotlight that allows you to pivot from any UID type field to a log view showing all logs with that specific UID. (#1413)
  • Added new technology pack for Juniper SRX Series Firewalls (#1069)
    • This pack is developed for Juniper SRX devices running Junos OS 17.4 and above. This commit adds a new content pack.
  • Added new content pack for Sophos Firewall (SFOS) (#1403)
    • This pack is developed with SFOS version 19.5 for Sophos Firewall. Software version 18.x and higher is expected to work but has not been fully tested. General parsing for 17.x and lower may work, but some field names have changed and correct GIM assignment may not work. This commit adds a new content pack.
  • Support for new Cisco Meraki MX event types firewall, vpn_firewall, and cellular_firewall (#1446)
    • Meraki devices as of MX18.101 no longer use the “flows” datatype and now instead have the events “firewall”, “vpn_firewall”, and “cellular_firewall”. Illuminate will support both the legacy “flows” event type and the new event type.

 

Changed

  • Modified GIM event type code for http and conn back to a lookup (#1377)
    • Rather than looking for the existence or non-existence of a field to assign an event type code, rely on a lookup – any missing fields are anomalies.
  • Removed event_action field requirement for category Agent, status and default subcategories (#1497)
  • Updated Meraki processing of security_events security_filtering_file_scanned to add event_severity, making it compliant with the Alerts category. (#1424)
  • Extract event_created from Cisco Meraki logs (#1379)
    • This takes the field currently extracted as event_epoch_time, converts it to millisecond format, and extracts it as event_created.
  • The dashboard for pfSense had an overly complicated name. (#1445)
    • Changed the name from Illuminate:pfSense/OPNsense Filterlog_Alert_Device_Authentication to Illuminate:pfSense/OPNsense Firewall, Device and Alert.
  • Normalize event_action and network_direction from Cisco Meraki network messages (#1448)
  • Defined event_action possible values as blocked, allowed, started, completed, stopped, disabled, enabled, modified, deleted, paused, resumed (graylog-schema#122)
  • Split Windows Security group membership (4627), privileges changes (4703), and instances of privilege lists into separate values (#1374)

 

Let us know in our GitHub issue tracker what you’d like to have included.
