
Announcing Graylog Illuminate v4.0


  • Installing this Illuminate release will cause any currently running Anomaly Detection jobs to be disabled. Please identify which Anomaly Detection jobs are running prior to activating this release and enable them after this version has been activated. (graylog-plugin-enterprise#6090)


GRAYLOG ILLUMINATE 4.0

Released: 2023-11-01


Fixed

  • Cisco ASA: Some authentication messages have GIM errors; logoff messages are wrongly categorized (1421)
    • Added the missing destination_reference field for ASA authentication messages 606001 through 606004. Logout messages are now categorized as logout messages and vendor_event_action is now success.
  • Sophos Firewall: Spotlight widgets including non-Sophos data (1686)
  • SonicWall saved search widget modification and dashboard spelling correction (1557)
    • The Message Count by Severity widget in the SonicWall NGFW Log Viewer – Filtered saved search had a confusing sort order. Corrected to sort by vendor_event_severity_level. Also, fixed the spelling of the Dashboard – previously started with Illuminate:* and corrected to Illuminate:*
  • Sysmon: add file_is_executable extraction for Event ID 28 (1552)
  • ASA dashboard has confusing severity levels (1559)
  • Stormshield Bugfixes and Enhancement (1610)
    • Updated bugfix rule to account for logs that contain a cat_site AND arg field. An existing Stormshield bug adds an extra quotation mark to the cat_site field value which breaks parsing.
  • Sysmon: Normalize Event Type to vendor_event_type for all related Sysmon events (1576)
  • Cisco ASA: Alert severity not assigned for some 338002 messages (1420)
    • All dynamic filter messages 338001 to 338204 now get an alert severity even if the message does not have this field. Renamed the field vendor_alert_severity1 to vendor_alert_severity.
  • Added check for previously identified messages to Checkpoint (1612)
  • Illuminate: Added event_error_code mapping as keyword (1674)
    • NOTE: This may cause a short-term mapping conflict in dashboards where mapping types are updated (such as with Palo Alto), but the conflict will resolve over time. Some products produce an error code as an integer value; others produce codes in other formats such as hex. This field is expected to be of type keyword, but implicit mappings result in mapping conflicts where integer values are mapped as type “long”. The static mapping of event_error_code as keyword resolves this mapping conflict.
  • Windows Security: Event 4663 not handled properly (803)
    • Windows 4663 was categorized as a file change, but 4663 can reflect changes to multiple components on a system in addition to the file system. Illuminate now categorizes the event based on the component identified in event ID 4663.
  • Sysmon extracting target process name incorrectly (1575)
    • The field was being extracted incorrectly as target_process_name; it is now extracted as process_target_name.
  • Symantec Endpoint: Spotlight Alert destinations widget uses source fields (1679)
  • Moved Cisco ASA identification rules from stage 2 to stage 5 (1613)
  • Fortigate: fixed event_severity & event_severity_level for informational and low (1642)
    • The Fortigate event severity for informational events properly maps to a value of 1 for event_severity_level and informational for event_severity. Additionally, for the notice Fortigate events, the event_severity_level has been corrected with a value of 2 (low).
  • Cisco ASA: Add support for user names with an @ in them. (1661)
  • Checkpoint: Fixed processing of text for severity levels (1688)


Added

  • Added Ubiquiti UniFi Overview dashboard to go along with the existing Ubiquiti UniFi Illuminate pack. (1296)
  • Added new technology pack NGINX Webserver (1207)
    • This pack adds support for the NGINX web server. It is tested with versions 1.18 and 1.24 using the combined log format.
  • Added Asset pack to Illuminate Security editions (graylog-plugin-enterprise#5097)
    • Adds the Asset processing pack needed to add the associated_assets field to messages used by the Assets feature, available only in Graylog Security.
  • Added support for Audit Security System Extension Windows events (216)
    • Added support for additional Windows Security Event IDs 4610, 4611, 4614, 4622, 4697 which are enabled by the Audit Security System Extension policy in Windows. See Audit Security System Extension – Windows Security for additional information about these events.
  • Core MITRE lookup that allows the mapping of technique UID to name (1622)
    • Added a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.
  • Updated Juniper documentation to include required input setting for proper processing (1569)
  • Added full support for Cisco Firepower (1449)
    • Adds full parsing for Cisco Firepower FTD events. Event IDs between 430001 and 430005 are now fully supported. This Illuminate pack processes the Cisco Firepower logs delivered to Graylog via Syslog and is not for use with the Cisco Firepower Event Streamer (eStreamer)/eNcore agents. The pack supports %FTD, %NGIPS, %NGFW (and %ASA) logs.
  • Illuminate: The http_response_code field now gets enriched. The new field http_response describes the response code. (1633)
  • Windows Security: Add access list enrichment (1644)
    • Windows 4663 contains codes that reflect the types of access requested. Adds an enrichment that provides a plain-text description of these access list codes in the field vendor_access_type.
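As an added illustration of the enrichment described in this item (example code, not Graylog's or Illuminate's own), the following Python decodes the AccessMask of a Windows Security event 4663 into plain-text access names. The bit values are the standard Windows file-object access rights from winnt.h; the input field names event_id and access_mask, and the list shape of the vendor_access_type output, are assumptions of this example.

```python
# Added example (not Graylog Illuminate code): decode the AccessMask of a
# Windows Security event 4663 into plain-text access names, the kind of
# enrichment the release notes describe for the vendor_access_type field.

# Standard Windows file-object access rights (winnt.h FILE_* rights plus the
# standard rights), listed from low bit to high bit.
FILE_ACCESS_RIGHTS = [
    (0x00000001, "ReadData/ListDirectory"),
    (0x00000002, "WriteData/AddFile"),
    (0x00000004, "AppendData/AddSubdirectory"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute/Traverse"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYS_SEC"),
]
KNOWN_BITS = 0
for _bit, _name in FILE_ACCESS_RIGHTS:
    KNOWN_BITS |= _bit


def parse_access_mask(raw):
    """Accept the mask as an int, a hex string as rendered in the event ("0x1F"),
    or a decimal string; raise ValueError for anything else."""
    if isinstance(raw, bool):
        raise ValueError("access mask cannot be a boolean")
    if isinstance(raw, int):
        return raw
    text = str(raw).strip()
    if text.lower().startswith("0x"):
        return int(text, 16)
    return int(text, 10)


def decode_access_mask(raw):
    """Return the plain-text names for every access bit set in the mask.
    Bits outside the known table are reported once as Unknown(0x...)."""
    mask = parse_access_mask(raw)
    names = [name for bit, name in FILE_ACCESS_RIGHTS if mask & bit]
    unknown = mask & ~KNOWN_BITS
    if unknown:
        names.append("Unknown(0x%X)" % unknown)
    return names


def enrich_4663(message):
    """Add vendor_access_type to a parsed 4663 message. The input keys
    event_id and access_mask are assumed names for this example."""
    if message.get("event_id") != 4663 or "access_mask" not in message:
        return message
    enriched = dict(message)
    try:
        enriched["vendor_access_type"] = decode_access_mask(message["access_mask"])
    except ValueError:
        # Leave the message untouched rather than failing the pipeline on bad input.
        return message
    return enriched


if __name__ == "__main__":
    # Constructed sample: a 4663 requesting DELETE plus ReadAttributes (0x10080).
    sample = {"event_id": 4663, "access_mask": "0x10080", "object_name": r"C:\Temp\report.docx"}
    print(enrich_4663(sample)["vendor_access_type"])
```

Reporting unrecognised bits explicitly rather than silently dropping them keeps a dashboard honest when an event carries a right the table does not cover.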
  • CrowdStrike Falcon Technology Pack (1483)
    • CrowdStrike Falcon technology pack release. Supports alerts and authentication events received by the CrowdStrike input, and includes a spotlight pack with an overview tab, authentication tab, and alert tab.
  • Microsoft Defender for Endpoint Technology Pack (1540)
    • Microsoft Defender for Endpoint technology pack release. Supports ‘alerts’ events received by the Microsoft Defender for Endpoint Graylog input. Also adds a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.
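As an added example serving both the core MITRE lookup item above and this Defender item (example code, not Graylog's own lookup implementation), the following Python loads a small constructed technique table in the CSV shape a Graylog CSV data adapter reads and enriches a message with attacks_technique_name from attacks_technique_uid. The fallback from an unknown sub-technique to its parent technique's name and the handling of a list of UIDs are assumptions of this example, not documented Illuminate behaviour.

```python
import csv
import io
import re

# Added example (not Graylog's own lookup code): enrich a message with
# attacks_technique_name from attacks_technique_uid using a small technique
# table in the CSV shape a Graylog CSV data adapter reads.

# Constructed sample table; names follow the MITRE ATT&CK knowledge base.
MITRE_TECHNIQUES_CSV = """technique_uid,technique_name
T1059,Command and Scripting Interpreter
T1059.001,PowerShell
T1078,Valid Accounts
T1110,Brute Force
T1566,Phishing
"""

# A technique ID is T plus four digits, optionally followed by .three digits
# for a sub-technique.
UID_RE = re.compile(r"T\d{4}(?:\.\d{3})?")


def load_lookup(csv_text):
    """Parse the CSV into {UID: name}, normalising UIDs to upper case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["technique_uid"].strip().upper(): row["technique_name"].strip()
            for row in reader}


def technique_name(table, uid):
    """Resolve a UID to its name. An unknown sub-technique falls back to its
    parent technique's name (an assumption of this example, not Illuminate
    behaviour); malformed or unknown UIDs yield None."""
    key = str(uid).strip().upper()
    if not UID_RE.fullmatch(key):
        return None
    if key in table:
        return table[key]
    parent = key.split(".")[0]
    if parent != key:
        return table.get(parent)
    return None


def enrich_mitre(message, table):
    """Set attacks_technique_name for a single UID or a list of UIDs (an alert
    may carry several techniques); unresolved UIDs are dropped from the result."""
    uid = message.get("attacks_technique_uid")
    if uid is None:
        return message
    uids = uid if isinstance(uid, list) else [uid]
    names = [n for n in (technique_name(table, u) for u in uids) if n is not None]
    if not names:
        return message
    enriched = dict(message)
    enriched["attacks_technique_name"] = names if isinstance(uid, list) else names[0]
    return enriched


if __name__ == "__main__":
    table = load_lookup(MITRE_TECHNIQUES_CSV)
    # Constructed sample alert with two techniques, one of them a sub-technique.
    alert = {"attacks_technique_uid": ["T1566", "t1059.001"]}
    print(enrich_mitre(alert, table)["attacks_technique_name"])
```

Normalising the UID before the lookup matters in practice: different sources emit the same technique in different case and with stray whitespace, and a lookup that misses on "t1059.001" leaves the name field empty on exactly the alerts an analyst wants labelled.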



Removed

  • Removed Winlogbeat 6.x processing logic (1439)
    • Winlogbeat 6.x support was deprecated and the Winlogbeat 6.x agents are EOL since February 2022.
  • Removed Geolocation packs from Illuminate (1215)
    • The functionality in the Illuminate Geolocation/AS packs is redundant; the preferred method for Geolocation/AS enrichment is the built-in Graylog Geolocation processor plugin. Enable and configure the Geo-Location processor plugin with the “Enforce default Graylog schema” option enabled, and order the message processors so that the GeoIP Resolver processes messages after the Illuminate processor.
  • Removed gl2 field alias mappings (1438)
    • Illuminate 2.0.0, released in October of 2021, began using the prefix “gim_” for Illuminate metadata fields instead of the “gl2_” prefix. In order to maintain continuity a set of alias mappings for the legacy “gl2_” prefix fields was made to the new fields. This alias mapping is no longer needed.


Let us know what you’d like to have included in our GitHub issue tracker.
