Cyber Defense with MITRE Framework | Graylog + SOC Prime | On-Demand Webinar >>

Try Graylog
See Demo

The Graylog blog

Announcing Graylog Illuminate v4.2

Announcing Graylog Illuminate 4.2

  • IMPORTANT VERSION NOTE: The minimum version required for this version of Illuminate is 5.1.11 or 5.2.4. (1808)
    • If you are running a Graylog 5.1.x version prior to 5.1.11, or a Graylog 5.2.x version prior to 5.2.4, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

     

GRAYLOG ILLUMINATE 4.2

Released: 2024-02-08

Added

  • Sysmon:Add source_reference selection for DNS query events (Sysmon Event ID 22). (1843)
  • AWS Security Lake: Added support for Security Lake (1724)
    • The input supports the following objects: actor,anwers,api,attack,cloud,compliance,connection_info,cve,device,dns_answer,dns_query,email,endpoint,file,finding,http_request,http_response,identity,malware,metadata,process,resources,network_proxy,proxy,query,user,dst_endpoint,traffic,src_endpoint 
  • Added optional Core pack to enrich events with DNS query_request or DNS query_response fields with additional data. (1676)
    • When enabled this pack will identify any messages processed by core which have the DNS message query fields “query_request” or “query_response” and enrich those fields. Messages with “query_request” will have the fields “query_request_length” and “query_request_entropy” added. Messages with “query_response” will have the field “query_response_length” added. 
  • Checkpoint FW:Add rule and layer widgets to Spotlight (1833)

 

Fixed

  • Fortigate:Convert identification rule to regex instead of grok (1858)
  • Anomaly Detection: Fix pack titles (1707)
  • Windows:Non-Security event logs sent with NXlog are not processed (1867)
  • Sysmon:DNS events assigned legacy code 140100 (1826)
  • BIND DNS:Normal queries not extracted to schema fields and not categorized (1835)
  • Checkpoint FW: Vendor action “Reject” not mapped to event_action (1832)

 

Changed

  • Sysmon:Split DNS responses in to individual values (1828)
  • Checkpoint FW:layered treestructure dropped during processing (1823)
    • Checkpoint Firewall events sometimes contained multiple values for some fields but only the first value was extracted. The following fields now contain a full list of extracted values: rule_name, rule_id, vendor_layer_name, vendor_layer_id, vendor_match_id, vendor_parent_rule, vendor_rule_action. 
  • Move DNS query request and response length calculations out of GIM enforcement (1730)
  • Sysmon:Spotlight dashboards updated to use the DNS response GIM event type code (140200) instead of the DNS transaction code (140100). (1837)

 

Let us know what you’d like to have included in our GitHub issue tracker.

The Graylog Product Team

The Graylog Product Team

View More Posts By The Graylog Product Team

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.

Read Now

Products

Graylog Security
Graylog Operations
Graylog Open
Graylog Cloud
Graylog API Security
Graylog Small Business
Pricing

Features

Alerting
Anomaly Detection ML / UEBA
Archiving
Audit Logs
Content Packs
Correlation Engine
Dashboards
Forwarder
GELF
Incident Investigations
Illuminate
Log View
Multi-threaded Search
Reporting
Rest API
Search Parameters
Search Workflows
Sidecar
Teams Management

LEARN

Resource Hub
Blog
Videos
Webinars
Events
Community

SUPPORT

Customer Support
Documentation
Graylog Academy
Open Community

Company

About
Leadership
Partners
Careers
News & Awards
Contact

[email protected]

Follow Us:

Facebook-f Linkedin Github Youtube Reddit-alien

GRAYLOG HEADQUARTERS

1301 Fannin St, Ste. 2000
Houston, TX 77002

GRAYLOG COLORADO

1919 14th Street, Suite 700, Office 18
Boulder, CO 80302

GRAYLOG LONDON

35 New Broad Street
London, EC2M 1NH
United Kingdom

GRAYLOG GERMANY GMBH

Poolstraße 21
20355 Hamburg, Germany

© 2024 Graylog, Inc. All rights reserved

Privacy Policy | Legal | Sitemap