
Announcing Graylog Illuminate v4.2


  • IMPORTANT VERSION NOTE: The minimum version required for this version of Illuminate is 5.1.11 or 5.2.4. (1808)
    • If you are running a Graylog 5.1.x version prior to 5.1.11, or a Graylog 5.2.x version prior to 5.2.4, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.



Released: 2024-02-08


  • Sysmon: Add source_reference selection for DNS query events (Sysmon Event ID 22). (1843)
  • AWS Security Lake: Added support for Security Lake (1724)
    • The input supports the following objects: actor, anwers, api, attack, cloud, compliance, connection_info, cve, device, dns_answer, dns_query, email, endpoint, file, finding, http_request, http_response, identity, malware, metadata, process, resources, network_proxy, proxy, query, user, dst_endpoint, traffic, src_endpoint
  • Added optional Core pack to enrich events with DNS query_request or DNS query_response fields with additional data. (1676)
    • When enabled, this pack will identify any messages processed by core which have the DNS message query fields “query_request” or “query_response” and enrich those fields. Messages with “query_request” will have the fields “query_request_length” and “query_request_entropy” added. Messages with “query_response” will have the field “query_response_length” added.
  • Checkpoint FW: Add rule and layer widgets to Spotlight (1833)
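
A sketch of what the DNS enrichment described above adds to a message, as an added example that is not Graylog's own code. It assumes the entropy is Shannon entropy in bits per character (the release note does not state the formula); the function names and sample messages are constructed for illustration.

```python
import math
from collections import Counter


def shannon_entropy(text: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total)
                for n in Counter(text).values())


def enrich_dns(message: dict) -> dict:
    """Return a copy of the message with the length/entropy fields added."""
    out = dict(message)
    request = message.get("query_request")
    if isinstance(request, str) and request:
        out["query_request_length"] = len(request)
        # Assumption: Shannon entropy; the pack's exact formula is not given.
        out["query_request_entropy"] = shannon_entropy(request)
    response = message.get("query_response")
    # Only plain string values are handled here; multi-value responses are
    # left untouched because the release note does not describe them.
    if isinstance(response, str) and response:
        out["query_response_length"] = len(response)
    return out


# Constructed sample messages (not real log data).
SAMPLES = [
    {"source": "dns01", "query_request": "www.example.com"},
    {"source": "dns01", "query_request": "a9x2kq7zt4m1.example.com",
     "query_response": "192.0.2.10"},
    {"source": "fw01", "event_action": "accept"},  # no DNS fields: unchanged
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(enrich_dns(msg))
```
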



  • Fortigate: Convert identification rule to regex instead of grok (1858)
  • Anomaly Detection: Fix pack titles (1707)
  • Windows: Non-Security event logs sent with NXLog are not processed (1867)
  • Sysmon: DNS events assigned legacy code 140100 (1826)
  • BIND DNS: Normal queries not extracted to schema fields and not categorized (1835)
  • Checkpoint FW: Vendor action “Reject” not mapped to event_action (1832)



  • Sysmon: Split DNS responses into individual values (1828)
  • Checkpoint FW: Layered tree structure dropped during processing (1823)
    • Checkpoint Firewall events sometimes contained multiple values for some fields but only the first value was extracted. The following fields now contain a full list of extracted values: rule_name, rule_id, vendor_layer_name, vendor_layer_id, vendor_match_id, vendor_parent_rule, vendor_rule_action.
  • Move DNS query request and response length calculations out of GIM enforcement (1730)
  • Sysmon: Spotlight dashboards updated to use the DNS response GIM event type code (140200) instead of the DNS transaction code (140100). (1837)


Let us know in our GitHub issue tracker what you’d like to have included.
