Announcing Graylog Illuminate 5.0

GRAYLOG ILLUMINATE 5.0

Released: 2024-05-07

Added

• Packetbeat: New content request from the customer (1851)
  • With this addition, we will be supporting all packetbeat logs, but we are currently focusing on enriching DNS, HTTP, and Flow logs sepcifically as well as adding a spotlight with three tabs: An overview tab, Flow network overview tab, and an HTTP overview tab as well.
• Added support for Windows Security Event ID 1108 (827)
  • See The event logging service encountered an error – Windows 10  for additional information about the event.
• Added extraction for process information for Event Ids 4798, 4799 (266)
  • Added NXLog and WLB7 field processing for process_path/id values from events.
• Symantec Endpoint Security (SES):Initial technology pack (1732)
  • Symantec Endpoint Security is a cloud and hybrid-managed solution that provides the protection of SEP, attack detection of EDR, and other technologies to secure devices.
• Add Network subcategory for ICMP (1696)
• HAProxy: Added support for HAProxy (1854)
  • This HAProxy content pack supports default, TCP, HTTP, HTTPS and Error logs.
• Added Microsoft Windows Security – User Activity Sigma Rules (1852)
  • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team’s findings.
• Add new field gl2_processing_duration_ms to Illuminate field mapping templates (1891)
• Graylog API Security Content Pack (1937)
  • Initial Graylog API Security Spotlight which includes an Overview tab highlighting API calls and alerts. Please see the Graylog documentation for more information on the spotlight pack and how to configure API Security to send logs to your Graylog instance: Security Content Packs

 

Fixed

• Sophos:Field normalization failure due to space in field name (1963)
• Winlogbeat provides timestamp fields that are detected as dates but cause indexing failures (1902)
  • This will disable date detection on all Winlogbeat “event data” fields. These fields are dynamically parsed by the winlogbeat agent in to individual fields. This addresses an issue where some event log messages may be rejected due to an index mapping type conflict related to some fields. This is due to the event data fields are either occasionally timestamps, or are timestamps but contain different timestamp formats, likely due to local system settings. This change will cause all Winlogbeat “event data” fields to be indexed with the mapping type “keyword”. The side effect of this change is that some event data fields may be limited in how they can be analyzed in aggregate, or search. This change will not impact non-event data fields, or any fields that have been renamed by Illuminate.
• Windows Security:fixed process_path renaming (1841)
  • Windows security processing sets the process_name path with a value that is the full path of the process. This should be instead extracted to process_path, for both NXlog and Winlogbeat agents.
• Symantec EP:Virus found logs not processed (1932)
• CBDefense: Key value extraction generates illegal key name (1964)
• SEPM: Updated dashboard to use detection instead of Alert. (1952)(1956)(1959)
  • We are changing the way we use the word alert, which will be handled more so by the new curated alerts that will be coming soon, and so we want to start changing all the usages of the word alert to be detection. The first pack we are focusing on is the SEPM dashboards. We also added scoped streams to this dashboard as well.
• Windows Security:Improve accuracy of user_type identification pattern (1879)
  • The Illuminate Windows Security event processing was not identifying likely computer names which began with a number. The Illuminate process of setting a user type based on the format of the logs is a best effort process, there is no way to precisely identify if an account is a user or machine account based on log data alone.
• Auditbeat:Will not process events with multiple vendor_event_action values (622)
• O365:Updated messages incorrectly identified as legacy messages (1967)
• Sonicwall assigning legacy GIM event code (1822)
• Windows: nxlog process_id not extracted properly (1926)
• Palo Alto:Global Protect categorization uses legacy GIM code (1818)
• Cisco ASA: SFIMS message normalization target fields contain spaces (1966)

 

Changed

• Changed vendor_message to message for Watchguard firebox (1496)
  • The message field contains a lot of data that is extracted into other fields. Removing this and rewriting the message will: Reduce storage utilization, Reduce duplication of data, Lower computational cost for the pattern-based extraction

 

Removed

• GIM Enforcement: Removed field enforcement of DNS transaction events (1739)
  • The DNS transaction event type has been removed. DNS events that contain both query and answer data are now assigned the relevant GIM codes for each of those events.
• Removed event_source enforcement from GIM enforcement rules (1782)
  • The event_source field is deprecated and will be removed entirely from Illuminate 6.0.

 

Let us know what you’d like to have included in our GitHub issue tracker.