Announcing Graylog Illuminate 5.1

GRAYLOG ILLUMINATE 5.1

Released: 2024-06-06

 

Added

• Symantec EDR: Symantec Endpoint Detection and Response (EDR) Content Pack (1853)
  • Symantec Endpoint Detection and Response is used to detect advanced attacks using machine learning and global threat intelligence to minimize false positives and help ensure high levels of productivity for security teams.
• Core: Added lookup for SMTP descriptions (2024)
• NGINX: Added support of filebeat_application_name as application_name. (2061)
• Cisco IOS: Added support for Cisco IOS (1944)
  • Cisco IOS (Internetwork Operating System): Proprietary software used in Cisco routers and switches, enabling robust management of network traffic, including data, voice, and video across various communications environments.
• Apache: Added support of filebeat_application_name as application_name. (2061)
• MITRE ATT&CK Tactic Lookup (1847)
  • In addition to the existing attacks_technique_uid to attacks_technique_name lookup, core will now map attacks_tactic_uid to attacks_tactic_name
• Add Illuminate Compliance Spotlight (1979)
  • This addition provides an Illuminate Spotlight pack designed to assist with compliance-related activities that are commonly supported by SIEM / log aggregation.
• Postfix: Added support for Postfix (1970)
  • This Postfix content pack supports most available logs. The content pack also includes a dashboard with four tabs (General Overview, EMail messages, TLS and SMTP).

 

Fixed

• Duplicate message summaries for gim_event_subcategory:authentication.credential validation (1339)
• Fortigate:Handle structured Syslog messages in Illuminate Processing (2005)
  • This fixes an issue with Fortigate processing where the message format causes the Syslog input to parse the message in addition to Illuminate parsing the message, leading to fields being extracted multiple times. When the Syslog input parses a Fortigate message Illuminate will now use the fields generated by the input.
• Core: Update built-in static accounts list (2085)
  • Update the built-in static accounts enrichments, adding all built-in groups listed by Microsoft at Appendix B – Privileged Accounts and Groups in Active Directory .
• Agent message summary view incomplete (1555)
• Fortigate:The field wifi_channel is always created (2089)

 

Changed

• Symantec Endpoint Security (SES): Deduplication of attacks_tactic_uid field and removal of attacks_tactic_id. (2070)
  • In some SES logs, the attacks_tactic_uid field can contain similar values. Added logic to de-duplicate those values. The attacks_tactic_id field has been removed which is better represented by attacks_tactic_uid.
• Allow merging of user/device category fields (167)
  • Graylog Illuminate Core has provided two lookup tables to define account and device category and priority data, but any category data defined prior to Illuminate Core running would prevent data in the static device/account lookups from being added. The category data in the Illuminate Core static accounts and devices lookups will now be merged, with any duplicate values being removed, when it has been detected.
• Symantec Endpoint Security (SES): MITRE Tactic ID & UID Extraction Update (1991)
• Core: Enrich all events with a user field with category and priority data (2086)
  • Remove the requirement to categorize a message before enriching events with user fields (user_name, source_user_name, target_user_name) with category and priority information.
• Symantec Endpoint Security (SES): Force vendor_data_entity_uid to be indexed as a string, no matter the subtype. (2058)
  • This change requires rotating the SES index to incorporate the updated field type.
• Add support for postfix-style timestamps (2035)

 

Let us know what you’d like to have included in our GitHub issue tracker.