Announcing Graylog Illuminate v6.2

Released: 2024-02-06

Added

  • MS365: Extract host_name from AzureActiveDirectory (EntraID) Endpoint message metadata (2599)

  • Illuminate Core: Add Internal/Enterprise Networks process/feature (2584)

    • This change adds a lookup named “core_networks” to Illuminate core. Illuminate customers can customize the adapter “core_networks_adapter”, adding CIDR-notation IP ranges and their category values. When source_ip, destination_ip or host_ip matches one of these CIDR ranges, Illuminate adds the corresponding category field (source_category, destination_category or host_category) with the value provided in the lookup.

  • MS365: Extract email metadata from Exchange events (2577)

    • Extract Email metadata from Exchange events, including email subject and email parent folder path.

  • Windows Security: Added parsing for Linked Logon ID (user_linked_session_id) – event 4624 (1890)

  • Sonicwall: Added and changed parsing for some fields (2556)

    • Added parsing for destination_nat_ip, source_nat_ip, destination_nat_port and source_nat_port. Renamed vendor_referer to http_referrer and vendor_icmpCode to network_icmp_code_number. Added support for IPv6.

  • Linux: Added parsing for UFW logs (2623)

  • Windows Security: Add support for Windows Event ID 4696 and 4703 (2053)

  • Linux: Added parsing for iptables logs (2634)

  • Core: Added lookup table that maps query_record_type to query_record_type_code. (2478)

  • Sonicwall: Added support for the new detection category in the dashboard (2553)

  • AppLocker: Windows AppLocker Content Pack (2607)

    • Windows AppLocker enables administrators to control which applications and files users can run, including executables, dynamic-link libraries (DLLs), scripts, installers and packaged apps.

  • MS365: Added parsing for Exchange Item Group auditing activity. (2601)

    • This activity details information when multiple mailbox items are accessed or modified as part of one consolidated action and includes e-mail attachment extraction.

  • MS365: Added parsing for Teams privacy setting changes to a team. (2586)

  • Curated Alerts: Adding Windows Threat Campaigns – Sigma Rules (2547)

    • A collection of Sigma rules selected from TruKno’s Threat Detection Marketplace and curated by the Illuminate team.

  • Sonicwall: Added and changed categorization for some event codes. (2548)

    • The following event_codes are now categorized: 14, 36, 97, 263, 355, 356, 524, 526, 1573. The following event_code has been changed: 1226 is now 129999 and not 180200, 120000.
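The Internal/Enterprise Networks lookup (core_networks) described under "Illuminate Core" above, as an added illustration that is not Illuminate's own code: the lookup table contents and the sample message are constructed, and the lookup is resolved by longest matching prefix (an assumption; the release note does not state how overlapping ranges are resolved).

```python
import ipaddress

# Constructed sample of what a customer might put into core_networks_adapter:
# CIDR range -> category value.
CORE_NETWORKS = {
    "10.0.0.0/8": "internal",
    "10.1.0.0/16": "dmz",          # more specific than 10.0.0.0/8
    "192.168.0.0/16": "internal",
    "203.0.113.0/24": "enterprise",  # TEST-NET-3, documentation range
    "fd00::/8": "internal",        # IPv6 unique local addresses
}

# IP field inspected -> category field added when it matches a range.
FIELD_MAP = {
    "source_ip": "source_category",
    "destination_ip": "destination_category",
    "host_ip": "host_category",
}


def compile_networks(table):
    """Parse the CIDR keys once so each message lookup is cheap."""
    return [(ipaddress.ip_network(cidr, strict=False), cat) for cidr, cat in table.items()]


NETWORKS = compile_networks(CORE_NETWORKS)


def lookup_category(ip_text, networks=NETWORKS):
    """Category of the longest-prefix network containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # hostnames, empty strings etc. get no category
    best = None
    for net, category in networks:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, category)
    return best[1] if best else None


def enrich(message, networks=NETWORKS):
    """Return a copy of message with *_category fields added where the IP matched."""
    out = dict(message)
    for ip_field, category_field in FIELD_MAP.items():
        category = lookup_category(message.get(ip_field, ""), networks)
        if category is not None:
            out[category_field] = category
    return out
```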

Fixed

  • Cloudflare: Possible indexing errors with vendor_edge_response_compression_ratio data type (2613)

  • Windows Security: Fixed the typos for ProcessCreation and AADInternals. (2578)

  • Updated stream routing rules with match pass logic where applicable. (2612)

    • Stream routing rules should be set to match pass to take advantage of the _skip_default_gl_routing_ field when set.

  • Curated Alerts: Make Webserver and Linux pack visible (2620)

    • The bundle now contains the Webserver and Linux Curated Alert packs.

Changed

  • Sonicwall: Lowered license utilization (2550)

    • The message field is now the vendor msg field to avoid data duplication. The following fields are now deleted if they are zero: destination_bytes_sent, destination_packets_sent, source_bytes_sent, source_packets_sent.

  • MS365: Update Exchange parent folder item processing to extract individual fields (2580)

  • Checkpoint FW: Properly named count-related metric widget(s) in spotlight. (2527)

  • Core: Updated description for the core-sigma-field-map_adapter data adapter so it accurately reflects the required key and value. (2568)

  • Curated Alerts: Added a gl- prefix to the SIGMA IDs (2637)

  • Meraki: Properly named count-related metric widget(s) in spotlight. (2530)

  • MS365: Removed event_log_name field. (2600)

    • Removed the event_log_name field which is better represented by vendor_record_type_code and the lookup enhancements that come with it.

Let us know what you’d like to have included in our GitHub issue tracker.