Announcing Graylog Illuminate 6.3

Special Note:

To upgrade to this Illuminate V6.3 Release, you must be already running minimum Graylog-Enterprise V6.1 first.

Illuminate 6.3.0 – April 28th, 2025

Added

• NetFlow: NetFlow Content Pack (2646)
  • NetFlow is a network protocol used for collecting, analyzing, and monitoring network traffic. It provides insights into who is communicating with whom, how much data is being transferred, and over which protocols.
• Windows Security Alerting Pack: Added an ID to one of the alerts. (2609)
  • Updated the rule Illuminate – Windows Security – Possible Initial Access By Phishing With File Extensions As TLD (via dns). Added an ID.
• CarbonBlack/cb defense: Added categorization, changed field names and added alert_severity. (340)
  • Carbon Black Active_Threat and Malware_Prevention messages are now categorized as Alert Default. Non schema fields now have the prefix vendor_. vendor_event_description is now alert_signature. vendor_transaction_type is now vendor_event_type. Messages now have an alert_severity and an alert_severity_level.
• Checkpoint NGFW: Added severity level normalization rule. (2298)
  • Added event_severity mapping for the 17 most common subtypes.
• Windows: Windows DNS Server Content Pack (2647)
  • This content pack provides enhanced visibility into Windows DNS Server activity by leveraging audit event logs and analytic logs via Event Tracing for Windows (ETW). It includes parsers, normalization, enrichment, and dashboards designed to help monitor DNS operational and transactional events efficiently.
• Apache Tomcat Content Pack (2747)
  • Apache Tomcat is an open-source Java servlet container developed by the Apache Software Foundation. It enables Java-based web applications by handling servlets and JavaServer Pages (JSP). Added parsing for access and some catalina logs.
• GitLab: GitLab Content Pack (2645)
  • GitLab is a DevOps platform that provides source code management, CI/CD pipelines, and security features for software development. It enables teams to collaborate, automate workflows, and manage repositories in a single application.
• Windows AppLocker: Added spotlight widgets and parsing for file base paths. (2694)
  • Added parsing for file base paths as vendor_file_base_path and created spotlight widgets to visualize commonality/rarity of base paths.
• Checkpoint NGFW: Added a saved search to the spotlight that highlights the different syslog levels. (1558)
• Added support for Microsoft Sysmon Events (811)
• Graylog Compliance: Unified Visibility Spotlight (Preview) (2767)
  • This preview compliance pack provides targeted visibility into Identification & Authentication (IAC), Network (NET), and Endpoint (END) events that support control requirements shared across NIST SP 800-53 Rev 5, PCI DSS v4.0, and US CMMC 2.0 Level 1. The spotlight includes dashboards and a daily report template with tailored widgets for compliance reporting.
• Cisco ISE: Cisco ISE Content Pack (2412)
  • Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure network access to end users and devices. It enables organizations to enforce secure access policies for endpoints and users across wired, wireless, and VPN networks.
• Paloalto 11x: Added support for Paloalto 11x (489)
• Sophos Central: Added parsing for endpoint API logs (394)

Fixed

• Cisco ASA: Fixed misspelling for vendor_event_description. (2720)
• Linux System Logs: Add missing syslog header field extractions for Filebeat-forwarded messages. (2709)
• Linux System Logs: Fixed (source_)user_name parsing to account for possible (source_)user_domain. (2735)
• Sigma User Activity Alerting Pack: Changed a rule to avoid false positives. (2570)
  • Updated the rule A Logon was Attempted Using Explicit Credentials by Suspicious Process (via audit) creates high amounts of false positives. Exclude the source_user_session_uid 00000000 0000 0000 0000 000000000000.
• Juniper SRX – Identification rule performance on non-Juniper messages is slow (2726)
• Sonicwall: Parse out the correct user_name value for event_code 29, 30, 261 and 262. (2657)

Changed

• Checkpoint FW: Changed the two reference fields. (2666)
  • Changed incorrect reference field names for destination from USER_NAME_NOT_DEFINED to DESTINATION_REFERENCE_NOT_DEFINED and source from SOURCE_NOT_DEFINED to SOURCE_REFERENCE_NOT_DEFINED.
• NGINX Web: Renamed client_ip to source_ip in error logs. (2643)

Removed

• Linux Auditbeat: Removed the source and destination reference fields creation from the pack. (2665)
• Cisco IOS: Removed the redundant field vendor_event_type for all Cisco IOS messages. (2277)

Let us know what you’d like to have included in our GitHub issue tracker.