API Security adds Continuous Discovery and Risk Scoring PLUS a Free Version | LEARN MORE>

The Graylog blog

Today we are excited to announce Graylog Illuminate v1.6. This release includes the Illuminate Sysmon Spotlight.

More Granularity, More Clarification

As with the other Illuminate spotlights, the Sysmon Spotlight reduces the signal-to-noise ratio so you can understand what happened and determine how to prevent it from happening again. It does this by standardizing the processing, tagging, categorization, organization, and extrapolation of relevant data for your windows log sources. It gives you the ability to work faster and more efficiently because you can quickly drill down and do root cause analyses on Windows events. 

Productivity in Minutes

After deploying the spotlight, you have all of your Sysmon endpoint logs in one place for one alert. You can see things like see things like process activity on different systems on different systems instead of checking each one individually. This allows your network to scale with company growth and needs. 


  •  Added additional codes to the ntstatus lookup enrichment (#175)
  •  Converted GIM processing in core to per-category pipelines (#158)


  • Windows: Accounted for NXLog overwriting the ProcessID field (#162)
  •  Core: Fixed source_user_category enrichment rule logic error (#166)
  •  Windows: Fixed source_reference mapping logic with Windows Security event 4648 with Winlogbeat 7 (#170)
  •  Windows: Fixed incorrect aggregation field used in Windows dashboard (#173)
  •  Windows: Fixed use of incorrect field with Windows Security event id 4689 (#176)
  •  Added process fields to Illuminate ES template (#128)
  •  Core: Default category placeholder value is spelled incorrectly (#153)
  •  Palo Alto: Dashboard widget had rollup enabled (#155)
  •  Core: network_transport placeholder value assignment incorrect (#157)
  •  Windows: Simplified message routing logic (#190)
  •  Core: Set device investigation dashboard auth time window to 1 day (#188)
  •  Core: Added endpoint data to device investigation dashboard (#187)
  •  Renamed stream “Illuminate:Okta Events” to “Illuminate:Okta Messages” (#185)
  •  Renamed Stream “Illuminate:O365” to “Illuminate:O365 Messages” (#184)
  •  Renamed Rule “Illuminate:Okta;Messag_ Routing:00;Route_All_Event_Log_Messages” to “Illuminate:Okta;Message_Routing:00;Route_All_Event_Log_Messages” (#180)
  • Windows: Fixed issue with authentication dashboard widget “Failures by Source (24h)” time window (#194)”

Get the Monthly Tech Blog Roundup

Subscribe to the latest in log management, security, and all things Graylog Blog delivered to your inbox once a month.