Blog

Announcing Graylog Illuminate v5.2

Announcing Graylog Illuminate 5.2

GRAYLOG ILLUMINATE 5.2

Released: 2024-08-07

 

Added

  • MS365: Added processing for Security & Compliance Center events (2104)
  • MS Defender for Endpoint: Added user, hostname, and MITRE widgets to spotlight (2185)
    • Added two new widgets to spotlight – alert count by user_name and host_hostname to the Overview page and moved the MITRE technique widget to it’s own page which also now includes a MITRE/process_name heat map widget. Also, all widgets are now scoped to the Microsoft Defender for Endpoint stream.
  • MS365: Added processing for ListBaseType objects. (2139)
  • Added new GIM category: Detection (2021)
    • The new “detection” category will replace the “Alert” category which has been deprecated and will be removed in Illuminate 7.0.0. This has been added to clear up confusion around the term “alerts”. Detections is an assignment for detections generated by security monitoring solutions, such as IDS/IPS, DLP, or Antivirus/Malware, or other indications that potentially malicious or unwanted activity has been detected.
  • Sendmail: Added support for Sendmail mail server (2065)
    • Sendmail is a free and open-source mail transfer agent (MTA) used to route and deliver email on Unix-based systems. This content pack supports most common logs and features dashboards to visualize sender/recipient activity, delivery status, ruleset rejections, authentication, and processing statistics.
  • Added Microsoft Windows Security – Windows Activity Sigma Rules (2067)
    • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team’s findings.
  • Windows: Added Winlogbeat Event Original Retention content pack. (1358)
    • Enabling this pack retains the winlogbeat_event_original field in Winlogbeat-forwarded messages.
  • Postfix: Added support if application_name starts with postfix (2134)
    • Rsyslog sends as application_name always postfix, but other log forwarders will attach the daemon/module.
  • MS365: Added processing for Teams events (2151)
  • MS365: Added processing for Compliance Posture Management events (2158)
  • Anomaly: Extended MS365 authentication AD rule to include all authentication (2229)
    • The previous anomaly detection rule to track MS365 authentication only looked at failed logins. The updated Anomaly Detection Spotlight includes an updated MS365 with features for both all authentication and failed authentication.

 

Fixed

  • Illuminate Core allows duplicate gim_event_subcategory values (2030)
  • Lookup-related performance issues (2167)
  • Training Illuminate anomaly detection rules can cause excessive resource utilization (2068)
    • A new pack has been added which provides updates to the existing anomaly detection rules. The updated rules will only use the current write indices for training, whereas the previous rules contained no such limit. This change may lengthen the time that training the anomaly detection rules takes but will reduce the CPU and memory utilization during training. These rules are provided as a new pack in order to allow a smoother transition from the legacy rules to the updated rules. The legacy rules Spotlight pack is deprecated, and will be removed from Illuminate 7.0.0.
  • O365: AzureAD/EntraID application_name properly extracted (2168)
    • The application_name field is now properly extracted from .Workload within the JSON message. Previously, the o365_application_id UID was being used and was inaccurate.
  • Renamed the Bluecoat Anomaly Detection rule to Symantec (2218)
    • Updated the anomaly detection rule name for the ProxySG product in the new Anomaly Detection Spotlight.
  • Postfix: event_created timestamps without year indexed with year set to 1970 (2039)
  • Apache: vendor_event_severity parsed incorrectly in some error logs (2147)
    • The vendor_event_severity field is now properly extracted from some error log message types. Previously, vendor_event_severity would sometimes be assigned to vendor_apache_error_module.
  • CISCO_IOS: added support if the user_name is empty in login logs (2211)
  • MS Defender for Endpoint: Added rule to remove the evidence_array field which is not needed after procecssing. (2201)

 

Changed

  • Fortigate: Scope dashboard widgets to Fortigate Messages stream. (2188)
  • MS Defender for Endpoint: Removed group by aggregation for alert count widgets (2184)
  • MS365: Scope dashboard widgets to O365 Messages stream. (2110)
  • Postfix: This change improves titles of Spotlight widgets to better represent messages sent and messages not delivered. (2115)
  • Anomaly: Combined the Windows file activity anomaly detection rules into one (2230)
    • The original anomaly detection pack provided three separate rules related to Windows file activity, one rule each for file access, writes, and deletes. These rules are all based off of the same event data and can be combined in to one job.
  • MS365: Processing modifications and renames. (2106)
    • Input derived vendor_event_description now gets set as message, vendor_event_description gets set via a lookup if data exists in the lookup.

 

Let us know what you’d like to have included in our GitHub issue tracker.

The post Announcing Graylog Illuminate v5.2 appeared first on Graylog.