The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

The Anomaly Detection Add-on technology pack, and the associated Anomaly Detection spotlight, provide useful components that are required when taking advantage of the anomaly detection feature in Graylog Security. The Anomaly Detection spotlight provides predefined anomaly detection rules that can be used in conjunction with different Illuminate packs.

Supported Version(s)

Requirements

  • A valid Graylog Security license

Anomaly Detection Add-on

The anomaly detection add-on provides the stream and index set for anomaly detection rules and is required to utilize the anomaly detection rules that are provided in the Anomaly Detection spotlight. The add-on should be enabled if you are utilizing the anomaly detection feature, even if you are not using the anomaly detection rules provided by the Illuminate Anomaly Detection spotlight.

Anomaly Feature Fields

The Anomaly Detection Add-on includes pipelines that add feature fields used by the anomaly detection rules included in the Anomaly Detection spotlight. These are usually product-specific fields that indicate a specific type of event has occurred, such as a failed logon, with field names that begin with the prefix anomdet_.

Stream Configuration

This technology pack includes one stream:

  • "Graylog Anomaly Detection Messages"

Index Set Configuration

This technology pack includes one index set definition:

  • "Graylog Anomaly Detection Messages"

Anomaly Detection Spotlight Content Pack

Anomaly Detection Rules

The Anomaly Detection spotlight provides pre-defined anomaly detection rules designed to work with the existing Illuminate processing packs. For a detailed list of included rules, see the relevant documentation.

Anomaly Detection Rule Updates

Warning: Read the following instructions in full prior to updating the Anomaly Detection rules!

Illuminate 5.2.0 and later include a new Anomaly Detection spotlight pack that contains updated versions of the rules previously included in Illuminate versions prior to Illuminate 5.2.0.

The previous Anomaly Detection Spotlight pack has been renamed to "Core:Anomaly Detection Spotlight (Legacy)" and the updated rules are in the Illuminate pack titled "Core:Anomaly Detection Spotlight."

For a full list of the previously implemented rules and their updated counterparts, see the updated rules matrix.

Updating the Anomaly Detection Rules

If you have enabled and are running any of the anomaly detection rules from versions of Illuminate prior to Illuminate 5.2.0, complete the following sequence to enable the newly released rules included in this content pack:

  1. Navigate to the Illuminate installer page under the Enterprise menu of your Graylog web interface.
  2. Download and install the most recent version of Illuminate if you have not already.
  3. Enable the Illuminate pack "Core:Anomaly Detection Spotlight" but do not disable the "Core:Anomaly Detection Spotlight (Legacy)" pack.
  4. Navigate to the Anomalies page under the Security menu of your Graylog web interface. Note here that a new set of anomaly detection rules are listed.
  5. Record which anomaly detection rules are currently running.
  6. Then, refer to the updated rules list to determine which updated rule corresponds with each legacy rules.
  7. One rule at a time, for each currently running legacy rule:
    1. Enable the updated version of the corresponding rule.
    2. Wait for the newly enabled rule to complete training, which may take at least 24 hours.
    3. Disable the legacy rule(s). (Some updated single rules replace multiple legacy rules.)
  8. Repeat this process until all of the legacy anomaly detection rules have been updated and disabled
  9. After all of the updated legacy rules have been disabled and the corresponding updated rules enabled, return to the Illuminate installer page and disable the pack "Core:Anomaly Detection Spotlight (Legacy)."