The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

This article contains a full list of all available detectors included in the Graylog anomaly detection tool.

For a complete index of all the common message fields populated in each event log message generated by anomaly detection, see the corresponding guide.

Hint: This list of anomaly detectors is current for Illuminate 5.2. For a list of all previous detectors for versions of Illuminate prior to 5.2, see the list of legacy detectors.

Detector Index

Each entry below gives the detector name, a description, the index pattern (deflector) the detector runs against, its requirements, and the anomaly-specific fields it monitors and adds.
Linux Auditbeat - File Deletion V2
Description: This detection monitors for unusual file deletion activity on your environment's Linux hosts.
Index pattern: gl_linux_auditbeat_deflector
Requires:
1. Linux Auditbeat configured with the system module (not part of Beats OSS) and the Sockets dataset enabled, sending logs to the Graylog server Beats input(s)
2. Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: anomdet_file_deleted
Added field: files_deleted_count

Windows Security Event Log - Failed Authentication V2
Description: This detection looks for anomalies in the number of failed authentication attempts per user.
Index pattern: gl_windows_security_deflector
Requires:
1. A supported agent configured and sending logs to Graylog: (a) Winlogbeat sending logs to the Graylog server Beats input(s), or (b) NXLog sending logs to the Graylog server GELF input(s)
2. Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled
3. Windows systems configured to audit user authentication failures
Anomaly-specific fields:
Monitored field: anomdet_windows_auth_failure
Added field: anomaly_user_authentication_failed

Windows Security Event Log - User File Activity
Description: This detection monitors for anomalous volumes of file activity (read, write, delete) on your environment's Windows hosts by monitoring Windows Event ID 4663 (object access).
Index pattern: gl_windows_security_deflector
Requires:
1. A supported agent configured and sending logs to Graylog: (a) Winlogbeat sending logs to the Graylog server Beats input(s), or (b) NXLog sending logs to the Graylog server GELF input(s)
2. Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled
3. Windows systems configured to audit object access
Anomaly-specific fields:
Monitored field: anomdet_windows_file_write
Added field: file_write_count
Monitored field: anomdet_windows_file_delete
Added field: file_delete_count
Monitored field: anomdet_windows_file_read
Added field: file_read_count

Windows Security Event Log - Object Permissions Change V2
Description: This detection monitors for anomalous object permission change activity on your environment's Windows hosts by monitoring Windows Event ID 4670 (permissions on an object were changed).
Index pattern: gl_windows_security_deflector
Requires:
1. A supported agent configured and sending logs to Graylog: (a) Winlogbeat sending logs to the Graylog server Beats input(s), or (b) NXLog sending logs to the Graylog server GELF input(s)
2. Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled
3. Windows systems configured to audit object permission changes
Anomaly-specific fields:
Monitored field: anomdet_windows_permissions_change
Added field (feature): permissions_change_count
Aggregation type: sum()

Linux Auditbeat - Failed Authentication V2
Description: This detection monitors for unusual logon activity on your environment's Linux hosts by monitoring failed logons.
Index pattern: gl_linux_auditbeat_deflector
Requires:
1. Linux Auditbeat configured with the system module (not part of Beats OSS) and the Sockets dataset enabled, sending logs to the Graylog server Beats input(s)
2. Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: anomdet_linux_auditbeat_logon_failed
Added field (feature): authentication_failure_count
Aggregation type: sum()

Linux Auditbeat - Unusual Data Transfer V2
Description: This detection monitors for unusual network activity on your environment's Linux hosts by monitoring the total volume of network traffic.
Index pattern: gl_linux_auditbeat_deflector
Requires:
1. Linux Auditbeat configured with the system module (not part of Beats OSS) and the Sockets dataset enabled, sending logs to the Graylog server Beats input(s)
2. Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: network_bytes
Added field: total_network_bytes

Office 365 - Authentication Activity V2
Description: This detection monitors for unusual authentication or authentication failure patterns per Microsoft 365 user.
Index pattern: gl_o365_deflector
Requires:
1. Graylog configured to collect logs from the Microsoft 365 service
2. Illuminate 2.2.2 or greater with the O365 processing pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: anomdet_o365_authentication
Added field: anomaly_user_authentication
Monitored field: anomdet_o365_logon_failed
Added field: anomaly_user_authentication_failed

Okta - Failed Authentication V2
Description: This detection monitors for unusual user authentication failure patterns in Okta events.
Index pattern: gl_okta_deflector
Requires:
1. Graylog configured to collect logs from the Okta service
2. Illuminate 2.2.2 or greater with the Okta technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: anomdet_okta_logon_failed
Added field: anomaly_user_authentication_failed

Symantec ProxySG - Data Exfiltration V2
Description: This detection monitors Bluecoat ProxySG logs for unusual data transfers between hosts. Anomaly analysis is performed per user; events are aggregated by the categorical fields user_name and destination_ip.
Index pattern: gl_symantec_deflector
Requires:
1. Bluecoat ProxySG sending logs to the Graylog server
2. Illuminate 2.2.2 or greater with the Symantec ProxySG technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: source_bytes_sent
Added field: total_source_types_sent

Fortigate - Unusual Data Transfer V2
Description: This detection monitors the amount of traffic reported by Fortinet Fortigate firewalls. Anomaly analysis is performed per host; events are aggregated by the categorical field source_ip.
Index pattern: gl_fortinet_deflector
Requires:
1. Fortinet Fortigate configured and sending logs to the Graylog server
2. Illuminate 2.2.2 or greater with the Fortinet Fortigate technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: network_bytes
Added field: total_network_bytes

Cisco ASA - Unusual Data Transfer V2
Description: This detection monitors the amount of traffic reported by Cisco ASA devices. Anomaly analysis is performed per network connection; events are aggregated by the field source_ip.
Index pattern: gl_cisco_deflector
Requires:
1. Cisco ASA devices configured and sending logs to the Graylog server
2. Illuminate 2.2.2 or greater with the Cisco ASA technology pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: network_bytes
Added field: network_bytes

Palo Alto - Data Exfiltration V2
Description: This detection monitors Palo Alto logs for unusual data transfers between hosts. Anomaly analysis is performed per host; events are aggregated by the fields source_ip and destination_ip.
Index pattern: gl_paloalto_deflector
Requires:
1. Palo Alto devices running 9.1.x or greater sending logs to the Graylog server
2. Illuminate 2.2.2 or greater with the Palo Alto processing pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: source_bytes_sent
Added field: total_source_bytes_sent

Palo Alto - Failed Authentication V2
Description: This detection monitors the volume of failed logon attempts associated with Palo Alto GlobalProtect clients. Anomaly analysis is performed per user; events are aggregated by the field user_name.
Index pattern: gl_paloalto_deflector
Requires:
1. Palo Alto devices running 9.1.x or greater sending logs, including GlobalProtect authentication logs, to the Graylog server
2. Illuminate 2.2.2 or greater with the Palo Alto processing pack and the Anomaly Detection add-on pack enabled
Anomaly-specific fields:
Monitored field: anomdet_paloalto_logon_failed
Added field: anomaly_user_authentication_failed
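Every row above reduces to the same shape: a monitored field, an added feature field, the aggregation (sum() where the row states it) and, for several detectors, the categorical fields the events are grouped by. The script below is an added example, not Graylog's or Illuminate's own code, that reproduces that feature step over constructed sample messages for two of the rows (the Windows failed-authentication and Palo Alto data-exfiltration detectors) and then scores each series. The five-minute bucket, the use of user_name as the grouping field for the Windows detector, and the median/MAD scoring rule are assumptions made for the example; the page does not state which model Graylog's anomaly detection uses.

```python
"""Added example: the per-detector feature aggregation this index describes.

Assumptions (not from the page): 5-minute buckets, user_name as the grouping
field for the Windows detector, and a median/MAD rule as a stand-in for the
real anomaly model.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import median


@dataclass(frozen=True)
class Detector:
    name: str
    monitored_field: str   # field that is summed ("Monitored field")
    added_field: str       # per-bucket feature written out ("Added field")
    group_by: tuple        # categorical fields that define one series


# Two rows from the index above.
WINDOWS_FAILED_AUTH = Detector(
    "Windows Security Event Log - Failed Authentication V2",
    "anomdet_windows_auth_failure", "anomaly_user_authentication_failed",
    ("user_name",))                      # grouping field assumed; page says "by user"
PALOALTO_EXFIL = Detector(
    "Palo Alto - Data Exfiltration V2",
    "source_bytes_sent", "total_source_bytes_sent",
    ("source_ip", "destination_ip"))

BUCKET = timedelta(minutes=5)            # bucket width assumed for the example


def _ts(minute):
    return datetime(2024, 1, 1, 9, minute, tzinfo=timezone.utc)


# Constructed sample messages, not real Graylog output.  One failed logon
# (Event ID 4625) carries anomdet_windows_auth_failure=1 after enrichment.
SAMPLE_WINDOWS = (
    [{"timestamp": _ts(m), "user_name": "alice",
      "anomdet_windows_auth_failure": 1} for m in range(0, 60, 5)]   # 1 per bucket
    + [{"timestamp": _ts(47 + i % 3), "user_name": "alice",
        "anomdet_windows_auth_failure": 1} for i in range(40)]       # spray at 09:45-09:49
    + [{"timestamp": _ts(m), "user_name": "bob",
        "anomdet_windows_auth_failure": 1} for m in (3, 22, 41)]     # sparse, benign
)
SAMPLE_PALOALTO = (
    [{"timestamp": _ts(m), "source_ip": "10.0.0.5", "destination_ip": "203.0.113.9",
      "source_bytes_sent": 2000 + (m % 7) * 100} for m in range(0, 60, 5)]  # steady
    + [{"timestamp": _ts(31), "source_ip": "10.0.0.5", "destination_ip": "203.0.113.9",
        "source_bytes_sent": 900_000}]                                      # one burst
)


def aggregate(detector, events, bucket=BUCKET):
    """Sum the monitored field per (group key, time bucket).

    Returns {group_key: {bucket_start: {added_field: value}}}.  Buckets with
    no events are filled with 0 so that a quiet series is not scored only on
    the buckets in which it happened to be active.
    """
    sums = defaultdict(lambda: defaultdict(int))
    starts = []
    width = bucket.total_seconds()
    for ev in events:
        key = tuple(ev[f] for f in detector.group_by)
        epoch = ev["timestamp"].timestamp()
        start = datetime.fromtimestamp(epoch - epoch % width, tz=timezone.utc)
        sums[key][start] += ev[detector.monitored_field]
        starts.append(start)
    lo, hi = min(starts), max(starts)
    series = {}
    for key, buckets in sums.items():
        t, filled = lo, {}
        while t <= hi:
            filled[t] = {detector.added_field: buckets.get(t, 0)}
            t += bucket
        series[key] = filled
    return series


def robust_z(values, floor=1.0):
    """Median/MAD z-scores (assumed stand-in for the real model).  A flat
    series has MAD 0, so the scale is floored to keep the score defined."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    scale = max(1.4826 * mad, floor)
    return [abs(v - med) / scale for v in values]


def detect(detector, events, threshold=3.0):
    """Return [(group_key, bucket_start, feature_value, z)] for anomalous buckets."""
    hits = []
    for key, buckets in aggregate(detector, events).items():
        times = sorted(buckets)
        values = [buckets[t][detector.added_field] for t in times]
        for t, v, z in zip(times, values, robust_z(values)):
            if z > threshold:
                hits.append((key, t, v, z))
    return hits


if __name__ == "__main__":
    for det, sample in ((WINDOWS_FAILED_AUTH, SAMPLE_WINDOWS), (PALOALTO_EXFIL, SAMPLE_PALOALTO)):
        for key, t, v, z in detect(det, sample):
            print(f"{det.name}: {dict(zip(det.group_by, key))} at {t:%H:%M} "
                  f"{det.added_field}={v} (z={z:.1f})")
```

Run as a script it reports one hit per detector: alice's 41 failures in the 09:45 bucket and the 902,200-byte burst from 10.0.0.5 to 203.0.113.9. The zero-filling in aggregate is the part worth keeping when adapting this: bob's three failures fall in three of twelve buckets, so his baseline is computed over the full window rather than only the buckets in which he failed, which is what a count-type feature such as anomaly_user_authentication_failed needs in order not to overstate a sparse user's normal rate.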