The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.
For a complete index of all the common message fields populated in each event log message generated by anomaly detection, see the corresponding guide.
Updated Rules Matrix
The following list details which legacy anomaly detectors are now supported by updated anomaly detectors released with Illuminate 5.2. For details on how to enable new anomaly detectors for installations currently utilizing legacy anomaly detectors, see the documentation on Illuminate anomaly detection.
Legacy Anomaly Detection Rule | Updated Anomaly Detection Rule |
---|---|
Cisco ASA - Unusual Data Transfer | Cisco ASA - Unusual Data Transfer V2 |
Fortigate - Unusual Data Transfer | Fortigate - Unusual Data Transfer V2 |
Linux Auditbeat - Failed Authentication | Linux Auditbeat - Failed Authentication V2 |
Linux Auditbeat - File Deletion | Linux Auditbeat - File Deletion V2 |
Office 365 - Failed Authentication | Office 365 - Authentication Activity V2 |
Okta - Failed Authentication | Okta - Failed Authentication V2 |
Palo Alto - Data Exfiltration | Palo Alto - Data Exfiltration V2 |
Palo Alto - Failed Authentication | Palo Alto - Failed Authentication V2 |
Bluecoat Web Proxy - Data Exfiltration | Symantec ProxySG - Data Exfiltration V2 |
Windows Security Event Log - Failed Authentication | Windows Security Event Log - Failed Authentication V2 |
Windows Security Event Log - File Permissions Change | Windows Security Event Log - Object Permissions Change V2 |
Windows Security Event Log - File Enumeration | Windows Security Event Log - User File Activity |
Windows Security Event Log - File Write | Windows Security Event Log - User File Activity |
Windows Security Event Log - File Deletion | Windows Security Event Log - User File Activity |
Detector Index
The following is a list of legacy anomaly detectors included in versions of Illuminate prior to 5.2. This list is included as a reference only. We strongly recommend you upgrade to the currently supported anomaly detection rules for use with Illuminate 5.2+.
Detector Name | Description | Indices | Requires | Anomaly-Specific Fields |
---|---|---|---|---|
Palo Alto - Data Exfiltration | This detection monitors Palo Alto logs for any unusual data transfers between hosts. Anomaly analysis is performed per host; events are aggregated by the fields source_ip and destination_ip. | Palo Alto Logs (Index Prefix: gl_paloalto*) | Palo Alto devices running 9.1.x or greater sending logs to the Graylog Server. Illuminate 2.2.2 with the Palo Alto processing pack and the Anomaly Detection add-on pack enabled. | Monitored fields: source_bytes_sent; Added fields: anomaly_total_source_bytes_sent |
Fortigate - Unusual Data Transfer | This detection monitors the amount of traffic associated with Fortinet Fortigate firewalls. Anomaly analysis is performed per host; events are aggregated by the field source_ip. | Fortinet Event Log Messages (Index Prefix: gl_forti*) | Fortinet Fortigate configured and sending logs to the Graylog Server. Illuminate 2.2.2 or greater installed with the Fortinet Fortigate technology pack and the Anomaly Detection add-on pack enabled. | Monitored fields: network_bytes; Added fields: anomaly_total_network_bytes |
Windows Security Event Log - File Deletion | This detection monitors for changes to file deletions in your environment’s Windows hosts by monitoring Windows Event ID 4663. Events are aggregated by the field user_name. | Windows Event Log Messages (prefix: gl_windows*) | A supported agent configured and sending logs to Graylog. Winlogbeat sending logs to the Graylog Server Beats input(s). NXlog sending logs to the Graylog Server GELF input(s). Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled. Windows systems configured to audit file deletion activity. | Categorical Fields: file_delete_count |
Linux Auditbeat - Unusual Data Transfer | This detection monitors the amount of traffic associated with Linux hosts. Anomaly analysis is performed per host; events are aggregated by the field host_hostname. | Linux Auditbeat Logs (Index Prefix: gl_linux_auditbeat*) | Linux Auditbeat configured with the System module (not part of Beats OSS) and Sockets Dataset enabled and sending logs to the Graylog Server Beats input(s). Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled. | Monitored fields: network_bytes; Added fields: anomaly_total_network_bytes |
Palo Alto - Failed Authentication | This detection monitors the amount of authentication activity for failed logon attempts associated with Palo Alto GlobalProtect clients. Anomaly analysis is performed per user; events are aggregated by the field user_name. | Palo Alto Logs (Index Prefix: gl_paloalto*) | Palo Alto devices running 9.1.x or greater sending logs to the Graylog Server. Illuminate 2.2.2 with the Palo Alto processing pack and the Anomaly Detection add-on pack enabled. | Monitored fields: anomdet_paloalto_logon_failed; Added fields: total_logon_failure_count |
Windows Security Event Log - Failed Authentication | This detection monitors failed authentication for Windows systems. This can include Windows Security Event ID 4625, Event ID 4771, or Event ID 4776 (Failure). Events are aggregated by the field user_name. | Windows Security Event Log Messages (prefix: gl_windows_security*) | A supported agent configured and sending logs to Graylog. Winlogbeat sending logs to the Graylog Server Beats input(s). NXlog sending logs to the Graylog Server GELF input(s). Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled. Windows systems configured to audit logon and authentication activity. | Categorical Fields: anomaly_total_windows_authentication_failures |
Office 365 - Failed Authentication | This detection monitors failed authentication for Windows systems. This can include Windows Security Event ID 4625, Event ID 4771, or Event ID 4776 (Failure). Events are aggregated by the field user_name. | Windows Security Event Log Messages (prefix: gl_windows_security*) | O365 service sending logs to the Graylog Server. Illuminate 2.2.2 with the O365 processing pack and the Anomaly Detection add-on pack enabled. | Monitored Fields: anomdet_windows_auth_failure; Categorical Fields: total_windows_authentication_failures |
Windows Security Event Log - File Permissions Change | This detection monitors for changes to file permissions in your environment’s Windows hosts by monitoring Windows Event ID 4670. Events are aggregated by the field user_name. | Windows Event Log Messages (prefix: gl_windows*) | A supported agent configured and sending logs to Graylog. Winlogbeat sending logs to the Graylog Server Beats input(s). NXlog sending logs to the Graylog Server GELF input(s). Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled. Windows systems configured to audit logon and authentication activity. | Added Fields: anomaly_file_perm_change_count |
Linux Auditbeat - File Deletion | This detection monitors for changes to file deletions associated with Linux hosts. Anomaly analysis is performed per host; events are aggregated by the field host_reference. | Linux Auditbeat Logs (Index Prefix: gl_linux_auditbeat*) | Linux Auditbeat configured with the System module (not part of Beats OSS) and Sockets Dataset enabled and sending logs to the Graylog Server. Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled. | Added fields: anomaly_total_linux_auditbeat_logon_failed |
Windows Security Event Log - File Write | This detection monitors for changes to file-write events in your environment’s Windows hosts by monitoring Windows Event ID 4663. Events are aggregated by the field user_name. | Windows Event Log Messages (prefix: gl_windows*) | A supported agent configured and sending logs to Graylog. Winlogbeat sending logs to the Graylog Server Beats input(s). NXlog sending logs to the Graylog Server GELF input(s). Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled. Windows systems configured to audit file write activity. | Categorical Fields: anomaly_file_write_count |
Linux Auditbeat - Failed Authentication | This detection monitors the amount of authentication activity for failed logon attempts associated with Linux hosts. Anomaly analysis is performed per host; events are aggregated by the field user_name. | Linux Auditbeat Logs (Index Prefix: gl_linux_auditbeat*) | Linux Auditbeat configured with the System module (not part of Beats OSS) and Sockets Dataset enabled and sending logs to the Graylog Server. Illuminate 2.2.2 or greater with the Linux Auditbeat technology pack and the Anomaly Detection add-on pack enabled. | Added fields: anomaly_files_deleted_count |
Okta - Failed Authentication | This detection monitors the amount of authentication activity for failed logon attempts associated with Okta clients. Anomaly analysis is performed per user; events are aggregated by the field user_name. | Okta Logs (Index Prefix: gl_okta*) | Okta service sending logs to the Graylog Server. Illuminate 2.2.2 with the Okta processing pack and the Anomaly Detection add-on pack enabled. | Added fields: anomaly_total_okta_logon_failed |
Bluecoat Web Proxy - Data Exfiltration | This detection monitors Bluecoat ProxySG logs for any unusual data transfers between hosts. Anomaly analysis is performed per user; events are aggregated by the fields user_name and destination_ip. | Symantec Event Log Messages (Index Prefix: gl_symantec*) | Bluecoat ProxySG sending logs to the Graylog Server. Illuminate 2.2.2 with the Symantec ProxySG technology pack and the Anomaly Detection add-on pack enabled. | Monitored fields: source_bytes_sent; Added fields: anomaly_total_source_bytes_sent |
Cisco ASA - Unusual Data Transfer | This detection monitors the amount of traffic reported by Cisco ASA devices. Anomaly analysis is performed per network connection; events are aggregated by the fields source_reference and destination_reference. | Cisco Devices Event Log Messages (Index Prefix: gl_cisco*) | Cisco ASA devices configured and enabled and sending logs to the Graylog Server. Illuminate 2.2.2 or greater with the Cisco ASA technology pack and the Anomaly Detection add-on pack enabled. | Monitored fields: network_bytes; Added fields: total_network_bytes |
Windows Security Event Log - File Enumeration | This detection monitors for read events to files in your environment’s Windows hosts by monitoring Windows Event ID 4663. Events are aggregated by the fields user_name and process_name. | Windows Event Log Messages (prefix: gl_windows*) | A supported agent configured and sending logs to Graylog. Winlogbeat sending logs to the Graylog Server Beats input(s). NXlog sending logs to the Graylog Server GELF input(s). Illuminate 2.2.2 or greater with the Windows technology pack and the Anomaly Detection add-on pack enabled. Windows system(s) configured to audit file deletion activity. | Categorical Fields: anomaly_file_read_count |