Illuminate 6.3.0

Released: 2025-04-28

Known Issues

Important Version Note: Modified the Graylog server minimum version support requirement for Illuminate 6.3.0 bundles. (2764)

  • Periodically, for Illuminate to take advantage of updated and new functionality built into newer versions of Graylog, the minimum supported version(s) of Graylog must be updated. For Illuminate 6.3.0, the minimum Graylog server version has been updated to 6.1.0. DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to the minimum supported version (6.1.0) or higher. Please note that the Illuminate hub will enforce this requirement.

Added

  • NetFlow: NetFlow Content Pack (2646)

    • NetFlow is a network protocol used for collecting, analyzing, and monitoring network traffic. It provides insights into who is communicating with whom, how much data is being transferred, and over which protocols.

  • Windows Security Alerting Pack: Added an ID to one of the alerts. (2609)

    • Updated the rule "Illuminate - Windows Security - Possible Initial Access By Phishing With File Extensions As TLD (via dns)." Added an ID.

  • CarbonBlack/CB Defense: Added categorization, changed field names and added alert_severity. (340)

    • Carbon Black active_threat and malware_prevention messages are now categorized as alert_default. Non-schema fields now have the prefix vendor_. vendor_event_description is now alert_signature. vendor_transaction_type is now vendor_event_type. Messages now have an alert_severity and an alert_severity_level.

  • Checkpoint NGFW: Added severity level normalization rule. (2298)

    • Added event_severity mapping for the 17 most common subtypes.

  • Windows: Windows DNS Server Content Pack (2647)

    • This content pack provides enhanced visibility into Windows DNS Server activity by leveraging audit event logs and analytic logs via Event Tracing for Windows (ETW). It includes parsers, normalization, enrichment, and dashboards designed to help monitor DNS operational and transactional events efficiently.

  • Apache Tomcat Content Pack (2747)

    • Apache Tomcat is an open-source Java servlet container developed by the Apache Software Foundation. It enables Java-based web applications by handling servlets and JavaServer Pages (JSP). Added parsing for access and some Catalina logs.

  • GitLab: GitLab Content Pack (2645)

    • GitLab is a DevOps platform that provides source code management, CI/CD pipelines, and security features for software development. It enables teams to collaborate, automate workflows, and manage repositories in a single application.

  • Windows AppLocker: Added spotlight widgets and parsing for file base paths. (2694)

    • Added parsing for file base paths as vendor_file_base_path and created Spotlight widgets to visualize commonality/rarity of base paths.

  • Checkpoint NGFW: Added a saved search to the spotlight that highlights the different Syslog levels. (1558)

  • Added support for Microsoft Sysmon Events. (811)

  • Graylog Compliance: Unified Visibility Spotlight (Preview) (2767)

    • This preview compliance pack provides targeted visibility into Identification & Authentication (IAC), Network (NET), and Endpoint (END) events that support control requirements shared across NIST SP 800-53 Rev 5, PCI DSS v4.0, and US CMMC 2.0 Level 1. The spotlight includes dashboards and a daily report template with tailored widgets for compliance reporting.

  • Cisco ISE: Cisco ISE Content Pack (2412)

    • Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure network access to end users and devices. It enables organizations to enforce secure access policies for endpoints and users across wired, wireless, and VPN networks.

  • Paloalto 11x: Added support for Paloalto 11x. (489)

  • Sophos Central: Added parsing for endpoint API logs. (394)

Fixed

  • Cisco ASA: Fixed misspelling for vendor_event_description. (2720)

  • Linux System Logs: Added missing Syslog header field extractions for Filebeat-forwarded messages. (2709)

  • Linux System Logs: Fixed (source_)user_name parsing to account for possible (source_)user_domain. (2735)

  • Sigma User Activity Alerting Pack: Changed a rule to avoid false positives. (2570)

    • Updated the rule "A Logon was Attempted Using Explicit Credentials by Suspicious Process (via audit)", which was creating high amounts of false positives. The rule now excludes the source_user_session_uid 00000000-0000-0000-0000-000000000000.

  • Juniper SRX: Identification rule performance on non-Juniper messages was slow. (2726)

  • Sonicwall: Parsed out the correct user_name value for event_code 29, 30, 261 and 262. (2657)

Changed

  • Checkpoint FW: Changed the two reference fields. (2666)

    • Changed incorrect reference field names for destination from USER_NAME_NOT_DEFINED to DESTINATION_REFERENCE_NOT_DEFINED and source from SOURCE_NOT_DEFINED to SOURCE_REFERENCE_NOT_DEFINED.

  • NGINX Web: Renamed client_ip to source_ip in error logs. (2643)

Removed

  • Linux Auditbeat: Removed the source and destination reference fields creation from the pack. (2665)

  • Cisco IOS: Removed the redundant field vendor_event_type for all Cisco IOS messages. (2277)

Illuminate 6.2.0

Released: 2025-02-06

Added

  • MS365: Extract host_name from AzureActiveDirectory (EntraID) Endpoint message metadata. (2599)

  • Illuminate Core: Add Internal/Enterprise Networks process/feature. (2584)

    • This change adds a lookup named core_networks to Illuminate core. Illuminate customers can customize the adapter core_networks_adapter, adding a CIDR-notation IP range and category values. Illuminate will detect when source_ip/destination_ip/host_ip matches these CIDR ranges and add a related category field, source_category/destination_category/host_category, with the values provided in the lookup.
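An illustrative re-implementation of the core_networks enrichment in Python (added here; not Illuminate's own pipeline rules). The CIDR ranges and category values are constructed, and choosing the most specific matching range when ranges overlap is an assumption of this example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the core_networks_adapter entries:
# each row is (CIDR range, category value). Values are illustrative only.
CORE_NETWORKS: List[Tuple[str, str]] = [
    ("10.0.0.0/8", "internal"),
    ("10.50.0.0/16", "enterprise_dmz"),   # more specific than 10.0.0.0/8
    ("192.168.0.0/16", "internal"),
    ("203.0.113.0/24", "partner"),
]

_NETWORKS = [(ipaddress.ip_network(cidr), cat) for cidr, cat in CORE_NETWORKS]

# IP fields Illuminate inspects, and the category field each one produces.
IP_FIELDS = {
    "source_ip": "source_category",
    "destination_ip": "destination_category",
    "host_ip": "host_category",
}


def lookup_category(ip_text: str) -> Optional[str]:
    """Return the category of the most specific matching CIDR, or None.

    Longest-prefix preference is this example's assumption, not a documented
    Illuminate behaviour. Malformed values simply get no enrichment.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for net, cat in _NETWORKS:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cat)
    return best[1] if best else None


def enrich(message: Dict[str, str]) -> Dict[str, str]:
    """Add source_/destination_/host_category for any matching IP field."""
    out = dict(message)
    for ip_field, cat_field in IP_FIELDS.items():
        if ip_field in out:
            cat = lookup_category(out[ip_field])
            if cat is not None:
                out[cat_field] = cat
    return out


if __name__ == "__main__":
    # Constructed sample message: an internal host talking to an external resolver.
    sample = {"source_ip": "192.168.1.10", "destination_ip": "8.8.8.8", "host_ip": "10.50.1.1"}
    print(enrich(sample))
```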

  • MS365: Extract email metadata from Exchange events. (2577)

    • Extract Email metadata from Exchange events, including email subject and email parent folder path.

  • Windows Security: Added parsing for Linked Logon ID (user_linked_session_id) - event 4624. (1890)

  • Sonicwall: Added and changed parsing for some fields. (2556)

    • Added parsing for destination_nat_ip, source_nat_ip, destination_nat_port, and source_nat_port. Renamed vendor_referer to http_referrer and vendor_icmpCode to network_icmp_code_number. Added support for IPv6.

  • Linux: Added parsing for UFW logs. (2623)

  • Windows Security: Add support for Windows Event ID 4696 and 4703. (2053)

  • Linux: Added parsing for IPTable logs. (2634)

  • Core: Added lookup table that maps query_record_type to query_record_type_code. (2478)

  • Sonicwall: Added support for the new detection category in the dashboard. (2553)

  • AppLocker: Windows AppLocker Content Pack (2607)

    • Windows AppLocker enables administrators to control which applications and files users can run, including executables, dynamic-link libraries (DLLs), scripts, installers and packaged apps.

  • MS365: Added parsing for Exchange Item Group auditing activity. (2601)

    • This activity details information when multiple mailbox items are accessed or modified as part of one consolidated action and includes e-mail attachment extraction.

  • MS365: Added parsing for Teams privacy setting changes to a team. (2586)

  • Curated Alerts: Adding Windows Threat Campaigns - Sigma Rules (2547)

    • A collection of Sigma rules selected from TruKno's Threat Detection Marketplace and curated by the Illuminate team.

  • Sonicwall: Added and changed categorization for some event codes. (2548)

    • The following event_codes are now categorized: 14, 36, 97, 263, 355, 356, 524, 526, 1573. The following event_code has been changed: 1226 is now 129999 and not 180200, 120000.

Fixed

  • Cloudflare: Possible indexing errors with vendor_edge_response_compression_ratio data type. (2613)

  • Windows Security: Fixed the typos for ProcessCreation and AADInternals. (2578)

  • Updated stream routing rules with match pass logic where applicable. (2612)

    • Stream routing rules should be set to "match pass" so that they honour the _skip_default_gl_routing_ field when it is set.

  • Curated Alerts: Make Webserver and Linux pack visible (2620)

    • The bundle now contains the Webserver and Linux Curated Alert packs.

Changed

  • Sonicwall: Lowered license utilization. (2550)

    • The message field is now the vendor message field to avoid data duplication. The following fields are now deleted if they are zero: destination_bytes_sent, destination_packets_sent, source_bytes_sent, source_packets_sent.

  • MS365: Update Exchange parent folder item processing to extract individual fields. (2580)

  • Checkpoint FW: Properly named count related metric widget(s) in spotlight. (2527)

  • Core: Updated description for the core-sigma-field-map_adapter data adapter so it accurately reflects the required key and value. (2568)

  • Curated Alerts: Added a gl- prefix to the Sigma IDs (2637)

  • Meraki: Properly named count related metric widget(s) in spotlight. (2530)

  • MS365: Removed event_log_name field. (2600)

    • Removed the event_log_name field which is better represented by vendor_record_type_code and the lookup enhancements that come with it.

Illuminate 6.1.0

Released: 2024-11-21

Added

  • Sysmon: Added user_name parsing for event_code 16. (2309)

  • Sophos: Added support for new firewall file names. (2508)

    • Sophos changed the field names vendor_packets_sent and vendor_packets_received in firewall logs. Renamed vendor_dst_mac to destination_mac.

  • Bitdefender: Bitdefender GravityZone Content Pack (2362)

    • Bitdefender GravityZone is an enterprise security solution offering centralized management for endpoint protection, network security, and cloud security. It consists of about 45 modules.

  • MS365: Added additional vendor_event_action to lookup. (2157)

    • Numerous additional vendor_event_action values were added to the related lookup, allowing other fields (vendor_event_category, gim_event_type_code, and vendor_event_description) to be populated where the information exists.

  • MS365: Added GIM categorization for additional DLPEndpoint file related events. (2254)

  • MS365: Process role assignment and removal events (2483)

    • This change processes the MS365 role removal and assignment events. The roles assigned/removed will be extracted to the fields privilege_added_name, privilege_added_id, privilege_removed_name, privilege_removed_id.

  • Sophos: Added Sophos stream to dashboard scope. (2500)

  • Windows: Categorize Security Event ID 4703, 4704, 4705 as privilege added and privilege removed. (2532)

  • Cloudflare: Cloudflare Content Pack (2363)

    • Cloudflare is a web infrastructure and security company that provides services such as content delivery, DDoS protection, internet security, and domain name server (DNS) solutions to enhance website performance and protect against cyber threats.

  • Sysmon Spotlight: Added support for EventID 28/29. (1554)

  • Ubiquiti UniFi: Added parsing for kernel logs noting received packets with identical addresses. (2475)

  • Compliance: Add privilege changes to Compliance Spotlight dashboard. (2542)

  • Sophos: Added event_action parsing for events. (2515)

    • Some event_type values include an action; parsing was added for failed login attempts.

  • MS365: Added a Security Posture Management tab to the Office 365 Overview spotlight. (2318)

    • The Security Posture Management Overview tab includes assessment and regulatory compliance information which details your environment security posture.

  • Windows: Process privilege token assignments in windows using the privilege fields (2519)

    • Process security tokens in Windows event logs using privilege fields. Windows Security event log messages that list security tokens now use the fields privilege_assigned_name, privilege_removed_name, and privilege_name, depending on the event. Additionally, an enrichment has been added to define the privilege category (privilege_assigned_category, privilege_removed_category, privilege_category), which assigns the value elevated_privilege to identify tokens that allow an account to perform sensitive system activities.

  • Sophos: Added categorization for HTTP logs and added parsing according to the Graylog schema (2422)

    • Sophos logs with the event component HTTP are now categorized as network network.connection and http.default. Firewall Authentication logs for failed logon are categorized as authentication.logoff. Blocked appliance logs are categorized as authentication.logon. Changed fields from http_uri to http_request_path, vendor_http_status to http_response_code, vendor_http_user_agent to http_user_agent, and vendor_con_id to connection_id.

Fixed

  • MS365: Updated user_name parsing and added user_domain extraction. (2321)

    • User names formatted as user@domain.com or DOMAIN\USER will now have user_name and user_domain extracted as separate fields.

  • Postfix: 12-postfix_event_created_normalization rule can't handle extra space. (2414)

    • Updated the event_created extraction logic for Postfix. The pack will now attempt to parse multiple date formats. To prevent indexing errors caused by unexpected date formats in event_created, the pack first extracts the date field as vendor_event_created, then attempts to parse that field and assign the value to event_created. If parsing fails, vendor_event_created is indexed as a keyword-type field, which will not prevent indexing of the message but cannot be used in ranged searches.
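An added Python sketch of the fallback described above (not the Postfix pack's own rule): the raw value stays in vendor_event_created, event_created is set only when one of the candidate formats parses, extra spaces are collapsed before matching, and year-less syslog timestamps are completed from a reference date rather than defaulting to an epoch year. The format list and the REFERENCE_NOW value are constructed for this example.

```python
from datetime import datetime, timezone
from typing import Dict, Optional

# Candidate formats tried in order (constructed for this example, not the
# pack's own list). Formats without %Y are completed with a reference year.
DATE_FORMATS = [
    "%Y-%m-%dT%H:%M:%S.%f%z",  # ISO 8601 with fraction and offset
    "%Y-%m-%dT%H:%M:%S%z",     # ISO 8601 with offset
    "%b %d %H:%M:%S",          # classic syslog, e.g. "Nov 21 10:15:32" (no year)
]

# Fixed reference time so the year completion is reproducible (constructed).
REFERENCE_NOW = datetime(2024, 11, 21, 12, 0, 0, tzinfo=timezone.utc)


def parse_event_created(raw: str, now: Optional[datetime] = None) -> Optional[datetime]:
    """Return an aware datetime for raw, or None if no candidate format matches."""
    now = now or datetime.now(timezone.utc)
    # Collapse the extra space syslog pads single-digit days with ("Dec  5 ...").
    text = " ".join(raw.split())
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(text, fmt)
        except ValueError:
            continue
        if "%Y" not in fmt:
            # strptime defaults a missing year to 1900; use the reference year,
            # or the previous one if that would place the event in the future.
            try:
                dt = dt.replace(year=now.year, tzinfo=timezone.utc)
                if dt > now:
                    dt = dt.replace(year=now.year - 1)
            except ValueError:  # e.g. Feb 29 in a non-leap year
                return None
        elif dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt
    return None


def normalize(message: Dict[str, object], now: Optional[datetime] = None) -> Dict[str, object]:
    """Keep the raw value in vendor_event_created; set event_created only on success.

    An unparseable value therefore never produces a bad date for the index,
    it just leaves event_created unset for that message.
    """
    out = dict(message)
    raw = out.get("vendor_event_created")
    if not isinstance(raw, str):
        return out
    parsed = parse_event_created(raw, now)
    if parsed is not None:
        out["event_created"] = parsed
    return out


if __name__ == "__main__":
    # Constructed sample messages: a padded syslog date and an unparseable one.
    for raw in ("Dec  5 08:00:00", "not a date"):
        print(normalize({"vendor_event_created": raw}, REFERENCE_NOW))
```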

  • MS365: Group names are extracted as o365_group_name_new or o365_group_name_old but context is missing. (2413)

    • Removed these fields for IAM events where only one or the other exists; in that case the value is assigned to the field group_name.

  • Cisco ASA: Fixed parsing and categorization for 113004, 113005, 113006, and 113007. (2400)

    • Added categorization for 113004 and 113005 (authentication.logon) and changed parsing host_ip/host_hostname to source_ip/source_hostname. Changed categorization for 113006 from authentication.logon to authentication.logoff. Changed categorization for 113007 from authentication.logon to account.unlocked and changed parsing from vendor_admin_user_name to source_user_name.

  • MS365: AzureAD/Entra ID ExtendedProperties User Agent Field Extraction (2269)

    • The http_user_agent field extracted from AzureAD/Entra ID logs is now extracted as a single string capable of being processed by additional functions.

  • MS365: Entra ID Sign-In Failures and Reason by Top 5 Users Widget Fix (2506)

    • The group by column field associated with this widget has been updated to vendor_event_action, which better represents the intent of the widget.

  • MS365: user_name field is a value list for IAM group change events. (2411)

  • Crowdstrike: Fixed issue with spotlight by removing unsupported dependency. (2574)

Changed

  • NGINX: Scope dashboard widgets to NGINX Messages stream. (2450)

  • Fortigate: Changed dashboard widget times to 1hr. (2197)

  • Cisco ASA: Scope dashboard widgets to Cisco ASA Messages stream. (2433)

  • Sysmon: Scope dashboard widgets to Sysmon Messages stream. (2505)

  • Snort IDS: Scope dashboard widgets to Snort IDS Messages stream. (2496)

  • Checkpoint: Scope dashboard widgets to Checkpoint Messages stream. (2484)

  • Watchguard: Scope dashboard widgets to Watchguard Messages stream. (2512)

  • Ubiquiti Unifi: Scope dashboard widgets to Ubiquiti Unifi Messages stream. (2510)

  • Okta: Scope dashboard widgets to Okta Messages stream. (2453)

  • Windows Security: Scope dashboard widgets to Windows Security Messages stream. (2513)

  • Juniper SRX: Scope dashboard widgets to Juniper SRX Messages stream. (2437)

  • Stormshield: Scope dashboard widgets to Stormshield Messages stream. (2501)

  • Zeek: Scope dashboard widgets to Zeek Messages stream. (2518)

  • MS Defender AV: Scope dashboard widgets to MS Defender AV Messages stream. (2488)

  • Fortigate: Forward subtype logs now categorized as network connections. (2236)

  • Linux Auditbeat: Scope dashboard widgets to Linux Auditbeat Messages stream. (2439)

  • Sonicwall: Scope dashboard widgets to Sonicwall Messages stream. (2498)

  • AWS Security Lake: Scope dashboard widgets to AWS Security Lake Messages stream. (2430)

  • Sophos: Reducing Graylog license utilization for Sophos (2490)

    • The message field is now shortened to avoid data duplication. Fields related to ports and packets are deleted if their value is 0.

  • Unifi Spotlight: Updated the time range for all spotlight widgets to 1 hour. (2417)

  • Pfsense: Scope dashboard widgets to Pfsense Messages stream. (2493)

  • Powershell: Scope dashboard widgets to Powershell Messages stream. (2494)

  • Palo Alto: Scope dashboard widgets to Palo Alto Messages stream. (2455)

  • Meraki: Scope dashboard widgets to Meraki Messages stream. (2442)

Illuminate 6.0.1

Released: 2024-10-24

Fixed

  • O365: Spotlight error when installed. (2445)

Illuminate 6.0.0

Released: 2024-10-21

Added

  • Google Workspace: Google Workspace Content Pack (2064)

    • Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet, Chat, Drive, and Google Docs. Admin-related logs are included.

  • Graylog Compliance: Add remote access dashboard (2342)

  • Windows Security: Added parsing for Event ID 5379 (2170)

  • Cisco Umbrella: Added support for Cisco Umbrella (2066)

    • Cisco Umbrella is a cloud-delivered security platform that provides threat intelligence, secure access, and protection against internet-based threats.

  • Added Curated Alerts - Webserver (2235)

    • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.

  • Windows Security: Added parsing for Windows Event ID 5145 (728)

  • Windows Security: Added support for Event ID 4660 and 4658 (2216)

  • Illuminate: Added Open edition bundle (2300)

  • Added Curated Alerts - Linux (2241)

    • Adds a spotlight pack containing Sigma-formatted Linux alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.

  • Windows Security: Added support for Windows Event ID 4656 (1973)

  • Curated Alerts: Remote Desktop From Internet: added 172.22.x range and fixed GIM field (2212)

    • Renamed the non-existent GIM field source_is_reserved to the existing GIM field source_reserved_ip.

  • MS365: Added processing of Endpoint subtype events (2108)

    • Added processing for MS365 Endpoint file events: FileModified, FileCreated, FileDeleted, FileRenamed, FileDownloadedFromBrowser, ArchiveCreated, DlpRuleMatch, FileRead, FileCopiedToRemovableMedia. This includes field extraction, categorization, and updating the message field with a brief event summary.

  • Core: Added 16 new sigma mappings (1292)

  • Linux System Logs: Initial technology pack (2217)

    • Linux is a widely-used, open-source operating system that powers everything from servers and cloud infrastructure to desktop systems and embedded devices. For its initial release, this technology pack supports common Syslog and auth logs from Debian/Ubuntu distributions.

Fixed

  • MS365: CompliancePostureManagement events not being processed (2302)

  • Curated Alerts: Improved rule: Illuminate - Windows Security - Remote Desktop From Internet (2246)

    • Changed the source_reference field in this sigma rule to source_ip field to reduce the number of false-positives.

  • Fortigate: Fixed wrong event_action mapping (2327)

    • The event_action for server-rst and client-rst is now set to allowed. The field utmaction was previously mapped to vendor_event_action and is now mapped to vendor_utm_action.

  • Crowdstrike: Content and spotlight improvements (2140)

    • Revamped our Crowdstrike Falcon dashboards to improve alert focus, expanded coverage for additional alert subtypes, and resolved the misidentification of API events as authentication events, resulting in more accurate and comprehensive alert tracking.

  • MS365: Fixed logic for pipeline rule execution related to setting the message field (2289)

    • Pipeline processing order logic was preventing the message field from being properly set.

  • MS365: source_port no longer set to 0 when no source port exists in source JSON (2270)

Changed

  • Windows Security: Change request: add remote_access GIM tag for RDP sessions (2332)

  • MS365: Replaced occurrences of vendor_event_type with vendor_event_action in Spotlight (2274)

    • Changes to processing now rely on vendor_event_action; vendor_event_type is now considered a legacy field.

  • Palo Alto: Add GIM tag remote_access for Global Protect logs (2340)

Illuminate 5.2.0

Released: 2024-08-07

Added

  • MS365: Add processing for Security & Compliance Center events. (2104)

  • MS Defender for Endpoint: Added user, hostname, and MITRE widgets to spotlight. (2185)

    • Added two new widgets to the spotlight: alert count by user_name and by host_hostname on the Overview page. Moved the MITRE technique widget to its own page, which now also includes a MITRE process_name heat map widget. All widgets are now scoped to the Microsoft Defender for Endpoint stream.

  • MS365: Add processing for ListBaseType objects. (2139)

  • Add new GIM category: Detection. (2021)

    • The new "detection" category replaces the "Alert" category, which has been deprecated and will be removed in Illuminate 7.0.0. It was added to clear up confusion around the term "alerts." The detection category is assigned to detections generated by a security monitoring solution, such as IDS/IPS, DLP, or antivirus/anti-malware, or to other indications that potentially malicious or unwanted activity has been detected.

  • Sendmail: Added support for Sendmail mail server. (2065)

    • Sendmail is a free and open-source mail transfer agent (MTA) used to route and deliver email on Unix-based systems. This content pack supports most common logs and features dashboards to visualize sender/recipient activity, delivery status, ruleset rejections, authentication, and processing statistics.

  • Added Microsoft Windows Security - Windows Activity Sigma Rules. (2067)

    • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.

  • Windows: Add Winlogbeat Event Original Retention content pack. (1358)

    • Enabling this pack retains the winlogbeat_event_original field in Winlogbeat-forwarded messages.

  • Postfix: Added support if application_name starts with postfix. (2134)

    • Rsyslog always sends postfix as the application_name, but other log forwarders append the daemon/module name.

  • MS365: Add processing for Teams events. (2151)

  • MS365: Add processing for Compliance Posture Management events. (2158)

  • Anomaly: Extend MS365 authentication AD rule to include all authentication. (2229)

    • The previous anomaly detection rule for MS365 authentication only looked at failed logins. The updated Anomaly Detection Spotlight includes an updated MS365 rule that covers both all authentication events and failed authentication events.

Fixed

  • Illuminate Core allows duplicate gim_event_subcategory values. (2030)

  • Lookup-related performance issues. (2167)

  • Training Illuminate anomaly detection rules can cause excessive resource utilization. (2068)

    • A new pack has been added which provides updates to the existing anomaly detection rules. The updated rules only use the current write indices for training, whereas the previous rules contained no such limit. This change may lengthen the time that training the anomaly detection rules takes, but will reduce CPU and memory utilization during training. These rules are provided as a new pack in order to allow a smoother transition from the legacy rules to the updated rules. The legacy rules spotlight pack is deprecated and will be removed in Illuminate 7.0.0.

  • O365: AzureAD/EntraID application_name properly extracted. (2168)

    • The application_name field is now properly extracted from .Workload within the JSON message. Previously, the o365_application_id UID was being used and was inaccurate.

  • Rename the Bluecoat Anomaly Detection rule to Symantec. (2218)

    • Update the anomaly detection rule name for the ProxySG product in the new Anomaly Detection spotlight.

  • Postfix: event_created timestamps without year indexed with year set to 1970. (2039)

  • Apache: vendor_event_severity parsed incorrectly in some error logs. (2147)

    • The vendor_event_severity field is now properly extracted from some error log message types. Previously, vendor_event_severity would sometimes be assigned to vendor_apache_error_module.

  • CISCO_IOS: added support if the user_name is empty in login logs. (2211)

  • MS Defender for Endpoint: Added rule to remove the evidence_array field which is not needed after processing. (2201)

Changed

  • Fortigate: Scope dashboard widgets to Fortigate Messages stream. (2188)

  • MS Defender for Endpoint: Removed group by aggregation for alert count widgets. (2184)

  • MS365: Scope dashboard widgets to O365 Messages stream. (2110)

  • Postfix: This change improves titles of Spotlight widgets to better represent messages sent and messages not delivered. (2115)

  • Anomaly: Combine the Windows file activity anomaly detection rules into one. (2230)

    • The original anomaly detection pack provided three separate rules related to Windows file activity, one rule each for file access, writes, and deletes. These rules are all based on the same event data and can be combined into one job.

  • MS365: Processing modifications and renames. (2106)

    • The input-derived vendor_event_description is now set as the message field; vendor_event_description is then set via a lookup where the lookup contains data for the event.

Illuminate 5.1.0

Released: 2024-06-06

Added

  • Symantec EDR: Symantec Endpoint Detection and Response (EDR) Content Pack (1937)

    • Symantec Endpoint Detection and Response is used to detect advanced attacks using machine learning and global threat intelligence to minimize false positives and help ensure high levels of productivity for security teams.

  • Core: Added lookup for SMTP descriptions (2024)

  • NGINX: Added support of filebeat_application_name as application_name. (2061)

  • Cisco IOS: Added support for Cisco IOS (1944)

    • Cisco IOS (Internetwork Operating System): Proprietary software used in Cisco routers and switches, enabling robust management of network traffic, including data, voice, and video across various communications environments.

  • Apache: Added support of filebeat_application_name as application_name. (2061)

  • MITRE ATT&CK Tactic Lookup (1847)

    • In addition to the existing attacks_technique_uid to attacks_technique_name lookup, core will now map attacks_tactic_uid to attacks_tactic_name.

  • Add Illuminate Compliance Spotlight (1979)

    • This addition provides an Illuminate Spotlight pack designed to assist with compliance-related activities that are commonly supported by SIEM/log aggregation.

  • Postfix: Added support for Postfix (1970)

    • This Postfix content pack supports most available logs. The content pack also includes a dashboard with four tabs (General Overview, Email Messages, TLS, and SMTP).

Fixed

  • Duplicate message summaries for gim_event_subcategory:authentication.credential validation. (1339)

  • Fortigate: Handle structured Syslog messages in Illuminate processing (2005)

    • This fixes an issue with Fortigate processing where the message format causes the Syslog input to parse the message in addition to Illuminate parsing the message, leading to fields being extracted multiple times. When the Syslog input parses a Fortigate message, Illuminate will now use the fields generated by the input.

  • Core: Update built-in static accounts list (2085)

    • Update the built-in static accounts enrichments, adding all built-in groups listed by Microsoft.

  • Agent message summary view incomplete (1555)

  • Fortigate: The field wifi_channel is always created (2089)

Changed

  • Symantec Endpoint Security (SES): Deduplication of attacks_tactic_uid field and removal of attacks_tactic_id. (2070)

    • In some SES logs, the attacks_tactic_uid field can contain similar values. Added logic to de-duplicate those values. The attacks_tactic_id field has been removed, which is better represented by attacks_tactic_uid.

  • Allow merging of user/device category fields (167)

    • Graylog Illuminate core has provided two lookup tables to define account and device category and priority data, but any category data defined prior to Illuminate Core running would prevent data in the static device/account lookups from being added. The category data in the Illuminate core static accounts and devices lookups will now be merged with any duplicate values being removed when detected.

  • Symantec Endpoint Security (SES): MITRE Tactic ID & UID Extraction Update (1991)

  • Core: Enrich all events with a user field with category and priority data (2086)

    • Remove the requirement to categorize a message before enriching events with user fields (user_name, source_user_name, target_user_name) with category and priority information.

  • Symantec Endpoint Security (SES): Force vendor_data_entity_uid to be indexed as a string, no matter the subtype. (2058)

    • This change requires rotating the SES index to incorporate the updated field type.

  • Add support for Postfix-style timestamps (2035)

Illuminate 5.0.1

Released: 2024-05-14

Fixed

  • Symantec Endpoint Security (SES): Spotlight Not Defining Minimum Version. (1942)

  • Windows Security: Curated Alerts Spotlight Not Defining Minimum Version. (2013)

  • Windows Security: NXLog not extracting process parent information from 4688. (2010)

  • Windows Security: Event process ID is not reliably extracted from Window Security logs. (2016)

Illuminate 5.0.0

Released: 2024-05-06

Added

  • Packetbeat: New content request from the customer (1851)

    • With this addition all Packetbeat logs are supported, with the current focus on enriching DNS, HTTP, and Flow logs specifically, and on adding a spotlight with three tabs: an Overview tab, a Flow network overview tab, and an HTTP overview tab.

  • Added support for Windows Security Event ID 1108 (827)

  • Added extraction for process information for Event Ids 4798, 4799 (266)

    • Added NXLog and WLB7 field processing for process_path/id values from events.

  • Symantec Endpoint Security (SES): Initial technology pack (1732)

    • Symantec Endpoint Security is a cloud and hybrid-managed solution that provides the protection of SEP, attack detection of EDR, and other technologies to secure devices.

  • Add Network subcategory for ICMP (1696)

  • HAProxy: Added support for HAProxy (1854)

    • This HAProxy content pack supports default, TCP, HTTP, HTTPS and Error logs.

  • Added Microsoft Windows Security - User Activity Sigma Rules (1852)

    • Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.

  • Add new field gl2_processing_duration_ms to Illuminate field mapping templates (1891)

  • Graylog API Security Content Pack (1937)

    • Initial Graylog API Security Spotlight which includes an Overview tab highlighting API calls and alerts. Please see the Graylog documentation for more information on the spotlight pack and how to configure API Security to send logs to your Graylog instance.

Fixed

  • Sophos: Field normalization failure due to space in field name (1963)

  • Winlogbeat provides timestamp fields that are detected as dates but cause indexing failures (1902)

    • This disables date detection on all Winlogbeat "event data" fields. These fields are dynamically parsed by the Winlogbeat agent into individual fields. This addresses an issue where some event log messages may be rejected due to an index mapping type conflict on some of these fields: the event data fields are either only occasionally timestamps, or are timestamps in differing formats, likely due to local system settings. With this change, all Winlogbeat "event data" fields are indexed with the mapping type "keyword." The side effect is that some event data fields may be limited in how they can be analyzed in aggregations or searches. This change does not affect non-event data fields or any fields that have been renamed by Illuminate.

  • Windows Security: Fixed process_path renaming (1841)

    • Windows Security processing set process_name to the full path of the process. This value is now extracted to process_path instead, for both NXLog and Winlogbeat agents.

  • Symantec EP: Virus found logs not processed (1932)

  • CBDefense: Key value extraction generates illegal key name (1964)

  • SEPM: Updated dashboard to use detection instead of Alert. (1952)(1956)(1959)

    • The word "alert" is being reserved for the new curated alerts that will be coming soon, so existing usages of "alert" are being changed to "detection". The first pack being updated is the SEPM dashboards. Scoped streams were also added to this dashboard.

  • Windows Security: Improve accuracy of user_type identification pattern (1879)

    • The Illuminate Windows Security event processing was not identifying likely computer names that begin with a number. Setting a user type from the format of the logs is a best-effort process; there is no way to precisely identify whether an account is a user or machine account from log data alone.

  • Auditbeat: Will not process events with multiple vendor_event_action values (622)

  • O365: Updated messages incorrectly identified as legacy messages (1967)

  • Sonicwall assigning legacy GIM event code (1822)

  • Windows: nxlog process_id not extracted properly (1926)

  • Palo Alto: Global Protect categorization uses legacy GIM code (1818)

  • Cisco ASA: SFIMS message normalization target fields contain spaces (1966)

Changed

  • Changed vendor_message to message for Watchguard firebox (1496)

    • The message field contains a lot of data that is extracted into other fields. Removing this and rewriting the message will reduce storage utilization, reduce duplication of data, and lower the computational cost of the pattern-based extraction.

Removed

  • GIM Enforcement: Removed field enforcement of DNS transaction events (1739)

    • The DNS transaction event type has been removed. DNS events that contain both query and answer data are now assigned the relevant GIM codes for each of those events.

  • Removed event_source enforcement from GIM enforcement rules (1782)

    • The event_source field is deprecated and will be removed entirely from Illuminate 6.0.

Illuminate 4.2.0

Released: 2024-02-08

Known Issues

  • The minimum Graylog version required for this version of Illuminate is Graylog 5.1.11 or 5.2.4. (1808)

  • If you are running a Graylog 5.1.x version prior to 5.1.11 or a Graylog 5.2.x version prior to 5.2.4, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

  • Sysmon: Add source_reference selection for DNS query events (Sysmon Event ID 22). (1843)

  • AWS Security Lake: Added support for Security Lake. (1724)

    • The input supports the following objects: actor, answers, api, attack, cloud, compliance, connection_info, cve, device, dns_answer, dns_query, email, endpoint, file, finding, http_request, http_response, identity, malware, metadata, process, resources, network_proxy, proxy, query, user, dst_endpoint, traffic, and src_endpoint.

  • Added optional Core pack to enrich events with DNS query_request or DNS query_response fields with additional data. (1676)

    • When enabled, this pack will identify any messages processed by core which have the DNS message query fields query_request or query_response and enrich those fields. Messages with query_request will have the fields query_request_length and query_request_entropy added. Messages with query_response will have the field query_response_length added.
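The following is an added example (not Illuminate's own pipeline code) of the enrichment described in the entry above: for a message carrying query_request it adds query_request_length and query_request_entropy (Shannon entropy in bits per character, an assumed definition since the page does not state the formula), and for a message carrying query_response it adds query_response_length. Messages without either field pass through untouched, which is the behaviour a core pack applied to "any messages processed by core" needs. The sample messages are constructed for the example.

```python
import math

# Field names come from the release note; the entropy definition (Shannon,
# bits per character) is an assumption for this example.

def shannon_entropy(value: str) -> float:
    """Shannon entropy of the characters in value, in bits per character.

    Returns 0.0 for an empty string so the enrichment never raises on odd input.
    """
    if not value:
        return 0.0
    counts: dict[str, int] = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def enrich_dns_message(message: dict) -> dict:
    """Return a copy of message with the DNS length/entropy fields added.

    Only string-valued query_request / query_response fields are enriched; a
    message that has neither is returned unchanged (same keys, same values).
    """
    out = dict(message)
    req = out.get("query_request")
    if isinstance(req, str):
        out["query_request_length"] = len(req)
        out["query_request_entropy"] = round(shannon_entropy(req), 4)
    resp = out.get("query_response")
    if isinstance(resp, str):
        out["query_response_length"] = len(resp)
    return out


# Constructed sample messages (not real log data).
SAMPLE_MESSAGES = [
    {"source_ip": "10.0.0.5", "query_request": "www.example.com"},
    {"source_ip": "10.0.0.5", "query_response": "93.184.216.34"},
    # A message with no DNS query fields must pass through unchanged.
    {"source_ip": "10.0.0.6", "message": "kernel: link is up"},
]


def enrich_all(messages: list[dict]) -> list[dict]:
    """Apply the enrichment to every message, preserving order."""
    return [enrich_dns_message(m) for m in messages]


if __name__ == "__main__":
    for m in enrich_all(SAMPLE_MESSAGES):
        print(m)
```

In a dashboard, query_request_entropy is what lets a defender aggregate on unusually high-entropy names (a common property of algorithmically generated domains) without parsing the name again at search time; query_request_length serves the same purpose for oversized labels.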

  • Checkpoint FW: Add rule and layer widgets to Spotlight. (1833)

Fixed

  • Fortigate: Convert identification rule to regex instead of grok. (1858)

  • Anomaly Detection: Fix pack titles. (1707)

  • Windows: Non-Security event logs sent with NXlog are not processed. (1867)

  • Sysmon: DNS events assigned legacy code 140100. (1826)

  • BIND DNS: Normal queries not extracted to schema fields and not categorized. (1835)

  • Checkpoint FW: Vendor action "Reject" not mapped to event_action. (1832)

Changed

  • Sysmon: Split DNS responses into individual values. (1828)

  • Checkpoint FW: Layered tree structure dropped during processing. (1823)

    • Checkpoint Firewall events sometimes contained multiple values for some fields, but only the first value was extracted. The following fields now contain the full list of extracted values: rule_name, rule_id, vendor_layer_name, vendor_layer_id, vendor_match_id, vendor_parent_rule, vendor_rule_action.

  • Move DNS query request and response length calculations out of GIM enforcement. (1730)

  • Sysmon: Spotlight dashboards updated to use the DNS response GIM event type code (140200) instead of the DNS transaction code (140100). (1837)

Illuminate 4.1.0

Released: 2024-01-04

Known Issues

  • The minimum version required for this version of Illuminate is Graylog 5.1.10 or 5.2.3. (1808)

    • If you are running a Graylog 5.1.x version prior to 5.1.10, or a Graylog 5.2.x version prior to 5.2.3, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

  • Okta: Switch from using the field vendor_event_action to using the field vendor_event_type. (1789)

  • Okta: Extract user_domain from user_name. (1751)

  • Powershell: If the registry gets changed via a reg command, the fields registry_type and registry_path are parsed out and get categorized. (633)

    • Logging for event_id 4104 must be enabled (script block logging).

  • Added parsing for Cisco Meraki MR logs. (788)(1687)

    • Added support for Meraki association, disassociation, wpa_auth, wpa_deauth, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers, and device_packet_flood MR events. All ports are now numeric values.

  • O365: Add record type enrichment. (1806)

    • Added an enrichment that provides a description of the Office 365 record type. This enrichment is only available on the updated Office 365 inputs, available in Graylog after X.X.X, or for prior versions of the Office 365 inputs with the full_message option enabled.

Fixed

  • BIND: Add support for severity_level mapping and support new log types. (1669)(1725)

    • Mapped all severity levels to our schema and added support for BIND security log type.

  • O365: User email field contains the user ID value. (1749)

    • This has been addressed in the updated Illuminate Office 365 processing but still exists with the Office 365 integration prior to 5.1.10 without the full_message capability enabled.

  • O365: Update Illuminate Pack Titles (1704)

  • SEPM: Fix a client traffic log issue where having a null Remote Host Name broke parsing. (1784)

  • Okta: Problems with policy.evaluate_sign_on processing. (1794)

    • Change categorization of the policy evaluation rule policy.evaluate_sign_on to authentication.default.

  • O365: Alerts generating GIM errors (1425)

  • O365: Exchange ModifyFolderPermissions incorrectly categorized as iam.object modify. (1803)

  • Okta: Categorize user.authentication.sso as credential validation event. (1752)

  • Ubiquiti Unifi: Dnsmasq events using legacy GIM type multi-code assignment. (1746)

Changed

  • Removed alert_severity_level mapping functions/lookups. (1718)

    • The Snort3 pack now relies on core to map alert_severity_level from alert_severity. alert_severity_level should no longer be a string.

  • Removed rules that processed logs and fields tied to the initial Snort3 filebeat configuration. (1715)

    • The initial release of the Snort3 pack did not set the target field in the Filebeat configuration. Current documentation notes adding 'target: "snort3"' which is required for proper log processing. This release now fully requires that field to be set.

  • Meraki: Renamed WiFi fields to match the schema. (1719)

  • Okta: Update Illuminate processing to support updates to the Okta input. (1789)

    • Parsing of Okta messages will be moved from the Graylog Okta input to Illuminate. This will allow for more rapid response to Okta message processing requests as they can now be provided by Illuminate updates, which can be released more frequently, instead of relying on Graylog Enterprise updates. This pack will maintain support for the legacy Okta inputs until Illuminate 6.0 is released. At that time, the support for the legacy Okta input message format will be removed. Support for the enhanced processing can be enabled on the Okta legacy input by enabling the full_message feature in the Okta input configuration.

  • O365: Add logic to support parsing full message. (1769)

    • Parsing of Office 365 messages will be moved from the Graylog Office 365 integration input to Illuminate. Migrating the parsing out of the integration input improves the ability to update the parsing rules on a more frequent basis. Support for the updated Office 365 message processing can be enabled on the Office 365 legacy input by enabling the full_message feature in the Office 365 input configuration.

  • Sophos: Renamed WiFi fields to match the schema. (1721)

  • Modified the Zeek message field construction to only use the event description field, which is derived from a lookup. (1329)

    • The message field is now composed only of the event description (derived from a lookup). The prefix 'Zeek - ' is no longer prepended, and vendor_event_log_description is removed (its content is now in message).

  • Defender EP: Added logic to dedup the user_name field. (1693)

    • Previously, the user_name field array could contain the same user_name multiple times. Added logic to dedup similar names.

  • Okta: Improve handling of vendor client geo information. (1795)

    • Normalize Okta-provided geolocation enrichment data to fields with the prefix vendor_client_geo. This will prevent the Okta-provided geolocation enrichments from colliding with the Graylog-provided Geolocation enrichments.

  • Fortigate: Renamed WiFi fields to match the schema. (1717)

Removed

  • O365: Remove Skype Office 365 tab (1806)

    • Skype For Business was retired in July of 2021.

Illuminate 4.0.0

Released: 2023-11-01

Known Issues

  • Installing this Illuminate release will cause any currently running Anomaly Detection jobs to be disabled. Please identify which Anomaly Detection jobs are running prior to activating this release and enable them after this version has been activated.

Fixed

  • Cisco ASA: Some authentication messages have GIM errors, logoff events are wrongly categorized (1421)

    • Added the missing destination_reference field for ASA authentication messages 606001 through 606004. Logout messages are now categorized as logout messages, and vendor_event_action is now success.

  • Sophos Firewall: Spotlight widgets including non-Sophos data (1686)

  • SonicWall saved search widget modification and dashboard spelling correction (1557)

    • The Message Count by Severity widget in the SonicWall NGFW Log Viewer - Filtered saved search had a confusing sort order; it is corrected to sort by vendor_event_severity_level. Also fixed the spelling of the dashboard title (previously started with Illuminate:* and corrected to Illuminate:*).

  • Sysmon: add file_is_executable extraction for Event ID 28 (1552)

  • ASA dashboard has confusing severity levels (1559)

  • Stormshield Bugfixes and Enhancement (1610)

    • Updated the bugfix rule to account for logs that contain both a cat_site and an arg field. An existing Stormshield bug adds an extra quotation mark to the cat_site field value, which breaks parsing.

  • Sysmon: Normalize Event Type to vendor_event_type for all related Sysmon events (1576)

  • Cisco ASA: Alert severity not assigned for some 338002 messages (1420)

    • All dynamic filter messages 338001 to 338204 now get an alert severity even if the message does not have this field. Renamed field vendor_alert_severity1 to vendor_alert_severity.

  • Added check for previously identified messages to Checkpoint (1612)

  • Illuminate: Added event_error_code mapping as keyword (1674)

    NOTE: This may cause a short-term mapping conflict in dashboards where mapping types are updated (such as with Palo Alto), but this conflict will resolve over time. Some products produce an error code as an integer value; others produce codes in other formats such as hex. This field is expected to be a keyword type, but implicit mappings result in mapping conflicts where integer values are mapped as type "long." The static mapping of event_error_code as keyword resolves this mapping conflict.

  • Windows Security: Event 4663 not handled properly (803)

    • Windows 4663 was categorized as a file change, but 4663 can reflect changes to multiple components on a system in addition to the file system. Illuminate will now categorize the event based upon the component identified in event ID 4663.

  • Sysmon extracting target process name incorrectly (1575)

    • The field was being extracted incorrectly as target_process_name; it is now extracted as process_target_name.

  • Symantec Endpoint: Spotlight Alert destinations widget uses source fields (1679)

  • Moved Cisco ASA identification rules from stage 2 to stage 5 (1613)

  • Fortigate: fixed event_severity & event_severity_level for informational and low (1642)

    • The Fortigate event severity for informational events now properly maps to a value of 1 for event_severity_level and informational for event_severity. Additionally, for notice Fortigate events, the event_severity_level has been corrected to a value of 2 (low).

  • Cisco ASA: Add support for user names with an @ in them. (1661)

  • Checkpoint: Fixed processing of text for severity levels (1688)

Added

  • Added Ubiquiti UniFi Overview dashboard to go along with the existing Ubiquiti UniFi Illuminate pack. (1296)

  • Added new technology pack NGINX Webserver (1207)

    • This pack adds support for NGINX Webserver. It is tested with versions 1.18/1.24 with the combined log format.

  • Added Asset pack to Illuminate Security editions

    • Adds the Asset processing pack needed to add the associated_assets field to messages used by the Assets feature, available only in Graylog Security.

  • Added support for Audit Security System Extension Windows events (216)

    • Added support for additional Windows Security Event IDs 4610, 4611, 4614, 4622, 4697, which are enabled by the Audit Security System Extension policy in Windows. See https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension for additional information about these events.

  • Core MITRE lookup that allows the mapping of technique UID to name (1622)

    • Added a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.

  • Updated Juniper documentation to include required input setting for proper processing (1569)

  • Added full support for Cisco Firepower (1449)

    • Adds full parsing for Cisco Firepower FTD events. Event IDs between 430001 and 430005 are now fully supported. This Illuminate pack processes the Cisco Firepower logs delivered to Graylog via Syslog and is not for use with the Cisco Firepower Event Streamer (eStreamer)/eNcore agents. The pack supports %FTD, %NGIPS, %NGFW (and %ASA) logs.

  • Illuminate: The http_response_code field now gets enriched. The new field http_response describes the response code. (1633)

  • Windows Security: Add access list enrichment (1644)

    • Windows 4663 contains codes that reflect the types of access requested. Adds an enrichment that provides a plain-text description of these access list codes in the field vendor_access_type.

  • CrowdStrike Falcon Technology Pack (1483)

    • CrowdStrike Falcon technology pack release. Supports alerts and authentication events received by the CrowdStrike input, and includes a spotlight pack with an overview tab, authentication tab, and alert tab.

  • Microsoft Defender for Endpoint Technology Pack (1540)

    • Microsoft Defender for Endpoint technology pack release. Supports 'alerts' events received by the Microsoft Defender for Endpoint Graylog input. Also adds a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.

Changed

  • GIM Enforcement: Change enforced source and destination fields for events categorized as network messages (1524)

    • Reference fields (source_reference, destination_reference) are selected from a list of possible source fields such as source_ip, destination_ip, and source_hostname. Requiring the reference fields for the network category, instead of only the IP fields, allows more messages to be categorized as network messages: some sources provide hostnames or MAC addresses instead of IPs, and with the reference-field requirement those messages are also categorized as network messages.

  • Core: Revised reference field processing (1685)

    • Reference fields (host_reference, source_reference, destination_reference) are now processed for any message with candidate fields, not just categorized messages. Any message with source/host/destination IP, hostname, or MAC fields will now have the associated reference fields added. For example, a message with host_ip, host_hostname, or host_mac will have a host_reference field generated.

  • Convert Illuminate Spotlight content IP fields to instead use reference fields (1673)

    • Many existing Illuminate dashboards use the IP fields (source_ip, destination_ip, host_ip) for aggregations, but aggregating on IP-mapped fields commonly runs into aggregation errors. Converting the aggregations to the "reference" fields (source_reference, destination_reference, host_reference) uses keyword-mapped fields while retaining the ability to search the IP-based fields with CIDR functions and range searches, which reduces the number of aggregation errors when viewing Illuminate content. Reference fields are selected from multiple candidate fields (such as source_ip, source_hostname, source_mac, and others) but will typically contain the original IP field data, because the IP field is the first choice selected when it exists.
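The three entries above (the network-category requirement from 1524, the reference field processing from 1685, and the Spotlight conversion from 1673) describe one mechanism. The following is an added example of that selection logic, not Illuminate's own rule code: for each of host, source and destination it picks the first available candidate and stores it as a string (the reference fields are keyword-mapped), and it contrasts the old network-category check (IP fields only) with the new one (reference fields). The page states the IP field is the first choice; the hostname-before-MAC order and the exact candidate suffixes are assumptions of this example, as are the sample messages.

```python
# Assumed candidate order for this example: IP first (stated on the page),
# then hostname, then MAC.
CANDIDATE_SUFFIXES = ("ip", "hostname", "mac")
PREFIXES = ("host", "source", "destination")


def add_reference_fields(message: dict) -> dict:
    """Return a copy of message with <prefix>_reference fields added.

    Runs for any message with candidate fields, categorized or not, as the
    revised core processing does. A prefix with no candidates gets no
    reference field.
    """
    out = dict(message)
    for prefix in PREFIXES:
        for suffix in CANDIDATE_SUFFIXES:
            value = out.get(f"{prefix}_{suffix}")
            if value not in (None, ""):
                # Stored as a string so the field stays keyword-mapped and
                # aggregates cleanly in dashboards.
                out[f"{prefix}_reference"] = str(value)
                break
    return out


def is_network_candidate_legacy(message: dict) -> bool:
    """Old GIM network requirement: both IP fields must exist."""
    return "source_ip" in message and "destination_ip" in message


def is_network_candidate(message: dict) -> bool:
    """New GIM network requirement: both reference fields must exist."""
    return "source_reference" in message and "destination_reference" in message


# Constructed sample messages (not real log data).
SAMPLE_MESSAGES = {
    # Firewall log with IPs on both sides: categorized under both rules.
    "firewall": {"source_ip": "10.1.2.3", "destination_ip": "203.0.113.9"},
    # Proxy log that only knows the client by hostname: only the new rule
    # lets it be categorized as a network message.
    "proxy": {"source_hostname": "wks-042", "destination_ip": "203.0.113.9"},
    # Switch log that only carries a MAC: host_reference is still generated.
    "switch": {"host_mac": "00:11:22:33:44:55", "message": "port up"},
}


def evaluate(messages: dict) -> dict:
    """Map each sample name to (enriched message, legacy result, new result)."""
    results = {}
    for name, msg in messages.items():
        enriched = add_reference_fields(msg)
        results[name] = (
            enriched,
            is_network_candidate_legacy(enriched),
            is_network_candidate(enriched),
        )
    return results


if __name__ == "__main__":
    for name, (enriched, legacy_ok, new_ok) in evaluate(SAMPLE_MESSAGES).items():
        print(f"{name}: legacy={legacy_ok} new={new_ok} {enriched}")
```

Note that the proxy message is the case the 1524 change targets: it has a usable source identity (a hostname) and was previously excluded from the network category only because that identity was not an IP.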

  • Converted gim_event_type_code assignments to support multiple values (1504)

    • The assignment of a `gim_event_type_code` value had been limited to one value. With this change the `gim_event_type_code` field is now a list of values and multiple codes can be assigned. This change requires Graylog 5.1.5 or greater.

  • Rename original Microsoft Defender content to Microsoft Defender Antivirus (1654)