Illuminate Changelogs

Illuminate 7.0.0

Released 2025-11-06

Added

Symantec Proxysg: Added alert_severity_level mapping based on event_action where applicable. (419)
Checkpoint FW: Added support for additional vendor_event_action values, important ones being encrypt and decrypt. (2917)
- Additionally, restructured EXISTING vendor fields to better align with log output for existing action/outcome related fields: vendor_event_outcome is now vendor_event_action, vendor_event_outcome_reason is now vendor_event_action_reason, vendor_event_action is now vendor_event_operation.
Bitdefender GravityZone: Added support for New Extended Incident logs. (3059)
- Added basic parsing for RPC formatted GravityZone logs for a possible future extension. A matching RPC GravityZone Push input does not exist, but parsing can be tested via filebeat.
Windows Security: Added support for status code 0xC0000413 - STATUS_AUTHENTICATION_FIREWALL_DENIED. (2836)
Microsoft IIS Content Pack (1067)
- Microsoft IIS (Internet Information Services) is a flexible, secure, and manageable web server developed by Microsoft for hosting websites, web applications, and services on Windows. It supports HTTP, HTTPS, FTP, FTPS, and more, and integrates tightly with ASP.NET, Windows authentication, and the broader Windows Server ecosystem.
AWS Kinesis Content Pack (3076)
- Amazon Kinesis is a managed AWS service for real-time data streaming that lets you collect, process, and analyze large streams of data continuously. It is commonly used for analytics, log ingestion, and event-driven applications requiring near-instant processing. This pack parses and categorizes AWS VPC Flow logs via AWS Kinesis. Support for other log types might be added later.
1Password Content Pack (2993)
- 1Password is a secure password manager and secret vault used to store and manage credentials, API keys, and sensitive information. It uses strong encryption to protect data, supports secret references for easy retrieval, and ensures sensitive values are never exposed in plain text. By centralizing secrets, 1Password improves security, reduces the risk of leaks, and simplifies credential management.
Cisco Business 350 Series (CBS): Cisco Business 350 Series Content Pack (2263)
- The Cisco Business 350 Series Switches are managed Layer 3 network switches designed for small and medium-sized businesses, offering advanced features like VLAN segmentation, static routing, and enhanced security in a simple, intuitive interface.
F5 BIG-IP: Added a Content Pack that supports the AFM and ASM module. (1137)

Fixed

NetFlow: Fixed IPFIX message identification and added support for different set fields. (2851)
Bitdefender: Fixed wrong input name. (3115)
Cisco ISE: Modified base extraction regex to make syslog header info optional. This will allow sending to a syslog or raw tcp input. (3004)
Symantec ProxySG: Moved alert_severity_level lookup data to its own .csv to address lookup complaint of duplicate values. (3125)
Linux Auditbeat: Corrected issue mapping vendor_event_type: changed-promiscuous-mode-on-device. (2928)
Cisco ISE: Fixed CmdSet parsing so the full command is returned as vendor_cmdset, dropping CmdAV and CmdArgAV. (3019)
Bitdefender GravityZone: Fixed wrong search path in the New Incidents Count widget. (3007)
Curated Alerts: Improved rule: Illuminate - Windows Security - Active Directory Database Snapshot Via ADExplorer. (2583)
- The detector now covers execution of the 64-bit variant of ADExplorer to create database snapshots.
Core DNS Processing: Fixed filter causing inconsistent results in the dashboard. (2675)

Changed

NetFlow: Changed NetFlow IPv4/IPv6 renames and field types. (3074)
Cisco IOS: Streamlined identification rule logic to be more efficient. (2823)
Powershell: converted the use of multiple grok patterns per rule to use multi_grok. (2669)
Microsoft Defender Antivirus: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2563)
Snort: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2567)
Stormshield: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2559)
Palo Alto: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2564)
Postfix: Converted the use of multiple grok patterns per rule to use multi_grok. (2667)
Meraki: Converted the use of multiple grok patterns per rule to use multi_grok. (2668)
SEPM: Converted the use of multiple grok patterns per rule to use multi_grok. (2673)
Palo Alto: Renamed spotlight title. (2824)
Sophos Firewall: Converted the use of multiple grok patterns per rule to use multi_grok. (2671)
Sonicwall: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2553)
Schema: Modified index templates to copy hash-related fields to associated_hash. (1940)
- Prior to this change, Illuminate only supported a number of common hash fields (hash_md5, hash_sha256, etc.) as part of the schema. Because hashes can be related to multiple types of sources (files, processes, etc.), a dynamic field mapping has been added that will copy any hash field (process_hash_*, process_parent_hash_*, file_hash_*, hash_md5) to associated_hash. This will provide additional context to all hash objects.
Cisco Meraki: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2557)
Symantec Endpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype anomaly from alert to detection. (2561)
Palo Alto 11: Updated colors for widgets that reference event_action to reflect schema. (687)
Fortigate: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as virus, anomaly, and ips from alert to detection. (2376)
AWS Security Lake: Changed gim_event_category from alert to detection. (2314)
- The dashboard now supports gim_event_categories alert and detection. The event codes 200100, 200101, 200102, and 200199 changed the gim_category from alert (179999) to detection (309999).
Microsoft Defender Endpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype virus from alert to detection. (2971)
Microsoft 365: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as dlp and anomaly from alert to detection. (2565)
Bitdefender Telemetry: Change GIM code for network events. (2950)
- GIM codes for network events updated from 129999 (default) to 120200 (open) and 120300 (close) events.
Illuminate: Disabled dynamic date detection for all Illuminate indices. (3008)
- Dynamic date detection, enabled by default in OpenSearch, has lead to numerous reports of mapping errors due to a race condition with fields that do not use consistent formats, or even values. This change disables that behavior and makes it so that any date field must be explicitly mapped by the Illuminate index mapping templates.
Sophos Firewall: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as virus, ATP, components anomaly, and signatures from alert to detection. (2558)
Cisco ASA: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as ips, malware, AMP verdicts, and file inspection from alert to detection. (2374)
Okta: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype anomaly from alert to detection. (2441)
Pfsense: Standardized gim_event_type_code mappings to align with detection categories. Reclassified event types such as snort, suricata, and sshguard attack from alert to detection. (2566)
Checkpoint: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ips from alert to detection. (2315)
Linux Auditbeat: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype violated-apparmor-policy from alert to detection. (2377)
Zeek: Changed DNS request categorization to exclude NBSTAT. (2618)
Symantec SES: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtype ids from alert to detection. (2562)
Symantec EDR: Standardized gim_event_type_code mappings to align with detection categories. Reclassified subtypes such as reputation, ips, sonar, antivirus, sandbox, and ioc from alert to detection. (2560)
Crowdstrike: Standardized gim_event_type_code mappings to align with detection categories. Reclassified default from alert to detection. (2399)
Core: Support MITRE ATT&CK Enterprise attacks_technique_uid & attacks_tactic_uid string values. (1711)
- MITRE ATT&CK Enterprise attacks_technique_uid & attacks_tactic_uid field values will now be enriched if their values are multi-value or strings. Previously, the enrichment only handled multi-value data.

Removed

Microsoft 365: Removed redundant type assignment in 22-o365_scc_categorize_alerts rule. (2957)
Bitdefender GravityZone: Removed a possible leading forward slash for the source field. (3058)
- The input creates a forward slash if the hostname is empty and will attach it to the IP. This fix removes the added forward slash.
Compliance Content: Removed deprecated 'Compliance Content Spotlight (Deprecated)' spotlight. (2959)

Deprecated

Palo Alto 9.1x (2716)
- The Palo Alto 9.1x Spotlight and associated processing content have been deprecated.
- Support for version 9.1x will be discontinued and the content will eventually be removed from Illuminate.
- Users should transition to the Palo Alto 11 Content Pack, which includes updated Spotlight content.

Illuminate 6.4.0

Released 2025-06-17

Added

Apache HTTP: Added a dashboard for Access and Error logs. (2846)
Windows Security: Added parsing and categorization for Event ID 5136. (2763)
Bitdefender: Added support for Syslog Telemetry and Syslog On Premise events. (2774)
Mimecast Content Pack (2242)
- Mimecast is a cloud-based cybersecurity provider specializing in email security, offering protection against phishing, malware, spam, and data leaks. It also delivers services for archiving, continuity, and threat intelligence to help organizations secure their communications and ensure compliance.
Linux Auditbeat: Added a lookup that maps the vendor_network_direction field to the standardized network_direction field. (2243)
- This update aligns with the Graylog schema to ensure consistency in field naming across content packs. The spotlight has also been updated to reflect this change, making it easier to search and filter by normalized network direction values.
Linux AuditD: Added pack to process Linux AuditD events. (2775)
- This pack adds support for processing Linux AuditD events.
Caddy Webserver: Caddy Webserver Content Pack (2772)
- Caddy is a modern, open-source web server that automatically manages HTTPS certificates using Let's Encrypt. It serves static files, proxies requests, and supports advanced configurations with minimal effort.
pfSense: Added support for Kea DHCP logs. (2572)
Fortigate: Add categorization for event_id 32044 (delete event logs). (2795)
Linux System Logs: Add support for additional pam/sshd authentication logs. (2808)
Sophos Central: Added a spotlight. (2783)
- This spotlight supports endpoint events. It includes Overview and Threat Event tabs for quick visibility into diagnostic, application control, DLP, and threat detection events.

Fixed

Illuminate: Assets processing doesn't work. (2641)
Fortigate: Changed field renaming. (2864)
- Changed the following field names: vendor_destination_device_mac to destination_mac.
Core: Reserved IP address ranges out of date/missing ranges. (2653)
Sophos Central: Fixed the event_severity level mapping values. (2812)
Crowdstrike: Fixed the alert_severity_level from 3 to 2 in the Low Severity Detections widget in the Detections tab. (2794)
Linux System Logs: Unhandled empty username in some SSH connection logs. (2793)
- SSH connection logs containing empty usernames now assign the user_name field the value _NULL_. In addition, relevant connection messages are now GIM categorized as 109999 (authentication.default). These messages could indicate intent to authenticate that failed or scanning activity where the connection was cut short by the client before authentication was prompted. Both cases are useful for monitoring.

Changed

Fortigate: Changed field names and remove empty fields. (2778)
- Changed the following field names: vendor_policyname to policy_name, vendor_dstserver to vendor_destination_server, vendor_dsthwvendor to vendor_destination_hw_interface, vendor_dstintfrole to vendor_destination_interface_role, vendor_srchwvendor to vendor_source_hw_interface, vendor_srcintfrole to vendor_source_interface_role, vendor_dstserver to vendor_destination_server, and vendor_poluuid to policy_uid. Removed vendor_destination_server and vendor_source_server if they are 0.
Core DNS Processing: Updated DNS Messages by Approval Over Time dashboard widget to use static color assignments for clarity. (2656)
Bitdefender: Migrate from the deprecated alert category to the detection category. (2840)
Bitdefender: Using the correct more specific hash field names, e.g. hash_md5 is now file_hash_md5. (2551)

Illuminate 6.3.0

Released 2025-04-28

Known Issues

Important Version Note: Modified Graylog server minimum version support requirement for Illuminate 6.3.0 bundles. (2764).

Periodically, for Illuminate to take advantage of updated and new functionality built into newer versions of Graylog, the minimum supported version(s) of Graylog must be updated. For Illuminate 6.3.0, the minimum Graylog server version has been updated to 6.1.0. DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to the minimum supported version (6.1.0) or higher. Please note that the Illuminate hub will enforce this requirement.

Added

NetFlow: NetFlow Content Pack (2646)
- NetFlow is a network protocol used for collecting, analyzing, and monitoring network traffic. It provides insights into who is communicating with whom, how much data is being transferred, and over which protocols.
Windows Security Alerting Pack: Added an ID to one of the alerts. (2609)
- Updated the rule "Illuminate - Windows Security - Possible Initial Access By Phishing With File Extensions As TLD (via dns)." Added an ID.
CarbonBlack/CB Defense: Added categorization, changed field names and added alert_severity. (340)
- Carbon Black active_threat and malware_prevention messages are now categorized as alert_default. Non schema fields now have the prefix vendor_. vendor_event_description is now alert_signature. vendor_transaction_type is now vendor_event_type. Messages now have an alert_severity and an alert_severity_level.
Checkpoint NGFW: Added severity level normalization rule. (2298)
- Added event_severity mapping for the 17 most common subtypes.
Windows: Windows DNS Server Content Pack (2647)
- This content pack provides enhanced visibility into Windows DNS Server activity by leveraging audit event logs and analytic logs via Event Tracing for Windows (ETW). It includes parsers, normalization, enrichment, and dashboards designed to help monitor DNS operational and transactional events efficiently.
Apache Tomcat Content Pack (2747)
- Apache Tomcat is an open-source Java servlet container developed by the Apache Software Foundation. It enables Java-based web applications by handling servlets and JavaServer Pages (JSP). Added parsing for access and some Catalina logs.
GitLab: GitLab Content Pack (2645)
- GitLab is a DevOps platform that provides source code management, CI/CD pipelines, and security features for software development. It enables teams to collaborate, automate workflows, and manage repositories in a single application.
Windows AppLocker: Added spotlight widgets and parsing for file base paths. (2694)
- Added parsing for file base paths as vendor_file_base_path and created Spotlight widgets to visualize commonality/rarity of base paths.
Checkpoint NGFW: Added a saved search to the spotlight that highlights the different Syslog levels. (1558)
- Added support for Microsoft Sysmon Events. (811)
Graylog Compliance: Unified Visibility Spotlight (Preview) (2767)
- This preview compliance pack provides targeted visibility into Identification & Authentication (IAC), Network (NET), and Endpoint (END) events that support control requirements shared across NIST SP 800-53 Rev 5, PCI DSS v4.0, and US CMMC 2.0 Level 1. The spotlight includes dashboards and a daily report template with tailored widgets for compliance reporting.
Cisco ISE: Cisco ISE Content Pack (2412)
- Cisco Identity Services Engine (ISE) is a security policy management platform that provides secure network access to end users and devices. It enables organizations to enforce secure access policies for endpoints and users across wired, wireless, and VPN networks.
Paloalto 11x: Added support for Paloalto 11x. (489)
Sophos Central: Added parsing for endpoint API logs. (394)

Fixed

Cisco ASA: Fixed misspelling for vendor_event_description. (2720)
Linux System Logs: Added missing Syslog header field extractions for Filebeat-forwarded messages. (2709)
Linux System Logs: Fixed (source_)user_name parsing to account for possible (source_)user_domain. (2735)
Sigma User Activity Alerting Pack: Changed a rule to avoid false positives. (2570)
Updated the rule "A Logon was Attempted Using Explicit Credentials by Suspicious Process (via audit)" creating high amounts of false positives. Excludes the source_user_session_uid 00000000 0000 0000 0000 000000000000.
Juniper SRX: Identification rule performance on non-Juniper messages was slow. (2726)
Sonicwall: Parsed out the correct user_name value for event_code 29, 30, 261 and 262. (2657)

Changed

Checkpoint FW: Changed the two reference fields. (2666)
Changed incorrect reference field names for destination from USER_NAME_NOT_DEFINED to DESTINATION_REFERENCE_NOT_DEFINED and source from SOURCE_NOT_DEFINED to SOURCE_REFERENCE_NOT_DEFINED.
NGINX Web: Renamed client_ip to source_ip in error logs. (2643)

Removed

Linux Auditbeat: Removed the source and destination reference fields creation from the pack. (2665)
Cisco IOS: Removed the redundant field vendor_event_type for all Cisco IOS messages. (2277)

Illuminate 6.2.0

Released: 2025-02-06

Added

MS365: Extract host_name from AzureActiveDirectory (EntraID) Endpoint message metadata. (2599)
Illuminate Core: Add Internal/Enterprise Networks process/feature. (2584)
- This change adds a lookup named core_networks to Illuminate core. Illuminate customers can customize the adapter core_networks_adapter, adding a CIDR-notation IP range and category values. Illuminate will detect when source_ip/destination_ip/host_ip matches these CIDR ranges and add a related category field, source_category/destination_category/host_category, with the values provided in the lookup.
MS365: Extract email metadata from Exchange events. (2577)
- Extract Email metadata from Exchange events, including email subject and email parent folder path.
Windows Security: Added parsing for Linked Logon ID (user_linked_session_id) - event 4624. (1890)
Sonicwall: Added and changed parsing for some fields. (2556)
- Added parsing for destination_nat_ip, source_nat_ip, destination_nat_port, and source_nat_port. Renamed vendor_referer to http_referrer and vendor_icmpCode to network_icmp_code_number. Added support for IPv6.
Linux: Added parsing for UFW logs. (2623)
Windows Security: Add support for Windows Event ID 4696 and 4703. (2053)
Linux: Added parsing for IPTable logs. (2634)
Core: Added lookup table that maps query_record_type to query_record_type_code. (2478)
Sonicwall: Added support for the new detection category in the dashboard. (2553)
AppLocker: Windows AppLocker Content Pack (2607)
- Windows AppLocker enables administrators to control which applications and files users can run, including executables, dynamic-link libraries (DLLs), scripts, installers and packaged apps.
MS365: Added parsing for Exchange Item Group auditing activity. (2601)
- This activity details information when multiple mailbox items are accessed or modified as part of one consolidated action and includes e-mail attachment extraction.
MS365: Added parsing for Teams privacy setting changes to a team. (2586)
Curated Alerts: Adding Windows Threat Campaigns - Sigma Rules (2547)
- A collection of Sigma rules selected from TruKno's Threat Detection Marketplace and curated by the Illuminate team.
Sonicwall: Added and changed categorization for some event codes. (2548)
- The following event_codes are now categorized: 14, 36, 97, 263, 355, 356, 524, 526, 1573. The following event_code has been changed: 1226 is now 129999 and not 180200, 120000.

Fixed

Cloudflare: Possible indexing errors with vendor_edge_response_compression_ratio data type. (2613)
Windows Security: Fixed the typos for ProcessCreation and AADInternals. (2578)
Updated stream routing rules with match pass logic where applicable. (2612)
- Stream routing rules should be set to match pass to take advantage of the _skip_default_gl_routing_ field when set.
Curated Alerts: Make Webserver and Linux pack visible (2620)
- The bundle now contains the Webserver and Linux Curated Alert packs.

Changed

Sonicwall: Lowered license utilization. (2550)
- The message field is now the vendor message field to avoid data duplication. The following fields are now deleted if they are zero: destination_bytes_sent, destination_packets_sent, source_bytes_sent, source_packets_sent.
MS365: Update Exchange parent folder item processing to extract individual fields. (2580)
Checkpoint FW: Properly named count related metric widget(s) in spotlight. (2527)
Core: Updated description for the core-sigma-field-map_adapter data adapter so it accurately reflects the required key and value. (2568)
Curated Alerts: Added a gl- prefix to the Sigma IDs (2637)
Meraki: Properly named count related metric widget(s) in spotlight. (2530)
MS365: Removed event_log_name field. (2600)
- Removed the event_log_name field which is better represented by vendor_record_type_code and the lookup enhancements that come with it.

Illuminate 6.1.0

Released: 2024-11-21

Added

Sysmon: Added user_name parsing for event_code 16. (2309)
Sophos: Added support for new firewall file names. (2508)
- Sophos changed the field names vendor_packets_sent and vendor_packets_received in firewall logs. Renamed vendor_dst_mac to destination_mac.
Bitdefender: Bitdefender GravityZone Content Pack (2362)
- Bitdefender GravityZone is an enterprise security solution offering centralized management for endpoint protection, network security, and cloud security. It consists of about 45 modules.
MS365: Added additional vendor_event_action to lookup. (2157)
- The addition of numerous vendor_event_action to the related lookup will allow other fields to be populated where info exists. Other fields being vendor_event_category, gim_event_type_code, and vendor_event_description.
MS365: Added GIM categorization for additional DLPEndpoint file related events. (2254)
MS365: Process role assignment and removal events (2483)
- This change processes the MS365 role removal and assignment events. The roles assigned/removed will be extracted to the fields privilege_added_name, privilege_added_id, privilege_removed_name, privilege_removed_id.
Sophos: Added Sophos stream to dashboard scope. (2500)
Windows: Categorize Security Event ID 4703, 4704, 4705 as privilege added and privilege removed. (2532)
Cloudflare: Cloudflare Content Pack (2363)
- Cloudflare is a web infrastructure and security company that provides services such as content delivery, DDoS protection, internet security, and domain name server (DNS) solutions to enhance website performance and protect against cyber threats.
Sysmon Spotlight: Added support for EventID 28/29. (1554)
Ubiquiti UniFi: Added parsing for kernel logs noting received packets with identical addresses. (2475)
Compliance: Add privilege changes to Compliance Spotlight dashboard. (2542)
Sophos: Added event_action parsing for events. (2515)
Some event_types events include an action. Adding parsing for failed login attempts.
MS365: Added a Security Posture Management tab to the Office 365 Overview spotlight. (2318)
- The Security Posture Management Overview tab includes assessment and regulatory compliance information which details your environment security posture.
Windows: Process privilege token assignments in windows using the privilege fields (2519)
- Process security tokens in Windows event logs using privilege fields. Windows Security event log messages that list security tokens will now use the fields privilege_assigned_name, privilege_removed_name, and privilege name based on the event. Additionally an enrichment has been added to define privilege category (privilege_assigned_category, privilege_removed_category, privilege_category), which will assign the value elevated_privilege to identify tokens that allow an account to perform sensitive system activities.
Sophos: Added categorization for HTTP logs and added parsing according to the Graylog schema (2422)
- Sophos logs with the event component HTTP are now categorized as network network.connection and http.default. Firewall Authentication logs for failed logon are categorized as authentication.logoff. Blocked appliance logs are categorized as authentication.logon Changed fields from http_uri to http_request_path, vendor_http_status to http_response_code, vendor_http_user_agent to http_user_agent, vendor_con_id to connection_id.

Fixed

MS365: Updated user_name parsing and added user_domain extraction. (2321)
- User names formatted as user-at-domain.com or DOMAIN-backslash-USER will now extract the user_name and user_domain as separate fields.
Postfix: 12-postfix_event_created_normalization rule can't handle extra space.(2414)
Updated the event_created extraction logic for Postfix. The pack will now attempt to parse multiple date formats. In order to prevent indexing errors related to unexpected date formats in event_created it will now perform the initial extraction of the date field as vendor_event_created, then the pack will attempt to parse this date field and assign the value to event_created. If it is unable to, then vendor_event_created will be indexed as a keyword type field that will not prevent indexing of the message, but this field will not be able to be used in ranged searches.
MS365: Group names are extracted as o365_group_name_new or o365_group_name_old but context is missing. (2413)
- Removed these fields for IAM events where only one or the other exists, in that case they are assigned to the field group_name.
Cisco ASA: Fixed parsing and categorization for 113004, 113005, 113006, and 113007. (2400)
- Added categorization for 113004 and 113005 (authentication.logon) and changed parsing host_ip/host_hostname to source_ip/source_hostname. Changed categorization for 113006 from authentication.logon to authentication.logoff. Changed categorization for 113007 from authentication.logon to account.unlocked and changed parsing from vendor_admin_user_name to source_user_name.
MS365: AzureAD/Entra ID ExtendedProperties User Agent Field Extraction (2269)
- The http_user_agent field extracted from AzureAD/Entra ID logs is now extracted as a single string capable of being processed by additional functions.
MS365: Entra ID Sign-In Failures and Reason by Top 5 Users Widget Fix (2506)
- The group by column field associated with this widget has been updated to vendor_event_action, which better represents the intent of the widget.
MS365: user_name field is value list for IAM group change events. (2411)
Crowdstrike: Fixed issue with spotlight by removing unsupported dependency. (2574)

Changed

NGINX: Scope dashboard widgets to NGINX Messages stream. (2450)
Fortigate: Changed dashboard widget times to 1hr. (2197)
Cisco ASA: Scope dashboard widgets to Cisco ASA Messages stream. (2433)
Sysmon: Scope dashboard widgets to Sysmon Messages stream. (2505)
Snort IDS: Scope dashboard widgets to Snort IDS Messages stream. (2496)
Checkpoint: Scope dashboard widgets to Checkpoint Messages stream. (2484)
Watchguard: Scope dashboard widgets to Watchguard Messages stream. (2512)
Ubiquiti Unifi: Scope dashboard widgets to Ubiquiti Unifi Messages stream. (2510)
Okta: Scope dashboard widgets to Okta Messages stream. (2453)
Windows Security: Scope dashboard widgets to Windows Security Messages stream. (2513)
Juniper SRX: Scope dashboard widgets to Juniper SRX Messages stream. (2437)
Stormshield: Scope dashboard widgets to Stormshield Messages stream. (2501)
Zeek: Scope dashboard widgets to Zeek Messages stream. (2518)
MS Defender AV: Scope dashboard widgets to MS Defender AV Messages stream. (2488)
Fortigate: Forward subtype logs now categorized as network connections. (2236)
Linux Auditbeat: Scope dashboard widgets to Linux Auditbeat Messages stream. (2439)
Sonicwall: Scope dashboard widgets to Sonicwall Messages stream. (2498)
AWS Security Lake: Scope dashboard widgets to AWS Securtiy Lake Messages stream. (2430)
Sophos: Reducing Graylog license utilization for Sophos (2490)
Message field is now shortened to avoid data duplication. Deleted fields related to ports and packets if their value is 0.
Unifi Spotlight: Updated the time range for all spotlight widgets to 1 hour. (2417)
Pfsense: Scope dashboard widgets to Pfsense Messages stream. (2493)
Powershell: Scope dashboard widgets to Powershell Messages stream. (2494)
Palo Alto: Scope dashboard widgets to Palo Alto Messages stream. (2455)
Meraki: Scope dashboard widgets to Meraki Messages stream. (2442)

Illuminate 6.0.1

Released: 2024-10-24

Fixed

O365: Spotlight error when installed. (2445)

Illuminate 6.0.0

Released: 2024-10-21

Added

Google Workspace: Google Workspace Content Pack (2064)
- Google Workspace is a collection of cloud computing, productivity and collaboration tools, software and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet, Chat, Drive, and Google Docs. Admin-related logs are included.
Graylog Compliance: Add remote access dashboard (2342)
Windows Security: Added parsing for Event ID 5379 (2170)
Cisco Umbrella: Added support for Cisco Umbrella (2066)
- Cisco Umbrella is a cloud-delivered security platform that provides threat intelligence, secure access, and protection against internet-based threats.
Added Curated Alerts - Webserver (2235)
- Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.
Windows Security: Added parsing for Windows Event ID 5145 (728)
Windows Security: Added support for Event ID 4660 and 4658 (2216)
Illuminate: Added Open edition bundle (2300)
Added Curated Alerts - Linux (2241)
- Adds a spotlight pack containing Sigma-formatted Linux alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.
Windows Security: Added support for Windows Event ID 4656 (1973)
Curated Alerts: Remote Desktop From Internet: added 172.22.x range and fixed GIM field (2212)
Renamed non existing GIM field from source_is_reserved to existing GIM field source_reserved_ip
MS365: Added processing of Endpoint subtype events (2108)
- Added processing for MS365 Endpoint file events: FileModified, FileCreated, FileDeleted, FileRenamed, FileDownloadedFromBrowser, ArchiveCreated, DlpRuleMatch, FileRead, FileCopiedToRemovableMedia. This includes field extraction, categorization, and updating the message field with a brief event summary.
Core: Added 16 new sigma mappings (1292)
Linux System Logs: Initial technology pack (2217)
- Linux is a widely-used, open-source operating system that powers everything from servers and cloud infrastructure to desktop systems and embedded devices. For its initial release, this technology pack supports common Syslog and auth logs from Debian/Ubuntu distributions.

Fixed

MS365: CompliancePostureManagement events not being processed (2302)
Curated Alerts: Improved rule: Illuminate - Windows Security - Remote Desktop From Internet (2246)
- Changed the source_reference field in this sigma rule to source_ip field to reduce the number of false-positives.
Fortigate: Fixed wrong event_action mapping (2327)
- The event_action for server-rst and client-rst set to allowed. The field utmaction was set to vendor_event_action but changed to vendor_utm_action.
Crowdstrike: Content and spotlight improvements (2140)
- Revamped our Crowdstrike Falcon dashboards to improve alert focus, expanded coverage for additional alert subtypes, and resolved the misidentification of API events as authentication events, resulting in more accurate and comprehensive alert tracking.
MS365: Fixed logic for pipeline rule execution related to setting the message field (2289)
- Pipeline processing order logic was preventing the message field from being properly set.
MS365: source_port no longer set to 0 when no source port exists in source JSON (2270)

Changed

Windows Security: Change Request-Add remote_access GIM tag for RDP sessions (2332)
MS365: Replaced occurrences of vendor_event_type with vendor_event_action in Spotlight (2274)
- Changes to processing now rely on vendor_event_action; vendor_event_type is now considered a legacy field.
Palo Alto: Add GIM tag remote_access for Global Protect logs (2340)

Illuminate 5.2.0

Released: 2024-08-07

Added

MS365: Add processing for Security & Compliance Center events. (2104)
MS Defender for Endpoint: Added user, hostname, and MITRE widgets to spotlight. (2185)
- Added two new widgets to spotlight: alert count by user_name and host_hostname to the Overview page and moved the MITRE technique widget to it's own page, which also now includes a MITRE process_name heat map widget. Also, all widgets are now scoped to the Microsoft Defender for Endpoint stream.
MS365: Add processing for ListBaseType objects. (2139)
Add new GIM category: Detection. (2021)
- The new "detection" category will replace the "Alert" category which has been deprecated and will be removed in Illuminate 7.0.0. This has been added to clear up confusion around the term "alerts." Detections is an assignment for detections generated by a security monitoring solutions, such as IDS/IPS, DLP, or antivirus/malware, or other indications that potentially malicious or unwanted activity has been detected.
Sendmail: Added support for Sendmail mail server. (2065)
- Sendmail is a free and open-source mail transfer agent (MTA) used to route and deliver email on Unix-based systems. This content pack supports most common logs and features dashboards to visualize sender/recipient activity, delivery status, ruleset rejections, authentication, and processing statistics.
Added Microsoft Windows Security - Windows Activity Sigma Rules. (2067)
- Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.
Windows: Add Winlogbeat Event Original Retention content pack. (1358)
- Enabling this pack retains the winlogbeat_event_original field in Winlogbeat-forwarded messages.
Postfix: Added support if application_name starts with postfix. (2134)
- Rsyslog sends as application_name always postfix, but other log forwarders will attach the daemon/module.
MS365: Add processing for Teams events. (2151)
MS365: Add processing for Compliance Posture Management events. (2158)
Anomaly: Extend MS365 authentication AD rule to include all authentication. (2229)
- The previous anomaly detection rule to track MS365 authentication only looked at failed logins. The updated Anomaly Detection Spotlight includes an updated MS365 with features for both all authentication and failed authentication.

Fixed

Illuminate Core allows duplicate gim_event_subcategory values. (2030)
Lookup-related performance issues. (2167)
Training Illuminate anomaly detection rules can cause excessive resource utilization. (2068)
- A new pack has been added which provides updates to the existing anomaly detection rules. The updated rules will only use the current write indices for training, where the previous rules contained no such limit. This change may lengthen the time that training the anomaly detection rules takes but will reduce the CPU and memory utiltization during training. These rules are provided as a new pack in order to allow a smoother transition from the legacy rules to the updated rules. The legacy rules spotlight pack is deprecated, and will be removed from Illuminate 7.0.0.
O365: AzureAD/EntraID application_name properly extracted. (2168)
- The application_name field is now properly extracted from .Workload within the JSON message. Previously, the o365_application_id UID was being used and was inaccurate.
Rename the Bluecoat Anomaly Detection rule to Symantec. (2218)
- Update the anomaly detection rule name for the ProxySG product in the new Anomaly Detection spotlight.
Postfix: event_created timestamps without year indexed with year set to 1970. (2039)
Apache: vendor_event_severity parsed incorrectly in some error logs. (2147)
- The vendor_event_severity field is now properly extracted from some error log message types. Previously, vendor_event_severity would sometimes be assigned to vendor_apache_error_module.
CISCO_IOS: added support if the user_name is empty in login logs. (2211)
MS Defender for Endpoint: Added rule to remove the evidence_array field which is not needed after processing. (2201)

Changed

Fortigate: Scope dashboard widgets to Fortigate Messages stream. (2188)
MS Defender for Endpoint: Removed group by aggregation for alert count widgets. (2184)
MS365: Scope dashboard widgets to O365 Messages stream. (2110)
Postfix: This change improves titles of Spotlight widgets to better represent messages sent and messages not delivered. (2115)
Anomaly: Combine the Windows file activity anomaly detection rules into one. (2230)
- The original anomaly detection pack provided three separate rules related to Windows file activity, one rule each for file access, writes, and deletes. These rules are all based off of the same event data and can be combined in to one job.
MS365: Processing modifications and renames. (2106)
- Input derived vendor_event_description now gets set as message, vendor_event_description gets set via a lookup if data exists in the lookup.

Illuminate 5.1.0

Released: 2024-06-06

Added

Symantec EDR: Symantec Endpoint Detection and Response (EDR) Content Pack (1937)
- Symantec Endpoint Detection and Response is used to detect advanced attacks using machine learning and global threat intelligence to minimize false positives and help ensure high levels of productivity for security teams.
Core: Added lookup for SMTP descriptions (2024)
NGINX: Added support of filebeat_application_name as application_name. (2061)
Cisco IOS: Added support for Cisco IOS (1944)
- Cisco IOS (Internetwork Operating System): Proprietary software used in Cisco routers and switches, enabling robust management of network traffic, including data, voice, and video across various communications environments.
Apache: Added support of filebeat_application_name as application_name. (2061)
MITRE ATT&CK Tactic Lookup (1847)
- In addition to the existing attacks_technique_uid to attacks_technique_name lookup, core will now map attacks_tactic_uid to attacks_tactic_name.
Add Illuminate Compliance Spotlight (1979)
- This addition provides an Illuminate Spotlight pack designed to assist with compliance-related activities that are commonly supported by SIEM/log aggregation.
Postfix: Added support for Postfix (1970)
- This Postfix content pack supports most available logs. The content pack also includes a dashboard with four tabs (General Overview, Email Messages, TLS, and SMTP).

Fixed

Duplicate message summaries for gim_event_subcategory:authentication.credential validation. (1339)
Fortigate: Handle structured Syslog messages in Illuminate processing (2005)
- This fixes an issue with Fortigate processing where the message format causes the Syslog input to parse the message in addition to Illuminate parsing the message, leading to fields being extracted multiple times. When the Syslog input parses a Fortigate message, Illuminate will now use the fields generated by the input.
Core: Update built-in static accounts list (2085)
- Update the built-in static accounts enrichments, adding all built-in groups listed by Microsoft.
Agent message summary view incomplete (1555)
Fortigate: The field wifi_channel is always created (2089)

Changed

Symantec Endpoint Security (SES): Deduplication of attacks_tactic_uid field and removal of attacks_tactic_id. (2070)
- In some SES logs, the attacks_tactic_uid field can contain similar values. Added logic to de-duplicate those values. The attacks_tactic_id field has been removed, which is better represented by attacks_tactic_uid.
Allow merging of user/device category fields (167)
- Graylog Illuminate core has provided two lookup tables to define account and device category and priority data, but any category data defined prior to Illuminate Core running would prevent data in the static device/account lookups from being added. The category data in the Illuminate core static accounts and devices lookups will now be merged with any duplicate values being removed when detected.
Symantec Endpoint Security (SES): MITRE Tactic ID & UID Extraction Update (1991)
Core: Enrich all events with a user field with category and priority data (2086)
- Remove the requirement to categorize a message before enriching events with user fields (user_name, source_user_name, target_user_name) with category and priority information.
Symantec Endpoint Security (SES): Force vendor_data_entity_uid to be indexed as a string, no matter the subtype. (2058)
- This change requires rotating the SES index to incorporate the updated field type.
Add support for Postfix-style timestamps (2035)

Illuminate 5.0.1

Released: 2024-05-14

Fixed

Symantec Endpoint Security (SES): Spotlight Not Defining Minimum Version. (1942)
Windows Security: Curated Alerts Spotlight Not Defining Minimum Version. (2013)
Windows Security:NXLog not extracting process parent information from 4688. (2010)
Windows Security:Event process ID is not reliably extracted from Window Security logs. (2016)

Illuminate 5.0.0

Released: 2024-05-06

Added

Packetbeat: New content request from the customer (1851)
- With this addition, we will be supporting all Packetbeat logs, but we are currently focusing on enriching DNS, HTTP, and Flow logs specifically as well as adding a spotlight with three tabs: An overview tab, Flow network overview tab, and an HTTP overview tab as well.
Added support for Windows Security Event ID 1108 (827)
- See Microsoft documentation for additional information about the event.
Added extraction for process information for Event Ids 4798, 4799 (266)
- Added NXLog and WLB7 field processing for process_path/id values from events.
Symantec Endpoint Security (SES):Initial technology pack (1732)
- Symantec Endpoint Security is a cloud and hybrid-managed solution that provides the protection of SEP, attack detection of EDR, and other technologies to secure devices.
Add Network subcategory for ICMP (1696)
HAProxy: Added support for HAProxy (1854)
- This HAProxy content pack supports default, TCP, HTTP, HTTPS and Error logs.
Added Microsoft Windows Security - User Activity Sigma Rules (1852)
- Adds a spotlight pack containing Sigma-formatted alerts provided by SOC Prime and curated by the Graylog team. This may include some modifications of the source rules to align with the GIM schema and the Graylog team's findings.
Add new field gl2_processing_duration_ms to Illuminate field mapping templates (1891)
Graylog API Security Content Pack (1937)
- Initial Graylog API Security Spotlight which includes an Overview tab highlighting API calls and alerts. Please see the Graylog documentation for more information on the spotlight pack and how to configure API Security to send logs to your Graylog instance.

Fixed

Sophos:Field normalization failure due to space in field name (1963)
Winlogbeat provides timestamp fields that are detected as dates but cause indexing failures (1902)
- This will disable date detection on all Winlogbeat "event data" fields. These fields are dynamically parsed by the winlogbeat agent in to individual fields. This addresses an issue where some event log messages may be rejected due to an index mapping type conflict related to some fields. This is due to the event data fields are either occasionally timestamps, or are timestamps but contain different timestamp formats, likely due to local system settings. This change will cause all Winlogbeat "event data" fields to be indexed with the mapping type "keyword." The side effect of this change is that some event data fields may be limited in how they can be analyzed in aggregate, or search. This change will not impact non-event data fields, or any fields that have been renamed by Illuminate.
Windows Security:fixed process_path renaming (1841)
- Windows security processing sets the process_name path with a value that is the full path of the process. This should be instead extracted to process_path for both NXlog and Winlogbeat agents.
Symantec EP:Virus found logs not processed (1932)
CBDefense: Key value extraction generates illegal key name (1964)
SEPM: Updated dashboard to use detection instead of Alert. (1952)(1956)(1959)
- We are changing the way we use the word alert, which will be handled more so by the new curated alerts that will be coming soon, and so we want to start changing all the usages of the word alert to be detection. The first pack we are focusing on is the SEPM dashboards. We also added scoped streams to this dashboard as well.
Windows Security:Improve accuracy of user_type identification pattern (1879)
- The Illuminate Windows Security event processing was not identifying likely computer names which began with a number. The Illuminate process of setting a user type based on the format of the logs is a best effort process, there is no way to precisely identify if an account is a user or machine account based on log data alone.
Auditbeat:Will not process events with multiple vendor_event_action values (622)
O365:Updated messages incorrectly identified as legacy messages (1967)
Sonicwall assigning legacy GIM event code (1822)
Windows: nxlog process_id not extracted properly (1926)
Palo Alto:Global Protect categorization uses legacy GIM code (1818)
Cisco ASA: SFIMS message normalization target fields contain spaces (1966)

Changed

Changed vendor_message to message for Watchguard firebox (1496)
- The message field contains a lot of data that is extracted into other fields. Removing this and rewriting the message will: Reduce storage utilization Reduce duplication of data Lower computational cost for the pattern-based extraction

Removed

GIM Enforcement:Removed field enforcement of DNS transaction events (1739)
- The DNS transaction event type has been removed. DNS events that contain both query and answer data are now assigned the relevant GIM codes for each of those events.
Removed event_source enforcement from GIM enforcement rules (1782)
- The event_source field is deprecated and will be removed entirely from Illuminate 6.0.

Illuminate 4.2.0

Released: 2024-02-08

Known Issues

The minimum Graylog version required for this version of Illuminate is Graylog 5.1.11 or 5.2.4. (1808)
If you are running a Graylog 5.1.x version prior to 5.1.11 or a Graylog 5.2.x version prior to 5.2.4, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

Sysmon:Add source_reference selection for DNS query events (Sysmon Event ID 22). (1843)
AWS Security Lake: Added support for Security Lake. (1724)
The input supports the following objects: actor, anwers, api, attack, cloud, compliance, connection_info, cve, device, dns_answer, dns_query, email, endpoint, file, finding, http_request, http_response, identity, malware, metadata, process, resources, network_proxy, proxy, query, user, dst_endpoint, traffic, and src_endpoint.
Added optional Core pack to enrich events with DNS query_request or DNS query_response fields with additional data. (1676)
When enabled this pack will identify any messages processed by core which have the DNS message query fields query_request or query_response and enrich those fields. Messages with query_request will have the fields query_request_length and query_request_entropy added. Messages with query_response will have the field query_response_length added.
Checkpoint FW: Add rule and layer widgets to Spotlight. (1833)

Fixed

Fortigate: Convert identification rule to regex instead of grok. (1858)
Anomaly Detection: Fix pack titles. (1707)
Windows: Non-Security event logs sent with NXlog are not processed. (1867)
Sysmon: DNS events assigned legacy code 140100. (1826)
BIND DNS: Normal queries not extracted to schema fields and not categorized. (1835)
Checkpoint FW: Vendor action "Reject" not mapped to event_action. (1832)

Changed

Sysmon: Split DNS responses in to individual values. (1828)
Checkpoint FW: Layered treestructure dropped during processing. (1823)
Checkpoint Firewall: Events sometimes contained multiple values for some fields but only the first value was extracted. The following fields now contain a full list of extracted values: rule_name, rule_id, vendor_layer_name, vendor_layer_id, vendor_match_id, vendor_parent_rule, vendor_rule_action.
Move DNS query request and response length calculations out of GIM enforcement. (1730)
Sysmon: Spotlight dashboards updated to use the DNS response GIM event type code (140200) instead of the DNS transaction code (140100). (1837)

Illuminate 4.1.0

Released: 2024-01-04

Known Issues

The minimum version required for this version of Illuminate is Graylog 5.1.10 or 5.2.3. (1808)
- If you are running a Graylog 5.1.x version prior to 5.1.10, or a Graylog 5.2.x version prior to 5.2.3, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

Okta: Switch from using the field vendor_event_action to using the field vendor_event_type. (1789)
Okta: Extract user_domain from user_name. (1751)
Powershell: If the registry gets changed via a reg command, the fields registry_type and registry_path are parsed out and get categorized. (633)
- Logging for event_id 4104 must be enabled (script block logging).
Added parsing for Cisco Meraki MR logs. (788)(1687)
- Added support for Meraki association, disassociation, wpa_auth, wpa_deauth, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers, and device_packet_flood MR events. All ports are now numeric values.
O365: Add record type enrichment. (1806)
- Added an enrichment that provides a description of the Office 365 record type. This enrichment is only available on the updated Office 365 inputs, available in Graylog after X.X.X, or for prior versions of the Office 365 inputs with the full_message option enabled.

Fixed

BIND: Add support for severity_level mapping and support new log types. (1669)(1725)
- Mapped all severity levels to our schema and added support for BIND security log type.
O365: User email field contains the user ID value. (1749)
- This has been addressed in the updated Illuminate Office 365 processing but still exists with the Office 365 integration prior to 5.1.10 without the full_message capability enabled.
O365: Update Illuminate Pack Titles (1704)
SEPM: Fix a client traffic log issue where having a null Remote Host Name broke parsing. (1784)
Okta: Problems with policy.evaluate_sign_on processing. (1794)
- Change categorization of the policy evaluation rule policy.evaluate_sign_on to authentication.default.
O365: Alerts generating GIM errors (1425)
O365: Exchange ModifyFolderPermissions incorrectly categorized as iam.object modify. (1803)
Okta: Categorize user.authentication.sso as credential validation event. (1752)
Ubiquiti Unifi: Dnsmasq events using legacy GIM type multi-code assignment. (1746)

Changed

Removed alert_severity_level mapping functions/lookups. (1718)
- Removed alert_severity_level mapping functions/lookups. Snort3 pack now relies on core to map alert_severity_level from alert_severity. alert_severity_level should no longer be a string as well.
Removed rules that processed logs and fields tied to the initial Snort3 filebeat configuration. (1715)
- The initial release of the Snort3 pack did not set the target field in the Filebeat configuration. Current documentation notes adding 'target: "snort3"' which is required for proper log processing. This release now fully requires that field to be set.
Meraki: Renamed WiFi fields to match the schema. (1719)
Okta: Update Illuminate processing to support updates to the Okta input. (1789)
- Parsing of Okta messages will be moved from the Graylog Okta input to Illuminate. This will allow for more rapid response to Okta message processing requests as they can now be provided by Illuminate updates, which can be released more frequently, instead of relying on Graylog Enterprise updates. This pack will maintain support for the legacy Okta inputs until Illuminate 6.0 is released. At that time, the support for the legacy Okta input message format will be removed. Support for the enhanced processing can be enabled on the Okta legacy input by enabling the full_message feature in the Okta input configuration.
O365: Add logic to support parsing full message. (1769)
- Parsing of Office 365 messages will be moved from the Graylog Office 365 integration input to Illuminate. Migrating the parsing out of the integration input improves the ability to update the parsing rules on a more frequent basis. Support for the updated Office 365 message processing can be enabled on the Office 365 legacy input by enabling the full_message feature in the Office 365 input configuration.
Sophos :Renamed WiFi fields to match the schema. (1721)
Modified the Zeek message field construction to only use the even description field which is derived from a lookup. (1329)
- The message field is now only composed of the event description (derived from lookup). The prefix 'Zeek - ' will no longer be appended and vendor_event_log_description is removed. (now message).
Defender EP: Added logic to dedup the user_name field. (1693)
- Previously, the user_name field array could contain the same user_name multiple times. Added logic to dedup similar names.
Okta: Improve handling of vendor client geo information. (1795)
- Normalize Okta-provided geolocation enrichment data to fields with the prefix vendor_client_geo. This will prevent the Okta-provided geolocation enrichments from colliding with the Graylog-provided Geolocation enrichments.
Fortigate: Renamed WiFi fields to match the schema. (1717)

Removed

O365:Remove Skype Office 365 tab (1806)
- Skype For Business was retired in July of 2021.

Illuminate 4.0.0

Released: 2023-11-01

Known Issues

Installing this Illuminate release will cause any currently running Anomaly Detection jobs to be disabled. Please identify which Anomaly Detection jobs are running prior to activating this release and enable them after this version has been activated.

Fixed

Cisco ASA: Some Authentication messages have GIM errors, logoff are wrong categorized (1421)
Added the missing destination_reference field for ASA authentication messages between 606001 and 606004. Logout messages are now categorizes as logout messages and vendor_event_action is now success.
Sophos Firewall: Spotlight widgets including non-Sophos data (1686)
SonicWall saved search widget modification and dashboard spelling correction (1557)
The Message Count by Severity widget in the SonicWall NGFW Log Viewer - Filtered saved search had a confusing sort order. Corrected to sort by vendor_event_severity_level. Also, fixed the spelling of the Dashboard - previously started with Illuminate:* and corrected to Illuminate:*
Sysmon: add file_is_executable extraction for Event ID 28 (1552)
ASA dashboard has confusing severity levels (1559)
Stormshield Bugfixes and Enhancement (1610)
Updated bugfix rule to account for logs that contain a cat_site AND arg field. An existing Stormshield bug adds an extra quotation mark to the cat_site field value which breaks parsing.
Sysmon: Normalize Event Type to vendor_event_type for all related Sysmon events (1576)
Cisco ASA:Alert severity not assigned for some 338002 messages (1420)
All dynamic filter messages 338001 to 338204 now get an alert severity even if the message does not have this field. Renamed field vendor_alert_severity1 to vendor_alert_severity
Added check for previously identified messages to Checkpoint (1612)
Illuminate: Added event_error_code mapping as keyword (1674)

NOTE: This may cause a short-term mapping conflict in dashboards where mapping type are updated (such as with Palo Alto) but this conflict will resolve over time. Some products produce an error code as an integer value, some produce codes in other formats such as hex. This field is expected to be a keyword type, but implicit mappings result in mapping conflicts where integer values are mapped as type "long." The static mapping of event_error_code as keyword will resolve this mapping conflict.
Windows Security: Event 4663 not handled properly (803)
Windows 4663 was categorized as a file change but 4663 can reflect changes to multiple components on a system in addition to the file system. Illuminate will now categorize a system based upon the component identified in event ID 4663.
Sysmon extracting target process name incorrectly (1575)
The field was being extracted incorrectly as target_process_name, now extracting it as process_target_name
Symantec Endpoint: Spotlight Alert destinations widget uses source fields (1679)
Moved Cisco ASA identification rules from stage 2 to stage 5 (1613)
Fortigate: fixed event_severity & event_severity_level for informational and low (1642)
The Fortigate event severity for informational events properly maps to a value of 1 for event_severity_level and informational for event_severity. Additionally, for the notice Fortigate events, the event_severity_level has been corrected with a value of 2 (low).
Cisco ASA: Add support for user names with an @ in them. (1661)
Checkpoint: Fixed processing of text for severity levels (1688)

Added

Added Ubiquiti UniFi Overview dashboard to go along with the existing Ubiquiti UniFi Illuminate pack. (1296)
Added new technology pack NGINX Webserver (1207)
This pack adds support for NGINX Webserver. It is tested with version 1.18/1.24 with the combined log format.
Added Asset pack to Illuminate Security editions
Adds the Asset processing pack needed to add the associated_assets field to messages used by the Assets feature, available only in Graylog Security.
Added support for Audit Security System Extension Windows events (216)
Added support for additional Windows Security Event IDs 4610, 4611, 4614, 4622, 4697 which are enabled by the Audit Security System Extension policy in Windows. See https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension for additional information about these events.
Core MITRE lookup that allows the mapping of technique UID to name (1622)
Added a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.
Updated Juniper documentation to include required input setting for proper processing (1569)
Added full support for Cisco Firepower (1449)
Adding full parsing for Cisco Firepower FTD events. Event IDs between 430001 and 430005 are now fully supported. This Illuminate pack will process the Cisco Firepower logs delivered to Graylog via Syslog and is not for use with the Cisco Firepower Event Streamer (eStreamer)/eNcore agents. The pack supports %FTD, %NGIPS, %NGFW (and %ASA) logs.
Illuminate: The http_response_code field now gets enriched. The new field http_response describes the response code. (1633)
Windows Security: Add access list enrichment (1644)
Windows 4663 contains codes that reflect the types of accesses requested. Add an enrichment that will provide a plain text description of these access list codes in the field vendor_access_type.
CrowdStrike Falcon Technology Pack (1483)
CrowdStrike Falcon technology pack release. Supports alerts and authentication events received by the CrowdStrike input, and includes a spotlight pack with an overview tab, authentication tab, and alert tab.
Microsoft Defender for Endpoint Technology Pack (1540)
Microsoft Defender for Endpoint technology pack release. Supports 'alerts' events received by the Microsoft Defender for Endpoint Graylog input. Also adds a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.

Changed

GIM Enforcement:Change enforced source and destination fields for events categorized as network messages (1524)
Reference fields (source_reference, destination_reference) are selected from a list of possible source fields such as source_ip, destination_ip, and source_hostname. Defining the required fields for the network category to use these reference fields instead of only the IP fields will allow more messages to be categorized as network messages. Some sources will provide hostnames or mac addresses instead of IPs, changing the required field to use a reference field enables those messages to also be categorized as network messages.
Core: Revised reference field processing (1685)
Reference fields (host_reference, source_reference, destination_reference) are now processed for any message with candidate fields and not just categorized messages. Any messages with source/host/destination IP, hostname, or MAC fields will now have associated reference fields added. For example, a message with host_ip, host_hostname, or host_mac will have a host_reference field generated.
Convert Illuminate Spotlight content IP fields to instead use reference fields (1673)
Many existing Illuminate dashboards use the IP fields (source_ip, destination_ip, host_ip) for aggregations but the use of fields with the IP mappings commonly run into aggregation errors. Converting the IP field use in aggregations to instead the "reference" fields (source_reference, destination_reference, host_reference) will use keyword-mapped fields while retaining the ability to search the IP-based fields with CIDR functions and ranged searches, which will reduce the number of aggregations errors when viewing Illuminate content. Reference fields are selected from multiple potential fields (such as source_ip, source_hostname, source_mac, and others) but will typically contain the original IP field data as that field as the IP field is typically the first choice selected when it exists.
Converted gim_event_type_code assignments to support multiple values (1504)
The assignment of a `gim_event_type_code` value has been limited to one value. With this change the `gim_event_type_code` field is now a list of values and multiple codes can be assigned. This change requires Graylog 5.1.5 or greater.
Rename original Microsoft Defender content to Microsoft Defender Antivirus (1654)