The Illuminate Content Hub displays all Illuminate content packs, including packs you have already enabled as well as packs available to enable. New content packs as well as existing packs that have been updated appear automatically at the top of this list.

This topic guides you through how to find specific content packs and how to enable packs for your environment.

Prerequisites

Before proceeding, ensure that the following prerequisites are met:

• Graylog Enterprise or Security license with Illuminate.

• You must be a Graylog administrator to access Illuminate content.

New Content Interval

Navigate to the Illuminate Content Hub by selecting Enterprise > Illuminate. When new Illuminate content packs are released, they are automatically included here in the list of available packs. New content packs as well as updated content packs are shown with the New label and are sorted at the top of the list. By default, Graylog checks for new content every 12 hours.

If you want to change this interval, you can update the illuminate_hub_new_version_check_interval property in your server.conf file. For information about how to update server.conf, see Graylog Server Configuration.

Find Content Packs

The Content Hub provides many content packs for you to choose from at Enterprise > Illuminate. Click any content pack in the list to view details about that pack. The description explains what logs or other enrichment the content pack provides. The detail pane also shows any dependencies, such as Graylog version requirements and other content packs that need to be enabled as well.

To find specific content packs for your environment, you can enter keywords in the search field, and you can apply filters. The filters available are:

• Status: Apply this filter to toggle between packs that are Enabled or Disabled in your environment.

• New: Select True to show content packs that are new or include new content, or False to show only packs not tagged as new.

• Type: Use this filter to view either all Processing or all Spotlight content packs.

• Tags: Select a tag from the list, which represents a MITRE tactic category. You can also use the search field on the filter to enter a specific term or tactic number to see if there is matching Illuminate content.

If you are looking for a specific content pack, enter the title or keyword in the search box. You can also use search together with filters to better target your results.

Enable Content Packs

To enable content packs for your environment:

1. Locate the pack you want to install in the list, then select the check box on the left. The pack you selected is added to the Selected Packs sidebar on the right.

2. (Optional) Add additional packs if you plan to install multiple packs. Each pack is added to the list in Selected Packs.

3. Click Install Packs.

4. Verify that you have the correct packs, including their dependencies. The dialog box shows each pack you selected. If a pack has dependencies, you can expand that line to review the specific requirements. When the dependency is another content pack, you can select it here to add it to the installation.

   Hint: Illuminate allows you to install content packs without required dependencies. For instance, you can install a spotlight pack without enabling the requisite processing pack. However, that pack is not useful without its dependent pack. Therefore, it is recommended to install related packs together.

5. Click Confirm to begin installation. The screen shows the installation progress. When all packs are installed, the screen returns to the Content Hub.