The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

Illuminate Lookup Tables are available to core Graylog processing, so users running Illuminate can reference them from their own pipeline rules, not only from the pipelines that ship with Illuminate.

All Illuminate Lookup Tables, Data Adapters, and Caches are read-only. They are listed under System > Lookup Tables, but they cannot be edited there; overrides and additional entries are made through the Illuminate Customization screen described in Lookup Table Customization below.
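As an added example (it is not from the Graylog documentation or from an Illuminate pack), the pipeline rule below consumes an Illuminate lookup table from a user-defined pipeline. The lookup table name msdefender-severity-map, the source field vendor_event_severity and the target fields event_severity and event_severity_mapped are assumptions for illustration: the page only names the data adapter msdefender-severity-map-adapter, so check the real table name under System > Lookup Tables before using the rule.

```graylog
// Added example: normalize a vendor severity through an Illuminate lookup table.
// Table name and field names are assumptions; verify them under System > Lookup Tables.
rule "map vendor severity via Illuminate lookup table"
when
    has_field("vendor_event_severity")
then
    // lookup_value(table, key, default) returns the table's value for the key,
    // or the default when the key has no entry. Illuminate tables are read-only,
    // so missing keys are added via Illuminate Customization, never from a rule.
    let severity = lookup_value("msdefender-severity-map",
                                to_string($message.vendor_event_severity),
                                "unknown");
    set_field("event_severity", severity);

    // Record whether the lookup hit, so that keys still falling back to the
    // default are easy to find in search and can be supplied as custom values.
    set_field("event_severity_mapped", severity != "unknown");
end
```

Attach the rule to a stage of a pipeline connected to the stream that carries these messages. Custom key-value pairs added on the Illuminate Customization screen are served through the same lookup_value() call, so a search for event_severity_mapped:false after the change shows which keys still need an entry. To check a single key outside the pipeline, recent Graylog releases expose the table through the REST API as GET /api/system/lookup/tables/<table-name>/query?key=<key>; confirm the path in the API browser of your own version before scripting against it.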

Overview

When Illuminate processing packs are installed or activated, Graylog automatically creates the required streams and index sets and installs the new index templates.

Your selected processing packs are applied automatically to matching messages; the Illuminate processing pipelines and rules no longer appear on the Pipeline Management page.

Prerequisites

  • Upgrade to Graylog 4.2 with Illuminate if running an earlier version.
  • Remove old processing pipelines and rules found in the Processing Pipelines chapter.
  • Remove all unnecessary content packs, as outlined in Delete Packs.

Lookup Table Customization

Illuminate ships with lists of pre-defined data (lookup tables) that include content such as important hostnames, accounts, and usernames. Each table consists of a key column with a corresponding column of values.

In the UI, you can change or override default tables shipped with Illuminate. In addition, you can add data to the desired table(s).

Using msdefender-severity-map-adapter as an example, modify a table as follows:

  1. Navigate to the "Illuminate" screen from the Enterprise menu item.
  2. Click the Customization button; this takes you to a screen titled Illuminate Customization.
  3. Identify your desired lookup table by Title to modify, e.g. msdefender-severity-map-adapter.
  4. Click the corresponding Edit button under the Actions column; this opens a modal titled Custom Values for msdefender-severity-map-adapter.
  5. Add values to both Key and Value fields.
  6. Click the green and white + button to add more key-value data (optional).
  7. Click the red and white trash can button to remove each value (optional).