Illuminate 4.2.0

Released: 2021-02-08

Known Issues

  • The minimum Graylog version required for this version of Illuminate is Graylog 5.1.11 or 5.2.4. (1808)

  • If you are running a Graylog 5.1.x version prior to 5.1.11 or a Graylog 5.2.x version prior to 5.2.4, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

  • Sysmon: Add source_reference selection for DNS query events (Sysmon Event ID 22). (1843)

  • AWS Security Lake: Added support for Security Lake. (1724)

    • The input supports the following objects: actor, answers, api, attack, cloud, compliance, connection_info, cve, device, dns_answer, dns_query, email, endpoint, file, finding, http_request, http_response, identity, malware, metadata, process, resources, network_proxy, proxy, query, user, dst_endpoint, traffic, and src_endpoint.

  • Added optional Core pack to enrich events with DNS query_request or DNS query_response fields with additional data. (1676)

    • When enabled, this pack identifies any messages processed by core that carry the DNS query fields query_request or query_response and enriches them. Messages with query_request get the fields query_request_length and query_request_entropy; messages with query_response get the field query_response_length.
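The enrichment described above, written out as an added example (this is not Illuminate's own pipeline code). It assumes Shannon entropy in bits per character for query_request_entropy, since the page does not state which entropy formula the pack uses, and it operates on plain dictionaries standing in for Graylog messages; the sample messages are constructed. High-entropy query names are what a defender looks for when hunting DNS tunnelling or DGA traffic, so the example compares a normal hostname with a hex-looking label.

```python
import math
from collections import Counter


def shannon_entropy(value: str) -> float:
    """Shannon entropy in bits per character.

    Assumed definition: the page only names the field query_request_entropy,
    not the formula Illuminate applies.
    """
    if not value:
        return 0.0
    total = len(value)
    return -sum((n / total) * math.log2(n / total) for n in Counter(value).values())


def enrich_dns_query_fields(message: dict) -> dict:
    """Return a copy of `message` with the DNS length/entropy fields added.

    Messages without query_request / query_response are returned unchanged,
    which is the behaviour the pack description implies.
    """
    enriched = dict(message)

    request = enriched.get("query_request")
    if isinstance(request, str):
        enriched["query_request_length"] = len(request)
        enriched["query_request_entropy"] = round(shannon_entropy(request), 4)

    response = enriched.get("query_response")
    if isinstance(response, str):
        enriched["query_response_length"] = len(response)

    return enriched


# Constructed sample messages (not real log data). 192.0.2.1 is an
# RFC 5737 documentation address.
SAMPLE_MESSAGES = [
    {"vendor": "sysmon", "query_request": "www.example.com", "query_response": "192.0.2.1"},
    {"vendor": "bind", "query_request": "a3f9c2e71b0d84e6f5a2c9b1.example.net"},
    {"vendor": "bind", "event_action": "zone-transfer"},  # no DNS query fields
]


def enrich_all(messages=SAMPLE_MESSAGES):
    """Run the enrichment over a batch of messages and return the results."""
    return [enrich_dns_query_fields(m) for m in messages]


if __name__ == "__main__":
    for enriched in enrich_all():
        print(enriched)
```

The hex-looking label in the second sample scores noticeably higher entropy than www.example.com, which is the signal a dashboard or alert built on query_request_entropy would key on; the length field is a cheaper first filter, because tunnelled payloads tend to push labels toward the 63-byte limit.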

  • Checkpoint FW: Add rule and layer widgets to Spotlight. (1833)

Fixed

  • Fortigate: Convert identification rule to regex instead of grok. (1858)

  • Anomaly Detection: Fix pack titles. (1707)

  • Windows: Non-Security event logs sent with NXlog are not processed. (1867)

  • Sysmon: DNS events assigned legacy code 140100. (1826)

  • BIND DNS: Normal queries not extracted to schema fields and not categorized. (1835)

  • Checkpoint FW: Vendor action "Reject" not mapped to event_action. (1832)

Changed

  • Sysmon: Split DNS responses into individual values. (1828)

  • Checkpoint FW: Layered tree structure dropped during processing. (1823)

  • Checkpoint Firewall: Events sometimes contained multiple values for some fields but only the first value was extracted. The following fields now contain a full list of extracted values: rule_name, rule_id, vendor_layer_name, vendor_layer_id, vendor_match_id, vendor_parent_rule, vendor_rule_action.

  • Move DNS query request and response length calculations out of GIM enforcement. (1730)

  • Sysmon: Spotlight dashboards updated to use the DNS response GIM event type code (140200) instead of the DNS transaction code (140100). (1837)

Illuminate 4.1.0

Released: 2024-01-04

Known Issues

  • The minimum version required for this version of Illuminate is Graylog 5.1.10 or 5.2.3. (1808)

    • If you are running a Graylog 5.1.x version prior to 5.1.10, or a Graylog 5.2.x version prior to 5.2.3, DO NOT ENABLE THIS BUNDLE until your Graylog systems are upgraded to one of the supported versions.

Added

  • Okta: Switch from using the field vendor_event_action to using the field vendor_event_type. (1789)

  • Okta: Extract user_domain from user_name. (1751)

  • Powershell: If the registry gets changed via a reg command, the fields registry_type and registry_path are parsed out and get categorized. (633)

    • Logging for event_id 4104 must be enabled (script block logging).

  • Added parsing for Cisco Meraki MR logs. (788)(1687)

    • Added support for Meraki association, disassociation, wpa_auth, wpa_deauth, 8021x_eap_failure, 8021x_deauth, 8021x_auth, 8021x_eap_success, splash_auth, mac_spoofing, multiple_servers, and device_packet_flood MR events. All ports are now numeric values.

  • O365: Add record type enrichment. (1806)

    • Added an enrichment that provides a description of the Office 365 record type. This enrichment is only available on the updated Office 365 inputs, available in Graylog after X.X.X, or for prior versions of the Office 365 inputs with the full_message option enabled.

Fixed

  • BIND: Add support for severity_level mapping and support new log types. (1669)(1725)

    • Mapped all severity levels to our schema and added support for BIND security log type.

  • O365: User email field contains the user ID value. (1749)

    • This has been addressed in the updated Illuminate Office 365 processing but still exists with the Office 365 integration prior to 5.1.10 without the full_message capability enabled.

  • O365: Update Illuminate Pack Titles (1704)

  • SEPM: Fix a client traffic log issue where having a null Remote Host Name broke parsing. (1784)

  • Okta: Problems with policy.evaluate_sign_on processing. (1794)

    • Change categorization of the policy evaluation rule policy.evaluate_sign_on to authentication.default.

  • O365: Alerts generating GIM errors (1425)

  • O365: Exchange ModifyFolderPermissions incorrectly categorized as iam.object modify. (1803)

  • Okta: Categorize user.authentication.sso as credential validation event. (1752)

  • Ubiquiti Unifi: Dnsmasq events using legacy GIM type multi-code assignment. (1746)

Changed

  • Removed alert_severity_level mapping functions/lookups. (1718)

    • The Snort3 pack now relies on core to map alert_severity_level from alert_severity. alert_severity_level is also no longer a string.

  • Removed rules that processed logs and fields tied to the initial Snort3 filebeat configuration. (1715)

    • The initial release of the Snort3 pack did not set the target field in the Filebeat configuration. Current documentation notes adding 'target: "snort3"' which is required for proper log processing. This release now fully requires that field to be set.

  • Meraki: Renamed WiFi fields to match the schema. (1719)

  • Okta: Update Illuminate processing to support updates to the Okta input. (1789)

    • Parsing of Okta messages will be moved from the Graylog Okta input to Illuminate. This will allow for more rapid response to Okta message processing requests as they can now be provided by Illuminate updates, which can be released more frequently, instead of relying on Graylog Enterprise updates. This pack will maintain support for the legacy Okta inputs until Illuminate 6.0 is released. At that time, the support for the legacy Okta input message format will be removed. Support for the enhanced processing can be enabled on the Okta legacy input by enabling the full_message feature in the Okta input configuration.

  • O365: Add logic to support parsing full message. (1769)

    • Parsing of Office 365 messages will be moved from the Graylog Office 365 integration input to Illuminate. Migrating the parsing out of the integration input improves the ability to update the parsing rules on a more frequent basis. Support for the updated Office 365 message processing can be enabled on the Office 365 legacy input by enabling the full_message feature in the Office 365 input configuration.

  • Sophos: Renamed WiFi fields to match the schema. (1721)

  • Modified the Zeek message field construction to only use the event description field, which is derived from a lookup. (1329)

    • The message field is now composed only of the event description (derived from lookup). The prefix 'Zeek - ' is no longer appended, and vendor_event_log_description is removed (its content is now in message).

  • Defender EP: Added logic to dedup the user_name field. (1693)

    • Previously, the user_name field array could contain the same user_name multiple times. Added logic to dedup similar names.

  • Okta: Improve handling of vendor client geo information. (1795)

    • Normalize Okta-provided geolocation enrichment data to fields with the prefix vendor_client_geo. This will prevent the Okta-provided geolocation enrichments from colliding with the Graylog-provided Geolocation enrichments.

  • Fortigate: Renamed WiFi fields to match the schema. (1717)

Removed

  • O365: Remove Skype Office 365 tab (1806)

    • Skype For Business was retired in July of 2021.

Illuminate 4.0.0

Released: 2023-11-01

Known Issues

  • Installing this Illuminate release will cause any currently running Anomaly Detection jobs to be disabled. Please identify which Anomaly Detection jobs are running prior to activating this release and enable them after this version has been activated.

Fixed

  • Cisco ASA: Some authentication messages have GIM errors, and logoffs are categorized incorrectly (1421)

    • Added the missing destination_reference field for ASA authentication messages between 606001 and 606004. Logout messages are now categorized as logout messages and vendor_event_action is now success.

  • Sophos Firewall: Spotlight widgets including non-Sophos data (1686)

  • SonicWall saved search widget modification and dashboard spelling correction (1557)

    • The Message Count by Severity widget in the SonicWall NGFW Log Viewer - Filtered saved search had a confusing sort order. Corrected to sort by vendor_event_severity_level. Also fixed the spelling of the Dashboard: previously started with Illuminate:* and corrected to Illuminate:*.

  • Sysmon: add file_is_executable extraction for Event ID 28 (1552)

  • ASA dashboard has confusing severity levels (1559)

  • Stormshield Bugfixes and Enhancement (1610)

    • Updated bugfix rule to account for logs that contain a cat_site AND arg field. An existing Stormshield bug adds an extra quotation mark to the cat_site field value which breaks parsing.

  • Sysmon: Normalize Event Type to vendor_event_type for all related Sysmon events (1576)

  • Cisco ASA: Alert severity not assigned for some 338002 messages (1420)

    • All dynamic filter messages 338001 to 338204 now get an alert severity even if the message does not have this field. Renamed field vendor_alert_severity1 to vendor_alert_severity.

  • Added check for previously identified messages to Checkpoint (1612)

  • Illuminate: Added event_error_code mapping as keyword (1674)

    NOTE: This may cause a short-term mapping conflict in dashboards where mapping types are updated (such as with Palo Alto), but this conflict will resolve over time. Some products produce an error code as an integer value, some produce codes in other formats such as hex. This field is expected to be a keyword type, but implicit mappings result in mapping conflicts where integer values are mapped as type "long." The static mapping of event_error_code as keyword will resolve this mapping conflict.

  • Windows Security: Event 4663 not handled properly (803)

    • Windows 4663 was categorized as a file change, but 4663 can reflect changes to multiple components on a system in addition to the file system. Illuminate now categorizes the event based on the component identified in event ID 4663.

  • Sysmon extracting target process name incorrectly (1575)

    • The field was being extracted incorrectly as target_process_name; it is now extracted as process_target_name.

  • Symantec Endpoint: Spotlight Alert destinations widget uses source fields (1679)

  • Moved Cisco ASA identification rules from stage 2 to stage 5 (1613)

  • Fortigate: fixed event_severity & event_severity_level for informational and low (1642)

    • The Fortigate event severity for informational events properly maps to a value of 1 for event_severity_level and informational for event_severity. Additionally, for the notice Fortigate events, the event_severity_level has been corrected with a value of 2 (low).

  • Cisco ASA: Add support for user names with an @ in them. (1661)

  • Checkpoint: Fixed processing of text for severity levels (1688)

Added

  • Added Ubiquiti UniFi Overview dashboard to go along with the existing Ubiquiti UniFi Illuminate pack. (1296)

  • Added new technology pack NGINX Webserver (1207)

    • This pack adds support for NGINX Webserver. It is tested with version 1.18/1.24 with the combined log format.

  • Added Asset pack to Illuminate Security editions

    • Adds the Asset processing pack needed to add the associated_assets field to messages used by the Assets feature, available only in Graylog Security.

  • Added support for Audit Security System Extension Windows events (216)

    • Added support for additional Windows Security Event IDs 4610, 4611, 4614, 4622, 4697 which are enabled by the Audit Security System Extension policy in Windows. See https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-security-system-extension for additional information about these events.

  • Core MITRE lookup that allows the mapping of technique UID to name (1622)

    • Added a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.

  • Updated Juniper documentation to include required input setting for proper processing (1569)

  • Added full support for Cisco Firepower (1449)

    • Adds full parsing for Cisco Firepower FTD events. Event IDs between 430001 and 430005 are now fully supported. This Illuminate pack processes the Cisco Firepower logs delivered to Graylog via Syslog and is not for use with the Cisco Firepower Event Streamer (eStreamer)/eNcore agents. The pack supports %FTD, %NGIPS, %NGFW (and %ASA) logs.

  • Illuminate: The http_response_code field now gets enriched. The new field http_response describes the response code. (1633)

  • Windows Security: Add access list enrichment (1644)

    • Windows 4663 contains codes that reflect the types of accesses requested. Adds an enrichment that provides a plain text description of these access list codes in the field vendor_access_type.

  • CrowdStrike Falcon Technology Pack (1483)

    • CrowdStrike Falcon technology pack release. Supports alerts and authentication events received by the CrowdStrike input, and includes a spotlight pack with an overview tab, authentication tab, and alert tab.

  • Microsoft Defender for Endpoint Technology Pack (1540)

    • Microsoft Defender for Endpoint technology pack release. Supports 'alerts' events received by the Microsoft Defender for Endpoint Graylog input. Also adds a new core lookup that maps attacks_technique_uid (MITRE ID) to attacks_technique_name (MITRE name). These are new fields.

Changed

  • GIM Enforcement: Change enforced source and destination fields for events categorized as network messages (1524)

    • Reference fields (source_reference, destination_reference) are selected from a list of possible source fields such as source_ip, destination_ip, and source_hostname. Defining the required fields for the network category to use these reference fields instead of only the IP fields allows more messages to be categorized as network messages. Some sources provide hostnames or MAC addresses instead of IPs; changing the required field to a reference field enables those messages to also be categorized as network messages.

  • Core: Revised reference field processing (1685)

    • Reference fields (host_reference, source_reference, destination_reference) are now processed for any message with candidate fields and not just categorized messages. Any messages with source/host/destination IP, hostname, or MAC fields will now have associated reference fields added. For example, a message with host_ip, host_hostname, or host_mac will have a host_reference field generated.

  • Convert Illuminate Spotlight content IP fields to instead use reference fields (1673)

    • Many existing Illuminate dashboards use the IP fields (source_ip, destination_ip, host_ip) for aggregations, but aggregating on IP-mapped fields commonly runs into aggregation errors. Converting aggregations to use the "reference" fields (source_reference, destination_reference, host_reference) instead means they operate on keyword-mapped fields, while the IP-based fields remain searchable with CIDR functions and ranged searches; this reduces the number of aggregation errors when viewing Illuminate content. Reference fields are selected from multiple potential fields (such as source_ip, source_hostname, source_mac, and others) but will typically contain the original IP value, since the IP field is the first choice selected when it exists.
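The reference-field selection behind the three items above (1524, 1685 and 1673), as an added example rather than Illuminate's own rule code. It assumes the candidate precedence ip, then hostname, then mac for each of the host, source and destination roles: the page says the IP field is the first choice when present and names hostname and MAC as the other candidates, but does not state the order between those two. The sample messages are constructed; the MAC is an RFC 7042 documentation address.

```python
# Candidate suffixes in precedence order. Only "IP first" is stated on the page;
# the hostname-before-MAC order is an assumption of this example.
CANDIDATE_SUFFIXES = ("ip", "hostname", "mac")
ROLES = ("host", "source", "destination")


def select_reference(message: dict, role: str):
    """Pick the first populated candidate field for `role`, or None.

    Empty strings count as absent so a blank source_ip does not shadow
    a usable source_hostname.
    """
    for suffix in CANDIDATE_SUFFIXES:
        value = message.get(f"{role}_{suffix}")
        if value not in (None, ""):
            return value
    return None


def add_reference_fields(message: dict) -> dict:
    """Return a copy of `message` with host/source/destination_reference added
    wherever a candidate exists, regardless of whether the message was categorized."""
    enriched = dict(message)
    for role in ROLES:
        reference = select_reference(enriched, role)
        if reference is not None:
            enriched[f"{role}_reference"] = reference
    return enriched


def qualifies_as_network_event(message: dict) -> bool:
    """Network-category requirement expressed on reference fields instead of
    IP-only fields, so hostname- or MAC-only sources also qualify."""
    return "source_reference" in message and "destination_reference" in message


# Constructed sample messages (not real log data).
SAMPLE_MESSAGES = [
    {"source_ip": "192.0.2.10", "source_hostname": "ws01", "destination_hostname": "fileserver"},
    {"source_mac": "00:00:5e:00:53:01"},          # MAC only, no destination
    {"host_ip": "", "host_hostname": "dc01"},      # blank IP must not win
    {"event_action": "login"},                     # no candidate fields at all
]


def process(messages=SAMPLE_MESSAGES):
    """Enrich every sample and pair it with its network-category decision."""
    return [(add_reference_fields(m), qualifies_as_network_event(add_reference_fields(m)))
            for m in messages]


if __name__ == "__main__":
    for enriched, is_network in process():
        print(is_network, enriched)
```

The first sample shows why dashboards were moved to reference fields: source_reference still carries the IP when one exists, so an aggregation keyed on it groups the same way as before while using a keyword mapping; the second sample shows a MAC-only message that the IP-only network requirement would have dropped.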

  • Converted gim_event_type_code assignments to support multiple values (1504)

    • The assignment of a `gim_event_type_code` value was previously limited to one value. With this change the `gim_event_type_code` field is a list of values and multiple codes can be assigned. This change requires Graylog 5.1.5 or greater.

  • Rename original Microsoft Defender content to Microsoft Defender Antivirus (1654)