
ADDED: New Content Packs & Features
Symantec ProxySG (419)
Added alert_severity_level mapping based on event_action where applicable.
Checkpoint FW (2917)
Added support for additional vendor_event_action values, including encrypt and decrypt. Restructured existing vendor fields to better align with log output: vendor_event_outcome is now vendor_event_action; vendor_event_outcome_reason is now vendor_event_action_reason; vendor_event_action is now vendor_event_operation. Note the chain: values that previously lived in vendor_event_action now appear in vendor_event_operation, so saved searches keyed on the old field need updating.
Bitdefender GravityZone (3059)
Added support for New Extended Incident logs. Included basic parsing for RPC formatted GravityZone logs for possible future extension via Filebeat testing.
Windows Security (2836)
Added support for status code 0xC0000413 – STATUS_AUTHENTICATION_FIREWALL_DENIED, the NTSTATUS Windows reports in failed logon events when an authentication firewall (for example selective authentication on a forest trust) refuses the logon.
Microsoft IIS Content Pack (1067)
New content pack for Microsoft IIS (Internet Information Services), the Windows web server used for hosting web applications and services; it integrates tightly with ASP.NET and the Windows Server ecosystem.
AWS Kinesis Content Pack (3076)
New pack for Amazon Kinesis, supporting the parsing and categorization of AWS VPC Flow logs via AWS Kinesis for real-time data streaming and analysis. Future support for other log types may be added.
1Password Content Pack (2993)
New content pack for 1Password logs. 1Password provides centralized storage and management of credentials, API keys, and other sensitive information.
Cisco Business 350 Series (CBS) (2263)
New content pack for Cisco Business 350 Series Switches, supporting managed Layer 3 network switches designed for small and medium-sized businesses.
F5 BIG-IP (1137)
New content pack supporting the AFM (Advanced Firewall Manager) and ASM (Application Security Manager) modules.
FIXED: Bugs and Issues
NetFlow (2851)
Fixed IPFIX message identification and added support for different set fields.
Bitdefender (3115)
Fixed wrong input name.
Cisco ISE (3004)
Modified the base extraction regex to make the syslog header optional, so ISE logs can be sent to either a syslog input or a raw TCP input.
Symantec ProxySG (3125)
Moved the alert_severity_level lookup data to its own .csv to address a lookup-table complaint about duplicate values.
Linux Auditbeat (2928)
Corrected the mapping of vendor_event_type: changed-promiscuous-mode-on-device.
Cisco ISE (3019)
Fixed CmdSet parsing so the full command is returned as vendor_cmdset, dropping the CmdAV and CmdArgAV labels.
Bitdefender GravityZone (3007)
Fixed wrong search path in the New Incidents Count widget.
Curated Alerts (2583)
Improved rule: Illuminate – Windows Security – Active Directory Database Snapshot Via ADExplorer. The detector now covers execution of the 64-bit variant of ADExplorer.
Core DNS Processing (2675)
Fixed filter causing inconsistent results in the dashboard.
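Two of the Cisco ISE fixes in this section, 3004 (syslog header made optional) and 3019 (CmdSet collapsed into vendor_cmdset), are easiest to see on a concrete line. The Python below is an added example written for this page, not Illuminate's pipeline content; the sample messages are constructed, and the ISE message layout they follow (CISE_<category>, message ID, segment count, segment index, then a comma-separated body) is my assumption about the format rather than something taken from this page.

```python
"""Cisco ISE parsing with an optional syslog header and CmdSet collapsing.
Added example; the sample lines are constructed and the ISE message layout
they follow (CISE_<category> msgid total segment ...) is an assumption."""
import re

# Optional RFC 3164-style header (<PRI>, timestamp, host). A raw TCP input
# hands over the bare ISE message, so every header piece is optional.
SYSLOG_HEADER = (
    r"(?:<(?P<pri>\d{1,3})>)?"
    r"(?:(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s)?"
)
# ISE prefix: category, message ID, segment count, segment index, then the body.
ISE_BODY = (
    r"(?P<category>CISE_\w+)\s(?P<msg_id>\d+)\s(?P<seg_total>\d+)\s(?P<seg_num>\d+)\s"
    r"(?P<rest>.*)$"
)
ISE_RE = re.compile(SYSLOG_HEADER + ISE_BODY)
CMDSET_RE = re.compile(r"CmdSet=\[(?P<inner>.*?)\]")
CMD_TOKEN_RE = re.compile(r"(?:CmdAV|CmdArgAV)=(\S+)")


def extract_cmdset(rest):
    """'CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=<cr> ]'
    -> 'show running-config': the labels and the <cr> terminator are dropped."""
    m = CMDSET_RE.search(rest)
    if not m:
        return None
    tokens = [t for t in CMD_TOKEN_RE.findall(m.group("inner")) if t != "<cr>"]
    return " ".join(tokens)


def parse_ise_line(line):
    """Return header fields (when present), ISE prefix fields, vendor_cmdset and
    the comma-separated key=value pairs as one dict; None if the line is not ISE."""
    m = ISE_RE.match(line.strip())
    if not m:
        return None
    event = {k: v for k, v in m.groupdict().items() if v is not None and k != "rest"}
    rest = m.group("rest")
    cmd = extract_cmdset(rest)
    if cmd is not None:
        event["vendor_cmdset"] = cmd
        rest = CMDSET_RE.sub("", rest)  # the bracketed block has its own '=' signs
    for part in rest.split(", "):
        if "=" in part:
            key, value = part.split("=", 1)
            event[key.strip()] = value.strip()
    return event


# Constructed samples: the same TACACS+ accounting message as delivered to a
# raw TCP input (no header) and to a syslog input (header present).
RAW_LINE = (
    "CISE_TACACS_Accounting 0000000456 1 0 2024-06-10 12:01:02.456 +00:00 0000012346 "
    "3300 NOTICE Tacacs-Accounting: TACACS+ Accounting with Command, ConfigVersionId=120, "
    "Device IP Address=10.1.1.1, User=alice, "
    "CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=<cr> ], RequestLatency=5"
)
SYSLOG_LINE = "<182>Jun 10 12:01:02 ise01 " + RAW_LINE

if __name__ == "__main__":
    for line in (RAW_LINE, SYSLOG_LINE):
        print(parse_ise_line(line))
```

Both lines yield the same vendor_cmdset of "show running-config"; only the syslog-delivered one carries pri, ts and host. One caveat the example does not handle: ISE splits long messages across several syslog lines, numbered by the two counters after the message ID, so key=value extraction should run only on single-segment messages or after reassembly.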
CHANGED: Updates and Streamlining
NetFlow (3074)
Changed NetFlow IPv4/IPv6 renames and field types.
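The NetFlow entries in this release (2851 fixed IPFIX message identification and set handling; 3074 changed the IPv4/IPv6 field renames and types) touch the decisions every collector makes: which export version the header announces, how sets are delimited, and which information elements are addresses rather than integers. The Python below is an added example written for this page, not Graylog's NetFlow input; the sample messages are constructed in code, and the information element IDs are the standard IANA values.

```python
"""IPFIX (RFC 7011) vs NetFlow v9 (RFC 3954) identification and IPFIX set walking."""
import ipaddress
import struct

# IANA IPFIX information element IDs used below (standard registry values).
IE_NAMES = {1: "octetDeltaCount", 2: "packetDeltaCount", 4: "protocolIdentifier",
            7: "sourceTransportPort", 8: "sourceIPv4Address", 11: "destinationTransportPort",
            12: "destinationIPv4Address", 27: "sourceIPv6Address", 28: "destinationIPv6Address"}
ADDRESS_IES = {8, 12, 27, 28}

def identify(packet):
    # Both formats open with a 16-bit version field: 9 = NetFlow v9, 10 = IPFIX.
    version = struct.unpack("!H", packet[:2])[0]
    return {9: "netflow-v9", 10: "ipfix"}.get(version, f"unknown-v{version}")

def decode_value(ie_id, raw):
    # Address elements (4 or 16 bytes) become address strings; the rest unsigned ints.
    if ie_id in ADDRESS_IES and len(raw) in (4, 16):
        return str(ipaddress.ip_address(raw))
    return int.from_bytes(raw, "big")

def parse_template_set(body, domain, templates):
    # One template set may carry several template records. Each field spec is
    # (IE id, length); when the IE's high bit is set a 4-byte enterprise number follows.
    pos = 0
    while pos + 4 <= len(body):
        tid, count = struct.unpack_from("!HH", body, pos)
        pos += 4
        fields = []
        for _ in range(count):
            ie, flen = struct.unpack_from("!HH", body, pos)
            pos += 4
            pen = 0
            if ie & 0x8000:
                pen = struct.unpack_from("!I", body, pos)[0]
                pos += 4
                ie &= 0x7FFF
            if flen == 0xFFFF:
                raise NotImplementedError("variable-length IEs are not handled here")
            fields.append((pen, ie, flen))
        templates[(domain, tid)] = fields

def parse_data_set(body, fields, records):
    # Fixed-length records back to back; trailing bytes shorter than a record are padding.
    rec_len = sum(f[2] for f in fields)
    pos = 0
    while rec_len and pos + rec_len <= len(body):
        rec = {}
        for pen, ie, flen in fields:
            raw = body[pos:pos + flen]
            pos += flen
            name = f"pen{pen}.ie{ie}" if pen else IE_NAMES.get(ie, f"ie{ie}")
            rec[name] = int.from_bytes(raw, "big") if pen else decode_value(ie, raw)
        records.append(rec)

def parse_ipfix(packet, templates=None):
    # Walk every set of one message. templates is keyed by (observation domain,
    # template ID) since IDs are only unique per domain; reuse it across messages.
    templates = {} if templates is None else templates
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", packet[:16])
    if version != 10:
        raise ValueError("not an IPFIX message")
    records, offset = [], 16
    while offset + 4 <= length:
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > length:
            raise ValueError("malformed set length")
        body = packet[offset + 4:offset + set_len]
        if set_id == 2:
            parse_template_set(body, domain, templates)
        elif set_id >= 256:
            fields = templates.get((domain, set_id))
            if fields is not None:  # data that precedes its template is dropped here
                parse_data_set(body, fields, records)
        elif set_id != 3:  # 3 = options template set, skipped; anything else is reserved
            raise ValueError(f"reserved set ID {set_id}")
        offset += set_len
    return templates, records

def build_ipfix(sets, domain=1):
    # Assemble a message from (set_id, payload) pairs; used only to build the samples.
    body = b"".join(struct.pack("!HH", sid, len(p) + 4) + p for sid, p in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 0, domain) + body

# Constructed sample: a template set holding an IPv4 (256) and an IPv6 (257) template,
# then one data record for each; the counters use reduced-size (4-byte) encoding.
TEMPLATE_SET = (struct.pack("!HH" + "HH" * 6, 256, 6, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)
                + struct.pack("!HH" + "HH" * 3, 257, 3, 27, 16, 28, 16, 1, 4))
SAMPLE_IPFIX = build_ipfix([
    (2, TEMPLATE_SET),
    (256, ipaddress.IPv4Address("10.0.0.5").packed + ipaddress.IPv4Address("192.0.2.10").packed
          + struct.pack("!HHBI", 51234, 443, 6, 1500)),
    (257, ipaddress.IPv6Address("2001:db8::1").packed + ipaddress.IPv6Address("2001:db8::2").packed
          + struct.pack("!I", 64)),
])
SAMPLE_V9 = struct.pack("!HHIIII", 9, 0, 0, 0, 0, 0)  # constructed NetFlow v9 header, no flowsets
```

Running parse_ipfix(SAMPLE_IPFIX) yields one record with sourceIPv4Address "10.0.0.5" and one with sourceIPv6Address "2001:db8::1", each with octetDeltaCount decoded from its reduced-size field. The template cache is keyed per observation domain because two exporters may both use template ID 256 for different layouts; a data set whose template has not been seen yet is dropped here, where a production collector would buffer it until the exporter's next template refresh.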
Cisco IOS (2823)
Streamlined identification rule logic to be more efficient.
PowerShell, Postfix, Meraki, SEPM, Sophos, Sonicwall, Cisco Meraki, Symantec Endpoint (Multiple IDs)
Converted rules that used multiple grok patterns per rule to multi_grok for efficiency. Also standardized gim_event_type_code mappings to align with detection categories and reclassified subtypes from alert to detection across multiple packs (e.g., Defender, Snort, Stormshield, Palo Alto, Fortigate).
Palo Alto (2824)
Renamed spotlight title.
Schema (1940)
Modified index templates to copy hash related fields (e.g., hash_md5, file_hash_) to associated_hash. This provides additional context to hash objects.
Palo Alto 11 (687)
Updated colors for widgets that reference event_action to reflect the schema.
AWS Security Lake (2314)
Changed gim_event_category from alert to detection. The dashboard now supports both categories.
Bitdefender Telemetry (2950)
Changed GIM codes for network events from 129999 (default) to 120200 (open) and 120300 (close).
Illuminate Core (3008)
Disabled dynamic date detection for all Illuminate indices to fix mapping errors caused by inconsistent field formats.
Zeek (2618)
Changed DNS request categorization to exclude NBSTAT (NetBIOS node status) queries.
Core (1711)
Added support for MITRE ATT&CK Enterprise attacks_technique_uid and attacks_tactic_uid string values.
REMOVED / DEPRECATED Content
o365 (2957)
Removed redundant type assignment in the 22-o365_scc_categorize_alerts rule.
Bitdefender GravityZone (3058)
Removed a possible leading forward slash for the source field (fixes issue when hostname is empty).
Compliance Content (2959)
Removed deprecated ‘Compliance Content Spotlight (Deprecated)’ spotlight.
Palo Alto 9.1x (2716)
DEPRECATED: The Palo Alto 9.1x Spotlight and associated processing content have been deprecated. Users should transition to the Palo Alto 11 Content Pack.
About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.
About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.
Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.