Axon 2023.04 Release Notes
Welcome to the April 2023 release of LogRhythm Axon! This release includes many updates that we hope you'll like. Brief explanations of the updates are grouped into the sections below.
Key highlights include:
Detections
Observation Clustering
Axon intelligently combines observations with minimal tuning to identify the most meaningful observations and alert the analyst to those that need attention. Observations and other key events are automatically grouped into a cluster. When these rows are visible in a grid view, they display a new cluster icon. Opening the inspector shows details of the cluster, including how its members are related and details of the peers within the cluster.
For more information on Observation Clustering, refer to Clusters.
Analyst Experience
Donut Chart Update
The Donut widget for Dashboards and Search pages has been updated to aid in readability. When configured to display submetric values, the value labels appear as sections within the primary metric value. Clicking on a label or same-color section drills down into that section. Small values are grouped into # Items slices, and primary metric values too small to label are listed as # Groups. This section can also be expanded to fill the chart and see smaller values.
Assisted Search
A new search experience has been released to make construction of search queries faster and more accurate. Clicking into Add filter... in the Quick Search Bar allows the user to start typing a field name and then make a selection from the suggested list. Field names with spaces can be accessed by using a dot instead of a space (Host IP becomes host.ip). Operators can be selected from a drop-down list, with a default of IS (=). Values can then be entered in the Value... field. Pressing Enter executes the search and moves the query to the Search Bar on the Search Page. Pressing Tab adds a second clause.
Users can return to the text-based search experience through the Search Settings icon.
For more information on Assisted Search functionality, refer to the Search topic.
Single Metric Widget
The single metric widget is a new visualization that simply displays a count of values matching a query, with an underlying trend line to help the user understand the context of the value.
There are two main modes of operation: Count and Numeric Aggregation. From the configuration panel, choosing Count displays a total count and an optional trend line. This can be used to display the number of results matching a saved search.
Configuring the visualization to perform a numeric aggregation (average, minimum, maximum, or standard deviation) presents a list of numeric fields to aggregate on, such as Bytes Total. The visualization can then be configured to display additional numeric aggregations at the bottom.
For more information on the single metric widget, refer to Single Metric Widget.
Data Collection
Axon Agent for Linux
Axon Agents can now be installed on Linux hosts. When creating an Axon Agent Profile, you can now choose Linux as the target operating system. This allows Axon to secure even more types of hosts.
For more information on creating an Agent Profile using the Linux operating system, refer to Axon Agent Profiles.
Axon Agent Improvements
Axon Windows Agent has undergone performance enhancements that allow logs to be collected faster. The logging level can also be configured from the Agent configuration to assist with agent support.
New Log Sources Supported
- Akamai
- AWS Amazon ElastiCache
- AWS Amazon WorkDocs
- AWS Application Migration Service
- AWS Cloud9
- AWS CloudFormation
- AWS Elastic Container Service
- AWS GuardDuty
- AWS IoT Analytics
- AWS Route 53
- AWS Amazon Simple Notification Service
- AWS Virtual Private Cloud
- Cisco Meraki
- Cisco Meraki Cloud
- Cisco Secure Access
- Cisco Secure Endpoint
- Cisco Secure Web
- Cisco Umbrella
- Cloudflare
- Darktrace
- Digital Shadows Searchlight
- Dragos
- F5 Big-IP AFP, APM, ASM
- FireEye Web Malware Protection System
- Forcepoint CASB
- Forcepoint Secure Gateway
- Fortinet Authenticator
- Gmail Message Tracking
- Google Workspace
- Imperva Cloud WAF
- IronNet IronDefense
- Microsoft IIS
- Mimecast Email Security
- Netskope
- Oracle Cloud Infrastructure Audit
- Palo Alto Cortex Data Lake
- Palo Alto Cortex XDR
- Palo Alto Prisma Cloud
- RSA SecurID Cloud
- Windows Management Instrumentation
- Symantec DLP
- Trend Micro Cloud App Security
- Trend Micro Deep Discovery
- Trend Micro Email Security
- Zscaler Internet Access
- Zscaler Private Access
Platform Improvements
Status Page Enhancements
Two new metrics have been added to the Axon status page at https://logrhythm.statuspage.io/. These metrics automatically report whether the Ingest API is healthy and available and whether a user can execute a search and retrieve results.
We also re-organized the structure of the status page to prepare for when we have multiple Axon instances in the future. The new structure will consist of a hierarchical tree, where the top level is the Axon instance region (e.g. us-west-2 Oregon) and the items nested underneath are the metrics pertaining to that region. For example:
- us-west-2 (Oregon)
  - Axon - Web App Authentication
  - Axon - API Server
  - Axon - Ingest API
  - Axon - Search
- <future region>
  - Axon - Web App Authentication
  - Axon - API Server
  - Axon - Ingest API
  - Axon - Search
For more information on the Axon status page and how to subscribe to updates, refer to Axon Status Page.
Documentation Updates
The following documentation topics (not including those mentioned above) have been added or updated since the previous release.
Topic | Explanation | Documentation Link |
---|---|---|
Supported Log Source Types | This topic will be updated consistently to show all log source types that are currently supported within Axon. | Supported Log Source Types |
Generic REST Collector Documentation | Detailed documentation for configuring a generic REST collector within Axon. | Generic REST Collector |
Collector Configuration Guides | Existing collector configuration guides have been updated with screenshots and additional details. | Collector Configuration Guides |
Single Sign-On Configuration Guides | Three new configuration guides have been created showing how to set up Azure and Okta SSO configurations in the third-party portal and in Axon. | Single Sign-On (SSO) |
Resolved Issues
The following issues have been resolved with this release.
Bug ID | Release Notes |
---|---|
ENG-23192 | Transmission to the Axon platform is now done in 10MB chunks to avoid "payload too large" errors. |
ENG-29218 | Syslog headers are no longer stripped off and are correctly transmitted to the Axon platform for processing. |
ENG-23302 | A series of enhancements were made to the configuration to make the Axon Agent more reliable. |
ENG-6363 | Spooled files are now correctly identified and transmitted to the Axon platform. |
ENG-25021 | The Axon Agent now collects UTF-8 data without errors. |
ENG-26906 | Collectors can now be retired in situations where retirement previously failed. |
ENG-28598 | The Generic REST Collector no longer sets variable values in the transit's host field; this value remains constant. |
ENG-25264 | The trend chart widget no longer fails to display data in certain situations. |
Resolved Issues - Security-Related
Resolved security-related issues are available for customers to view on the Community.