Axon 2023.10 Release Notes
Welcome to the October 2023 release of LogRhythm Axon! We are pleased to announce numerous exciting updates and changes for this quarter’s release that we hope you’ll enjoy. Brief explanations of the updates are grouped into the sections below. Key highlights include:
Detections
New Rule Builder Block
A new Count Unique Values Observed Rule Block has been added to the Rule Builder. This block can be used in rules to detect when a count of unique values is seen in a specified metadata field within a given time range.
For example, if the Unique Value Count Threshold is set to 5, and the Unique Value is origin.account.name, if five unique origin account names are contained in the results of the configured Filter Query during the configured Timeframe, the rule will trigger.
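The following is an added illustration of the block's semantics, not Axon's own code: a sliding-window distinct-count detector run over constructed events, using the page's field origin.account.name and threshold of 5. The "action" field, the 5-minute timeframe, and the reset-after-trigger behaviour are assumptions made for the example.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (not real Axon output); "action" is a hypothetical
# field used only for the filter query.
EVENTS = [
    {"ts": "2023-10-01T12:00:00", "action": "logon_failure", "origin.account.name": "alice"},
    {"ts": "2023-10-01T12:00:30", "action": "logon_failure", "origin.account.name": "bob"},
    {"ts": "2023-10-01T12:01:00", "action": "logon_success", "origin.account.name": "carol"},
    {"ts": "2023-10-01T12:01:10", "action": "logon_failure", "origin.account.name": "alice"},
    {"ts": "2023-10-01T12:01:30", "action": "logon_failure", "origin.account.name": "carol"},
    {"ts": "2023-10-01T12:02:00", "action": "logon_failure", "origin.account.name": "dave"},
    {"ts": "2023-10-01T12:08:00", "action": "logon_failure", "origin.account.name": "erin"},
    {"ts": "2023-10-01T12:09:00", "action": "logon_failure", "origin.account.name": "frank"},
    {"ts": "2023-10-01T12:09:30", "action": "logon_failure", "origin.account.name": "grace"},
    {"ts": "2023-10-01T12:10:00", "action": "logon_failure", "origin.account.name": "heidi"},
    {"ts": "2023-10-01T12:10:30", "action": "logon_failure", "origin.account.name": "ivan"},
]


def count_unique_values_observed(events, filter_query, field, threshold, timeframe):
    """Return (timestamp, frozenset_of_values) for each time the number of distinct
    `field` values among filtered events inside a sliding `timeframe` window reaches
    `threshold`. The window is cleared after a trigger so one burst fires once
    (an assumption; the page does not describe the product's suppression)."""
    window, triggers = deque(), []
    for event in sorted(events, key=lambda e: e["ts"]):
        value = event.get(field)
        if not filter_query(event) or value is None:
            continue
        ts = datetime.fromisoformat(event["ts"])
        window.append((ts, value))
        while ts - window[0][0] > timeframe:  # evict events outside the timeframe
            window.popleft()
        distinct = {v for _, v in window}
        if len(distinct) >= threshold:
            triggers.append((ts, frozenset(distinct)))
            window.clear()
    return triggers


def run_example(threshold=5):
    """The page's example: threshold on origin.account.name, here over a 5-minute
    timeframe with a filter query that keeps only logon failures."""
    return count_unique_values_observed(
        EVENTS, lambda e: e["action"] == "logon_failure",
        "origin.account.name", threshold, timedelta(minutes=5))
```

With the threshold at 5, the first burst (four distinct names by 12:02) does not fire, and the older entries age out before the second burst reaches five names at 12:10:30; with the threshold lowered to 4, both bursts fire.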
Signal Replay
Signal Replay functionality has been added to Axon. Signal Replay collectors within Axon operate differently than other collectors: they can be used to purposefully push logs through Axon in order to demonstrate the capabilities of out-of-the-box Threat Detection Rules, as well as to test any Rules that you may have created yourself using the Axon Rule Builder.
Analyst Experience
Case Management
The new Axon Case Management feature allows you to increase security operations center (SOC) efficiency by automating incident response and investigative workflows: cases are created automatically from analytics rules for faster response times. Prioritize workflows by assigning threat severity levels to surface which events require immediate attention, and stay on top of case activity via the case management dashboard and email notifications.
Common Event & Special Characters Search
Axon now supports searching for special characters such as brackets, parentheses, equals sign, and dollar sign as criteria. If searching for a special character, the query string needs to be in quotes.
Common Event Names are available for use in widgets and in search. Easily see what activity logs represent at a glance. You can find the list of Common Events with corresponding descriptions at Axon Common Events List.
Search now supports the ability to search using regular expression. For information on building searches using RegEx and Common Events, see Build a Search Query.
Inspector Improvements
The Inspector has been improved to simplify the view by adding a new pinned field area, which contains important fields and also removes fields that are not as relevant to the analyst, such as GUIDs.
Search Improvements
Searches initiated from the Visualization tab now remain on the Visualization tab rather than swapping back to the Logs tab.
Data Collection
Axon Agent
Axon Agents version 1.1.6 and later now support RHEL 9 and Ubuntu 22.04 Linux distributions.
Sophos Cloud Collector
The Sophos Collector is now available, allowing you to configure the collection of Sophos Central logs in Axon.
AWS S3 Collector Improvements
The AWS S3 Collector now supports JSONL files and improves CloudTrail collection.
New Log Processing Policies
A10 Network Next-Gen Firewall
Axon Agent service logs
Azure Administrative
Checkpoint Legacy
Cisco IOS
Cisco Umbrella (API)
CyberArk
F5-BIG IP Syslog
FortiNet FortiNAC
Fortigate v7.0
Linux Audit
Microsoft Active Directory Federated Service
Microsoft Office 365 Management Activity
Microsoft Office 365 Security Alerts
Microsoft Windows Application
Microsoft Windows Directory Domain Service
Netflow
NGINX
Oracle OCI
Recorded Future
pfSense Plus
SentinelOne CEF
SentinelOne Cloud Funnel
Snort
New Schema Fields
The following new schema fields have been added:
Cert Thumbprint
Resource Image
Resource Group
Resource Type
Resource Region
Copy List Identifiers
“Copy list identifiers” buttons have been added to the Overview page for all Lists. Use these buttons to copy the unique identifiers for the List and the List column you want to search against, simplifying the process of creating a query. Queries built in this way can also be used to define filter criteria for rule blocks in the Analytics Rule Builder. For more information on how to reference lists in your queries, refer to the List Search section of the Build a Search Query documentation.
Role Mapping
Admins now have the ability to map identity provider groups to Axon roles. When role mapping is configured as part of your connection to an SSO provider, Axon will automatically assign users the appropriate role(s) based on IdP group membership. For more information, refer to the Single Sign-On Role Mapping section of the Single Sign-On (SSO) documentation.
Platform Improvements
Tenant Identifier
There is now a tenant identifier present in the UI and in the browser tab to make it easy to confirm your tenant ID. This information is needed when working with the Axon APIs.
Licensing Information
The Licensing Overview page has been updated to display the relevant information for Axon’s new ingest-based licensing metric.
Resolved Issues
The following issues have been resolved since the July 2023 release of Axon:
Issue ID | Release Notes |
---|---|
ENG-39318 | Analytics rules no longer fail to trigger in certain situations when the evaluation timeframe for the rule is less than a minute. |
ENG-41395 | Application of a time range filter no longer causes CSV generation of reports to fail. |
ENG-37789 | The AWS S3 Collector now correctly requires an AWS Region to be entered in order to save the configuration. |
ENG-42182 | Widgets with custom configurations no longer display default information for an extended period of time when reloading the Dashboard. |
ENG-38577 | Saved Dashboards can now correctly be modified as expected. |
ENG-34484 | Windows Event Logs no longer show as unidentified in certain situations where there is already a parsing policy configured for the logs. |
ENG-37059 | The Policy Builder Sequence Editor now correctly allows for the selection of the time stamp in a log message. |
ENG-38589 | Resizing certain Dashboard widgets no longer causes the Dashboard to produce an error. |
ENG-37412 | Accepting the End User License Agreement (EULA) no longer causes the Dashboard to fail to load data. |
ENG-38584 | Generating CSV reports no longer produces a 500 Internal Error in certain situations. |
ENG-41398 | Logs viewed in the Inspector now correctly highlight when selected. |
ENG-35546 | The O365 Message Tracking policy now correctly parses logs as expected. |
ENG-42747 | Saved Searches no longer fail to save timeframe settings in certain situations. |
ENG-37615 | Search results no longer fail to display in certain situations where there are 10,000+ results. |