
Axon 2024.01 Release Notes

Welcome to the January 2024 release of LogRhythm Axon. This quarter's updates are grouped into the sections below (Detections, Analyst Experience, Data Collection, and Resolved Issues), with a brief explanation of each change.

Key highlights include:

Detections

Automatic Case Creation

In the October release of Axon, Case Management was introduced, allowing you to track and record evidence for issues discovered. Those cases could be created manually in a variety of ways. In this release, we have added the ability to create cases automatically when rules built with Axon Rule Builder are triggered. With this feature, any time one of your rules that has been configured to create cases fires, a new case is added to the Case List with the name, description, and owner of your choosing.

For more information, refer to the Automatically Create Cases with Rule Builder section of the Add a New Case documentation.


Analytics Content

New LogRhythm-authored MITRE content has been added to out-of-the-box Analytics Rules, including:

  • T1189: Drive-By Compromise

  • T1083: File and Directory Discovery

  • T1566.001: Spearphishing Attachment

  • T1566.002: Spearphishing Link

  • T1114.003: Email Forwarding Rule

  • T1070.006: Timestomp: Update

Analyst Experience

Single Screen Case Investigation Workflow

Now you can view case evidence without switching between multiple tabs. When you open a piece of case evidence, the new log list panel is shown instead of redirecting you to the search page. Clicking a row in this panel opens the log inspector with all the information about that log, so the case detail panel, evidence list panel, and log inspector panel are visible side by side.

For more information, refer to the Case Search Panel section of the Manage Cases topic.


Bulk Case Management

From the Case List, a user can change the owner, status, and priority of multiple cases at once, which makes it easier to clean up duplicates or reassign work after team changes. Select the cases in the case grid and choose an action from the top menu.

See the Modify Multiple Cases section of the Case List documentation for more information.


Case Management API Documentation

API documentation is now available for the Case Management API, so cases can be managed from third-party tools or scripts and integrated into your existing workflow.

Assisted Search - List Integration

Searching using lists has become more user-friendly, eliminating the need to memorize IDs or syntax. When using the IN or NOT IN operators, you'll now receive prompts for list names containing values that correspond to the field you're searching. Upon choosing a list name, relevant columns matching the data type will be automatically suggested, completing the query for you.

For more information, refer to the Assisted Search Tips section of the Search documentation.


Data Collection

Axon Agent Diagnostic Bundles

To assist with supporting Axon Agents, we have introduced a way to collect diagnostic data on Windows and Linux platforms. Run the diagnostic script before you open a ticket with LogRhythm Customer Support and attach the resulting bundle to the ticket, so that our support representatives have a clearer picture of the issue before they start helping you resolve it.

For more information, see the Diagnostic Script Usage sections of the Axon Agent Windows Troubleshooting Guide and the Axon Agent Linux Troubleshooting Guide.

O365 Management Activity Collector

The O365 Management Activity Collector is now available, allowing you to configure the collection of Microsoft Office 365 Management Activity logs in Axon.
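The rule content LogRhythm ships for the MITRE techniques listed under Analytics Content is not reproduced on this page, so the following is an added example, not LogRhythm's code, of what a T1114.003 Email Forwarding Rule detection looks like when run over the kind of Exchange audit records the O365 Management Activity Collector ingests. The records are constructed for illustration; the field names (Operation, UserId, Parameters as Name/Value pairs) follow the public Office 365 Management Activity schema, but the cmdlet list, parameter list, and tenant domains are assumptions you would tune to your own tenant.

```python
"""Added example: detect MITRE ATT&CK T1114.003 (Email Forwarding Rule) over
Office 365 Management Activity records. Not LogRhythm's rule logic."""
import json
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumption: Exchange cmdlets that can create or modify mail forwarding.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Set-TransportRule"}
# Assumption: cmdlet parameters that carry a forwarding or redirect destination.
FORWARDING_PARAMS = {
    "ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
    "ForwardingSmtpAddress", "ForwardingAddress", "RedirectMessageTo",
}
# Assumption: domains that belong to the tenant; anything else is external.
TENANT_DOMAINS = {"corp.example"}


def extract_destinations(value):
    """Pull e-mail addresses out of a parameter value. Handles bare addresses,
    'smtp:' prefixes and multi-valued strings such as 'a@x; b@y'."""
    if not isinstance(value, str):
        return []
    return [m.lower() for m in EMAIL_RE.findall(value)]


def evaluate_record(record, tenant_domains):
    """Return an alert dict if the record configures forwarding, else None."""
    if record.get("Operation") not in FORWARDING_OPERATIONS:
        return None
    params = {p.get("Name"): p.get("Value") for p in record.get("Parameters", [])}
    destinations = []
    for name in FORWARDING_PARAMS.intersection(params):
        destinations.extend(extract_destinations(params[name]))
    if not destinations:
        # Rule or mailbox change without a forwarding target, or forwarding
        # being cleared (empty ForwardingSmtpAddress): nothing to alert on.
        return None
    external = sorted({d for d in destinations
                       if d.rsplit("@", 1)[1] not in tenant_domains})
    return {
        "technique": "T1114.003",
        "user": record.get("UserId"),
        "operation": record["Operation"],
        "destinations": sorted(set(destinations)),
        "external": external,
        # External destinations are the classic exfiltration pattern; internal
        # redirects are still worth a lower-severity look.
        "severity": "high" if external else "medium",
        # Forward-and-delete hides the forwarding from the mailbox owner.
        "deletes_original": str(params.get("DeleteMessage", "")).lower() == "true",
    }


def run_detection(raw_lines, tenant_domains):
    """Evaluate newline-delimited JSON audit records and return the alerts."""
    alerts = []
    for line in raw_lines:
        alert = evaluate_record(json.loads(line), tenant_domains)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample records (not real tenant data).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"CreationTime": "2024-01-09T10:15:02", "Workload": "Exchange",
     "Operation": "New-InboxRule", "UserId": "jdoe@corp.example",
     "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice"},
                    {"Name": "ForwardTo", "Value": "collector@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "asmith"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:asmith@partner.example"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "bchen@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "Move newsletters"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "kwong@corp.example",
     "Parameters": [{"Name": "Name", "Value": "To manager"},
                    {"Name": "RedirectTo", "Value": "manager@corp.example"}]},
    {"Operation": "Set-Mailbox", "UserId": "admin@corp.example",
     "Parameters": [{"Name": "Identity", "Value": "asmith"},
                    {"Name": "ForwardingSmtpAddress", "Value": ""}]},
    {"Operation": "MailItemsAccessed", "UserId": "jdoe@corp.example",
     "Parameters": []},
]]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_LOG, TENANT_DOMAINS):
        print(json.dumps(a))
```

Run against the constructed records, the first two produce high-severity alerts (external destinations, the first one also deleting the original), the internal redirect produces a medium-severity alert, and the forwarding-free rule change, the forwarding removal and the unrelated MailItemsAccessed event produce nothing. The same shape (operation allow-list, parameter allow-list, tenant-domain check) is how you would express the rule in any SIEM, with the three allow-lists maintained as lists rather than literals.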

New Log Processing Policies

Log processing policies have been added for the following log sources:

  • Akamai SIEM CEF

  • Apache Airflow

  • Arista Switch

  • Cisco Wireless Controller

  • F5 BIG IP System

  • F5 BIG IP TMM

  • Juniper Firewall

  • Microsoft Defender Advanced Hunting

  • Microsoft DNS Server

  • Mimecast LEEF

  • strongSwan

  • VMWare ESX

Resolved Issues

The following issues have been resolved since the October 2023 release of Axon:

Issue ID: Release note

  • ENG-42286: It is no longer possible for the customer to edit the Axon Agent File Collector to change the file collection entry. The field is now read-only and has an "OK" or "Cancel" button.

  • ENG-43054: Configuration details for the Axon Agent Collector are visible with the OK button but are not editable.

  • ENG-48260: Carbon Black Policy Enforcement is now working properly.

  • ENG-48708: Axon Agent logging now filters out any log that does not start with a timestamp.

  • ENG-48782: Azure Active Directory Authentication logs no longer show success and failure common events on the same log.

  • ENG-48815: Analytics rules created with a list filter now work as expected.

  • ENG-48895: An issue with heat map timeframes in the search visualization window has been resolved.

  • ENG-49154: The Bar Chart widget now correctly generates saved search data as expected.

  • ENG-49206: Saved search data is no longer still present in widgets after the saved search has been deleted.

  • ENG-49534: Filters using arrayable CDO fields can now be used in analytics rules as expected.

  • ENG-49602: Searches initiated from the saved search tab no longer fail in certain situations.

  • ENG-49668, ENG-50279: Azure logs now correctly parse "results" values other than 0.

  • ENG-49669: Windows Security EVID 4932 and 4933 no longer show as unidentified when a policy to identify the logs is present.

  • ENG-49740: A user who authenticated once for Okta parsing no longer automatically receives an authorization success for subsequent requests to access resources.

  • ENG-49758: Many missing Okta platform event types have now been added to the policy.

  • ENG-49805: An upstream connect error that would appear when configuring Google Drive logs has been fixed.

  • ENG-49892: CrowdStrike is now correctly sending logs to Axon.

  • ENG-49899, ENG-50938: All saved searches can now correctly be displayed and filtered in a widget's saved searches dropdown menu.

  • ENG-50011: An issue with certain Cisco Umbrella logs being collected but not identified has been resolved.

  • ENG-50052: The ability to filter saved searches has been removed.

  • ENG-50109: An issue with Microsoft PowerShell and Microsoft System logs being recorded as "unidentified" despite a policy existing for them has been resolved.

  • ENG-50269: An issue with filters not working when used in an analytics rule has been resolved.

  • ENG-50323: Parsing improvements have been made for Azure Event Hub and FortiGate logs.

  • ENG-50914: Parsing improvements have been made for Okta logs so that data for newly created users can be retrieved.

  • ENG-50916: Parsing improvements have been made for Azure logs so that the "add user" value is parsed as an activity, not an application.

  • ENG-50940: Analysts can now see all enabled analytics rules listed in the Analytics Rules Notification grid.

  • ENG-51191: Parsing improvements have been made for Windows Security Logs so that the Origin IP Address is correctly parsed.

  • ENG-52002: The Graph API Collector no longer produces intermittent errors while logs are being collected normally, and the errors it does produce are more detailed.

  • ENG-52033: Clicking on a case no longer displays the incorrect case data in certain situations.

  • ENG-52220: An issue with custom rules seemingly ignoring common event filters in certain situations has been resolved.

  • ENG-52259: Comments can now be made on cases that have a status of "waiting."

  • ENG-52332: An issue with the Cisco Firepower Threat Defense log source type's policies not correctly being parsed has been resolved.
