Axon 2024.04 Release Notes
Welcome to the April 2024 release of LogRhythm Axon! This quarter's release brings a number of updates and changes that we hope you'll enjoy. Brief explanations of the updates are grouped into the sections below. Key highlights include:
Detections
Analytics Rule Suppression
In certain cases, rules can fire multiple times in quick succession, creating a lot of extra “noise” in the form of observations and cases that contain duplicate information. To help with this, users can now suppress an analytics rule’s output to one observation for a period of time up to 24 hours.
For additional information, refer to the Analytics Rule Builder documentation.
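To make the suppression behaviour concrete, here is an added example (not Axon's code, and not taken from the Axon documentation) of how a fixed suppression window folds repeated firings of one rule into a single observation. It assumes a per-rule suppression key (here, the host the rule matched on) and a window that opens at the first firing; the release notes state only the one-observation-per-window outcome and the 24-hour cap, so those two assumptions are mine. The sample firings are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_SUPPRESSION = timedelta(hours=24)  # upper bound given in the release notes


@dataclass
class Firing:
    rule: str       # analytics rule that matched
    key: str        # what the firing is about, e.g. the host or user (assumed)
    ts: datetime


@dataclass
class Observation:
    rule: str
    key: str
    first_seen: datetime
    last_seen: datetime
    count: int = 1  # firings folded into this observation


class Suppressor:
    """Emit at most one observation per (rule, key) per suppression window.

    Hypothetical fixed-window implementation: the window opens at the first
    firing, and every later firing inside it is folded into that observation
    (count and last_seen are updated) instead of creating a new one.
    """

    def __init__(self, window: timedelta):
        if not timedelta(0) < window <= MAX_SUPPRESSION:
            raise ValueError("suppression window must be between 0 and 24 hours")
        self.window = window
        self._open: dict[tuple[str, str], Observation] = {}

    def feed(self, f: Firing) -> Optional[Observation]:
        """Return a new Observation, or None if the firing was suppressed."""
        k = (f.rule, f.key)
        cur = self._open.get(k)
        if cur is not None and f.ts < cur.first_seen + self.window:
            cur.count += 1
            cur.last_seen = max(cur.last_seen, f.ts)
            return None
        obs = Observation(f.rule, f.key, f.ts, f.ts)
        self._open[k] = obs
        return obs


T0 = datetime(2024, 4, 1, 12, 0)

# Constructed sample: a rule firing repeatedly for one host, once for a
# second host, and again for the first host after the window has expired.
SAMPLE_FIRINGS = [
    Firing("Brute Force Logon", "host-a", T0),
    Firing("Brute Force Logon", "host-a", T0 + timedelta(minutes=1)),
    Firing("Brute Force Logon", "host-a", T0 + timedelta(minutes=5)),
    Firing("Brute Force Logon", "host-b", T0 + timedelta(minutes=6)),
    Firing("Brute Force Logon", "host-a", T0 + timedelta(minutes=61)),
]


def run_demo(window: timedelta = timedelta(hours=1)) -> list[Observation]:
    """Feed the sample through a one-hour window; return the observations emitted."""
    s = Suppressor(window)
    return [obs for f in SAMPLE_FIRINGS if (obs := s.feed(f)) is not None]


if __name__ == "__main__":
    for o in run_demo():
        print(f"{o.rule} / {o.key}: {o.count} firing(s) "
              f"from {o.first_seen:%H:%M} to {o.last_seen:%H:%M}")
```

Five firings produce three observations: the three early host-a firings collapse into one (with a count of 3), host-b gets its own, and the host-a firing at 61 minutes opens a fresh window. The count and last_seen fields are kept on purpose; suppression should reduce case noise without discarding the evidence that the rule kept firing.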
Analytics Content
New LogRhythm-authored MITRE content has been added to out-of-the-box Analytics Rules, including:
T1090.001:Proxy
T1136.003:Cloud Account
T1199:Trusted Relationship
T1078.001:Default Accounts
T1078.003:Local Accounts
T1078.004:Cloud Accounts
T1059.001:PowerShell:ProviderLifeCycle
T1621:MFA Request Generation
T1558.003:Kerberoasting
For more information on recently-added threat detection rules, refer to the Threat Detection Rules documentation.
Analyst Experience
Import and Export Dashboards
With the new Import and Export Dashboards feature, you can bring custom dashboards used by certain compliance policies into your Axon tenant instantly. The same feature can be used to share dashboards with other users, with the eventual goal of creating a hub for user-created dashboards.
For more information, refer to the Export a Custom Dashboard and Import a Custom Dashboard sections of the Manage Dashboards documentation.
Case Management Metrics
The Case Management screen now includes aggregate metrics, showing open and unassigned case counts, as well as breakdowns by case priority and status.
For more information, refer to the Case List Metrics section of the Case Management documentation.
PCI-DSS Compliance Module
An Axon-specific module has been created to allow Axon users to maintain full compliance with the Payment Card Industry Data Security Standard (PCI-DSS) 4.0. This module includes custom lists, dashboards, and reports that will give you all of the information you need to ensure that you remain in compliance with ease.
For more information, refer to the module at Axon PCI Compliance Bundle.
Case Management Log List Panel
The Case Management log list panel has been updated to more accurately highlight the important data that matters most to you.
Updates to Reports
Reports have received an overhaul for this release. Notably, the cover page for exported PDF reports has been redesigned to be more appealing. Additionally, exported CSV files containing search grid results have been improved to be more reliable and user-friendly.
Search Changes
Search column layout changes are now persistent across multiple searches. Additionally, saved searches maintain the original saved layout. These changes have made the process of creating multiple searches back-to-back much more user-friendly and efficient.
Data Collection
New Log Processing Policies
Jamf Pro
Forcepoint Secure Web Gateway
F5 BIG-IP TMM
Windows Group Policy
GCP Pub/Sub
VMware vSphere
Sysdig Secure
Forcepoint Secure Web Gateway CEF
AWS Elastic Load Balancing
Axon Agent Improvements
Axon Agent releases are now tracked separately from these general release notes to bring greater attention to this major area of focus within the Axon product. During this quarter, Axon Agent versions 1.2 and 2.0 were released; the current version, 2.0.0, consolidates many of the changes made to Axon Agents since the launch of Axon, including the Secure Syslog Collector.
For more information on the release of Axon Agent v1.2, refer to the Axon Agent v1.2 Release Notes.
For more information on the release of Axon Agent v2.0, refer to the Axon Agent v2.0 Release Notes.
Platform Improvements
Alert Manager & Silent Log Source Alerts
It is important that all log sources are up to date so that the latest data is fed into analytics and is available for search. To improve visibility into any log sources that may have fallen behind, Admins can now configure email alerts to be sent when one or more log sources fail to send new data within a configurable amount of time. Silent Log Source alerts can be configured to repeat automatically if the source continues to be silent, and they will stop automatically based on the time window selected.
Refer to the Alert Manager topic for more information.
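Here is an added example, not Axon's implementation and not from the Alert Manager documentation, of the scheduling logic a silent-log-source alert implies: first alert after a configurable silent period, repeats at a fixed interval while the source stays silent, and an automatic stop once the source has been silent longer than the selected window. The three parameters and the fallback to the enrollment time for sources that have never sent a log are my assumptions; the sample sources are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LogSource:
    name: str
    enrolled_at: datetime
    last_log_at: Optional[datetime]  # None if the source has never sent a log


def alert_times(
    src: LogSource,
    now: datetime,
    silent_after: timedelta,   # how long a source may be quiet before the first alert
    repeat_every: timedelta,   # interval between repeat alerts while still silent
    stop_after: timedelta,     # no more alerts once silent longer than this
) -> list[datetime]:
    """Times at which a silent-source alert is due for `src`, up to `now`.

    Hypothetical scheduling. A source that has never reported is measured
    from its enrollment time, otherwise it would never be flagged at all.
    """
    if repeat_every <= timedelta(0):
        raise ValueError("repeat_every must be positive")
    since = src.last_log_at or src.enrolled_at
    t = since + silent_after
    cutoff = min(now, since + stop_after)
    due = []
    while t <= cutoff:
        due.append(t)
        t += repeat_every
    return due


def sweep(sources, now, silent_after, repeat_every, stop_after) -> dict[str, list[datetime]]:
    """Run alert_times over every source; keep only sources with alerts due."""
    out = {}
    for s in sources:
        due = alert_times(s, now, silent_after, repeat_every, stop_after)
        if due:
            out[s.name] = due
    return out


NOW = datetime(2024, 4, 1, 14, 0)

SOURCES = [  # constructed sample inventory
    LogSource("fw-edge-01", datetime(2024, 3, 1), datetime(2024, 4, 1, 13, 50)),   # healthy
    LogSource("dc-01", datetime(2024, 3, 1), datetime(2024, 4, 1, 10, 0)),         # silent 4h
    LogSource("vpn-02", datetime(2024, 4, 1, 11, 0), None),                         # never reported
    LogSource("legacy-proxy", datetime(2024, 1, 1), datetime(2024, 3, 25, 9, 0)),   # silent a week
]


def run_demo() -> dict[str, list[datetime]]:
    """Alerts due with a 1h silence threshold, hourly repeats, and a 3h stop window."""
    return sweep(SOURCES, NOW,
                 silent_after=timedelta(hours=1),
                 repeat_every=timedelta(hours=1),
                 stop_after=timedelta(hours=3))


if __name__ == "__main__":
    for name, times in run_demo().items():
        print(name, [t.strftime("%m-%d %H:%M") for t in times])
```

Two points worth checking in any silent-source configuration fall out of the sample: vpn-02 only alerts because the never-reported case falls back to the enrollment time, and legacy-proxy's alerts all stopped a week ago, so a stop window also means a long-dead source is no longer being mailed about and should be caught by a dashboard or periodic review instead.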
LogRhythm System Lists
LogRhythm now publishes lists, both populated and unpopulated out of the box, to power analytics and compliance use cases. LogRhythm system lists can be identified by reviewing the Author column of the Lists grid; any list with an Author of LogRhythm was developed by our in-house threat research team and pushed to your tenant. Add list items that are relevant to your organization to the unpopulated lists, and then they will be ready to be referenced by analytics rules or searches. An inventory of system lists along with the use cases they were developed to satisfy can be found in the System Lists section of the Lists documentation.
Resolved Issues & Improvements
The following customer-found issues and improvement requests have been resolved/completed since the January 2024 release of Axon:
Issue ID | Release Notes |
---|---|
ENG-52473 | Axon Collectors now correctly display the Last Log Message timestamp. |
ENG-53254 | MS Security logs now correctly separate IP addresses in log message results. |
ENG-53316 | Enrolled Axon Agents no longer fail to appear in the Axon UI in certain situations. |
ENG-53628 | The Origin Host IP and Target Host IP no longer swap in Cisco logs. |
ENG-37665 | Axon Agents that have not connected now appear correctly when sorting by the Last Active column. |
ENG-41729 | Axon Agents no longer display Fluentd errors in certain situations. |
ENG-41957 | An error no longer displays when importing certain processing policies. |
ENG-49913 | An “unsupported log source” error for certain Axon agents has been resolved. |
ENG-50056 | A winlog.json error has been resolved for certain Axon agents. |
ENG-51294 | The reporting service infrastructure has been adjusted in order to improve the success of .CSV downloads. |
ENG-52845 | Drilling down on a saved search in a Dashboard widget no longer appends an unnecessary timestamp to the end of the search. |
ENG-53983 | Updated the MS Security log parsing for EVIDs 4624 and 4625 to include the WorkstationName. |
ENG-54119 | An issue with Windows logs not fully parsing has been resolved. |
ENG-54165 | Updated the Fortinet FortiGate Firewall log parsing to include the dstinetsvc and profile fields. |
ENG-54011 | An issue with the search button resetting the search timeframe in certain situations has been resolved. |
ENG-54173 | An issue with the analytics rule notification emails not linking properly has been resolved. |
ENG-54192 | An issue with Automatic Case Creation not functioning in certain situations has been resolved. |
ENG-54240 | A “cursor key name” error displaying for Cisco AMP collectors in certain situations has been resolved. |
ENG-54363 | The “username” field now parses correctly in Palo Alto logs. |
ENG-54545 | The Cisco Meraki Security Events parsing policy has been updated to correctly parse source and destination IP addresses. |
ENG-54547 | The SentinelOne CEF parsing policy has been updated to include additional fields. |
ENG-54572 | The Office 365 parsing policy has been updated to correctly fully parse logs. |
ENG-54627 | The Palo Alto authentication log parsing policy has been updated to correctly parse additional fields. |
ENG-54643 | An issue with the search grid incorrectly doubling results when it is refreshed has been resolved. |
ENG-55413 | The Cisco Meraki Security parsing policy has been updated to include previously unidentified logs. |
ENG-55590 | The MS Windows Security parsing policy for EVID 4662 has been updated to correctly parse the AccessMask field. |
ENG-55591 | The Azure AD parsing policy has been updated to correctly parse the AppID and deviceDetail.browser fields. |
ENG-55714 | The MS Windows Security parsing policy for EVID 4625 has been updated to include the TargetUserSid, TargetUserName, TargetDomainName, and WorkstationName fields. |
ENG-54548 | The Azure AD parsing policy has been updated for the Policy Azure AD-SignIn log source to include required fields. |
ENG-54808 | An issue with data from the Notes widget being carried over between dashboards has been resolved. |
ENG-55644 | An issue with the “Open in Search” button not working for certain logs has been resolved. |
ENG-55661 | An issue with the dashboard crashing when resizing certain widgets has been resolved. |
ENG-55699 | An issue with the search page requiring excess scrolling to the right when numerous tabs are open has been resolved. |
ENG-55994 | Updated the Azure Events Hub collector parsing policy to include the “groups” vendor field. |
ENG-55999 | An issue with retrieving logs and opening case evidence in search within Case Management has been resolved. |
ENG-56265 | Checking the “include all columns with data” option when exporting a search to CSV now functions as expected. |
ENG-56370 | The CrowdStrike parsing policy has been updated to include new field mappings. |
ENG-50754 | An issue with the “Reset 2FA Device” option being accessible from the three-dot menu in the Users table has been resolved. This option is only accessible from within the User Details page. |
ENG-52001 | An issue with the Observation Alerts screen not showing all rules as available for email notifications has been resolved. |
ENG-52735 | An issue with saved searches not appearing when configuring widgets has been resolved. |
ENG-52849 | The “split parameter” option now functions as expected in the Amazon AWS S3 collector. |
ENG-53866 | An issue with enrolling Axon agents on systems with a large number of CPU cores or very slow I/O has been resolved. |