Axon 2024.07 Release Notes
Welcome to the July 2024 release of LogRhythm Axon! We are pleased to announce numerous exciting updates and changes for this quarter’s release that we hope you’ll enjoy. Brief explanations of the updates are grouped into the following sections:
Key highlights include:
Detections
Advanced Correlation for Axon Analytics
Users now have the ability to correlate suspicious activity by defining the linking relationship between rule blocks in the Analytics Rule Builder. Previously, mapping relationships and groupings were performed at the rule-level and applied to the entire rule. Now, these links and relationships can be made on a per-rule block basis. This will enable more use cases and result in higher fidelity detections with greater threat coverage.
For information on using Axon’s Rule Builder, refer to the Rule Builder documentation.
Analyst Experience
Single Screen Investigation
Previously introduced in the Case Management screen, paneling is now available within the Search screen, so analysts can investigate threats without leaving the context of their search. This includes a new log summary card and dedicated user and host panels.
For more information on the content available in these single-screen investigation panels, refer to the Search Results Grid Inspector documentation.
Resizable Bar Chart Labels
The label column for the bar chart widget is now resizable, allowing users to widen it when label values are too long to display. The new width is saved when the dashboard is saved.
Compliance Modules
Axon-specific compliance modules have been created to allow Axon users to maintain full compliance with the following compliance regulations:
These modules include custom lists, dashboards, and reports that give you all of the information you need to ensure that you remain in compliance with ease.
Data Collection
Axon “Over-the-Top” Agent Upgrades
As of Axon Agent 1.2.4, installing a new version of the Axon Agent “over the top” of an existing install is supported on both Windows and Linux operating systems.
This type of installation only works when upgrading to a newer Axon Agent version. For example, an existing 1.2.4 installation can have a 2.0.0 Agent installed over the top without requiring an uninstall first.
For more information on these upgrades, refer to the Download and Install Axon Agents documentation.
Platform Improvements
Data Export
Streaming data export allows Axon to copy your log data into an Amazon S3 bucket in order to retain your data outside of Axon for business requirements, such as:
Satisfying compliance requirements in case of an audit;
Enabling long-term forensic search options; and
Shipping data to a third-party tool.
For more information on configuring and using data export, refer to the Axon Data Export documentation.
Case Created Alerts via Alert Manager
Admins can now configure email alerts to be automatically sent each time a case is created via the “Create Case” option in the Analytics Rule builder. Configuring the alerts via Alert Manager allows for emails to be distributed based on Axon role, user ID, or email address.
For more information on configuring these alerts, refer to the Case Created Alerts documentation.
List Enhancements
Axon now enforces a limit of 65,000 items per list, ensuring greater accuracy in analytics and search outputs. Lists can also be deleted to reduce clutter and allow admins to focus only on relevant records.
For more information on lists, refer to the Lists documentation.
Resolved Issues & Improvements
The following customer-found issues and improvement requests have been resolved/completed since the April 2024 release of Axon:
Issue ID | Release Notes |
---|---|
ENG-57447 | The Donut Dashboard widget no longer crashes when resized. |
ENG-58944 | The Active Collectors page now loads all the available data correctly. |
ENG-58304 | The Zscaler log parsing policy has been updated to parse additional fields. |
ENG-56925 | An error no longer occurs in certain situations when the Axon Agent installer is run on Ubuntu 22. |
ENG-57115 | The Axon Agent now collects Cisco Umbrella logs without any errors. |
ENG-58034 | The Axon Agent no longer fails to install in non-English Windows OS. |
ENG-57519 | The Axon Agent installation script has been updated to function without stopping the POS software in Windows 10. |
ENG-56448 | Issues with pulling Config data in Axon Agents are resolved after upgrading to agent version 2.0. |
ENG-58139 | The SentinelOne CEF parsing policy has been updated to include additional fields. |
ENG-57283 | The Fortinet FortiGate Firewall log parsing policy has been updated to include additional fields. |
ENG-57291 | The MS Windows Group parsing policy for vendor message ID 8007 has been updated to include additional fields. |
ENG-58330 | Updated the MS Security log parsing for EVID 4725 to map Origin Account Name to the correct policy. |
ENG-57976 | The AWS Secrets Manager log parsing policy has been updated by remapping certain fields. |
ENG-58301 | Updates have been made to all 23 log policies of AWS Secrets Manager. |
ENG-57917 | The Palo Alto NGFW log parsing policy has been updated by unmapping certain fields. |
ENG-57576 | The Amazon Elastic Cloud Compute parsing policy has been updated to include additional fields. |
ENG-59233 | A new policy, SentinelOne_ACTIVITY_LOG, has been created under the SentinelOne Cloud Funnel log source type to parse the logs as expected. |
ENG-60345 | An issue with certain Dashboard widgets requesting too many searches and looping infinitely has been resolved. |
ENG-59166 | The AWS S3 API Sentinelone Cloudfunnel identification policy has been updated to support the File category. |
ENG-59284 | A new policy, ListInstanceAssociations, has been created under the AWS Systems Manager log source type to parse the logs as expected. |
ENG-58028 | The Azure Active Directory Audit Logs parsing policy has been updated to correctly parse the user role field. |
ENG-55994 | The Azure Event Hub parsing policy has been updated by changing a few mappings to parse correctly. |
ENG-57287 | Updated the Checkpoint Firewall log policy to fix mappings and create new policies. |
ENG-58050 | Policy changes have been made to the Cisco ASA log source to correctly map the Observer Host IP and the Observer Host Name. |
ENG-57852 | The Cisco ASA policy common events have been updated. |
ENG-58570 | A new policy has been created under the Cisco ASA log source type to parse IP details correctly after parsing date and time. |
ENG-58471 | A new policy has been created using sequence under the Cisco Firepower log source type to support certain logs. |
ENG-57288 | Two new policies have been created under the Cisco Firepower log source type to support two new Events. |
ENG-58048 | Two existing policies have been updated and one new policy has been created under the Cisco Firepower Threat Defense log source. |
ENG-57280 | Updated 13 policies in the Google Workspace log source to parse logs correctly. |
ENG-58932 | Updated the Juniper MX104 log source by creating a new policy to fix certain issues. |
ENG-56328 | The LogRhythm NetMon parsing policy has been updated to correctly parse the URL Domain and URL Path fields. |
ENG-59214 | The MS Office 365 Management Activity parsing policy has been updated to parse logs correctly. |
ENG-58473 | Two Common Events have been added to the MS Windows Application policy to produce reliable results. |
ENG-57289 | The MS Windows Security parsing policy for EVID 4776 has been updated with a new set of Common Events specific to their result codes. |
ENG-58475 | Updated the MS Windows System log policy to extract KB Articles and map them correctly. |
ENG-57284 | A new policy has been created for MicrosoftGraphActivityLogs in the MS Graph API log source. |
ENG-58026 | Some remapping has been done in the Threat Intelligence policy for the MS Office 365 Management Activity log source. |
ENG-57973 | Updated the Palo Alto parsing policy to support new “Dynamic Update” subtype system events. |
ENG-59165 | In the Palo Alto NGFW log source, some of the field mappings have been removed to avoid incorrect mapping. |
ENG-58027 | The SentinelOne CEF Syslog parsing policy has been updated to parse additional data. |
ENG-58119 | Updated the mapping for Eventlog 6005 policy in the System log source. |
ENG-58875 | The MemberSID is now mapped correctly with the Target Account ID in the Windows Security log source. |
ENG-58217 | The Windows Security parsing policy has been updated to map certain fields correctly. |
ENG-58568 | New policies have been created for the SysMon, Group Policy, and System log sources to support new log samples. |
ENG-58273 | Updated the 1063-DHCP-Server policy under the MS Windows System log source to parse logs correctly. |
ENG-58283 | The parser now correctly includes and processes the URL field and other missing data for Checkpoint Log Exporter and Checkpoint Legacy log sources. |
ENG-58619 | Two Common Events, “Authentication Failure” and “Authentication Success”, have been added to the Firepower Audit Logs policy in the Cisco FirePower Threat Defense log source. |
ENG-58808 | The parser now correctly includes and processes the UserID field for Cisco FirePower log source. |
ENG-58300 | Missing entities from the observer hostname for the Cisco IOS parsing policy have been updated and mapped correctly. |
ENG-58685 | Updated the Identifier to support the “EppDetectionSummaryEvent” in the CrowdStrike Events log source. |
ENG-59150 | Three new policies have been created and the “postfix/smtpd” policy has been updated under the Linux OS log source type for reliable results. |
ENG-59058 | Four new policies, cron_messages_Linux_OS, osc/CROND-Linux_OS_messages, postfix_smtp, and postfix/cleanup, have been created under the Linux OS log source type. |
ENG-58984 | A new policy has been created under the Cisco Adaptive Security Appliance log source to correctly parse the Cisco ASA logs related to Event ID 303002. |
ENG-59147 | Five new policies have been created under the Linux OS log source type to match logs to supported sources. |
ENG-58368 | The MS Windows System log source has been updated and remapped to display the correct file version. |
ENG-52498 | Axon Reports now populate data for all widgets, and PDF generation has been improved so that graphs are far less often captured while still loading. |
ENG-56996 | The RegEx search filter in Axon now produces results as expected. |
ENG-56908 | New policies have been created for three events in the Cisco FirePower Threat Defense log source to parse logs correctly. |
ENG-58180 | The URL of the Cisco AMP Collector is now exposed in the Log Collection Endpoint field. |
ENG-57911 | The Network Direction field now correctly populates as “External” when both the Origin and Target Host IPs are public. |
ENG-57537 | Dispatcher-svc now processes batches of logs even if one of the suppression GroupBys exceeds the character limit of the database field. |
ENG-56265 | Checking the “include all columns with data” option when exporting a search to CSV now functions as expected. |
ENG-55607 | Users can now perform a title search on the Rules page using “t1078” as their search term and the search produces results as expected. |
ENG-57905 | The Search Panel no longer disappears in the Inspect section when the menu is opened for any corresponding field. |
ENG-57416 | An issue with zooming out and back in on the search visualization tab not resizing to normal in certain situations has been resolved. |
ENG-57898 | The Analytic and UEBA dashboards no longer crash when loading. |
ENG-58847 | Updated the Windows System log policy to support EVID 8019. |
ENG-58822 | Updated the Identification policies to support the UserAudit and ResourceAudit logs. |
ENG-56922 | An issue with all the saved searches not appearing when configuring a widget has been resolved. |
ENG-57401 | Updated the Azure Active Directory-SignIn policy under the Azure Active Directory log source to include additional fields. |
ENG-57632 | An issue with the PDF report cover page not showing the dates covered by the report is now fixed. |
ENG-59118 | Logs that match existing processing policies are now correctly identified/parsed by rebuilding the policy cache. |
ENG-57080 | Policy and mapping changes have been made to parse certain logs correctly. |
ENG-58741 | Widgets are now displayed correctly in the Visualization tab without any issues in the time filter. |
ENG-56828 | The notification-svc now checks if a user is enabled before sending any notification. Due to caching, it may take up to 60 minutes before notification-svc recognizes a user status change. |
ENG-56772 | An SLO rule with a filter searching for common event name triggers is now run both in dispatcher-svc and streaming-analytics-app. |
ENG-57578 | Null characters are now removed from Axon agent flat files during collection. |
ENG-56867 | An issue with inconsistencies in search results for different time ranges has been resolved. |
ENG-55840 | The single metric widget now queries search to get metrics correctly. |
ENG-56324 | The Axon UI now accurately displays log data even when it contains multiple adjacent whitespaces. |
ENG-57365 | Reduced the label area of the bar chart so that the tooltip is easier to reach. |
ENG-58732 | A new policy, Postfix/smtpd, has been created under the Postfix log source. |
ENG-57631 | An issue with all lists not being displayed in the list window while searching is now fixed. |
ENG-57462 | Two new policies have been created under the ZScaler log source with additional mappings. |
ENG-56712 | Updated the mapping and parsing policy in the ZScaler syslog firewall parser to parse data correctly. |
ENG-54778 | Updates have been made to the ZScaler log source to stop extracting white space during SPS processing. |
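The Network Direction fix in ENG-57911 above states one rule: the field is “External” when both the Origin and Target Host IPs are public. The following is an added illustration of how such an enrichment step can be derived from the two addresses; it is not Axon’s own code, and the “Internal”, “Outbound”, “Inbound” and “Unknown” labels, the field names, and the sample records are assumptions made for the example.

```python
"""Derive a Network Direction value from origin/target host IPs.

Added illustrative example, not Axon's own implementation. Only the
"External" rule (both IPs public) comes from the release notes; the other
labels and the field names are assumed conventions for a SIEM enrichment step.
"""
import ipaddress


def is_public(ip: str) -> bool:
    """True for globally routable addresses. Private, loopback, link-local,
    shared address space (100.64.0.0/10) and the documentation ranges
    (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are all non-public."""
    return ipaddress.ip_address(ip).is_global


def network_direction(origin_ip: str, target_ip: str) -> str:
    """Classify a flow by the public/private status of both endpoints."""
    try:
        origin_public = is_public(origin_ip)
        target_public = is_public(target_ip)
    except ValueError:
        return "Unknown"        # unparseable address: leave the direction undetermined
    if origin_public and target_public:
        return "External"       # the case described in ENG-57911
    if not origin_public and not target_public:
        return "Internal"       # assumed label
    if not origin_public and target_public:
        return "Outbound"       # assumed label
    return "Inbound"            # assumed label


# Constructed sample records (not real log data) shaped like parsed events.
# 8.8.8.8 and 1.1.1.1 are well-known public resolver addresses used only
# as examples of globally routable IPs.
SAMPLE_EVENTS = [
    {"origin_host_ip": "8.8.8.8", "target_host_ip": "1.1.1.1"},
    {"origin_host_ip": "10.0.0.5", "target_host_ip": "192.168.1.10"},
    {"origin_host_ip": "172.16.4.9", "target_host_ip": "8.8.8.8"},
    {"origin_host_ip": "1.1.1.1", "target_host_ip": "10.0.0.5"},
    {"origin_host_ip": "not-an-ip", "target_host_ip": "10.0.0.5"},
]


def enrich(events):
    """Return copies of the events with a network_direction field added."""
    return [
        dict(e, network_direction=network_direction(e["origin_host_ip"], e["target_host_ip"]))
        for e in events
    ]


if __name__ == "__main__":
    for event in enrich(SAMPLE_EVENTS):
        print(event)
```

Note that Python’s `is_global` treats the RFC 5737 documentation ranges as non-public, so an event using those addresses as stand-ins for Internet hosts would not be labelled “External”.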