7.12.0 GA Release Notes - 3 April 2023

Introducing LogRhythm SIEM 7.12! In this version, we improved the process for collecting and monitoring new security data sources. We streamlined these administrative tasks to give users more time to respond to and investigate detected threats. Brief explanations of the updates are grouped into the following sections.

Key highlights include:

  • Analyst Experience
  • Automation
  • Data Collection

Sections on maintenance and upgrades:

  • Upgrade Considerations
  • Resolved Issues
  • Known Issues

Analyst Experience

In the last release, LR SIEM 7.11, LogRhythm introduced SecondLook in the Web Console for LogRhythm Cloud customers who purchased archive storage. This new SecondLook UI lets LogRhythm Cloud customers configure and run SecondLook restores directly from the Web Console. In 7.12, we added a quick search function that allows users to retrieve completed SecondLook restore results with the click of a button.

An inactive search icon is now displayed in the actions column of each restore. When the restore status moves from In Progress to Completed, the icon activates.


Select the icon to quickly run a search for the logs restored by SecondLook.


Each search is pre-populated with the filter criteria used in the corresponding saved SecondLook restore settings, and it works like all other searches. The history of past searches is updated whenever you click the SecondLook quick search icon, giving you easy access to modify pre-populated filters.

Automation

Over the past several SIEM versions, LogRhythm has released additional endpoints for the Admin API that enable integration and automation workflows for log source and agent onboarding. Version 7.12 further extends these capabilities by adding endpoints that allow you to programmatically:

  • Retrieve additional log source details, including:
    • Last Log Message
    • Silent Log Source configurations
    • System Monitor name
    • System Monitor ID
  • Create and update virtual log sources from a template
  • Update existing log source virtualization templates
  • Manage log processing policies
  • Manage log source types

For more details on all the available endpoints, refer to the API Documentation. New to the API and wondering how to get started? Learn more on the Community!

Data Collection

Version 7.12 improves log source onboarding workflows with log source visibility in the Web Console and enhancements to the Open Collector's OC Admin.

Added Beats Support in OC Admin

Collecting data from API log sources is faster and easier with OC Admin. In 7.12, we added support to the following LogRhythm Beats:

  • Prisma
  • Symantec Web Secure Service (WSS)
  • Microsoft Graph API
  • Carbon Black Cloud
  • Cisco AMP
  • DUO
  • Proofpoint

Open Collector Administration

Monitoring collectors across the enterprise just became easier. LogRhythm SIEM 7.12 introduces light administration capabilities within OC Admin.

Live statistics (CPU, memory, network, storage, and process consumption) are available for the containers running on a given Open Collector host.

On the Open Collector Manage page, customers can perform a series of actions on the Beats and Open Collector components, including: starting and stopping, importing and exporting configurations, exporting logs as files, and viewing high-level configurations or real-time logs in the UI.


Finally, we added support for exporting and tracking Open Collector and Beats internal logs in real time.

Log Sources Page in the Web Console

In the Web Console, global and restricted administrators now have a Log Sources option in the Administration menu.

On the Log Sources page, administrators can quickly check the status and health of log sources in the Web Console. They can easily see if a log source is active or retired, along with the timestamp of the last log received. 

The Log Source Grid shows a dynamic display of log sources based on the access granted to the user.

Restricted administrators can only view the effective log sources defined in their user profile.

The Log Source Grid helps administrators immediately identify problematic log sources with Silent Log Source highlighting. In environments that contain thousands of log sources, admins can filter down to view just the log sources that matter. Filters include:

    • Name
    • Entity
    • Log Source Type
    • Log Source Host
    • Collection Agent
    • Silent Log Source status
    • Last Log Message

Automatic Restored Archive Maintenance

Administrators can now configure Automatic Maintenance of restored archives in LogRhythm SIEM 7.12. In the Configuration Manager, they can toggle automatic maintenance on or off. They can also set time to live (TTL) and maximum disk utilization parameters. When enabled, restored archive indices on the Data Indexer (indices labeled "logsar-") will be deleted based on whichever condition is met first - the specified TTL or the maximum disk utilization. When the maximum disk utilization condition is triggered, the oldest restored index is deleted first.
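As an added illustration (not LogRhythm's code), the following Python models the two retention conditions described above: a TTL and a maximum disk utilization, whichever is met first, with the oldest restored index removed first under disk pressure. It assumes restored-archive indices are identified by the "logsar-" name prefix; the index names, ages, sizes and disk capacity are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: restored-archive indices are identified by the "logsar-" name prefix.
LOGSAR_PREFIX = "logsar-"

@dataclass(frozen=True)
class RestoredIndex:
    name: str
    restored_at: datetime   # when the archive restore completed
    size_gb: float          # on-disk size of the index

def plan_archive_maintenance(indices, now, ttl, max_disk_utilization, disk_capacity_gb):
    """Return the names of "logsar-" indices one maintenance pass would delete.

    Hypothetical model: an index is removed when its TTL has elapsed or when
    disk utilization exceeds the configured maximum, whichever is met first;
    under disk pressure the oldest restore is deleted first. Live indices are
    never candidates but their size counts toward utilization.
    """
    restored = [i for i in indices if i.name.startswith(LOGSAR_PREFIX)]
    live_gb = sum(i.size_gb for i in indices if not i.name.startswith(LOGSAR_PREFIX))

    # Condition 1: TTL. Expired restores go regardless of disk usage.
    expired = [i for i in restored if now - i.restored_at >= ttl]
    remaining = sorted((i for i in restored if i not in expired), key=lambda i: i.restored_at)
    to_delete = [i.name for i in expired]

    # Condition 2: disk utilization, measured after the TTL deletions.
    # Drop the oldest remaining restore until utilization is at or below the maximum.
    used_gb = live_gb + sum(i.size_gb for i in remaining)
    while remaining and used_gb / disk_capacity_gb > max_disk_utilization:
        oldest = remaining.pop(0)
        to_delete.append(oldest.name)
        used_gb -= oldest.size_gb
    return to_delete

# Constructed sample data: three restores of different ages plus one live index.
NOW = datetime(2023, 4, 3, tzinfo=timezone.utc)
SAMPLE_INDICES = [
    RestoredIndex("logsar-2023-01-10", NOW - timedelta(days=40), 120.0),
    RestoredIndex("logsar-2023-03-01", NOW - timedelta(days=20), 200.0),
    RestoredIndex("logsar-2023-03-25", NOW - timedelta(days=9), 150.0),
    RestoredIndex("logs-2023-04-02", NOW - timedelta(days=1), 300.0),
]

def demo(disk_capacity_gb=800.0, ttl_days=30):
    # Default scenario: 30-day TTL, 80% maximum utilization on an 800 GB disk.
    return plan_archive_maintenance(SAMPLE_INDICES, NOW, timedelta(days=ttl_days), 0.80, disk_capacity_gb)
```

With the default scenario the 40-day-old restore expires by TTL, and the remaining usage (650 GB of 800 GB) still exceeds 80%, so the oldest surviving restore is also removed; with a 2000 GB disk only the TTL deletion happens.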

SecondLook Role-based Access Controls (RBAC)

For LogRhythm Cloud customers, role-based access controls now provide more granular options for allowing access to SecondLook. Within a user profile, administrators can grant a user access to the SecondLook tool in the Client Console, in the Web Console, or in both consoles.

Upgrade Considerations

Upgrade considerations for all 7.12.x releases are available on the LogRhythm Release Notes main page.

LogRhythm 7.9.0 introduced support for Microsoft SQL Server 2019 and Windows Server 2019 on standard deployments. If your deployment is running SQL Server 2016 Standard or Windows Server 2016, there is no need to upgrade to 2019.

For more information on the optional upgrades, see:

Resolved Issues

| Bug # | Component | Description |
| --- | --- | --- |
| ENG-6389 | AI Engine | An issue with AIE Alarms being delayed or not firing at all for some users after an upgrade to 7.10 has been resolved. |
| ENG-23628 | AI Engine | Importing an AIE rule as a Restricted Admin no longer produces an error message in certain situations. |
| ENG-25735 | AI Engine | AIE Alarms no longer experience delays in firing in certain situations. |
| ENG-10785 (DE16001) | APIs | Data visible in the Web Console is no longer missing from API calls in certain situations. |
| ENG-11138 (DE14716) | APIs | The Alarm API DB query timeout is now configurable. |
| ENG-11180 (DE16701) | APIs | The Alarm API no longer produces an error in certain situations when trying to update the status of multiple alarms. |
| ENG-23714 | APIs | The Search API no longer produces SQL Exception errors in certain situations. |
| ENG-23726 | APIs | The Alarm API no longer interferes with and causes timeouts in the Alarming Response Manager. |
| ENG-23684 | APIs | The Search API no longer fails with SQL Exceptions in certain situations. |
| ENG-11120 (DE13422) | Client Console | The entity delete functionality no longer results in an error in certain situations. |
| ENG-11136 (DE13599) | Client Console | Restricted Admins/Analysts can no longer view and select log sources to which they were not given permissions in certain situations. |
| ENG-23205 (DE11499) | Client Console | When DNStoIP is enabled on the Data Processor and the DNS name doesn't have a host record, the host field now correctly shows the host name in both the Client Console and Web Console. |
| ENG-23240 | Data Indexer | The Transporter no longer fails to index when a field is larger than the maximum length allowed. |
| ENG-23988 | LR Cloud | The creator of a user record can now correctly see all records they have created. |
| ENG-11208 (DE16564) | Mediator | Duplicate entity "Fullnames" no longer cause the Mediator to fail to start in certain situations. |
| ENG-22883 (DE16816) | Mediator | The MemoryThresholdSuspend feature is now optional and disabled by default to prevent unnecessary suspensions. |
| ENG-23094 | Mediator | The Mediator now correctly reads RealtimeQueue.dat files. |
| ENG-10811 (DE16240) | Reporting | The Log Volume Report no longer produces an error stating that values are too large in certain situations. |
| ENG-22879 (DE16706) | Reporting | Report fields are no longer truncated in certain situations. |
| ENG-23352 (DE15428) | System Monitor Agents | Upgrading an agent via the System Monitor Package Manager no longer creates unnecessary scheduled tasks. |
| ENG-23240 | Transporter | The Transporter no longer displays an error message relating to immense terms in log fields in certain situations. |
| ENG-11166 (DE15763) | Web Console | The "Component Status" widget now shows the component name correctly. |
| ENG-22873 (DE12714) | Web Console | Drill down results in the Web Console are no longer hidden when the last selected Analyzer page dashboard has a filter. |
| ENG-22886 (DE16590) | Web Console | Web Console SSO no longer produces an error when trying to sign on in certain situations. |
| ENG-24283 | Web Console | Executing a saved search after clicking "Edit" on the saved search no longer returns incorrect results. |
| ENG-22866 (DE12262) | Web Console | The Web Console no longer automatically applies contextualization on User (Origin) or User (Impacted) fields. |

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view on the Community.

Known Issues

The following issues have each been found and reported by multiple users.

| Bug # | Found In Version | Components | Description |
| --- | --- | --- | --- |
| ENG-11165 (DE16414) | 7.9 | Client Console | Client console search queries including the Host IP Address criteria are timing out in large databases. Expected Results: Log source searches should be completed without performance issues. Workaround: There is currently no workaround for this issue. |
| ENG-22882 (DE10768) | 7.4.9 | Common Components | In certain circumstances, the Data Processor runs slowly and the non-paged pool uses significant system memory. This can cause a large unprocessed logs queue or other backlog in the system. Expected Results: The non-paged pool should not increase and cause system performance issues. Workaround: Restart the LogRhythm API Gateway service. |
| ENG-11108 (DE12153) | 7.6.0 | Common Components | In some cases after a Data Indexer install, the Service Registry may not be able to communicate with the Platform Manager, causing alarms and errors in the Service Registry log. Expected Results: Communication to the Platform Manager should be maintained after an install. Workaround: Restart Service Registry on each node in the cluster after the installation is complete. |
| ENG-22881 (DE12218) | 7.6.0 | Data Indexer | The Transporter can fail to fully start after restart at UTC midnight, causing indexing and performance issues. (This issue only impacts Linux clusters.) Expected Results: The Transporter should continue to run after a restart signal is sent. Workaround: Restart the Transporter service. |
| ENG-11175 (DE16040) | 7.6.0 | Data Indexer | Data is being indexed in lower case, ignoring the case of the original logs. Expected Results: Data should be stored in the format in which it was sent. Workaround: There is currently no workaround for this issue. |
| ENG-22862 (DE13480) | N/A | Data Indexer | Alarm drilldowns fail as a result of changes to daylight savings in Chile. The failure is temporary and only lasts a few hours. Expected Results: Searching should work. Workaround: Either wait for the issue to naturally pass or manually adjust system clocks. |
| ENG-11150 (DE15289) | N/A | Infrastructure | Weekday maintenance is taking much longer than expected. Expected Results: The weekday maintenance task should perform in a reasonable amount of time. Workaround: There is currently no workaround for this issue. |
| ENG-11173 (DE15601) | 7.9.0 | Installation Components | DR SQL transaction logs are filling the L: drive when unable to sync to secondary nodes. Expected Results: Transaction logs should be truncated by frequent scheduled backups throughout the day. Workaround: There is currently no workaround for this issue. |
| ENG-11142 (DE15089) | 7.9.0 | Metrics Collection | Telemetry metrics parsing errors from Datadog are present in the metrics collection file. Expected Results: Datadog's telemetry metrics parsing errors should not be present in the metrics collection file. Workaround: There is currently no workaround for this issue. |
| ENG-22863 (DE14276) | 7.7.0 | Web Console | When using a Lucene filter in a Web Console widget, users are unable to filter widget time ranges for originUser. Expected Results: The Lucene filter should be able to filter time ranges. Workaround: Remove the time filter from the widget to show all data. |
