7.15.0 GA Release Notes - 4 January 2024
Getting data into your LogRhythm instance is crucial, and LogRhythm is intensely focused on making that easy to do. LogRhythm SIEM 7.15 builds on the innovation we delivered in the previous releases.
What’s new in SIEM 7.15:
Simplified onboarding for Windows Event logs
Improved analyst workflow when reviewing alarm notifications
New LogRhythm SIEM in-app tutorials
Additional Beats supported in the Web Console
New and updated log sources
Key Highlights
Maintenance
Onboard New Log Sources in the Web Console
Onboarding new log sources should be easy. That’s why we’ve expanded the number of Beats LogRhythm Administrators can manage from the Web Console. By onboarding log sources in the Web Console, you can save time and cut your Beat Administration workload in half. In this latest release, LogRhythm now supports management for six additional Beats including:
Gmail Message Tracking
GSuite
Okta
Darktrace
Sophos
Qualys FIM
Platform Enhancements
Managing a SIEM platform isn’t always easy, so our team has made your experience even better. LogRhythm 7.15 features platform improvements that enhance your workflows, save you time, and reduce the number of steps your team takes to complete a task.
Migration Path to Rocky Linux
As CentOS 7 reaches end of life at Red Hat, we understand the importance of providing an alternative operating system to which Data Indexer (DX) and Open Collector (OC) machines can be migrated. That’s why LogRhythm created a detailed guide for migrating to Rocky Linux. This migration path gives customers continued support from the OS vendor for security and bug fixes.
Automatic Flat File Path Population for Windows Event Logs
To make the workflow and tasks easier for LogRhythm SIEM users, we’ve changed a setting to auto-populate the flat file path for Windows Event Log-based log sources. For example, when users add Windows PowerShell or Windows SysMon Event logs, LogRhythm SIEM now auto-updates that field. This update saves users time and provides a more streamlined experience.
Web Console Log Export in Users’ Local Time
LogRhythm has made it easier to handle time zones when exporting logs from the Web Console to a CSV file. Customers can now export CSV files in their local time zone instead of having to convert timestamps from Coordinated Universal Time (UTC) themselves. Users no longer have to go through a cumbersome conversion process to identify the correct time, improving their experience with the SIEM platform.
URL Links in Alarm Notifications
Navigating to an alarm from a notification is easier than ever. Our team improved the experience to direct you to alarm details even if you previously weren’t logged into the Web Console. After clicking a URL in a notification and logging into the Web Console, LogRhythm now automatically routes you to the correct alarm. This update saves you time and removes the hassle of searching for important notifications.
In-Platform Resource Center Tutorials
In SIEM 7.15, we’re continuing to improve the Resource Center. We’ve added in-app tutorials to help new users quickly understand how to leverage the power of LogRhythm. Our newest tutorials are listed in the Onboarding section of the Resource Center. Onboarding topics include Dashboards, Searches, Case Management, Alarm Management, and Beat Management. These topics will help a new LogRhythm SIEM Analyst or Administrator understand the key principles of LogRhythm SIEM. With the Resource Center, users can quickly view in-app Announcements and Onboarding tutorials and easily access Documentation, Community, and Support.
Log Source Enhancements
We are constantly enhancing our ability to help our customers collect and receive value from log sources in their environment. A big part of that is constantly making updates to our parsing policies via KB updates.
We get it: technology changes at a rapid pace. This often means LogRhythm needs to revisit log sources we already support and help customers derive more value by accounting for changes and evolving quickly.
LogRhythm is continuing to review our supported log sources and make updates to strengthen our correlation and analysis. Our new and enhanced methods of ingestion include:
Source | LogRhythm Enhancement |
---|---|
Fortinet FortiNAC | New log support for FortiNAC, which protects against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events. |
strongSwan VPN | New log support for strongSwan, which is a complete IPsec solution providing encryption and authentication to servers and clients. |
F5 BIG-IP System | New log support for BIG-IP System, which is a set of application delivery products that work together to ensure high availability, improved performance, application security, and access control. |
Tenable OT | New policies help prevent classification errors and provide more consistent parsing of log source data for Tenable Operational Technology (OT), and new MPE rules parse log metadata to the correct schema fields and classify highly complex log source data. |
QRadar | New log support for QRadar Network Security, which is used to detect hidden threats on your networks with deep, broad visibility and advanced analytics. |
Mimecast | Updated policies and workflow for collecting logs from Mimecast. |
Imperva Database Activity Monitor (DAM) | Updated policies help prevent classification errors and provide more consistent parsing of log source data for Imperva Database Activity Monitor (DAM), and new MPE rules parse log metadata to the correct schema fields and classify highly complex log source data. |
Palo Alto Cortex Data Lake | Updated policies for schema changes to help prevent classification errors and provide more consistent parsing of log source data for Palo Alto Networks® Cortex Data Lake, which provides cloud-based, centralized log storage and aggregation for your on-premise, virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR. |
Enhancements & Resolved Issues
Bug # | Component | Description |
---|---|---|
ENG-48893 | Active Directory | SQL script was updated to delete duplicate AD users. |
ENG-49732 | Agents | Transparent framing logs are now processed as expected. |
ENG-51112 | Agents | Log collection works as expected without establishing multiple connections to each beat, and scsm.ini files no longer become corrupt on Agents. |
ENG-49544 | Agents: Beats Collection | Log collection works as expected without establishing multiple connections to each beat. |
ENG-49540 | Agents: GCP SCC Log Collection | Agent hostname is no longer parsed into sname. |
ENG-48506 | Agents: Licenses | After purchasing and importing new licenses into SIEM, customers can now view their new licenses after they have been installed. |
ENG-50963 | Agents: Linux | Linux agents are now working as intended. |
ENG-47116 | Agents: MSGraph API Log Collection | Parsing improvement for logs ingested via the MSGraph API Beat. |
ENG-48257 | Agents: Office 365 Log Collection | When multiple O365 Message Tracking log sources are configured on a single System Monitor Agent, the logs are now organized under the correct log source. |
ENG-48448 | Agents: Qualys Log Collection | Log collection from a Qualys log source now works as expected. |
ENG-37629 | Agents: Windows Event Log Collection | When adding a Windows Event Log source manually or when using the Windows Host Wizard, the target file path automatically populates. If a path cannot be populated, the user is prompted to populate it and is given the proper format. |
ENG-11167 | AI Engine | When evaluation frequency is set to 20 minutes or longer, AIE rules are now reliably triggering alarms. |
ENG-35141 | AI Engine: MPE Rules | The MPE Rule Builder no longer hyperlinks text. |
ENG-49323 | AI Engine: MPE Rules | Users no longer get an error when sorting custom MPE Rules with Rule Sorter. |
ENG-50440 | AI Engine: MPE Rules | Users no longer get an error when sorting custom MPE Rules with Rule Sorter. |
ENG-49660 | Client Console | When users click “Compare With” in SysMon Version History, they no longer receive an error. |
ENG-50411 | Client Console | Users can now create a new root entity without receiving timeout errors. |
ENG-36384 | Configuration Manager | The Configuration Manager now correctly references UEBA settings instead of CloudAI. |
ENG-52641 | DP Pooling | Logs are now spread more evenly among Data Processors within a DP Pool. |
ENG-52545 | Documentation | Added callout to REST API docs confirming that only Global Admins can access third-party applications. |
ENG-52546 | Documentation | Updated the first line of Deployment Monitor documentation to specify Global Admins. |
ENG-52751 | Documentation | Updated documentation covering how to upgrade the Data Indexer to mitigate upgrade failures. |
ENG-50491 | Infrastructure: Database Scripts and Upgrade Scripts | Running LRII to upgrade a deployment no longer fails or returns errors when overwriting a backup file. |
ENG-51491 | Mediator | The Mediator cache refresh logic was adjusted in large LRCloud deployments with many System Monitor Agents and Data Processors. The new logic mitigates overloading the deployment with too many cache refreshes. |
ENG-42221 | Search API | The Search API no longer fails when the LogRhythmWebUI account password is changed to a non-default password. |
ENG-47026 | Search API | The Search API no longer fails when the LogRhythmWebUI account password is changed to a non-default password. |
ENG-49316 | SecondLook | When a SecondLook search is executed on the Web Console, the saved search now shows the correct owner name. |
ENG-23073 | SysMon | Windows agents no longer stop sending heartbeats or logs after a Mediator reconnection. |
ENG-32389 | SysMon | Multiple enhancements have been made to improve the performance of the Linux Agent. |
ENG-41674 | SysMon | A memory issue in the Windows agent has been fixed by reducing the TCP and TLS file sizes in the suspense folder. |
ENG-42344 | SysMon | Setting the Host EntityID to 0 in the System Monitor Agent configuration no longer prevents the Agent from connecting to the Data Processor. Instead, the setting reverts to the original EntityID. |
ENG-48483 | SysMon | Log collection works as expected without establishing multiple connections to each beat. |
ENG-41830 | Tools | The LogRhythm Diagnostics Agent no longer consumes memory when it has not been configured. |
ENG-24178 | Web Indexer | On high log volume systems, the Web Indexer no longer fails with “Out of Memory heap” exception. |
ENG-47915 | Web Console | The Log Sources list now displays properly in the Web Console UI. |
ENG-26705 | Web Console | On systems with a large number of log sources, the Web Console dashboard now loads without displaying errors. |
ENG-31933 | Web Console | The Web Console Analyzer no longer displays a deleted set of logs, nor does it display blank values when logs are present. |
ENG-11135 | Web Console | When performing a search or AIE drill down in the Web Console, users no longer need to refresh the page to view the results. |
ENG-11145 | Web Console | After users make changes to the Web Console Settings, the updated settings now persist when navigating throughout the user interface. |
ENG-11166 | Web Console | The "Component Status" widget now correctly shows the component name along with the other values in the "Component Widget" status (issue present since version 7.9). |
ENG-22874 | Web Console | When users click on an alarm link in an external application like an email notification, the link now opens the alarm page after required credentials have been verified. |
ENG-40010 | Web Console | When a Restricted Admin has permissions to manage an Entity in management settings, they can now create a dashboard for that Entity in the Web Console. |
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view in the Community.
Known Issues
The following issues have each been found and reported by multiple users.
Bug # | Found In Version | Components | Description | Release Notes |
---|---|---|---|---|
ENG-43218 | N/A | Alarm API | When using the XSOAR integration with Alarm API, requests periodically return a 500 internal server error. | Expected Results: The integration should work without returning an error. Workaround: Retry the request until it succeeds. |
ENG-38849 | N/A | Knowledge Base | When parsing logs associated with Syslog Linux Host, the Mediator returns the following error message: “Regex rule match timed out.” | Expected Results: The regex rule should parse successfully without timing out. Workaround: There is currently no workaround for this issue. |
ENG-38594 | 7.11 | SmartResponse Plugins | When SmartResponse Plugin scripts are modified but not triggered for 7 days, the custom changes are deleted and the SRP reverts to default settings. | Expected Results: When SRP scripts are modified, the changes should be retained. Workaround: There is currently no workaround for this issue. |
ENG-41651 | 7.12, 7.13 | Web Console | After upgrading to 7.12 or 7.13, the CAC authorization used to log in to the Web Console stops working. | Expected Results: The CAC authorization should work when logging in to the Web Console. Workaround: There is currently no workaround for this issue. |