
7.15.0 GA Release Notes - 4 January 2024

Getting data into your LogRhythm instance is crucial, and LogRhythm is intensely focused on making that easy to do. LogRhythm SIEM 7.15 builds on the innovation we delivered in the previous releases.

What’s new in SIEM 7.15:

  • Simplified onboarding for Windows Event logs

  • Improved analyst workflow when reviewing alarm notifications

  • New LogRhythm SIEM in-app tutorials

  • Additional Beats supported in the Web Console

  • New and updated log sources

Key Highlights

Maintenance

Onboard New Log Sources in the Web Console

Onboarding new log sources should be easy. That’s why we’ve expanded the number of Beats LogRhythm Administrators can manage from the Web Console. By onboarding log sources in the Web Console, you can save time and cut your Beat Administration workload in half. In this latest release, LogRhythm now supports management for six additional Beats including:

  • Gmail Message Tracking

  • GSuite

  • Okta

  • Darktrace

  • Sophos

  • Qualys FIM

[Animated figure: GmailMsgTrackingBeat.gif]

Platform Enhancements

Managing a SIEM platform isn’t always easy, so our team has made your experience even better. LogRhythm 7.15 features platform improvements that enhance your workflows, save you time, and reduce the number of steps your team takes to complete a task. 

Migration Path to Rocky Linux  

As CentOS 7 reaches end of life at Red Hat, we understand the importance of providing an alternative operating system to which Data Indexer (DX) and Open Collector (OC) machines can be migrated. That’s why LogRhythm created a detailed guide for migrating to Rocky Linux. This migration path gives customers continued support from the OS vendor for security and bug fixes.

Automatic Flat File Path Population for Windows Event Logs 

To make the workflow and tasks easier for LogRhythm SIEM users, we’ve changed a setting to auto-populate the flat file path for Windows Event Log-based log sources. For example, when users add Windows PowerShell or Windows SysMon Event logs, LogRhythm SIEM now auto-updates that field. This update saves users time and provides a more streamlined experience. 

[Animated figure: AddWindowsEventLog.gif]

Web Console Log Export in Users’ Local Time 

LogRhythm has made it easier to convert time zones when exporting logs from the Web Console to a CSV file. Customers can now export CSV files in their local time zone versus having to convert from the Coordinated Universal Time (UTC) time zone. Now users don’t have to go through the cumbersome conversion process to identify the correct time, improving their experience with the SIEM platform. 

[Animated figure: LogExport.gif]

URL Links in Alarm Notifications 

Navigating to an alarm from a notification is easier than ever. Our team improved the experience to direct you to alarm details even if you previously weren’t logged into the Web Console. After clicking a URL in a notification and logging into the Web Console, LogRhythm now automatically routes you to the correct alarm. This update saves you time and removes the hassle of searching for important notifications. 

In-Platform Resource Center Tutorials

In SIEM 7.15, we’re continuing to improve the Resource Center. We’ve added in-app tutorials to help new users quickly understand how to leverage the power of LogRhythm. Our newest tutorials are listed in the Onboarding section of the Resource Center. Onboarding topics include Dashboards, Searches, Case Management, Alarm Management, and Beat Management. These topics will help a new LogRhythm SIEM Analyst or Administrator understand the key principles of LogRhythm SIEM. With the Resource Center, users can quickly view in-app Announcements and Onboarding tutorials and easily access Documentation, Community, and Support.

Log Source Enhancements

We are constantly enhancing our ability to help our customers collect and receive value from log sources in their environment. A big part of that is constantly making updates to our parsing policies via KB updates.  

We get it, technology changes at a rapid pace. This often means LogRhythm needs to revisit log sources we already support and help customers derive more value by accounting for changes and quickly evolving. 

LogRhythm is continuing to review our supported log sources and make updates to strengthen our correlation and analysis. Our new and enhanced methods of ingestion include:    

| Source | LogRhythm Enhancement |
|---|---|
| Fortinet FortiNAC | New log support for FortiNAC, which protects against IoT threats, extends control to third-party devices, and orchestrates automatic responses to a wide range of networking events. |
| strongSwan VPN | New log support for strongSwan, a complete IPsec solution providing encryption and authentication to servers and clients. |
| F5 BIG-IP System | New log support for BIG-IP System, a set of application delivery products that work together to ensure high availability, improved performance, application security, and access control. |
| Tenable OT | New policies help prevent classification errors and provide more consistent parsing of log source data for Tenable Operational Technology (OT). New MPE rules parse log metadata to the correct schema fields and classify highly complex log source data. |
| QRadar | New log support for QRadar Network Security, which detects hidden threats on your networks with deep, broad visibility and advanced analytics. |
| Mimecast | Updated policies and workflow for collecting logs from Mimecast. |
| Imperva Database Activity Monitor (DAM) | Updated policies help prevent classification errors and provide more consistent parsing of log source data for Imperva Database Activity Monitor (DAM). New MPE rules parse log metadata to the correct schema fields and classify highly complex log source data. |
| Palo Alto Cortex Data Lake | Updated policies for schema changes help prevent classification errors and provide more consistent parsing of log source data for Palo Alto Networks® Cortex Data Lake, which provides cloud-based, centralized log storage and aggregation for your on-premise and virtual (private cloud and public cloud) firewalls, for Prisma Access, and for cloud-delivered services such as Cortex XDR. |

Enhancements & Resolved Issues

| Bug # | Component | Description |
|---|---|---|
| ENG-48893 | Active Directory | SQL script was updated to delete duplicate AD users. |
| ENG-49732 | Agents | Transparent framing logs are now processed as expected. |
| ENG-51112 | Agents | Log collection works as expected without establishing multiple connections to each beat, and scsm.ini files no longer become corrupt on Agents. |
| ENG-49544 | Agents: Beats Collection | Log collection works as expected without establishing multiple connections to each beat. |
| ENG-49540 | Agents: GCP SCC Log Collection | Agent hostname is no longer parsed into sname. |
| ENG-48506 | Agents: Licenses | After purchasing and importing new licenses into SIEM, customers can now view their new licenses after they have been installed. |
| ENG-50963 | Agents: Linux | Linux agents are now working as intended. |
| ENG-47116 | Agents: MSGraph API Log Collection | Parsing improvement for logs ingested via the MSGraph API Beat. |
| ENG-48257 | Agents: Office 365 Log Collection | When multiple O365 Message Tracking log sources are configured on a single System Monitor Agent, the logs are now organized under the correct log source. |
| ENG-48448 | Agents: Qualys Log Collection | Log collection from a Qualys log source now works as expected. |
| ENG-37629 | Agents: Windows Event Log Collection | When adding a Windows Event Log source manually or when using the Windows Host Wizard, the target file path automatically populates. If a path cannot be populated, the user is prompted to populate it and is given the proper format. |
| ENG-11167 | AI Engine | When evaluation frequency is set to 20 minutes or longer, AIE rules now reliably trigger alarms. |
| ENG-35141 | AI Engine: MPE Rules | The MPE Rule Builder no longer hyperlinks text. |
| ENG-49323 | AI Engine: MPE Rules | Users no longer get an error when sorting custom MPE Rules with Rule Sorter. |
| ENG-50440 | AI Engine: MPE Rules | Users no longer get an error when sorting custom MPE Rules with Rule Sorter. |
| ENG-49660 | Client Console | When users click “Compare With” in SysMon Version History, they no longer receive an error. |
| ENG-50411 | Client Console | Users can now create a new root entity without receiving timeout errors. |
| ENG-36384 | Configuration Manager | The Configuration Manager now correctly references UEBA settings instead of CloudAI. |
| ENG-52641 | DP Pooling | Logs are now spread more evenly among Data Processors within a DP Pool. |
| ENG-52545 | Documentation | Added a callout to the REST API docs confirming that only Global Admins can access third-party applications. |
| ENG-52546 | Documentation | Updated the first line of the Deployment Monitor documentation to specify Global Admins. |
| ENG-52751 | Documentation | Updated the documentation covering how to upgrade the Data Indexer to mitigate upgrade failures. |
| ENG-50491 | Infrastructure: Database Scripts and Upgrade Scripts | Running LRII to upgrade a deployment no longer fails or returns errors when overwriting a backup file. |
| ENG-51491 | Mediator | The Mediator cache refresh logic was adjusted for large LRCloud deployments with many System Monitor Agents and Data Processors. The new logic mitigates overloading the deployment with too many cache refreshes. |
| ENG-42221 | Search API | The Search API no longer fails when the LogRhythmWebUI account password is changed to a non-default password. |
| ENG-47026 | Search API | The Search API no longer fails when the LogRhythmWebUI account password is changed to a non-default password. |
| ENG-49316 | SecondLook | When a SecondLook search is executed on the Web Console, the saved search now shows the correct owner name. |
| ENG-23073 | SysMon | Windows agents no longer stop sending heartbeats or logs after a Mediator reconnection. |
| ENG-32389 | SysMon | Multiple enhancements have been made to improve the performance of the Linux Agent. |
| ENG-41674 | SysMon | A memory issue in the Windows agent is now fixed by reducing the TCP and TLS file sizes in the suspense folder. |
| ENG-42344 | SysMon | Setting the Host EntityID to 0 in the System Monitor Agent configuration no longer keeps the Agent from connecting to the Data Processor. Instead, the setting reverts to the original EntityID. |
| ENG-48483 | SysMon | Log collection works as expected without establishing multiple connections to each beat. |
| ENG-41830 | Tools | The LogRhythm Diagnostics Agent no longer consumes memory when it has not been configured. |
| ENG-24178 | Web Indexer | On high log volume systems, the Web Indexer no longer fails with an “Out of Memory heap” exception. |
| ENG-47915 | Web Console | The Log Sources list now displays properly in the Web Console UI. |
| ENG-26705 | Web Console | On systems with a large number of log sources, the Web Console dashboard now loads without displaying errors. |
| ENG-31933 | Web Console | The Web Console Analyzer no longer displays a deleted set of logs, nor does it display blank values when logs are present. |
| ENG-11135 | Web Console | When performing a search or AIE drill down in the Web Console, users no longer need to refresh the page to view the results. |
| ENG-11145 | Web Console | After users make changes to the Web Console Settings, the updated settings now persist when navigating throughout the user interface. |
| ENG-11166 | Web Console | The "Component Status" widget now correctly shows the component name along with the other values in the "Component Widget" status in version 7.9. |
| ENG-22874 | Web Console | When users click an alarm link in an external application such as an email notification, the link now opens the alarm page after the required credentials have been verified. |
| ENG-40010 | Web Console | When a Restricted Admin has permissions to manage an Entity in management settings, they can now create a dashboard for that Entity in the Web Console. |

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view in the Community.

Known Issues

The following issues have each been found and reported by multiple users.

| Bug # | Found In Version | Components | Description | Release Notes |
|---|---|---|---|---|
| ENG-43218 | N/A | Alarm API | When using the XSOAR integration with the Alarm API, requests periodically return a 500 internal server error. Expected Results: The integration should work without returning an error. Workaround: Retry the request until it succeeds. | |
| ENG-38849 | N/A | Knowledge Base | When parsing logs associated with Syslog Linux Host, the Mediator returns the error message “Regex rule match timed out.” Expected Results: The regex rule should parse successfully without timing out. Workaround: There is currently no workaround for this issue. | |
| ENG-38594 | 7.11 | SmartResponse Plugins | When SmartResponse Plugin scripts are modified but not triggered for 7 days, the custom changes are deleted and the SRP reverts to default settings. Expected Results: When SRP scripts are modified, the changes should be retained. Workaround: There is currently no workaround for this issue. | |
| ENG-41651 | 7.12, 7.13 | Web Console | After upgrading to 7.12 or 7.13, the CAC authorization used to log in to the Web Console stops working. Expected Results: The CAC authorization should work when logging in to the Web Console. Workaround: There is currently no workaround for this issue. | |
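The ENG-43218 workaround ("retry the request until it succeeds") is easy to implement badly: an unbounded retry loop can hammer the Alarm API during an outage, and retrying a 4xx (for example a rejected credential) can never succeed and only adds noise to the API audit log. The following is an added example, not LogRhythm or XSOAR code, of a bounded retry with capped exponential backoff that retries only on 5xx responses. The `send` callable and the `make_flaky_sender` stand-in, which replays a constructed sequence of status codes, are assumptions for illustration and do not represent the Alarm API.

```python
import time
from typing import Callable, List, Tuple


class RetryExhausted(Exception):
    """Raised when every attempt ended in a server (5xx) error."""


def retry_on_server_error(
    send: Callable[[], Tuple[int, str]],
    max_attempts: int = 5,
    base_delay: float = 0.5,
    max_delay: float = 8.0,
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[int, str, int]:
    """Call send() until it returns a non-5xx status or attempts run out.

    Returns (status, body, attempts_used).
    - Only 5xx responses are retried, matching the periodic 500 in ENG-43218.
    - 4xx responses are returned immediately: retrying a bad request or a
      rejected credential cannot succeed and only inflates API logs.
    - The delay doubles after each failed attempt and is capped at max_delay,
      so a real outage stalls the playbook for a bounded time instead of forever.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status, body = send()
        if status < 500:
            return status, body, attempt
        if attempt == max_attempts:
            raise RetryExhausted(f"server error {status} after {attempt} attempts")
        sleep(delay)
        delay = min(delay * 2, max_delay)
    raise AssertionError("unreachable")  # loop always returns or raises


def make_flaky_sender(statuses: List[int]) -> Callable[[], Tuple[int, str]]:
    """Constructed stand-in for the Alarm API call (not the real API).

    Replays the given status codes in order so the retry logic can be exercised
    offline; a 200 carries a stub JSON body, anything else an error text.
    """
    queue = list(statuses)

    def send() -> Tuple[int, str]:
        status = queue.pop(0)
        body = '{"alarm":"stub"}' if status == 200 else "internal server error"
        return status, body

    return send


def record_delays(statuses: List[int], **kwargs) -> List[float]:
    """Run the retry loop against a constructed sender and return the backoff delays used."""
    delays: List[float] = []
    try:
        retry_on_server_error(make_flaky_sender(statuses), sleep=delays.append, **kwargs)
    except RetryExhausted:
        pass
    return delays


if __name__ == "__main__":
    # Two transient 500s followed by success: succeeds on the third attempt.
    print(retry_on_server_error(make_flaky_sender([500, 500, 200]), sleep=lambda _: None))
    # Backoff schedule for four consecutive failures with a 5-attempt budget.
    print(record_delays([500, 500, 500, 500, 200]))
```

Passing `sleep` as a parameter keeps the loop testable without real waits; in a playbook, leave the default so the backoff actually throttles calls. The cap on `max_attempts` is what turns the "retry until it succeeds" workaround into something safe to automate.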
