7.21.0 GA Release Notes - 1 July 2025

Experience the power of next-level security with LogRhythm SIEM 7.21! Accelerate your workflows with advanced alarm filtering, instant log access from Dashboards, seamless MITRE ATT&CK® framework alignment, and a streamlined developer portal for effortless API integration. Discover how these enhancements empower your team to detect threats faster and respond with confidence.

What’s new in SIEM 7.21:

• New Alarm Filters

• Triaging Alarms by MITRE ATT&CK TTPs

• View Logs from Data Indexer Dashboards

• SIEM Developer Portal

• Log Source Enhancements

• Threat Intelligence Service Updates

Maintenance

• Platform Updates

• Deprecation Notice

• Resolved Issues and Improvements

• Known Issues

Surface Critical Threats With 14 New Alarm Filters 

Security teams often need greater agility when investigating alerts, especially when pinpointing activity linked to specific users, hosts, or IP addresses. LogRhythm SIEM 7.21 answers this need with 14 new alarm filters, more than doubling the options available in previous releases. These expanded filters empower analysts to drill down with precision and gain sharper, more actionable insights into critical events.

With this update, analysts can now filter by the following additional fields: 

• Classification 

• Common Event 

• Log Source 

• Entity (Origin/Impacted) 

• IP Address (Origin/Impacted) 

• Hostname (Origin/Impacted) 

• User (Origin/Impacted) 

• Location (Origin/Impacted) 

• VMID 

For more information on the new alarm filter fields and how to use them, refer to Alarm Filters and Use Dynamic Alarm Filters.

Filter Alarms by MITRE ATT&CK TTPs 

Unlock deeper threat detection with LogRhythm SIEM 7.21’s MITRE ATT&CK® alarm filters. Instantly filter alarms by specific ATT&CK tactics to pinpoint high-risk activity. By mapping Common Events to analytics rules, analysts can quickly organize and highlight incidents by ATT&CK phase, streamlining triage and enabling teams to spot threat patterns with greater speed and accuracy.

For more information on linking Common Events to analytics rules, refer to Create Common Events.

Instant Log Access in Data Indexer Dashboards 

Easily transition from visual data to the underlying log details with just a single click in LogRhythm SIEM 7.21. Say goodbye to the hassle of opening new tabs or running manual searches. Everything you need is at your fingertips with the View Logs option! Get ready to enhance your threat hunting workflows with this dynamic and interactive investigation tool.

For more information, refer to the Data Indexer (DX) Dashboards topic.

New LogRhythm SIEM Developer Portal 

Speed up automation and development with the new Exabeam Developer Portal. This centralized, user-friendly environment streamlines development with prebuilt code samples, multi-language support, and clean documentation. The Developer Portal helps security teams: 

• Automate repetitive tasks,

• Accelerate integration timelines, and

• Reduce API troubleshooting and scripting errors.

Log Source Enhancements and Updates

LogRhythm SIEM 7.21 introduces updates designed to enhance the speed, consistency, and compatibility of data collection with third-party platforms. These enhancements include:

• A new Mimecast SIEM Beat for the Open Collector,

• Improvements for Google Workspaces log collection, and 

• Updated AWS service parsing.

New and Updated Log Sources

This past quarter of bi-weekly LogRhythm SIEM Knowledge Base updates included 40 enhanced or improved log sources, and five newly introduced log sources. This allows customers to expand their security capabilities by increasing log visibility within the LogRhythm SIEM.

The following log sources have been added or updated:

The following Log Sources have been renamed:

Threat Intelligence Service Updates

The LogRhythm Threat Intelligence Service (TIS) has been updated to version 1.9.7 as a part of this release! The following new features and improvements are included in the 1.9.7 release.

Added Support for TAXII 2.0

Pagination is implemented via multiple requests using Range headers and the added_after filter to ensure only recent and relevant data is ingested.

Added Support for TAXII 2.1

Pagination follows the TAXII 2.1 specification, using the next link and hasMore flag to manage feed retrieval.

MaxRecordsToFetch Configuration Setting

A new configuration setting, MaxRecordsToFetch, allows users to control the maximum number of STIX objects ingested per session (capped at 100,000).

TIS Improvements/Enhancements

The following new features/improvements are also included in the release:

• UI-level enhancement introduces a “Fetch Feeds Added After” date filter for V2 providers, with validation to ensure data stays within the configured retention window.

• The system handles large datasets without memory/time-out issues.

• The HailaTAXII feature has been deprecated due to the service no longer being active.

Platform Updates

LogRhythm 7.21 is packed with platform updates to improve security, performance, and stability. Spend more time hunting for threats and less time managing the platform.

Security Improvements

The following enhancements were made to improve the overall security standing of the SIEM product:

• Increased encryption key length to 3072 bits,

• Implemented SHA-256 signing for installers, and

• Added support for TLS 1.3 for Web Console.

Dependency Updates

As part of our ongoing commitment to maintaining third-party dependencies for stability and security improvements, the following packages have been updated:

• Web-Indexer Java Corretto JDK updated to 21.0.7

• Data-Indexer Java Corretto JRE updated to 8.0.452

• .NET 8 Core updated to 8.0.15

• Grafana updated to 11.6.1

• Telegraf update to 1.34.1

• Web-Console NGINX updated to 1.28.0

• NodeJS update for Web Console UI, Web Console Services Host API, Authentication API and API Gateway to 22.14

An API Gateway NodeJS update was partially released for Windows only. Note that NodeJS no longer supports CentOS 7. Customers are advised to upgrade their Linux-based Data Indexers, as CentOS 7 support will cease in a future LogRhythm SIEM release. Refer to the Notice of Eventual Deprecation section for more information.

• Go Update to 1.24.2 for DX Services, Admin API, Metrics API and True Identity Sync Client

Data Indexer Improvements

The following improvements to the Data Indexer have been made for version 7.21:

• Added Metrics collection and tracking of node shard counts for monitoring limits,

• Increased default disk High Watermark to 90% for SSD-based DXs,

• Maximum Ultra-Warm TTL is now configurable up to six months (180 days),

• Increased Transporter threading to increase max indexing throughput on nodes with available hardware capacity, and

• Improvements to warm tier search handling for a more reliable user experience.

Updated the Web Indexer Java Development Kit

The Java Development Kit (JDK) used by the LogRhythm Web Indexer service has been updated form JDK8 to JDK21, which includes a migration from Lucene 4 to 9. This upgrade greatly enhances searching and indexing in the following ways:

• 10x improvement in query response times for TopX widget requests,

• Improved average search rendering latency of 200–350ms (down from 400ms) for web console widgets,

• 50% improvement to Web Indexer indexing rate,

• 70% reduction in memory consumption under heavy loads, and

• 45% reduction in CPU consumption of the Web Indexer service.

System Monitor Agents and Multiple LogRhythm Services Updated to .NET 8

Windows System Monitor Agents can now be built using .NET 8 Core, bundled as an optional add-on within the Installation Wizard. With up to 20% improvement in agent data throughput, this update gives teams faster access to insights with less overhead.

Additionally, the following third-party DLLs were upgraded: Newtonsoft.json; nsoftware; SmartThreadPool; and Xceed.

LogRhythm services built with .NET Core (AIE, Data Processor, ARM, and SMA) will now ship with .NET version 8.0.15, to be updated quarterly going forward.

Collection of API log sources on .NET 8 SMA is not supported. System Monitor Agents using .NET 4 will continue to collect API log sources.

System Monitor Agent Silent Installer Improvement

Windows System Monitor Agents (SMAs) now have a new silent install switch, EntityID, allowing for the silent installer to inform the platform with which root entity the pending SMA should be associated.

Refer to Silently Install a System Monitor on Windows for silent installer configurations.

System Monitor Agent JSON Output Improvement

When using the JSON Listener, the JSON Policy name and System Monitor Agent version are now included in the Syslog output from the Agent. These fields are not parsed or used by the LogRhythm SIEM, but can be referenced when debugging or testing JSON Processing Policies.

Notice of Eventual CentOS 7 and RHEL 7 Deprecation

Due to compatibility issues with dependency services that no longer support older operating systems, CentOS 7 and RHEL 7 will reach end-of-life for Data Indexer support beginning with LogRhythm SIEM version 7.23 (January 2026). Beginning with version 7.22 (October 2025), additional features will be added to perform operating system (OS) version checking with data indexer (DX) services and provide warnings for users to upgrade their DX OS versions.

Because the end-of-life for CentOS 7 was June 30, 2024, meaning that the operating system no longer receives security updates, it is strongly recommended to upgrade your Data Indexer operating systems as soon as possible.

For more information about migrating your DXs from CentOS/RHEL7 to Rocky/RHEL 9, refer to the Data Indexer CentOS to Rocky Upgrades guide.

Resolved Issues & Improvements

The following issues have been resolved either via a defect fix or a platform improvement in LogRhythm SIEM 7.21.

Resolved Issues - Security

Security-related issues resolved with this release are available for customers to view in the Community.

Known Issues

The following issues have each been found and reported by multiple users.