Falcon LogScale 1.131.3 LTS (2024-09-24)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.131.3 | LTS | 2024-09-24 | Cloud On-Prem | 2025-04-30 | No | 1.106.0 | 1.112.0 | No |
Download: https://repo.humio.com/repository/maven-releases/com/humio/server/1.131.3/server-1.131.3.tar.gz
| TAR Checksum | Value | Hash File |
|---|---|---|
| MD5 | 210df32b488b5a75d9a1ea779dc40e04 | |
| SHA1 | 0b918f757936770508e55e5f479cad6dc4f72c6b | |
| SHA256 | 58b9c5744497f965a524aba0f8549b6eee6d6c003b6bd9c24509d2cf70a27382 | |
| SHA512 | 8af1dbb4a5bfe06cf4f619e1d69176c0bef74aa7d6cbf34b59fc8b85bdaa6e6c0ea236280c8c9a6b4beb109ad131bb526900d35a88c1a984a66d339d09c67493 | |
| Docker Image | Included JDK | SHA256 Checksum | Hash File |
|---|---|---|---|
| humio | 21 | a1a61becd5ff90e86da3550ec313f6d74d32b77f76b8e354d43cc0f99da882c3 | Hash file |
| humio-core | 21 | 72c441c0a6e8a662ee978764a4922f994cdad462865818dc1688135c65637156 | Hash file |
| kafka | 21 | 483a01f8c46b359456ef99af08687613ff5fe65ab33d98409ff44c2951bdc6ec | Hash file |
| zookeeper | 21 | f811b7648ca568ddf6b7fde65a91664017f08aad7edb7fcca32bef51eda1de69 | Hash file |
These notes include entries from the following previous releases: 1.131.1, 1.131.2
Bug fixes and updates.
Removed
Items that have been removed as of this release.
GraphQL API
The enabledFeatures() query has been removed from the GraphQL schema. Use the featureFlags() query instead.
Deprecation
Items that have been deprecated and may be removed in a future release.
In the GraphQL API, the ChangeTriggersAndAction enum value for both the Permission and ViewAction enums is now deprecated and will be removed in version 1.136 of LogScale.
In the GraphQL API, the name argument to the parser field on the Repository datatype has been deprecated and will be removed in version 1.136 of LogScale.
We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0. Better alternatives are available going forward. We recommend the following:
If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable. For more information, see INITIAL_DISABLED_NODE_TASKS.
The following GraphQL queries and mutations for interacting with parsers are deprecated and scheduled for removal in version 1.142.
The deprecated createParser() mutation is replaced by createParserV2(). The differences between the old and new mutation are:
The testData input field is replaced by testCases, which can contain more data than the old tests could. This includes adding assertions to the output of a test. These assertions are not displayed in the UI yet. To emulate the old API, you can take the old test string and put it in the ParserTestEventInput inside the ParserTestCaseInput, and they will behave the same as before.
fieldsToBeRemovedBeforeParsing can now be specified as part of the parser creation.
The force field is renamed to allowOverwritingExistingParser.
The sourceCode field is renamed to script.
The tagFields field is renamed to fieldsToTag.
languageVersion is no longer an enum, but a LanguageVersionInputType instead.
The mutation returns a Parser, instead of a Parser wrapped in an object.
The mutation fails when a parser has more than 2,000 test cases, or the test input in a single test case exceeds 40,000 characters.
The deprecated removeParser() mutation is replaced by deleteParser(). The difference between the old and new mutation is:
The mutation returns a boolean to represent success or failure, instead of a Parser wrapped in an object.
The deprecated testParser() mutation is replaced by testParserV2(). The differences between the old and new mutation are:
The test cases are now structured types, instead of just being strings. To emulate the old API, take the test string and put it in the ParserTestEventInput inside the ParserTestCaseInput, and they will behave the same as before.
The new test cases can contain assertions about the contents of the output.
The mutation output is significantly different from before, as it provides more detailed information on how a test case has failed.
The mutation now accepts both a language version and a list of fields to be removed before parsing.
The parserScript field is renamed to script.
The tagFields field is renamed to fieldsToTag.
The deprecated updateParser() mutation is replaced by updateParserV2(), where more extensive test cases can be set. Continuing to use the previous API may result in test information on parsers being lost. To ensure information is not unintentionally erased, please migrate away from the deprecated APIs for both reading and updating parser test cases and use updateParserV2() instead. The differences between the previous and the new mutation are:
The testData input field is replaced by testCases, which can contain more data than the old tests could. This includes adding assertions to the output of a test. These assertions are not displayed in the UI yet. To emulate the old API, you can take the old test string and put it in the ParserTestEventInput inside the ParserTestCaseInput, and they will behave the same as before.
The sourceCode field, used to update the parser script, is changed to the script field, which takes an UpdateParserScriptInput object. This updates the parser script and the language version together.
The tagFields field is renamed to fieldsToTag.
The languageVersion is located inside the UpdateParserScriptInput object, and is no longer an enum, but a LanguageVersionInputType instead.
The repositoryName and id fields are now correctly marked as mandatory in the schema. Previously this wasn't the case, even though the mutation would fail without them.
The mutation returns a Parser, instead of a Parser wrapped in an object.
The old mutation had a bug where it would overwrite the languageVersion with a default value in some cases, which is fixed in the new one.
The mutation fails when a parser has more than 2,000 test cases, or the test input in a single test case exceeds 40,000 characters.
On the Parser type:
The testData field is deprecated and replaced by testCases.
The sourceCode field is deprecated and replaced by script.
The tagFields field is deprecated and replaced by fieldsToTag.
For more information, see DeleteParserInput, LanguageVersionInputType, createParserV2(), testParserV2(), updateParserV2(), and Parser.
The assetType GraphQL field on the Alert, Dashboard, Parser, SavedQuery and ViewInteraction datatypes has been deprecated and will be removed in version 1.136 of LogScale.
The any argument to the type parameter of sort() and table() has been deprecated and will be removed in version 1.142. Warning prompts will be shown in queries that fall into either of these two cases:
If you are explicitly supplying an any argument, please either simply remove both the parameter and the argument, for example change sort(..., type=any) to sort(...), or supply the argument for type that corresponds to your data.
If you are sorting hexadecimal values by their equivalent numerical values, please change the argument of the type parameter to hex, e.g. sort(..., type=hex).
In all other cases, no action is needed.
The new default value for sort() and table() will be number. Both functions will fall back to lexicographical ordering for values that cannot be understood as the provided argument for type.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Security
DNS caches are now invalidated after 60 seconds instead of never. To override this behavior, set the security policy networkaddress.cache.ttl in the security manager of the JRE (see Java Networking Properties).
Ingestion
It is no longer possible to delete a parser that is being used in an ingest feed. The parser must first be removed from the ingest feed.
For more information, see Delete an Ingest Feed.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The minimum required LogScale version to upgrade from has been raised to 1.106, in order to remove some workarounds for compatibility with old versions.
New features and improvements
Security
Added support for authorizing with an external JWT from an IdP set up in our cloud environment.
Added support for the Okta federated IdP OIDC extension for identity providers set up in the cloud.
The audience for dynamic OIDC IdPs in our cloud environments is now logscale-$orgId, where $orgId is the ID of your organization.
User Interface
Time zone data has been updated to IANA 2024a and has been trimmed to +/- 5 years from the release date of IANA 2024a.
Automation and Triggers
Throttling and field-based throttling have been introduced as optional functionalities in Filter Alerts. The minimum throttling period is 1 minute.
The customizable trigger limit for Filter Alerts is removed. The trigger limit is now automatically determined based on the associated actions. If one or more email actions are associated, the trigger limit will be 15, otherwise, the trigger limit will be 100. Any existing customizable trigger limit of 1 will be treated as a throttling period of 1 minute, all other custom trigger limits will be ignored. This is a non-backwards compatible change to the GraphQL APIs for Filter Alerts, so any automation for these alerts must be updated.
GraphQL API
The new scopeClaim input argument has been added to OidcConfigurationInput and UpdateOidcConfigurationInput for dynamic OIDC configurations in our clouds. If the IdP is dynamic, we will try to grab the scope claim based on the value given as input to either the newOIDCIdentityProvider() or updateOIDCIdentityProvider() mutation. It will fall back to the cluster configuration.
Configuration
The new dynamic configuration MaxOpenSegmentsOnWorker is implemented to control the hard cap on open segment files for the scheduler. The scheduler should in most cases not reach this limit, and it only acts as a backstop. Therefore, we recommend that administrators do not modify this setting unless advised to do so by CrowdStrike Support.
Authorization attempted via JWT tokens will now only try to grab user information from the user info endpoint if the scope in the access token contains any of the following: profile, email, openid. If no such scope is located in the token, LogScale will try to extract the username from the token and no other user details will be added. We will extract the scope claim based on the new environment variable OIDC_SCOPE_CLAIM, whose default is scope.
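As an added illustration of the scope-gated user info lookup described above (not LogScale's own code): the scope claim name comes from OIDC_SCOPE_CLAIM, a space-separated or list-valued scope claim is accepted, and the claim used for the username fallback (preferred_username, then sub) is an assumption of this example. The token's signature is assumed to have been verified before the claims are read.

```python
import base64
import json
import os
from typing import Optional

# Scopes that, per this release, cause user details to be fetched from the
# IdP's user info endpoint instead of being read from the token alone.
USERINFO_SCOPES = frozenset({"profile", "email", "openid"})


def decode_jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWT (header.payload.signature).

    Assumption: signature verification happens before this is called; this
    helper only parses the payload and performs no cryptographic checks.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def token_scopes(claims: dict, scope_claim: str) -> set:
    """Read the scope claim named by scope_claim.

    OAuth 2.0 tokens carry scopes as a space-separated string; some IdPs
    use a JSON array (often under "scp"), so both forms are accepted.
    Anything else is treated as "no scopes".
    """
    raw = claims.get(scope_claim)
    if isinstance(raw, str):
        return set(raw.split())
    if isinstance(raw, list):
        return {s for s in raw if isinstance(s, str)}
    return set()


def resolve_identity(token: str, scope_claim: Optional[str] = None) -> dict:
    """Decide where user details come from for a JWT bearer login.

    If the configured scope claim contains profile, email or openid, the
    user info endpoint is consulted; otherwise only a username is taken
    from the token. The username claims tried here are an assumption.
    """
    if scope_claim is None:
        scope_claim = os.environ.get("OIDC_SCOPE_CLAIM", "scope")
    claims = decode_jwt_payload(token)
    scopes = token_scopes(claims, scope_claim)
    if scopes & USERINFO_SCOPES:
        return {"source": "userinfo", "scopes": sorted(scopes)}
    username = claims.get("preferred_username") or claims.get("sub")
    if not username:
        raise ValueError("token carries no usable username claim")
    return {"source": "token", "username": username, "scopes": sorted(scopes)}


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token for trying the functions above.

    The signature segment is a placeholder; a real deployment must verify
    the signature before trusting any claim.
    """
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"
```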
Ingestion
Ingest feeds can read from an AWS SQS queue that has been populated with AWS SNS subscription events.
For more information, see Ingest Data from AWS S3.
New parser APIs have been introduced for more extensive parser testing. In the API, parser test cases now have a new structure.
For more information, see createParserV2() , DeleteParserInput , testParserV2() , updateParserV2() , and Parser .
Queries
Queries are now allowed to be queued for start by the query coordinator for a maximum of 10 minutes.
For more information, see Query Coordination.
Functions
The parseTimestamp() function is now able to parse timestamps with nanosecond precision.
The setField() query function is introduced. It takes two expressions, target and value, and sets the field named by the result of the target expression to the result of the value expression. This function can be used to manipulate fields whose names are not statically known, but computed at runtime. For more information, see setField().
The getField() query function is introduced. It takes an expression, source, and sets the field defined by as to the result of the source expression. This function can be used to manipulate fields whose names are not statically known, but computed at runtime. For more information, see getField().
Other
The default IP filter for IdP and RDNS operations is now more restrictive: RDNS now defaults to denying lookups of reserved IP ranges, and the filter has been updated to deny additional reserved IP ranges, as specified by the IANA. Self-hosted administrators can specify their own filters by using the environment variables IP_FILTER_IDP, IP_FILTER_RDNS, and IP_FILTER_RDNS_SERVER respectively.
The split by AWS record setting within ingest feeds will now accept numbers with leading zeros.
The missing-cluster-nodes metric will now track the nodes that are missing heartbeat data in addition to the nodes that have outdated heartbeat data. The new missing-cluster-nodes-stateful metric will track the registered nodes with outdated/missing heartbeat data that can write to global. For more information, see Node-Level Metrics.
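As an added example (not LogScale's code) of the deny-by-default RDNS policy described above: a lookup is refused for any address in the IANA special-purpose blocks, including IPv4 addresses hidden inside IPv4-mapped IPv6 form; the optional allow list is a constructed CIDR list and does not model the IP_FILTER_RDNS syntax.

```python
import ipaddress
from typing import Iterable

# Special-purpose address blocks from the IANA IPv4 and IPv6 registries,
# plus multicast. A reverse lookup of any of these is denied by default.
RESERVED_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "64:ff9b::/96", "64:ff9b:1::/48",
    "100::/64", "2001::/23", "2001:db8::/32", "2002::/16", "fc00::/7",
    "fe80::/10", "ff00::/8",
)]


def _candidates(address: str):
    """Yield the parsed address and, for IPv4-mapped IPv6, the embedded IPv4."""
    ip = ipaddress.ip_address(address)  # raises ValueError on garbage input
    yield ip
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        yield ip.ipv4_mapped


def rdns_lookup_allowed(address: str, allow: Iterable[str] = ()) -> bool:
    """Return True if a reverse DNS lookup of address should be attempted.

    Reserved ranges are denied unless an administrator explicitly allows
    them. `allow` is a constructed list of CIDR strings for this example,
    not LogScale's own filter format.
    """
    allowed = [ipaddress.ip_network(cidr) for cidr in allow]
    for ip in _candidates(address):
        if any(ip in net for net in allowed):
            continue  # explicit override for this form of the address
        if any(ip in net for net in RESERVED_RANGES):
            return False
    return True
```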
Fixed in this release
User Interface
Field aliases could not be read on the sandbox repository. This issue is now fixed.
CSV files produced by LogScale for sending as attachments from email actions or uploaded through a LogScale Repository action could contain values where part of the text was duplicated. This would only happen for values that needed to be quoted. This issue is now fixed.
Automation and Triggers
Filter Alerts with field-based throttling could trigger on two events with the same value for the throttle field, if actions were slow. This issue is now fixed.
Ingestion
Fixed an issue that prevented the creation of Netflow/UDP protocol ingest listeners.
Cloning a parser from the UI would not clone the fields to be removed before parsing. This issue is now fixed.
Dashboards and Widgets
Shared dashboards created on the special humio-search-all view wouldn't load correctly. This issue has now been fixed.
A dashboard with fixed shared time as default would not update correctly when selecting a new relative time. This issue is now fixed.
Queries
Multiple clients might trigger concurrent computation of the result step for a shared query. This issue has been fixed: now only one pending computation is allowed at a time.
Functions
Live queries using Field Aliasing on a repository with Tag Groupings enabled could fail. This issue has now been fixed.
Other
An issue with the IOC Configuration causing the local database to update too often has now been fixed.
Packages
Uploading a package zip would fail on Windows devices. This issue has been fixed.
Updating a package could fail, if one of the assets from the package had been deleted from the view where the package was installed. This issue has been fixed.
When attempting to upload a package disguised as a folder, some browsers would show a generic error message. To fix this issue, only zip files are accepted now.
Early Access
Functions
A new query function readFile() is released in Early Access. It allows using a CSV Lookup File as data input for a query. For more information, see readFile().
Improvement
Storage
Moved the work of creating a global snapshot for upload to bucket storage from the thread coordinating segment uploads/downloads to a separate thread. This improves the reliability of uploading and downloading the global snapshot to/from bucket storage.
SegmentChangesJobTrigger has been disabled on nodes configured to not be able to store segments, thus saving some CPU time.
Configuration
The default maximum limit for groupBy() has been increased from 200,000 to 1,000,000, meaning that this function can now be asked to collect up to a million groups. However, due to stability concerns it will not allow groupBy() to return the full million rows as a result when this function is the last aggregator: this is governed by the QueryResultRowCountLimit dynamic configuration, which remains unchanged. Therefore, this new limit is best utilized when groupBy() is used as a computational tool for creating groups that are then later aggressively filtered and/or aggregated down in size. If you experience resource strain or starvation on your cluster, you can reduce the maximum limit via the GroupMaxLimit dynamic configuration.
The default value for AUTOSHARDING_MAX has changed from 128 to 1,024.
The default value for AUTOSHARDING_TRIGGER_DELAY_MS has changed from 1 hour to 4 hours.
The default memory limit for the query coordinator node has been increased from 400 MB to 4 GB. This new limit allows each query to use up to 1 GB of memory and thus produce more results, at the cost of taking up more resources. This in turn indirectly limits the amount of concurrent queries, as the query scheduler may choose not to run a given query before existing queries have completed. If you experience resource strain or starvation on your cluster, you can reduce the memory limit by setting the QueryCoordinatorMemoryLimit dynamic configuration to 400,000,000.
Functions
Live queries now restart and run with the updated version of a saved query when the saved query changes.
For more information, see Saved Searches (User Functions).
Reduction of memory requirements when processing empty arrays in functions that accept them. This helps reduce the memory required to use these functions with empty arrays.
Other
Improved handling of segments being replaced due to either merging or event redaction, to address rare cases of event duplication when segments are replaced multiple times shortly after each other.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.2.0.
Adds the event.outcome field
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files
For more information, see Package cisco/meraki Release Notes.
rubrik/security-cloud has been updated to v1.0.1.
Renames the parser to rubrik-securitycloud.
For more information, see Package rubrik/security-cloud Release Notes.
fortinet/fortigate has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product, related.hosts and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package fortinet/fortigate Release Notes.
cisco/umbrella has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds source.ip, event.action, destination.domain, event.type and rule.uuid fields and more.
Renames the fields under the Vendor namespace from camel case to snake case. This is a breaking change, so don't update to this version if your queries rely on the Vendor-specific fields.
Adds support of Firewall logs, Data Loss Prevention (DLP) logs and Intrusion Prevention (IPS) logs.
Renames the parser to cisco-umbrella.
For more information, see Package cisco/umbrella Release Notes.
rubrik/security-cloud has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Bumps parser version to 1.0.0
For more information, see Package rubrik/security-cloud Release Notes.
aws/cloudtrail has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Parses a timestamp based on the digestStartTime in case there is no eventTime field.
Adds new fields: event.dataset, event.reason, file.name, user.roles, source.ip, host.name and more.
Changes a user.name field values to lowercase.
Sets event.dataset and observer.type based on the event action.
Stops using the csv file to set the event categorization fields.
Renames the parser to aws-cloudtrail
For more information, see Package aws/cloudtrail Release Notes.
microsoft/windows-dns-debug has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds new process.thread.id, event.created, network.transport, network.direction, dns.header_flags fields.
Maps the Opcode field to dns.op_code.
Updates the event.dataset from windows.dns to windows.dns-debug.
Sets the event.id based on XID field.
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/duo has been updated to v1.1.0.
Adds new parser for Trust Monitor events.
Bug fix: Renames the Parser_version to Parser.version
For more information, see Package cisco/duo Release Notes.
aws/s3-server-access has been updated to v1.0.1.
Improves the field extraction and performance.
Bumps parser version to 1.0.1
For more information, see Package aws/s3-server-access Release Notes.
proofpoint/tap-siem-api has been updated to v1.0.0.
Updates the parsers to be compliant with LogScale Parsing Standard.
Renames the parsers.
Removes dashboards from the package. To keep those, stay on the old version of the package.
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package proofpoint/tap-siem-api Release Notes.
zscaler/private-access has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.user, related.hosts and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package zscaler/private-access Release Notes.
microsoft/dhcp-client has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package microsoft/dhcp-client Release Notes.
infoblox/nios has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product, related.host and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package infoblox/nios Release Notes.
citrix/netscaler has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, msg and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Puts the CEF header fields under the Vendor.* prefix
For more information, see Package citrix/netscaler Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
haproxy/haproxy has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package haproxy/haproxy Release Notes.
zoom/qss has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package zoom/qss Release Notes.
trellix/fireeye-nx has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.hosts and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package trellix/fireeye-nx Release Notes.
aws/waf has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Improves the field extraction
For more information, see Package aws/waf Release Notes.
akamai/asec has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package akamai/asec Release Notes.
google/chrome-enterprise-security-events has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Bumps parser version to 1.0.0
Renames the url.host to url.domain
For more information, see Package google/chrome-enterprise-security-events Release Notes.
fortinet/fortimail has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.user and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package fortinet/fortimail Release Notes.
microsoft/windows-dns-debug has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product, related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package microsoft/windows-dns-debug Release Notes.
okta/sso has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds event.reason field
Sets the event.kind and event.category fields for threat events.
For more information, see Package okta/sso Release Notes.
imperva/cloud-waf has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.host and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package imperva/cloud-waf Release Notes.
okta/sso has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product related.user and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package okta/sso Release Notes.
cisco/duo has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product, related.user and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Removes data_stream fields, since the same information is now standardized in event.dataset
For more information, see Package cisco/duo Release Notes.
zscaler/deception has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package zscaler/deception Release Notes.
forcepoint/dlp has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package forcepoint/dlp Release Notes.
infoblox/nios has been updated to v1.1.1.
Improves event categorization and outcomes via the event.category[] and event.type[] arrays and the event.outcome field.
For more information, see Package infoblox/nios Release Notes.
nozomi/ids has been updated to v1.1.0.
Sets the event categorization fields: event.category, event.type and event.outcome based on the message data coming from the source.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package nozomi/ids Release Notes.
aws/cloudtrail has been updated to v1.0.1.
Improves the field extraction and performance.
Bumps parser version to 1.0.1
For more information, see Package aws/cloudtrail Release Notes.
dell/isilon has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package dell/isilon Release Notes.
claroty/ctd has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product, related.host and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package claroty/ctd Release Notes.
cisco/ise has been updated to v1.0.0.
Removes the Product field
Adds new event.module and Cps.version fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Bumps parser version to 1.0.0
Adds parsing for several event codes
Restructures and optimizes parsing logic
Categorization updates
For more information, see Package cisco/ise Release Notes.
paloalto/firewall has been updated to v1.1.0.
Adds support for PAN-OS v11.0
Improves the field extraction and performance.
Renames the fields under the Vendor namespace to pascal case notation. This is a breaking change, so don't update to this version if your queries rely on the Vendor-specific fields.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds threat.*, event.severity fields and more.
Sets the event.action for Authentication events.
Sets the event.category to intrusion_detection and malware for Correlation events.
Classifies events according to a threat taxonomy such as the MITRE ATT&CK framework.
Renames the parser to paloalto-ngfw.
For more information, see Package paloalto/firewall Release Notes.
aws/waf has been updated to v1.0.1.
Supports CAPTCHA and Challenge logs.
For more information, see Package aws/waf Release Notes.
cisco/firepower has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Extracts optional priority field from the syslog header
For more information, see Package cisco/firepower Release Notes.
cisco/meraki has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Rename url.host to url.domain field
For more information, see Package cisco/meraki Release Notes.
cloudflare/zerotrust has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.
Adds support of Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.
Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, device.id fields and more.
Renames the parser to cloudflare-one.
For more information, see Package cloudflare/zerotrust Release Notes.
paloalto/firewall has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.hash, related.user, related.hosts, related.ip and message fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package paloalto/firewall Release Notes.
zscaler/internet-access has been updated to v1.1.0.
Consolidates the dedicated parsers for ZIA feeds into one parser. *This is a breaking change, as it required renaming source fields.* After you install the latest version, search queries that rely on the vendor-specific fields might stop working.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.
Adds new fields: event.id, source.geo.name.
For more information, see Package zscaler/internet-access Release Notes.
netgate/pfsense has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package netgate/pfsense Release Notes.
aws/vpcflow has been updated to v1.1.0.
Sets new field cloud.account.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Renames the parser to aws-vpcflow.
### 1.0.0
Normalizes data to the CrowdStrike Parsing Standard (CPS) schema.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Improves the field extraction.
Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.
Bumps the minimum LogScale version to 1.120 to support the AWS S3 ingest feed.
For more information, see Package aws/vpcflow Release Notes.
aws/cloudtrail has been updated to v1.0.0.
This version of the package supersedes both the amazon/cloudtrail package and previous versions of this package.
If you are migrating here from the amazon/cloudtrail package, the following changes apply:
For more information, see Package aws/cloudtrail Release Notes.
cloudflare/zerotrust has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.user and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package cloudflare/zerotrust Release Notes.
aws/s3-server-access has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.ip and related.user fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Improves the field extraction.
For more information, see Package aws/s3-server-access Release Notes.
aruba/clearpass has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package aruba/clearpass Release Notes.
island/island has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.ip and related.user fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Bumps the parser version to 1.0.0.
For more information, see Package island/island Release Notes.
asimily/iomt has been updated to v1.0.0.
Removes the Product and related.ip fields.
Adds new event.module and Cps.version fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Bumps the parser version to 1.0.0.
Bumps ecs.version to 8.11.0.
For more information, see Package asimily/iomt Release Notes.
aws/fsx has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package aws/fsx Release Notes.
broadcom/proxysg has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.ip and related.host fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Bug fix: renames the ecs_version field to ecs.version.
For more information, see Package broadcom/proxysg Release Notes.
microsoft/sysmon has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields.
Removes the Product, related.ip, related.user, related.hosts and related.hash fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package microsoft/sysmon Release Notes.
infoblox/nios has been updated to v1.1.0.
Simplifies parser logic by removing unnecessary rename operations.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Extracts the dns.answer.* and dns.resolved_ip fields.
Removes the repeat.message field.
For more information, see Package infoblox/nios Release Notes.
nozomi/ids has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product field.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.user, related.hash and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package checkpoint/ngfw Release Notes.
zscaler/internet-access has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields.
Removes the Product, related.ip, related.user and related.host fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Bumps the parser version to 1.0.0.
Bumps ecs.version to 8.11.0.
For more information, see Package zscaler/internet-access Release Notes.
cisco/umbrella has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.user and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package cisco/umbrella Release Notes.
juniper/srx has been updated to v1.0.0.
Adds new event.module, event.dataset and Cps.version fields.
Removes the Product, related.user, related.host and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package juniper/srx Release Notes.
imperva/cloud-waf has been updated to v1.2.0.
Sets the event.category and event.type to threat/indicator for events where an attack took place.
For more information, see Package imperva/cloud-waf Release Notes.
aws/guardduty has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.ip, related.host and related.user fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package aws/guardduty Release Notes.
cisco/ios has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product, related.user and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package cisco/ios Release Notes.
fortinet/fortigate has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the error.code field.
Sets the event.category and rule.description fields based on the event type.
For more information, see Package fortinet/fortigate Release Notes.