Falcon LogScale 1.142.4 LTS (2024-12-17)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.142.4LTS2024-12-17

Cloud

On-Prem

2025-07-31No1.112.01.112.0No

Hide file download links

Show file download links

Hide file hashes

Show file hashes

These notes include entries from the following previous releases: 1.142.1, 1.142.3, 1.142.1, 1.142.3

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Functions

    • The limit parameter has been added to the rdns() function. It is controlled by dynamic configurations RdnsMaxLimit and RdnsDefaultLimit. This is a breaking change addition due to incidents caused by the large implicit limit used before.

      For more information, see rdns().

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • The LogScale Launcher Script script for starting LogScale will be modified to change the way CPU core usage can be configured. The -XX:ActiveProcessorCount=n command-line option will be ignored if set. Users that need to configure the core count manually should set CORES=n environment variable instead. This will cause the launcher to configure both LogScale and the JVM properly.

      This change is scheduled for 1.148.0.

      For more information, see LogScale Launcher Script.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following API endpoints are deprecated and marked for removal in 1.148.0:

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment

    • GET /api/v1/clusterconfig/kafka-queues/partition-assignment

    • POST /api/v1/clusterconfig/kafka-queues/partition-assignment/set-replication-defaults

    The deprecated methods are used for viewing and changing the partition assignment in Kafka for the ingest queue. Administrators should use Kafka's own tools for editing partition assignments instead, such as the bin/kafka-reassign-partitions.sh and bin/kafka-topics.sh scripts that ship with the Kafka install.

  • The HUMIO_JVM_ARGS environment variable in the LogScale Launcher Script script will be removed in 1.154.0.

    The variable existed for migration from older deployments where the launcher script was not available. The launcher script replaces the need for manually setting parameters in this variable, so the use of this variable is no longer required. Using the launcher script is now the recommended method of launching LogScale. For more details on the launcher script, see LogScale Launcher Script. Clusters that still set this configuration should migrate to the other variables described at LogScale Launcher Script.

  • We are deprecating the humio/kafka and humio/zookeeper Docker images due to low use. The planned final release for these images will be with LogScale 1.148.0.

    Better alternatives are available going forward. We recommend the following:

    • If your cluster is deployed on Kubernetes: STRIMZI

    • If your cluster is deployed to AWS: MSK

    If you still require humio/kafka or humio/zookeeper for needs that cannot be covered by these alternatives, please contact Support and share your concerns.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK, we will bundle one with releases instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release where server.tar.gz artifact is included will be 1.154.0.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • API

    • It is no longer possible to revive a query by polling it after it has been stopped.

      For more information, see Running Query Jobs.

  • Other

    • LogScale deletes humiotmp directories when gracefully shut down, but this can cause tmp directories to leak if LogScale crashes. LogScale now also deletes these directories on startup.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • The JDK included in container deployments has been upgraded to 22.0.2.

    • The Kafka client has been upgraded to 3.7.0. The Kafka server version in the deprecated humio/kafka Docker image is also upgraded to 3.7.0.

    • Bundled JDK upgraded to 22.0.1.

    • The JDK included in container deployments has been upgraded to 23.0.1

New features and improvements

  • Installation and Deployment

    • Changing the NODE_ROLES of a host is now forbidden. A host will now crash if the role it is configured to have doesn't match what is listed in global for that host. People wishing to change the role of a host in a cluster should instead remove that host from the cluster by unregistering it, wipe the data directory of the host, and boot the node back into the cluster as if it were a completely new node. The node will be assigned a new vhost identifier when doing this.

    • Unused modules have been removed from the JDK bundled with LogScale releases, thus reducing the size of release artifacts.

  • User Interface

    • Time zone data has been updated to IANA 2024a and has been trimmed to +/- 5 years from the release date of IANA 2024a.

    • The maximum limit for saved query names has been set to 200 characters.

    • Layout changes have been made in the Connections UI page.

      For more information, see Connections.

    • The warnings for numbers out of the browser's safe number range have been slightly modified.

      For more information, see Troubleshooting: UI Warning: The actual value is different from what is displayed.

    • A new Field list column type has been added in the Event List. It formats all fields in the event in key-value pairs by grouping a field list by prefix.

      For more information, see Column Properties.

  • Automation and Triggers

    • Scheduled Reports can now be created. Scheduled Reports generate reports directly from dashboards and send them to the selected email addresses on a regular schedule.

      For more information, see Schedule PDF Reports.

    • Two new GraphQL fields have been added in the ScheduledSearch datatype:

      • lastExecuted will hold the timestamp of the end of the search interval on the last scheduled search run.

      • lastTriggered will hold the timestamp of the end of the search interval on the last scheduled search run that found results and triggered actions.

      These two new fields are now also displayed in the Scheduled Searches user interface.

      For more information, see Last Executed and Last Triggered Scheduled Search.

  • GraphQL API

    • A new unsetDynamicConfig() GraphQL mutation is introduced to unset dynamic configurations.

    • Added a new GraphQL API generateParserFromTemplate() for decoding a parser YAML template without installing it.

  • API

    • Upgrade to the latest Jakarta Mail API to prevent a warning message from being logged about a missing mail configuration file.

    • Information about files used in a query is now added to the query result returned by the API.

  • Configuration

    • The EXACT_MATCH_LIMIT configuration has been removed. It is no longer needed, since files are limited by size instead of rows.

    • When UNSAFE_RELAX_MULTI_CLUSTER_PROTOCOL_VERSION_CHECK is set to ensure Multi-Cluster Compatibility Across Versions, attempting to search in clusters older than version 1.131.2 is not allowed and a UI message will now be displayed.

    • A new QueryBacktrackingLimit dynamic configuration is available through GraphQL as experimental. It allows to limit a query iterating over individual events too many times (which may happen with an excessive use of copyEvent(), join() and split() functions, or regex() with repeat-flags). The default for this limit is 3,000 and can be modified with the dynamic configuration. At present, the feature flag sets this limit off by default.

  • Ingestion

    • Audit logs related to Event Forwarders no longer include the properties of the event forwarder.

      Event forwarder disablement is now audit logged with type disable instead of enable.

    • The parser assertions can now be written and loaded to YAML files, using the V3 parser format.

    • Self-hosted only: derived tags (like #repo) are now included when executing Event Forwarding Rules. These fields will be included in the forwarded events unless filtered by select() or drop(#repo) in the rule.

  • Dashboards and Widgets

    • A parameter panel widget type has been added to allow users to drag parameters from the top panel and into these panels. Also, a parameter width is now adjustable in the settings.

      For more information, see Parameter Panel Widget.

  • Log Collector

    • Live and Historic options for Fleet Overview are introduced. When Live, the overview will show online collectors and continuously be updated with e.g. new CPU metrics or status changes. The Historic view will display all records of collectors for the last 30 days. In this case the overview will not be updated with new information.

      For more information, see Switch between Live and Historic Overview.

    • Fleet Management now supports ephemeral hosts. If a collector is enrolled with the parameter --ephemeralTimeout, after being offline for the specified duration in hours it will disappear from the Fleet Overview interface and be unenrolled. The feature requires LogScale Collector version 1.7.0 or above.

  • Functions

    • array:filter() has been fixed as performing a filter test on an array field outputted from this function would sometimes lead to no results.

    • The onlyTrue parameter has been added to the bitfield:extractFlags() query function, it allows to output only flags whose value is true.

      For more information, see bitfield:extractFlags().

    • The query editor now gives warnings about certain regex constructs that are valid but suboptimal. Specifically, quantified wildcards in the beginning or end of an (unanchored) regex.

    • Multi-valued arguments can now be passed to a saved query.

      For more information, see Saved Searches (User Functions).

  • Other

    • A new metric max_ingest_delay is introduced to keep track of the current maximum ingest delay across all Kafka partitions.

    • Two new metrics have been introduced:

      • internal-throttled-poll-rate keeps track of the number of times polling workers during query execution was throttled due to rate limiting.

      • internal-throttled-poll-wait-time keeps track of maximum delays per poll round due to rate limiting.

Fixed in this release

  • Storage

    • Taking nodes offline in a cluster that does not use bucket storage could prevent cleanup of mini-segments associated with merge targets owned by the offline nodes, causing global to grow. To solve this, the cluster now moves merge targets that have not yet achieved full replication to follow digest nodes.

    • The Did not query segment error spuriously appearing when the cluster performs digest reassignment has now been fixed.

    • The file synchronization job would stop if upload to bucket storage fails. This issue has been fixed.

  • Dashboards and Widgets

    • Shared dashboards created on the special humio-search-all view wouldn't load correctly. This issue has now been fixed.

    • The execution of dashboard parameter queries has been changed to only run as live when the dashboard itself is live.

    • Dragging a parameter to an empty Parameter Panel Widget would sometimes not move the parameter. This issue has been fixed.

  • Functions

    • The query editor has been fixed as field auto-completions would sometimes not be suggested.

    • The query editor would mark the entire query as erroneous when count() was given with distinct=true parameter but missing an argument for the field parameter. This issue has been fixed.

    • Live queries using Field Aliasing on a repository with Tag Groupings enabled could fail. This issue has now been fixed.

    • The time:xxx() functions have been fixed as they did not correctly use the query's time zone as default. The offset was applied in an opposite manner, such that for example GMT+2 was applied as GMT-2. This has now been fixed.

  • Other

    • A regression introduced in version 1.132 has been fixed, where a file name starting with shared/ would be recognized as a shared file instead of a regular file. However, a shared file should be referred to using exactly /shared/ as a prefix.

    • Fixing a very rare edge case that could cause creation of malformed entities in global when a nested entity — such as a datasource — was deleted.

Improvement

  • User Interface

    • When a saved query is used, the query editor will display the query string when hovering over it.

  • Storage

    • Logging improvements have been made around bucket uploads to assist with troubleshooting slow uploads, which are only seen in clusters with very large data sets.

  • Packages

    • Validate that there are no duplicate names used for each package template type during package installations (for example you cannot use the same name for multiple parsers that are part of the same package).

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • checkpoint/ngfw has been updated to v1.3.0.

      Duplicated vendor fields removed

      Updated parser has been improved to handle field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.srcIp) and a CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the updated parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the updated parser:

      • Vendor.action

      • Vendor.additional_info

      • Vendor.administrator

      • Vendor.app_risk

      • Vendor.app_rule_id

      • Vendor.app_rule_name

      • Vendor.application

      • Vendor.bytes

      • Vendor.categories

      • Vendor.client_inbound_interface

      • Vendor.client_ip

      • Vendor.conn_direction

      • Vendor.delivery_time

      • Vendor.description

      • Vendor.dlp_file_name

      • Vendor.dlp_rule_name

      • Vendor.dlp_rule_uid

      • Vendor.dns_message_type

      • Vendor.dns_type

      • Vendor.domain_name

      • Vendor.dst

      • Vendor.dst_user_name

      • Vendor.email_message_id

      • Vendor.email_queue_id

      • Vendor.email_subject

      • Vendor.endpoint_ip

      • Vendor.file_id

      • Vendor.file_name

      • Vendor.file_size

      • Vendor.file_type

      • Vendor.first_detection

      • Vendor.from

      • Vendor.ifdir

      • Vendor.ifname

      • Vendor.industry_reference

      • Vendor.information

      • Vendor.inzone

      • Vendor.last_detection

      • Vendor.lastupdatetime

      • Vendor.layer_name

      • Vendor.loguid

      • Vendor.mac_destination_address

      • Vendor.mac_source_address

      • Vendor.malware_action

      • Vendor.malware_rule_id

      • Vendor.malware_rule_name

      • Vendor.matched_category

      • Vendor.method

      • Vendor.objectname

      • Vendor.origin

      • Vendor.origin_ip

      • Vendor.os_name

      • Vendor.os_version

      • Vendor.outzone

      • Vendor.packet_capture

      • Vendor.packets

      • Vendor.parent_process_name

      • Vendor.policy

      • Vendor.process_name

      • Vendor.product

      • Vendor.proto

      • Vendor.received_bytes

      • Vendor.referrer

      • Vendor.resource

      • Vendor.rule_name

      • Vendor.rule_uid

      • Vendor.s_port

      • Vendor.security_outzone

      • Vendor.sent_bytes

      • Vendor.sequencenum

      • Vendor.server_outbound_bytes

      • Vendor.server_outbound_interface

      • Vendor.server_outbound_packets

      • Vendor.service

      • Vendor.service_id

      • Vendor.session_description

      • Vendor.session_uid

      • Vendor.severity

      • Vendor.smartdefence_profile

      • Vendor.sport_svc

      • Vendor.src

      • Vendor.src_user_group

      • Vendor.src_user_name

      • Vendor.start_time

      • Vendor.svc

      • Vendor.to

      • Vendor.type

      • Vendor.uid

      • Vendor.update_version

      • Vendor.url

      • Vendor.user

      • Vendor.user_agent

      • Vendor.user_group

      • Vendor.usercheck_incident_uid

      • Vendor.web_client_type

      • Vendor.xlatedport

      • Vendor.xlatedport_svc

      • Vendor.xlatedst

      • Vendor.xlatesport

      • Vendor.xlatesport_svc

      • Vendor.xlatesrc

      Miscellaneous

      • Bug fix: resolved an issue with the regex used to extract fields from rawstring.

      • Bumps the ecs.version to 8.16.0.

      • Corrects a typo in the event.type field values to comply with ECS. Changed conection to connection and delection to deletion.

      • Removes the destination.service.name field as it was not valid ECS field.

      • Renames the network.app_name to network.application to comply with ECS.

      • Updates the event.dataset from content-awareness to ngfw.content-awareness to comply with CPS.

      For more information, see Package checkpoint/ngfw Release Notes.

    • microsoft/sysmon has been updated to v1.1.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package microsoft/sysmon Release Notes.

    • aruba/clearpass has been updated to v1.1.0.

      • Implements new fields:

        • client.mac

        • client.ip

        • server.ip

        • observer.version

        • observer.ip

        • observer.port

        • event.type

        • event.outcome

      • Parser tests have been improved by adding assertions to the test cases

      • Bumps minimum LogScale version to 1.139 to support parser assertions

      For more information, see Package aruba/clearpass Release Notes.

    • linux/system-logs has been updated to v0.2.0.

      • Updated this package to utilize the LogScale Collector instead of filebeat.

      • Improves the field extraction and performance.

      • Updates saved queries and dashboards to work with data sent through the LogScale Collector.

      • If you are upgrading from older version of this package, note that this update is a large breaking change, where the package uses LogScale Collector to ship logs. If you wish to keep the old parser and dashboard, feel free to keep using the old version of the package.

      • Renamed parser to linux-systemlogs.

      • Bumps minimum LogScale version to 1.40.

      For more information, see Package linux/system-logs Release Notes.

    • cisco/ios has been updated to v1.2.0.

      • Improves the timestamp parsing.

      For more information, see Package cisco/ios Release Notes.

    • imperva/cloud-waf has been updated to v1.3.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package imperva/cloud-waf Release Notes.

    • proofpoint/tap-siem-api has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Maps the clickTime field to @timestamp instead of threatTime field for ClicksBlocked and ClicksPermitted events.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type field.

      For more information, see Package proofpoint/tap-siem-api Release Notes.

    • humio/activity has been updated to v1.4.0.

      • Minimum supported LogScale version bumped to 1.141.0.

      • Added new dashboard Scheduled Reports Overview. This dashboard shows an overview of all scheduled reports - a new feature added to LogScale from version 1.141.0.

      • Added new view interaction Show Scheduled Report Details. This allows navigation from event logs to the Scheduled Reports Overview dashboard with focus on that one report.

      • Added new view interaction Edit Scheduled Report. This allows navigation from event logs to the Scheduled Reports edit page.

      For more information, see Package humio/activity Release Notes.

    • cisco/firepower has been updated to v1.4.0.

      • Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0

      • Improves the field extraction and performance

      • Removes the event.code field as it does not conform to CPS standard

      • Further normalisation to ECS fields; observer.ingress.vlan.name, observer.egress.vlan.name, rule.ruleset, rule.category, user_agent.name, user_agent.original, user_agent.version, network.application, http.response.status_code, http.request.referrer

      For more information, see Package cisco/firepower Release Notes.

    • infoblox/nios has been updated to v1.2.1.

      • Adds event.kind field mapped to CPS

      For more information, see Package infoblox/nios Release Notes.

    • cisco/asa has been updated to v0.2.0.

      • Improves the field extraction and performance.

      For more information, see Package cisco/asa Release Notes.

    • humio/activity has been updated to v1.5.0.

      • This version adds support for aggregate alerts - a new type of alert introduced in 1.147.0:

      • Minimum supported LogScale version bumped to 1.147.0.

      • Added new dashboard Alerts Overview. This shows an overview of all alerts with the possibility of filtering on the alert type. Eventually, this dashboard will replace the Filter Alerts Overview and Legacy Alerts Overview dashboards.

      • Added new dashboard Alert Details. This shows details of a single alert. Eventually, this dashboard will replace the Filter Alert Details and Legacy Alert Details dashboards.

      • Added new view interaction Edit Aggregate Alert. This allows navigation from event logs for an aggregate alert to the alert edit page.

      • Added new view interaction Alert Details. This allows navigation from event logs for an alert to the Alert Details dashboard.

      • Renamed the dashboard Standard Alerts Overview to Legacy Alerts Overview.

      • Renamed the dashboard Standard Alert Details to Legacy Alert Details.

      • Renamed the view interaction Edit Standard Alert to Edit Legacy Alert.

      • Removed the view interactions Show Standard Alert Details and Show Filter Alert Details, those are replaced by Show Alert Details.

      For more information, see Package humio/activity Release Notes.

    • paloalto/firewall has been updated to v1.2.0.

      • Adds additional mappings to ECS for: source.geo.country_name, destination.geo.country_name, rule.category, process.command_line, source.ip (for Config logs), network.packets fields.

      • Adds url.* ECS fields for subtype url

      • Adds the field observer.type

      • Adds additional options to Config logs to determine event.outcome

      • Enhancement to parsing for system auth logs

      • Decodes network.transport to include network.iana_numbers

      • Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port

      For more information, see Package paloalto/firewall Release Notes.

    • cisco/firepower has been updated to v1.2.0.

      • Exludes the empty fields when parsing events with kvParse() function.

      For more information, see Package cisco/firepower Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Sets the Vendor.type field based on the event type.

      • Sets the observer.address, observer.name, event.outcome fields and more.

      • Renames the parser to paloalto-prisma-sdwan.

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • zscaler/private-access has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Sets the event.category, event.type and the event.outcome fields based on the source data.

      • Adds observer.type, package.version, server.bytes, event.action fields and more.

      For more information, see Package zscaler/private-access Release Notes.

    • imperva/cloud-waf has been updated to v1.1.0.

      • Sets the event.kind based on the attack name field.

      For more information, see Package imperva/cloud-waf Release Notes.

    • aws/s3-server-access has been updated to v1.0.2.

      • Fixes the parser to no longer drop events which don't contain tls_version and request_uri fields

      For more information, see Package aws/s3-server-access Release Notes.

    • cisco/meraki has been updated to v1.2.1.

      • Removes the references to the lookup file from the parser

      • Bumps the ecs.version to 8.16.0

      For more information, see Package cisco/meraki Release Notes.

    • f5networks/bigip has been updated to v2.0.0.

      • Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.

      • Improves CPS categorization and normalization.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/duo has been updated to v2.1.0.

      • Adds normalization using the Vendor.auth_device.* fields.

      • Updates the field mapping for Cisco Duo Authentication events. To improve the accuracy and consistency of field normalization previously mapped source.user.* fields have been updated to user.* fields. This is a breaking change and some of the search queries, dasbhboards or alers that rely on the source.user.* fields may stop working. Update all affected search queries to use user.* fields to restore functionality.

      For more information, see Package cisco/duo Release Notes.

    • cisco/duo has been updated to v1.1.3.

      • Bug fix: Sets a timestamp format to seconds for Trust Monitor authentication events.

      For more information, see Package cisco/duo Release Notes.

    • darktrace/detect has been updated to v1.1.0.

      • The parser darktrace-detect is an aggregation of the three previous parsers: ai_analyst_alert-syslog, model_breach_alert-syslog, system_status_alert-syslog

      • Handles events with syslog headers in both the RFC 5424 and RFC 3164 formats

      • Deals with large JSON objects within the message

      • Handles the following log types and sets event.dataset accordingly: detect.aianalyst/detect.modelbreach/detect.modeltrigger/detect.systemstatus/detect.antigena

      • CPS normalization that was previously done in separate parsers is carried out based on event.dataset

      • CPS normalization carried out for additional data types - detect.modeltrigger and detect.antigena

      • Added santised examples of all variations of event.dataset and syslog header format

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package darktrace/detect Release Notes.

    • infoblox/nios has been updated to v1.2.2.

      • Improves the dns.* fields extraction.

      • Bumps the ecs.version to 8.16.0

      • Enhacnes the regex to accept hashes in the host.domain field.

      For more information, see Package infoblox/nios Release Notes.

    • citrix/netscaler has been updated to v1.0.1.

      • Bug fix: The citrix-netsaler-syslog parser no longer fails on parsing JSON input

      For more information, see Package citrix/netscaler Release Notes.

    • cisco/ise has been updated to v1.2.0.

      • Adds support for the CISE_Alarm messages.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package cisco/ise Release Notes.

    • humio/activity has been updated to v1.6.0.

      • Added new view interactions Open Alert Docs and Open Scheduled Search Docs which will open the online documentation for messages for alerts and scheduled searches.

      • Added a menu item on the table widgets on the dashboards containing a message for alerts and scheduled searches to open the online documentation for the message.

      For more information, see Package humio/activity Release Notes.

    • juniper/srx has been updated to v1.1.0.

      • Improves the field extraction and performance

      • Sets the event.category, event.type and the event.outcome fields based on the source data

      • Adds observer.* fields, for example: observer.type, observer.product and more

      For more information, see Package juniper/srx Release Notes.

    • paloalto/firewall has been updated to v1.2.1.

      • Adds an additional mapping to ECS for user_agent.original field.

      • Parses user.name out of Admin field from Config logs.

      For more information, see Package paloalto/firewall Release Notes.

    • cisco/meraki has been updated to v1.1.0.

      • Bug fix: updates the mapping for destination.port, source.port fields

      • Normalizing the mac addresses to keep the notation from RFC 7042

      For more information, see Package cisco/meraki Release Notes.