Falcon LogScale 1.153.2 Internal (2024-09-18)

Version: 1.153.2
Type: Internal
Release Date: 2024-09-18
Availability: Internal Only
End of Support: 2025-09-30
Security Updates: No
Upgrades From: 1.112.0
Downgrades To: 1.112.0
Config. Changes: No


Internal-only release.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The server.tar.gz release artifact has been deprecated. Users should switch to the OS/architecture-specific server-linux_x64.tar.gz or server-alpine_x64.tar.gz artifacts, which include bundled JDKs. Users installing a Docker image do not need to make any changes. With this change, LogScale will no longer support bringing your own JDK; a JDK will be bundled with each release instead.

    We are making this change for the following reasons:

    • By bundling a JDK specifically for LogScale, we can customize the JDK to contain only the functionality needed by LogScale. This is a benefit from a security perspective, and also reduces the size of release artifacts.

    • Bundling the JDK ensures that the JDK version in use is one we've tested with, which makes it more likely a customer install will perform similar to our own internal setups.

    • By bundling the JDK, we will only need to support one JDK version. This means we can take advantage of enhanced JDK features sooner, such as specific performance improvements, which benefits everyone.

    The last release that includes the server.tar.gz artifact will be 1.154.0.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new behavior:

  • Functions

    • Prior to LogScale v1.147, the array:length() function accepted a value in the array argument without the [] brackets, so that array:length("field") always produced the result 0 (since no array named field existed). The function has now been updated to throw an exception when the array argument is not an array field name. The given array name must therefore include the [] brackets, since the function only works on array fields.
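To find the saved queries, alerts and dashboard widgets that the stricter array:length() validation will now break, the following Python check is added here as an example; it is not part of LogScale or of this release. It scans query text for array:length() calls whose array argument lacks the trailing [] and reports them. The regex and the sample queries are constructed for illustration and cover the quoted, bare and named array= argument spellings; extend the pattern if your queries use others.

```python
import re

# Matches array:length(<value>) or array:length(array=<value>, ...) and captures
# the value passed as the array argument, with or without surrounding quotes.
# The character class accepts LogScale field-name characters plus [ and ].
ARRAY_LENGTH_CALL = re.compile(
    r'array:length\(\s*(?:array\s*=\s*)?"?([A-Za-z0-9_.@#\-\[\]]+)"?'
)


def array_length_issues(query: str) -> list[str]:
    """Return the array arguments in `query` that lack the trailing [] brackets.

    Before LogScale 1.147 such calls silently evaluated to 0; from 1.147 on they
    throw an exception, so every hit must be rewritten to an array field name.
    """
    return [arg for arg in ARRAY_LENGTH_CALL.findall(query) if not arg.endswith("[]")]


# Constructed sample queries (not taken from any real repository or dashboard).
SAMPLE_QUERIES = {
    "dashboard-hosts": 'parseJson() | array:length(array="hosts[]", as=n) | n > 3',
    "scheduled-ips": 'array:length("ips") | groupBy(_count)',
    "alert-ports": 'array:length(array=ports, as=c) | c > 10',
    "ok-positional": 'array:length("tags[]")',
}


def audit(queries: dict[str, str]) -> dict[str, list[str]]:
    """Map each query name to its offending array arguments (empty list = fine)."""
    return {name: array_length_issues(q) for name, q in queries.items()}


if __name__ == "__main__":
    for name, bad in audit(SAMPLE_QUERIES).items():
        status = "OK" if not bad else f"needs update, non-array argument(s): {bad}"
        print(f"{name}: {status}")
```

Run it against an export of your saved queries before upgrading; a query that appears in the output will start failing with an exception instead of quietly returning 0.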

Known Issues

  • Queries

    • A known issue in the implementation of the match() function when using the cidr option for the mode parameter can reduce the performance of the query and block other queries from executing.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • rubrik/security-cloud has been updated to v1.0.1.

      • Renames the parser to rubrik-securitycloud.

      For more information, see Package rubrik/security-cloud Release Notes.

    • cisco/umbrella has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds source.ip, event.action, destination.domain, event.type and rule.uuid fields and more.

      • Renames the fields under the Vendor namespace from camelCase to snake_case. This is a breaking change, so do not update to this version if your queries rely on the Vendor-specific fields.

      • Adds support for Firewall logs, Data Loss Prevention (DLP) logs and Intrusion Prevention (IPS) logs.

      • Renames the parser to cisco-umbrella.

      For more information, see Package cisco/umbrella Release Notes.

    • aws/cloudtrail has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Parses the timestamp from digestStartTime when there is no eventTime field.

      • Adds new fields: event.dataset, event.reason, file.name, user.roles, source.ip, host.name and more.

      • Changes user.name field values to lowercase.

      • Sets event.dataset and observer.type based on the event action.

      • Stops using the csv file to set the event categorization fields.

      • Renames the parser to aws-cloudtrail.

      For more information, see Package aws/cloudtrail Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds the new process.thread.id, event.created, network.transport, network.direction and dns.header_flags fields.

      • Maps the Opcode field to dns.op_code.

      • Updates the event.dataset from windows.dns to windows.dns-debug.

      • Sets event.id based on the XID field.

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • okta/sso has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds the event.reason field.

      • Sets the event.kind and event.category fields for threat events.

      For more information, see Package okta/sso Release Notes.

    • paloalto/firewall has been updated to v1.1.0.

      • Adds support for PAN-OS v11.0.

      • Improves the field extraction and performance.

      • Renames the fields under the Vendor namespace to PascalCase notation. This is a breaking change, so do not update to this version if your queries rely on the Vendor-specific fields.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds threat.*, event.severity fields and more.

      • Sets the event.action for Authentication events.

      • Sets event.category to intrusion_detection and malware for Correlation events.

      • Classifies events according to the MITRE ATT&CK threat taxonomy.

      • Renames the parser to paloalto-ngfw.

      For more information, see Package paloalto/firewall Release Notes.

    • cloudflare/zerotrust has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.

      • Adds support for Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.

      • Adds the event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size and device.id fields, and more.

      • Renames the parser to cloudflare-one.

      For more information, see Package cloudflare/zerotrust Release Notes.

    • zscaler/internet-access has been updated to v1.1.0.

      • Consolidates the dedicated parsers for ZIA feeds into one parser. This is a breaking change, as it required renaming source fields: after installing the latest version, search queries that rely on the Vendor-specific fields might stop working.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Improves the field extraction and performance.

      • Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.

      • Adds new fields: event.id, source.geo.name.

      For more information, see Package zscaler/internet-access Release Notes.

    • aws/vpcflow has been updated to v1.1.0.

      • Sets new field cloud.account.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Renames the parser to aws-vpcflow.

      Changes in v1.0.0:

      • Normalizes data to CrowdStrike Parsing Standard (CPS) schema.

      • Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.

      • Improves the field extraction.

      • Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.

      • Bumps minimum LogScale version to 1.120 to support AWS S3 ingest feed.

      For more information, see Package aws/vpcflow Release Notes.

    • cisco/duo has been updated to v1.1.3.

      • Bug fix: Sets a timestamp format to seconds for Trust Monitor authentication events.

      For more information, see Package cisco/duo Release Notes.

    • infoblox/nios has been updated to v1.1.0.

      • Simplifies parser logic by removing unnecessary rename operations.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Extracts the dns.answer.* and dns.resolved_ip fields.

      • Removes the repeat.message field.

      For more information, see Package infoblox/nios Release Notes.

    • fortinet/fortigate has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Sets the error.code field.

      • Sets the event.category and rule.description fields based on the event type.

      For more information, see Package fortinet/fortigate Release Notes.
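The cisco/umbrella v1.1.0 entry above flags the camelCase to snake_case rename of the Vendor.* fields as a breaking change. As an added example, and not code from CrowdStrike or from the package itself, the following Python helper rewrites Vendor.* references in a saved query to snake_case and reports every rename so the result can be reviewed before the package is upgraded. It assumes the rename is a purely mechanical case conversion (an assumption: confirm the exact new names in the package release notes before trusting the output). The sample query and its field names are constructed for illustration, and the helper does not apply to paloalto/firewall, whose Vendor fields moved to PascalCase instead.

```python
import re

# A Vendor.* field reference as it appears in a LogScale query: the Vendor
# namespace followed by one or more dot-separated name segments.
VENDOR_FIELD = re.compile(
    r"\bVendor\.([A-Za-z][A-Za-z0-9]*(?:\.[A-Za-z][A-Za-z0-9]*)*)"
)


def camel_to_snake(name: str) -> str:
    """someFieldName -> some_field_name; names already in snake_case are unchanged."""
    step = re.sub(r"([A-Z]+)([A-Z][a-z])", r"\1_\2", name)  # HTTPStatus -> HTTP_Status
    step = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", step)  # fieldName  -> field_Name
    return step.lower()


def rewrite_vendor_fields(query: str) -> tuple[str, dict[str, str]]:
    """Return the query with Vendor.* references converted to snake_case, plus a
    mapping of old -> new names so every change can be reviewed before saving."""
    changes: dict[str, str] = {}

    def repl(m: re.Match) -> str:
        old = m.group(0)
        new = "Vendor." + ".".join(camel_to_snake(seg) for seg in m.group(1).split("."))
        if new != old:
            changes[old] = new
        return new

    return VENDOR_FIELD.sub(repl, query), changes


# Constructed sample query; the Vendor field names are invented for illustration
# and are not the package's real field names.
SAMPLE_QUERY = (
    '#event.dataset="cisco.umbrella" '
    '| Vendor.policyIdentity = "blocked" '
    "| groupBy([Vendor.internalIp, Vendor.queryType], function=count())"
)


if __name__ == "__main__":
    rewritten, renames = rewrite_vendor_fields(SAMPLE_QUERY)
    for old, new in renames.items():
        print(f"{old} -> {new}")
    print(rewritten)
```

Apply it to each saved query, alert and dashboard that references Vendor.* fields from this package, and diff the reported renames against the package release notes; any field the converter produces that the notes do not list needs a manual mapping.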