Falcon LogScale 1.156.0 GA (2024-09-17)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.156.0GA2024-09-17

Cloud

2025-10-31No1.112.01.112.0No

Hide file download links

Show file download links

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Upgraded the Kafka clients to 3.8.0.

New features and improvements

Fixed in this release

  • User Interface

    • The OIDC and SAML configuration pages under Organization settings have been fixed due to a tooltip containing a link that would close before users could click the link.

    • Entering new arguments for Multi-value Parameters in Dashboard Link would not actually insert the new argument into the list of arguments. This issue has now been fixed.

    • Suggestions for parameter values in the Interactions panel would not be able to find fields in the query result. This issue has now been fixed.

  • Storage

    • An issue has been fixed which could cause clusters with too few hosts online to reach the configured segment replication factor to run segment rebalancing repeatedly.

      The rebalancing now disables itself in such a situation, until enough nodes come back online that rebalancing will actually be able to reach the replication factor.

  • Queries

    • A regression issue that occurred in LogScale version 1.142.0 has now been fixed: it could cause LogScale to exceed the limit on off-heap memory when running many queries concurrently.

      Queries hitting the limit on off-heap memory could be deprioritized more strongly than intended. This issue has now been fixed.

  • Other

    • A regression issue where some uploaded files close to 2GB could fail to load has now been fixed.

Known Issues

  • Queries

    • A known issue in the implementation of the match() function when using cidr option in the mode parameter, could cause a reduction in performance for the query, and block other queries from executing.

Improvement

  • User Interface

    • The Amazon S3 archiving UI page now correctly points to the S3 Archiving documentation pages versioned for Self-Hosted and Cloud.

  • Queries

    • The enforcement of the limit on off-heap buffers for segments being queried has been tightened: the limit should no longer exceed the size required for reading a single segment, even in cases where the scheduler is very busy.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • rubrik/security-cloud has been updated to v1.0.1.

      • Renames the parser to rubrik-securitycloud.

      For more information, see Package rubrik/security-cloud Release Notes.

    • cisco/umbrella has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds source.ip, event.action, destination.domain, event.type and rule.uuid fields and more.

      • Renames the fields under the Vendor namespace from the camelcase to snakecase. It's a breaking change so don't update to this version in case your queries rely on the Vendor specific fields

      • Adds support of Firewall logs, Data Loss Prevention (DLP) logs and Intrusion Prevention (IPS) logs.

      • Renames the parser to cisco-umbrella.

      For more information, see Package cisco/umbrella Release Notes.

    • aws/cloudtrail has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Parses a timestamp based on the digestStartTime in case there is no eventTime field.

      • Adds new fields: event.dataset, event.reason, file.name, user.roles, source.ip, host.name and more.

      • Changes a user.name field values to lowercase.

      • Sets event.dataset and observer.type based on the event action.

      • Stops using the csv file to set the event categorization fields.

      • Renames the parser to aws-cloudtrail

      For more information, see Package aws/cloudtrail Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds new process.thread.id, event.created, network.transport, network.direction, dns.header_flags fields.

      • Mapps Opcode field to dns.op_code.

      • Updates the event.dataset from windows.dns to windows.dns-debug.

      • Sets the event.id based on XID field.

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • okta/sso has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds event.reason field

      • Sets the event.kind and event.category fields for threat events.

      For more information, see Package okta/sso Release Notes.

    • paloalto/firewall has been updated to v1.1.0.

      • Adds support for PAN-OS v11.0

      • Improves the field extraction and performance.

      • Renames the fields under the Vendor namespace to pascal case notation. It's a breaking change so don't update to this version in case your queries rely on the Vendor specific fields.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Adds threat.*, event.severity fields and more.

      • Sets the event.action for Authentication events.

      • Sets the event.category to intrusion_detection and malware for Colleration events.

      • Classifies events according to a threat taxonomy as the MITRE ATT&CK framework.

      • Renames the parser to paloalto-ngfw.

      For more information, see Package paloalto/firewall Release Notes.

    • cloudflare/zerotrust has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.

      • Adds support of Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.

      • Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, file.sizefile.size, device.id fields and more.

      • Renames the parser to cloudflare-one.

      For more information, see Package cloudflare/zerotrust Release Notes.

    • zscaler/internet-access has been updated to v1.1.0.

      • Consolidates dedicated parsers for ZIA feeds into one parser. *This is a breaking change as it forced to rename source fields*. When you install the latest version your search queries which rely on the Vendor specific fields might stop working.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Improves the field extraction and performance.

      • Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.

      • Adds new fields: event.id, source.geo.name.

      For more information, see Package zscaler/internet-access Release Notes.

    • aws/vpcflow has been updated to v1.1.0.

      • Sets new field cloud.account.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Renames the parser to aws-vpcflow.

        ###1.0.0

      • Normalizes data to CrowdStrike Parsing Standard (CPS) schema.

      • Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type

      • Improves the field extraction.

      • Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.

      • Bumps minimum LogScale version to 1.120 to support AWS S3 ingest feed.

      For more information, see Package aws/vpcflow Release Notes.

    • cisco/duo has been updated to v1.1.3.

      • Bug fix: Sets a timestamp format to seconds for Trust Monitor authentication events.

      For more information, see Package cisco/duo Release Notes.

    • infoblox/nios has been updated to v1.1.0.

      • Simplifies parser logic by removing unnecessary rename operations.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Extracts the dns.answer.* and dns.resolved_ip fields.

      • Removes the repeat.message field.

      For more information, see Package infoblox/nios Release Notes.

    • fortinet/fortigate has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Sets the error.code field.

      • Sets the event.category and rule.description fields based on the event type.

      For more information, see Package fortinet/fortigate Release Notes.