Falcon LogScale 1.158.0 GA (2024-10-01)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.158.0 | GA | 2024-10-01 | Cloud | 2025-10-31 | No | 1.112.0 | 1.112.0 | Yes |
Download
Use docker pull humio/humio-core:1.158.0 to download the latest version.
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The following GraphQL mutations and field have been deprecated, since the starring functionality is no longer in use for alerts and scheduled searches:
addStarToAlertV2()
removeStarFromAlertV2()
addStarToScheduledSearch()
removeStarFromScheduledSearch()
isStarred field on the Alert and ScheduledSearch types.
The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable. For more information, see INITIAL_DISABLED_NODE_TASKS.
The lastScheduledSearch field on the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Queries
When a digest node is unavailable, no warning is attached to queries and the queries are allowed to proceed.
This way, the behaviour of a query is similar to the case where a segment cannot be searched because all of its owning nodes are unavailable at the time of the query.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
The JDK included in container deployments has been upgraded to 23.
New features and improvements
Security
New view permissions have been added to allow for updating and deleting different types of assets in a view. For instance, granting a user the UpdateFiles permission in a view will allow the user to update files, but not delete or create files. View permissions added:
UpdateActions - Allow updating actions
UpdateDashboards - Allow updating dashboards
UpdateFiles - Allow updating CSV files
UpdateSavedQueries - Allow updating saved queries
UpdateScheduledReports - Allow updating scheduled reports
UpdateTriggers - Allow updating alerts and scheduled searches
DeleteActions - Allow deleting actions
DeleteDashboards - Allow deleting dashboards
DeleteFiles - Allow deleting CSV files
DeleteSavedQueries - Allow deleting saved queries
DeleteScheduledReports - Allow deleting scheduled reports
DeleteTriggers - Allow deleting alerts and scheduled searches
These permissions can currently only be assigned using the LogScale GraphQL API and are not supported in the LogScale UI.
For more information, see Repository and View Permissions.
User Interface
The logging for LogScale Multi-Cluster Search network requests has been improved by adding new endpoints that carry the externalQueryId in the path and the federationId in a query parameter. The proxy endpoints for LogScale Multi-Cluster Search have changed: specific internally marked endpoints that match the external endpoints used for proxying have been added. This improves the ability to track multi-cluster searches in the LogScale requests log.
Documentation
The naming structure and identification of release types has been updated. LogScale is available in two release types:
Generally Available (GA) releases - include new functionality. Using a GA release gets you access to the latest features and functionality.
GA releases are deployed in LogScale SaaS environments.
Long Term Support (LTS) releases - contain the latest features and functionality.
LogScale self-hosted customers are advised to install the LTS releases. LTS releases are provided approximately every six weeks.
Security fixes are applied to the last three LTS releases.
Configuration
The new dynamic configuration parameter ParserBacktrackingLimit has been added to govern how many new events can be created from a single input event in parsers. This was previously controlled by the QueryBacktrackingLimit configuration parameter, which now applies only to queries, thus allowing for finer control.
Queries
LogScale Regular Expression Engine v2 now improves the optimizer's ability to turn alternations into decision trees.
For more information, see LogScale Regular Expression Engine V2.
Added optimizations for start-of-text regex expressions with LogScale Regular Expression Engine v2. In particular, /^X/ and /\AX/ no longer try to match at every position in the string.
When tested on a large body of text, these optimizations have proven faster and shown improvements of ~202%, for example when tested against a collection of works by Mark Twain.
For more information, see LogScale Regular Expression Engine V2.
Fixed in this release
User Interface
A minor UI issue in dropdown windows has been fixed: for example, the Time interval window opened from the Time Selector would close if any text inside the window's fields was selected and the mouse click was released outside the window.
Ingestion
When creating a new event forwarding rule, the editor was not editable in some cases. This issue has now been fixed.
Dashboards and Widgets
The tooltip description of a widget would be cut off if the widget took up the whole row. This issue has now been fixed.
Functions
Early Access
Configuration
A new dynamic configuration AggregatorOutputRowLimit has been added, along with the new organisation-level CancelQueriesExceedingAggregateOutputRowLimit configuration, which is currently behind a feature flag. Aggregate query functions in queries that output more rows than the limit specified by the AggregatorOutputRowLimit configuration will be cancelled if the CancelQueriesExceedingAggregateOutputRowLimit configuration is enabled. These configuration items are being added to allow LogScale administrators to protect the health of the cluster in cases where queries use runaway amounts of resources in the result phase of query execution, impacting cluster health and availability.
For more information, see Dynamic Configuration Parameters.
Improvement
Automation and Triggers
In the emails sent by email actions, the text Open in Humio has been replaced by Open in LogScale.
The error message "The alert query did not start within {timeout}. LogScale will retry starting the query." has been fixed to show the actual timeout instead of just {timeout}.
Dashboards and Widgets
Dashboard parameter suggestions of the FixedList Parameter type now follow the order in which they were configured.
Dashboard parameter suggestions of the Query Parameter type now follow the order of the query result.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.2.0.
Adds the event.outcome field
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files
For more information, see Package cisco/meraki Release Notes.
rubrik/security-cloud has been updated to v1.0.1.
Renames the parser to rubrik-securitycloud.
For more information, see Package rubrik/security-cloud Release Notes.
cisco/umbrella has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds source.ip, event.action, destination.domain, event.type and rule.uuid fields and more.
Renames the fields under the Vendor namespace from camel case to snake case. This is a breaking change, so don't update to this version if your queries rely on the Vendor-specific fields.
Adds support of Firewall logs, Data Loss Prevention (DLP) logs and Intrusion Prevention (IPS) logs.
Renames the parser to cisco-umbrella.
For more information, see Package cisco/umbrella Release Notes.
aws/cloudtrail has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Parses a timestamp based on digestStartTime when there is no eventTime field.
Adds new fields: event.dataset, event.reason, file.name, user.roles, source.ip, host.name and more.
Changes the user.name field values to lowercase.
Sets event.dataset and observer.type based on the event action.
Stops using the csv file to set the event categorization fields.
Renames the parser to aws-cloudtrail.
For more information, see Package aws/cloudtrail Release Notes.
microsoft/windows-dns-debug has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds new process.thread.id, event.created, network.transport, network.direction, dns.header_flags fields.
Maps the Opcode field to dns.op_code.
Updates the event.dataset from windows.dns to windows.dns-debug.
Sets the event.id based on XID field.
For more information, see Package microsoft/windows-dns-debug Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.0.0.
Adds new event.module and Cps.version fields.
Removes the Product and related.ip fields.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
okta/sso has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds the event.reason field.
Sets the event.kind and event.category fields for threat events.
For more information, see Package okta/sso Release Notes.
infoblox/nios has been updated to v1.1.1.
Improves event categorization and outcomes via the event.category[] and event.type[] arrays and the event.outcome field.
For more information, see Package infoblox/nios Release Notes.
nozomi/ids has been updated to v1.1.0.
Sets the event categorization fields: event.category, event.type and event.outcome based on the message data coming from the source.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package nozomi/ids Release Notes.
paloalto/firewall has been updated to v1.1.0.
Adds support for PAN-OS v11.0.
Improves the field extraction and performance.
Renames the fields under the Vendor namespace to Pascal case notation. This is a breaking change, so don't update to this version if your queries rely on the Vendor-specific fields.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds threat.*, event.severity fields and more.
Sets the event.action for Authentication events.
Sets the event.category to intrusion_detection and malware for Correlation events.
Classifies events according to a threat taxonomy such as the MITRE ATT&CK framework.
Renames the parser to paloalto-ngfw.
For more information, see Package paloalto/firewall Release Notes.
cloudflare/zerotrust has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.
Adds support of Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.
Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, device.id fields and more.
Renames the parser to cloudflare-one.
For more information, see Package cloudflare/zerotrust Release Notes.
zscaler/internet-access has been updated to v1.1.0.
Consolidates dedicated parsers for ZIA feeds into one parser. *This is a breaking change, as it forced a rename of source fields.* When you install the latest version, search queries that rely on the Vendor-specific fields might stop working.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.
Adds new fields: event.id, source.geo.name.
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.1.0.
Sets new field cloud.account.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Renames the parser to aws-vpcflow.
1.0.0
Normalizes data to the CrowdStrike Parsing Standard (CPS) schema.
Sets the following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type.
Improves the field extraction.
Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.
Bumps the minimum LogScale version to 1.120 to support the AWS S3 ingest feed.
For more information, see Package aws/vpcflow Release Notes.
infoblox/nios has been updated to v1.1.0.
Simplifies parser logic by removing unnecessary rename operations.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Extracts the dns.answer.* and dns.resolved_ip fields.
Removes the repeat.message field.
For more information, see Package infoblox/nios Release Notes.
imperva/cloud-waf has been updated to v1.2.0.
Sets the event.category and event.type to threat/indicator for events where an attack took place.
For more information, see Package imperva/cloud-waf Release Notes.
fortinet/fortigate has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the error.code field.
Sets the event.category and rule.description fields based on the event type.
For more information, see Package fortinet/fortigate Release Notes.