Falcon LogScale 1.159.0 GA (2024-10-08)

Version  Type  Release Date  Availability  End of Support  Security Updates  Upgrades From  Config. Changes
1.159.0  GA    2024-10-08    Cloud         Next LTS        No                1.112          No

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Ingestion

    • Falcon LogScale now improves decision-making around which segments a digest leader fetches as part of taking over leadership. This should reduce the incidence of small bits of data being replayed from Kafka unnecessarily, and may also reduce how often reassignment triggers a restart of live queries.

      For more information, see Ingestion: Digest Phase.

New features and improvements

  • Security

    • The purpose of the repository and view permission ChangeTriggers has changed: it is now intended for creating, deleting and updating alerts and scheduled searches. This permission is no longer needed to view alerts and scheduled searches in read-only mode from the Alerts page; the ReadAccess permission is required for that instead.

    • When multiple SAML IdP certificates are configured, Falcon LogScale now only requires that at least one of them is valid and not expired. Previously, the expiration of a single certificate in the set could cause login failures even though another configured certificate was still valid.

      For more information, see Certificate Rotation.

    • Creating roles that have an empty set of permissions is now supported in the role-permissions.json file. To allow this, add the following option to the file:

      ```json
      "options": { "allowRolesWithNoPermissions": true }
      ```

      This keeps compatibility when migrating from a previous view-group-permissions.json file that contains roles without permissions.

      For more information, see Setting up Roles in a File.

  • Configuration

    • The Kafka resets described at Switching Kafka no longer occur by default. As a safeguard against accidental misconfiguration, the ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS environment variable has been added; when it is unset, which is the default, Kafka resets are not allowed. An accidental Kafka reset is therefore not possible until an administrator explicitly permits one.

      To intentionally perform a Kafka reset, set ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS to an epoch timestamp in milliseconds a short time in the future (for instance now plus one hour). Once that time has passed the permission expires on its own, so resets are disabled again after the intended one has completed.

      For more information, see ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS.
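An added helper for the Configuration item above, written for this page and not part of LogScale or its documentation: it computes the "now plus one hour" epoch-millisecond value for ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS and checks a value before a reset is attempted. The unset-means-not-allowed and future-timestamp-means-allowed semantics come from the release note; the non-integer and seconds-versus-milliseconds checks are this example's own guard rails against likely operator mistakes, not documented server behaviour.

```python
"""Added example, not LogScale code: build and sanity-check a Kafka reset window."""
import time
from typing import Optional, Tuple

HOUR_MS = 60 * 60 * 1000
VAR = "ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS"


def reset_window_ms(hours: float = 1.0, now_ms: Optional[int] = None) -> int:
    """Epoch timestamp in milliseconds `hours` from now: the value to export before a reset."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    return now_ms + int(hours * HOUR_MS)


def reset_allowed(value: Optional[str], now_ms: int) -> Tuple[bool, str]:
    """Decide whether a reset is permitted at `now_ms` and explain the decision.

    Unset/empty -> not allowed, future timestamp -> allowed (as in the release note).
    The integer and seconds-vs-milliseconds checks are this example's assumptions.
    """
    if value is None or value.strip() == "":
        return False, f"{VAR} is unset: Kafka reset is not allowed"
    try:
        until_ms = int(value)
    except ValueError:
        return False, f"{VAR}={value!r} is not an integer"
    # 10^10 ms is 1970-04-26; any present-day epoch value below that was given in seconds.
    if until_ms < 10_000_000_000:
        return False, f"{VAR}={until_ms} looks like seconds, not milliseconds"
    if until_ms <= now_ms:
        return False, f"{VAR}={until_ms} has already expired (now is {now_ms})"
    remaining_min = (until_ms - now_ms) / 60_000
    return True, f"reset allowed for another {remaining_min:.1f} minutes"


if __name__ == "__main__":
    now = int(time.time() * 1000)
    until = reset_window_ms(1.0, now)
    print(f"export {VAR}={until}")          # line to add to the node's environment
    print(reset_allowed(str(until), now))   # (True, 'reset allowed for another 60.0 minutes')
    print(reset_allowed(None, now))         # default: not allowed
    print(reset_allowed(str(until // 1000), now))  # common mistake: seconds instead of ms
```

Run the check again on the node just before triggering the reset: a window computed earlier in a change ticket may already have passed.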

  • Queries

    • Nested repetitions/quantifiers in the Falcon LogScale Regular Expression Engine v2 are now supported. Nested repetitions are constructions that repeat or quantify another regex expression that contains repetition/quantification. For instance, the regex:

      /(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})/

      makes use of nested repetitions, namely:

      (?:\d{1,3}\.){3}

      For more information, see LogScale Regular Expression Engine V2.

    • Introducing a regex backtracking limit of 0.5 seconds per input for the Falcon LogScale Regex Engine v2. As soon as the regex starts backtracking to find a match, the backtracking is timed and the match is cancelled if it exceeds 0.5 seconds. This avoids practically infinite backtracking, which some regexes can exhibit on certain inputs.

      For more information, see LogScale Regular Expression Engine V2.

    • Under the hood changes to how the size of certain events is estimated should now make query state size estimates more realistic.
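The two Queries items above (nested repetitions and the 0.5 second backtracking limit), illustrated with an added Python example that is not LogScale code: it applies the page's IPv4 pattern to constructed log lines, then shows what a backtracking limit protects against by running a match under a wall-clock deadline. The deadline is enforced by running the match in a child process and killing it, which is this example's own mechanism (needed because CPython's re engine cannot be interrupted from a thread or signal), not how LogScale implements its limit.

```python
"""Added example, not LogScale code: nested quantifiers and a backtracking deadline."""
import multiprocessing as mp
import re
from typing import List, Optional

# The pattern from the release note. (?:\d{1,3}\.){3} applies a quantifier to a group
# that already contains a quantifier, which is what "nested repetition" means.
IPV4_RE = re.compile(r"(?P<ipv4>(?:\d{1,3}\.){3}\d{1,3})")

# Constructed sample log lines for this example (not real traffic).
SAMPLE_LINES = [
    "sshd[4412]: Failed password for root from 203.0.113.42 port 51234 ssh2",
    'nginx: 198.51.100.7 - - "GET /login HTTP/1.1" 200 512',
    'kernel: audit: type=1400 apparmor="DENIED" profile="docker-default"',
]


def extract_ipv4(line: str) -> List[str]:
    """Return every dotted-quad substring in a line, in order of appearance."""
    return [m.group("ipv4") for m in IPV4_RE.finditer(line)]


# fork lets the child reuse this module's state without re-importing it; fall back otherwise.
_CTX = mp.get_context("fork") if "fork" in mp.get_all_start_methods() else mp.get_context()


def _match_in_child(pattern: str, text: str, conn) -> None:
    """Child-process body: run the anchored match and send back the matched text or None."""
    m = re.match(pattern, text)
    conn.send(m.group(0) if m else None)
    conn.close()


def match_with_deadline(pattern: str, text: str, seconds: float) -> Optional[str]:
    """re.match with a wall-clock budget, modelled on the engine's 0.5 s limit.

    Returns the matched text, or None when the pattern does not match. Raises
    TimeoutError if the engine is still running after `seconds`; the child process
    doing the work is terminated so the caller never pays more than the budget.
    """
    parent_end, child_end = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_match_in_child, args=(pattern, text, child_end))
    proc.start()
    child_end.close()
    proc.join(seconds)
    if proc.is_alive():
        proc.terminate()
        proc.join()
        raise TimeoutError(f"{pattern!r} still backtracking after {seconds}s")
    return parent_end.recv()


def backtracks_past_deadline(pattern: str, text: str, seconds: float = 0.5) -> bool:
    """True when matching `pattern` against `text` does not finish within the budget."""
    try:
        match_with_deadline(pattern, text, seconds)
        return False
    except TimeoutError:
        return True


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_ipv4(line), "<-", line)
    # Classic catastrophic case: two nested loops that can split the same run of 'a's in
    # 2^(n-1) ways, fed an input that can never match. Each extra 'a' doubles the work.
    bomb = r"(a+)+b"
    print("bomb exceeds 0.5 s:", backtracks_past_deadline(bomb, "a" * 30 + "c", 0.5))
    print("ipv4 pattern finishes:", match_with_deadline(IPV4_RE.pattern, "10.0.0.1 ok", 5.0))
```

The IPv4 pattern is a nested repetition too, but its inner and outer loops are separated by a literal dot, so the engine has only one way to consume each octet and never explodes; the `(a+)+b` case has no such separator, which is the shape a limit like the engine's 0.5 second budget exists to cut short.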

  • Functions

    • Introducing the new query function array:drop(). This function drops all consecutive fields of a given array, starting from index 0.

      For more information, see array:drop().

    • Introducing the new query function coalesce(). This function accepts a list of fields and returns the first value that is not null or empty. Empty values can also be returned by setting a parameter in the function.

      For more information, see coalesce().

Fixed in this release

  • Queries

    • Building tables for a query would block other tables from being built due to an internal cache implementation behaviour, which has now been fixed.

Early Access

  • Security

    • It is now possible to map one IdP group name to multiple Falcon LogScale groups during group synchronization. Activate the OneToManyGroupSynchronization feature flag for this functionality. With the feature flag enabled, Falcon LogScale will map a group name to all Falcon LogScale groups in the organization that have a matching lookupName or displayName, while also performing validation for identical groups. If the multiple mapping feature is not enabled, the existing one-to-one mapping functionality remains unchanged.

      For more information on how feature flags are enabled, see Enabling & Disabling Feature Flags.

      For more information, see Group Synchronization.

Improvement

  • Queries

    • Worker query prioritization is improved in specific cases where a query starts off highly resource-consuming but becomes more efficient as it progresses. In such cases, the scheduler could severely penalize the query, leading to it being unfairly deprioritized.