Falcon LogScale 1.159.0 GA (2024-10-08)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.159.0 | GA | 2024-10-08 | Cloud | 2025-10-31 | No | 1.112.0 | 1.112.0 | Yes |
Hide file download links
Download
Use docker pull humio/humio-core:1.159.0 to download the latest version
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
QUERY_COORDINATORenvironment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use thequerynode task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using theINITIAL_DISABLED_NODE_TASKSenvironment variable.For more information, see
INITIAL_DISABLED_NODE_TASKS.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.
Behavior Changes
Scripts or environment which make use of these tools should be checked and updated for the new configuration:
Ingestion
Falcon LogScale now improves decision-making around which segments a digest leader fetches as part of taking over leadership. This should reduce the incidence of small bits of data being replayed from Kafka unnecessarily, and may also reduce how often reassignment will trigger a restart of live queries.
For more information, see Ingestion: Digest Phase.
New features and improvements
Security
For multiple configured SAML IdP certificates, Falcon LogScale now enforces that at least one of them is valid and not expired. This prevents login failures that have occurred due to the expiration of one of the certificates.
For more information, see Certificate Rotation.
Purpose of the
repository&viewpermissionChangeTriggershas changed: it is now intended for creating, deleting and updating alerts and scheduled searches. This permission is no longer needed to view alerts and scheduled searches in read-only mode from theAlertspage: instead, theReadAccesspermission is required for that.Creating roles that have an empty set of permissions is now supported in the
role-permissions.json filefile. To allow this, add the following line to the file:JAVASCRIPT"options": { "allowRolesWithNoPermissions": true }This ensures compatibility when migrating from previous
view-group-permissions.jsonfile, should this contain roles without permissions.For more information, see Set Up Roles in a File.
Configuration
Kafka resets described at Switching Kafka do no longer occur by default. In order to provide safeguard against accidental misconfiguration, the
ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MSenvironment variable has been added, which per default ensures that Kafka resets are not allowed. With this variable unset, accidental Kafka resets are avoided until an administrator assents to having a Kafka reset performed.To intentionally perform a Kafka reset, administrators should set
ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MSto an epoch timestamp in near future (for instance now + one hour), which will make sure that the setting is automatically disabled again once the reset is complete.For more information, see
ALLOW_KAFKA_RESET_UNTIL_TIMESTAMP_MS.
Queries
Nested repetitions/quantifiers in the Falcon LogScale Regular Expression Engine v2 are now supported. Nested repetitions are constructions that repeat or quantify another regex expression that contains repetition/quantification. For instance, the regex:
/(?<ipv4>(?:\d{1,3}\.){3}\d{1,3})/makes use of nested repetitions, namely:
(?:\d{1,3}\.){3}For more information, see LogScale Regular Expression Engine V2.
Introducing a regex backtracking limit of 0,5 seconds pr. input for the Falcon LogScale Regex Engine v2. As soon as the regex starts backtracking to find matches, it is timed and cancelled if the backtracking to find a match exceeds 0.5 seconds. This is done to avoid instances of practically infinite backtracking, as can be the case with some regexes.
For more information, see LogScale Regular Expression Engine V2.
Under the hood changes to how the size of certain events is estimated should now make query state size estimates more realistic.
Functions
Introducing the new query function
coalesce(). This function accepts a list of fields and returns the first value that is not null or empty. Empty values can also be returned by setting a parameter in the function.For more information, see
coalesce().Introducing the new query function
array:drop(). This function drops all consecutive fields of a given array, starting from index 0.For more information, see
array:drop().
Fixed in this release
Queries
Building tables for a query would block other tables from being built due to an internal cache implementation behaviour, which has now been fixed.
Early Access
Security
It is now possible to map one IdP group name to multiple Falcon LogScale groups during group synchronization. Activate the
OneToManyGroupSynchronizationfeature flag for this functionality. With the feature flag enabled, Falcon LogScale will map a group name to all Falcon LogScale groups in the organization that have a matchinglookupNameordisplayName, while also performing validation for identical groups. If the multiple mapping feature is not enabled, the existing one-to-one mapping functionality remains unchanged.For more information on how feature flags are enabled, see Enabling and Disabling Feature Flags.
For more information, see Group Synchronization.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.2.0.
Adds the event.outcome field
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files
For more information, see Package cisco/meraki Release Notes.
rubrik/security-cloud has been updated to v1.0.1.
Renames the parser to rubrik-securitycloud.
For more information, see Package rubrik/security-cloud Release Notes.
cisco/umbrella has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds source.ip, event.action, destination.domain, event.type and rule.uuid fields and more.
Renames the fields under the Vendor namespace from the camelcase to snakecase. It's a breaking change so don't update to this version in case your queries rely on the Vendor specific fields
Adds support of Firewall logs, Data Loss Prevention (DLP) logs and Intrusion Prevention (IPS) logs.
Renames the parser to cisco-umbrella.
For more information, see Package cisco/umbrella Release Notes.
aws/cloudtrail has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Parses a timestamp based on the digestStartTime in case there is no eventTime field.
Adds new fields: event.dataset, event.reason, file.name, user.roles, source.ip, host.name and more.
Changes a user.name field values to lowercase.
Sets event.dataset and observer.type based on the event action.
Stops using the csv file to set the event categorization fields.
Renames the parser to aws-cloudtrail
For more information, see Package aws/cloudtrail Release Notes.
palo-alto/prisma-sd-wan has been updated to v1.0.0.
Adds new event.module and Cps.version fields
Removes the Product and related.ip fields
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
For more information, see Package palo-alto/prisma-sd-wan Release Notes.
okta/sso has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds event.reason field
Sets the event.kind and event.category fields for threat events.
For more information, see Package okta/sso Release Notes.
infoblox/nios has been updated to v1.1.1.
Improves event categorization and outcomes via the event.category[] and event.type[] arrays and the event.outcome field.
For more information, see Package infoblox/nios Release Notes.
nozomi/ids has been updated to v1.1.0.
Sets the event categorization fields: event.category, event.type and event.outcome based on the message data coming from the source.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v1.2.0.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds support for JSON format.
Fixes an issue where the timestamp wasn't working if it was +2:00.
Adds a couple of feilds, for example: host.ip, observer.egress.interface.name, observer.ingress.interface.name, destination.user.name and more.
Builds out the event.category and event.type fields.
For more information, see Package checkpoint/ngfw Release Notes.
paloalto/firewall has been updated to v1.1.0.
Adds support for PAN-OS v11.0
Improves the field extraction and performance.
Renames the fields under the Vendor namespace to pascal case notation. It's a breaking change so don't update to this version in case your queries rely on the Vendor specific fields.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Adds threat.*, event.severity fields and more.
Sets the event.action for Authentication events.
Sets the event.category to intrusion_detection and malware for Colleration events.
Classifies events according to a threat taxonomy as the MITRE ATT&CK framework.
Renames the parser to paloalto-ngfw.
For more information, see Package paloalto/firewall Release Notes.
cloudflare/zerotrust has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support parser assertions in yaml files.
Adds support of Network Analytics, Magic IDS and Zone-scoped HTTP Requests logs.
Adds event.reason, message, interface.name, email.from.address, email.sender.address, email.to.address, file.name, file.size, file.sizefile.size, device.id fields and more.
Renames the parser to cloudflare-one.
For more information, see Package cloudflare/zerotrust Release Notes.
zscaler/internet-access has been updated to v1.1.0.
Consolidates dedicated parsers for ZIA feeds into one parser. *This is a breaking change as it forced to rename source fields*. When you install the latest version your search queries which rely on the Vendor specific fields might stop working.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Improves the field extraction and performance.
Extends parser to normalize Audit, Cloud Access Security Broker (CASB) and Data Loss Prevention (DLP) events.
Adds new fields: event.id, source.geo.name.
For more information, see Package zscaler/internet-access Release Notes.
aws/vpcflow has been updated to v1.1.0.
Sets new field cloud.account.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Renames the parser to aws-vpcflow.
###1.0.0
Normalizes data to CrowdStrike Parsing Standard (CPS) schema.
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Improves the field extraction.
Removes old queries and dashboards from the package. To keep those, stay on the old version of the package.
Bumps minimum LogScale version to 1.120 to support AWS S3 ingest feed.
For more information, see Package aws/vpcflow Release Notes.
imperva/cloud-waf has been updated to v1.2.0.
Sets the event.category and event.type to threat/indicator for events where an attack took place.
For more information, see Package imperva/cloud-waf Release Notes.
fortinet/fortigate has been updated to v1.1.0.
Improves the field extraction and performance.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Sets the error.code field.
Sets the event.category and rule.description fields based on the event type.
For more information, see Package fortinet/fortigate Release Notes.