Falcon LogScale 1.164.0 GA (2024-11-12)

Version: 1.164.0
Type: GA
Release Date: 2024-11-12
Availability: Cloud
End of Support: 2025-12-31
Security Updates: No
Upgrades From: 1.112.0
Downgrades To: 1.157.0
Config. Changes: No

Bug fixes and updates.

Removed

Items that have been removed as of this release.

Configuration

  • The dynamic configuration and related GraphQL API AstDepthLimit has been removed.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.

New features and improvements

  • User Interface

    • The Files page now features a new table view with enhanced search and filtering, making it easier to find and manage your files. You can now import multiple files at once.

      For more information, see Lookup Files.

    • When saving searches, saved queries now appear in sorted order and are also searchable.

  • Automation and Triggers

    • In the activity logs, the exception field now only contains the name of the exception class, as the remainder of what used to be there is already present in the exceptionMessage field.

  • GraphQL API

  • Storage

    • The number of autoshard increase requests allowed has been reduced, to lower the pressure these requests put on global traffic.

  • Ingestion

    • The toolbar of the Parser editor has been modified to be more in line with the design of the LogScale layout. You can now find Duplicate, Settings and Export buttons under the ellipsis menu.

      For more information, see Parse Data.

Fixed in this release

  • Dashboards and Widgets

    • Dashboard parameter values were mistakenly not used by saved queries in scenarios with parameter naming overlap and no saved query arguments provided.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • zscaler/private-access has been updated to v1.2.1.

      • Adds support for parsing and processing logs in the default ZPA format.

      • Drops the observer.type field.

      For more information, see Package zscaler/private-access Release Notes.

    • cisco/duo has been updated to v2.0.0.

      Parser renaming and Deprecation notice

      As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified cisco-duo parser. This means the following parsers:

      • duo-authentication-json

      • duo-activity-json

      • duo-admin-json

      • duo-telephony-json

      • duo-trustmonitor-json

      are deprecated and all future changes will only go into the new cisco-duo parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old parsers will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old parsers would duplicate certain fields, which the new cisco-duo parser will not. The previously duplicated fields were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.access_device.browser

      • Vendor.access_device.browser_version

      • Vendor.access_device.hostname

      • Vendor.access_device.ip

      • Vendor.access_device.location.city

      • Vendor.access_device.location.country

      • Vendor.access_device.location.state

      • Vendor.access_device.os

      • Vendor.access_device.os_version

      • Vendor.access_device.port

      • Vendor.action

      • Vendor.action.name

      • Vendor.activity_id

      • Vendor.actor.details.group.name

      • Vendor.actor.key

      • Vendor.actor.name

      • Vendor.applications

      • Vendor.context

      • Vendor.description.admin_email

      • Vendor.description.email

      • Vendor.description.hostname

      • Vendor.description.ip_address

      • Vendor.description.realname

      • Vendor.description.uname

      • Vendor.description.user_agent

      • Vendor.email

      • Vendor.enabled_by.key

      • Vendor.enabled_by.name

      • Vendor.enabled_for.key

      • Vendor.enabled_for.name

      • Vendor.object

      • Vendor.reason

      • Vendor.sekey

      • Vendor.surfaced_auth.access_device.browser

      • Vendor.surfaced_auth.access_device.browser_version

      • Vendor.surfaced_auth.access_device.hostname

      • Vendor.surfaced_auth.access_device.ip

      • Vendor.surfaced_auth.access_device.location.city

      • Vendor.surfaced_auth.access_device.location.country

      • Vendor.surfaced_auth.access_device.location.state

      • Vendor.surfaced_auth.access_device.os

      • Vendor.surfaced_auth.access_device.os_version

      • Vendor.surfaced_auth.email

      • Vendor.surfaced_auth.reason

      • Vendor.surfaced_auth.user.key

      • Vendor.surfaced_auth.user.name

      • Vendor.telephony_id

      • Vendor.triage_event_uri

      • Vendor.user.key

      • Vendor.user.name

      • Vendor.username

      Miscellaneous

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Includes improved event categorization and outcome determination.

      • Includes improved field normalization.

      For more information, see Package cisco/duo Release Notes.
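
An added example (not part of the release notes or of the cisco/duo package) for auditing saved searches and detections before switching to the cisco-duo parser: it flags query text that names a deprecated parser or references a dropped Vendor field. The query strings are constructed samples, the function and variable names are assumptions, and DROPPED_FIELDS holds only a subset of the list above.

```python
import re

# Parser names deprecated by cisco/duo v2.0.0 (taken from the notes above).
DEPRECATED_PARSERS = (
    "duo-authentication-json", "duo-activity-json", "duo-admin-json",
    "duo-telephony-json", "duo-trustmonitor-json",
)
# Subset of the dropped Vendor.* fields listed above; extend with the full list.
DROPPED_FIELDS = (
    "Vendor.access_device.ip", "Vendor.action", "Vendor.action.name",
    "Vendor.reason", "Vendor.user.name", "Vendor.username",
)

def _token(name):
    # Match the name only as a whole token, so Vendor.action does not fire on
    # Vendor.action.name and duo-admin-json does not fire on duo-admin-json-custom.
    return re.compile(r"(?<![\w.-])" + re.escape(name) + r"(?![\w.-])")

def audit_queries(queries):
    """Map each query needing review to the deprecated names it references."""
    findings = {}
    for name, text in queries.items():
        parsers = [p for p in DEPRECATED_PARSERS if _token(p).search(text)]
        fields = [f for f in DROPPED_FIELDS if _token(f).search(text)]
        if parsers or fields:
            findings[name] = {"parsers": parsers, "fields": fields}
    return findings

# Constructed sample queries (not real detections); keys are hypothetical names.
SAMPLE_QUERIES = {
    "duo-failed-logins": '#type=duo-authentication-json '
                         '| Vendor.reason="invalid_passcode" '
                         '| groupBy(Vendor.user.name)',
    "duo-admin-changes": '#type = "duo-admin-json" | Vendor.action.name = *',
    "duo-new-parser": '#type=cisco-duo | groupBy(source.ip)',
    "unrelated": '#type=duo-admin-json-custom | Vendor.user.name_hash=*',
}

if __name__ == "__main__":
    for query, hit in audit_queries(SAMPLE_QUERIES).items():
        print(query, "parsers:", hit["parsers"], "fields:", hit["fields"])
```

A flagged Vendor field is not always absent: the new parser keeps it when its value differs from the CPS field, so a query on it may still run but match only those events.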