Falcon LogScale 1.165.0 GA (2024-11-19)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.165.0 | GA | 2024-11-19 | Cloud | 2025-12-31 | No | 1.112.0 | 1.157.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.165.0 to download the latest version
Bug fixes and updates.
Deprecation
Items that have been deprecated and may be removed in a future release.
The
QUERY_COORDINATORenvironment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use thequerynode task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using theINITIAL_DISABLED_NODE_TASKSenvironment variable.For more information, see
INITIAL_DISABLED_NODE_TASKS.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.
Upgrades
Changes that may occur or be required during an upgrade.
Installation and Deployment
Once LogScale has been upgraded to 1.162.0 with the
WriteNewSegmentFileFormatfeature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.
New features and improvements
Security
Users can now see and use saved queries without needing the
CreateSavedQueriesand theUpdateSavedQueriespermissions.Users can now see actions in restricted read-only mode when they have the
ReadAccesspermission on the repository or view.
User Interface
Users with the
ReadAccesspermission on the repository or view can now view scheduled reports in read-only mode.Files grouped by package are now displayed back again on the
Filespage including the Package Name column, which was temporarily unavailable after the recent page overhaul.
GraphQL API
New
yamlTemplatefields have been created for Dashboard and SavedQuery datatypes. They now replace the deprecatedtemplateYamlfields.For more information, see Dashboard , SavedQuery .
API
Implemented support for returning a result over 1GB in size on the
/api/v1/globalsubset/clustervhostendpoint. There is now a limit on the size of 8GB of the returned result.
Configuration
The default value of
INGEST_OCCUPANCY_QUERY_PERMIT_LIMITvariable has been changed from90 %to20 %.
Ingestion
Increased a timeout for loading new CSV files used in parsers to reduce the likelihood of having the parser fail.
Added logging when a parser fails to build and ingest defaults to ingesting without parsing. The log lines start with Failed compiling parser.
Functions
A new parameter
trimhas been added to theparseCsv()function to ignore whitespace before and after values. In particular, it allows quotes to appear after whitespace. This is a non-standard extension useful for parsing data created by sources that do not adhere to the CSV standard.The following new functions have been added:
bitfield:extractFlagsAsString()collects the names of the flags appearing in a bitfield in a string.bitfield:extractFlagsAsArray()collects the names of the flags appearing in a bitfield in an array.
bitfield:extractFlags()can now handle unsigned 64 bit input. It can also handle larger integers, but only the lowest 64 bits will be extracted.
Fixed in this release
Security
OIDC authentication would fail if certain characters in the
statevariable were not properly URL-encoded when redirecting back to LogScale. This issue has been fixed.
GraphQL API
role.users() query has been fixed as it would return duplicate users in some cases.
Storage
Recently ingested data could be lost when the cluster has bucket storage enabled,
USING_EPHEMERAL_DISKSis set tofalse, and a recently ingested segment only exists in bucket storage. This issue has now been fixed.LogScale could spuriously log Found mini segment without replacedBy and a merge target that already exists errors when a repository is undeleted. This issue has been fixed.
Functions
In
defineTable(),startandendparameters did not work correctly when the primary query's end time was a relative timestamp: the sub-query's time was relative tonow, and it has now been fixed to be relative to the primary query's end time.
Other
Query result highlighting would crash cluster nodes when getting filter matches for some regexes. This issue has been fixed.
Known Issues
Ingestion
An issue has been identified where construction of parsers utilizing files may experience timeouts when the Ad-hoc tables feature is enabled. This issue potentially impacts clusters running versions 1.165 through 1.170.
Mitigation: temporarily disable the ad-hoc tables feature on affected clusters.
Solution: upgrade to version 1.171, where this issue has been resolved.
Functions
A known issue in the implementation of the
defineTable()function means it is not possible to transfer generated tables larger than 128MB. The user receives an error if the generated table exceeds that size.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
imperva/cloud-waf has been updated to v1.3.0.
Parser renaming and Deprecation noticeThe old parser cwaf-cef is deprecated, and replaced by the new parser imperva-cloudwaf. While the old parser will remain available during a tranisition period, all future changes will only go into the new imperva-cloudwaf parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old cwaf-cef parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old cwaf-cef parser would duplicate certain fields, which the new imperva-cloudwaf parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.act
Vendor.ccode
Vendor.cicode
Vendor.cn1
Vendor.cpt
Vendor.end
Vendor.id
Vendor.in
Vendor.latitude
Vendor.longitude
Vendor.ref
Vendor.requestClientApplication
Vendor.requestMethod
Vendor.severity
Vendor.sip
Vendor.spt
Vendor.src
Vendor.start
For more information, see Package imperva/cloud-waf Release Notes.
microsoft/windows-dns-debug has been updated to v1.2.0.
Parser renaming and Deprecation noticeThe old parser windows-dns is deprecated, and replaced by the new parser microsoft-windows-dns. While the old parser will remain available during a tranisition period, all future changes will only go into the new microsoft-windows-dns parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old windows-dns parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old windows-dns parser would duplicate certain fields, which the new microsoft-windows-dns parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.EventReceivedTime
Vendor.Flags
Vendor.Opcode
Vendor.PacketID
Vendor.QuestionName
Vendor.QuestionType
Vendor.RemoteIP
Vendor.ResponseCode
Vendor.SourceModuleName
Vendor.ThreadID
Vendor.XID
Sets the fields dns.header_flags as an array.
For more information, see Package microsoft/windows-dns-debug Release Notes.
cisco/ios has been updated to v1.3.0.
Parser renaming and Deprecation noticeThe old parser syslog-utc is deprecated, and replaced by the new parser cisco-ios. While the old parser will remain available during a tranisition period, all future changes will only go into the new cisco-ios parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old syslog-utc parser would duplicate certain fields, which the new cisco-ios parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.eventAction
Vendor.ios.message_count
Vendor.ios.sequence
For more information, see Package cisco/ios Release Notes.
aws/s3-server-access has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser s3access-space-delimited is deprecated, and replaced by the new parser aws-s3serveraccess. While the old parser will remain available during a tranisition period, all future changes will only go into the new aws-s3serveraccess parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old s3access-space-delimited parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old s3access-space-delimited parser would duplicate certain fields, which the new aws-s3serveraccess parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.bytes_sent
Vendor.cipher_suite
Vendor.http_status
Vendor.operation
Vendor.referrer
Vendor.remote_ip
Vendor.request_id
Vendor.requester
Vendor.total_time
For more information, see Package aws/s3-server-access Release Notes.
trellix/fireeye-nx has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser fireeye-nx is deprecated, and replaced by the new parser trellix-fireeyenx. While the old parser will remain available during a tranisition period, all future changes will only go into the new trellix-fireeyenx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old fireeye-nx parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old fireeye-nx parser would duplicate certain fields, which the new trellix-fireeyenx parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.act
Vendor.dpt
Vendor.dst
Vendor.dvc
Vendor.dvchost
Vendor.spt
Vendor.src
For more information, see Package trellix/fireeye-nx Release Notes.
aws/fsx has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser fsx-xml is deprecated, and replaced by the new parser aws-fsx. While the old parser will remain available during a tranisition period, all future changes will only go into the new aws-fsx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old fsx-xml parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old fsx-xml parser would duplicate certain fields, which the new aws-fsx parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.Event.EventData.IpAddress
Vendor.Event.EventData.IpPort
Vendor.Event.EventData.ObjectName
Vendor.Event.EventData.ObjectType
Vendor.Event.EventData.SubjectUserName
Vendor.Event.EventData.SubjectUserSid
Vendor.Event.System.EventID
Vendor.Event.System.Execution._ProcessID
Vendor.Event.System.Execution._ThreadID
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.3.0.
Parser renaming and Deprecation noticeThe old parser firepower-syslog is deprecated, and replaced by the new parser cisco-firepower. While the old parser will remain available during a tranisition period, all future changes will only go into the new cisco-firepower parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old firepower-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old firepower-syslog parser would duplicate certain fields, which the new cisco-firepower parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.AccessControlRuleAction
Vendor.AccessControlRuleAction
Vendor.AccessControlRuleName
Vendor.AccessControlRuleReason
Vendor.ArchiveFileName
Vendor.DNSQuery
Vendor.DNSResponseType
Vendor.DNS_TTL
Vendor.DeviceUUID
Vendor.DstIP
Vendor.DstPort
Vendor.EgressInterface
Vendor.EgressZone
Vendor.EventPriority
Vendor.FileName
Vendor.FirstPacketSecond
Vendor.IngressInterface
Vendor.IngressZone
Vendor.InitiatorBytes
Vendor.InitiatorPackets
Vendor.InstanceID
Vendor.NAT_InitiatorIP
Vendor.NAT_InitiatorPort
Vendor.NAT_ResponderIP
Vendor.NAT_ResponderPort
Vendor.ResponderBytes
Vendor.ResponderPackets
Vendor.SSLCertificate
Vendor.SSLCipherSuite
Vendor.SSLServerName
Vendor.SSLVersion
Vendor.SrcIP
Vendor.SrcPort
Vendor.URL
Vendor.User
Vendor.mnemonic
Sets the dns.answers as an array.
Bug fix: Updates the field name from file.sha256 to file.hash.sha256 to better align with CPS standard.
Corrects a typo in the value of event.outcome field from sucess to success
For more information, see Package cisco/firepower Release Notes.
netgate/pfsense has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser pfsense-syslog is deprecated, and replaced by the new parser netgate-pfsense. While the old parser will remain available during a tranisition period, all future changes will only go into the new netgate-pfsense parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old pfsense-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old pfsense-syslog parser would duplicate certain fields, which the new netgate-pfsense parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.action
Vendor.dst_ip
Vendor.dst_port
Vendor.logtype
Vendor.pid
Vendor.reason
Vendor.rule_number
Vendor.src_ip
Vendor.src_port
Vendor.syslog.priority
For more information, see Package netgate/pfsense Release Notes.
forcepoint/dlp has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser dlp-cef is deprecated, and replaced by the new parser forcepoint-dlp. While the old parser will remain available during a tranisition period, all future changes will only go into the new forcepoint-dlp parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old dlp-cef parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old dlp-cef parser would duplicate certain fields, which the new forcepoint-dlp parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.caseDescription
Vendor.device.version
Vendor.duser
Vendor.eventId
Vendor.loginName
Vendor.msg
Vendor.name
Vendor.numberOfIncidents
Vendor.riskScore
Vendor.severity
Vendor.severityType
Vendor.sourceIp
Vendor.sourceServiceName
Adds event.type field.
Bug fix: Updated the field name from risk.calculated_score to host.risk.calculated_score to better align with CPS standard.
Bug fix: Renamed the field name from file.bytes to file.size to ensure compliance with CPS standard.
For more information, see Package forcepoint/dlp Release Notes.
aruba/clearpass has been updated to v1.2.0.
Parser renaming and Deprecation noticeThe old parser clearpass-syslog is deprecated, and replaced by the new parser aruba-clearpass. While the old parser will remain available during a tranisition period, all future changes will only go into the new aruba-clearpass parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old clearpass-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old clearpass-syslog parser would duplicate certain fields, which the new aruba-clearpass parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.Action
Vendor.CppmNode.CPPM-Node
Vendor.Endpoint.IP-Address
Vendor.Endpoint.MAC-Address
Vendor.Endpoint.Username
Vendor.eventId
Vendor.RADIUS.Acct-Framed-IP-Address
Vendor.RADIUS.Acct-NAS-IP-Address
Vendor.RADIUS.Acct-NAS-Port
Vendor.RADIUS.Acct-Username
Vendor.TACACS.Request-Type
Vendor.WEBAUTH.Host-IP-Address
Vendor.swVersion
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package aruba/clearpass Release Notes.
broadcom/proxysg has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser syslog-utc is deprecated, and replaced by the new parser broadcom-proxysg. While the old parser will remain available during a tranisition period, all future changes will only go into the new broadcom-proxysg parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old syslog-utc parser would duplicate certain fields, which the new broadcom-proxysg parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.message.clientIp
Vendor.message.csBytes
Vendor.message.csMethod
Vendor.message.rsContentType
Vendor.message.rsStatus
Vendor.message.scBytes
Vendor.message.xCsRefererUri
Sets the event type.
For more information, see Package broadcom/proxysg Release Notes.
zscaler/private-access has been updated to v1.2.1.
Adds support for parsing and processing logs in the default ZPA format.
Drops the observer.type field.
For more information, see Package zscaler/private-access Release Notes.
google/chrome-enterprise-security-events has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser Google_Chrome_Enterprise is deprecated, and replaced by the new parser google-chrome-enterprise. While the old parser will remain available during a tranisition period, all future changes will only go into the new google-chrome-enterprise parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old Google_Chrome_Enterprise parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old Google_Chrome_Enterprise parser would duplicate certain fields, which the new google-chrome-enterprise parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.device_id
Vendor.device_name
Vendor.device_user
Vendor.event
Vendor.event_detail
Vendor.os_platform
Vendor.os_version
Vendor.reason
Vendor.url
Vendor.user_agent
Sets the event.category and event.type fields.
Bug fix: Renamed the field name from Parser_version to Parser.version to ensure compliance with CPS standard.
Bug fix: Renamed the field name from device.name to device.model.name to ensure compliance with CPS standard.
Bug fix: Renamed the field name from device.user to user.name to ensure compliance with CPS standard.
Bug fix: Moved the fields os.type and os.version under the host.* to ensure compliance with CPS standard.
For more information, see Package google/chrome-enterprise-security-events Release Notes.
akamai/asec has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser asec-json is deprecated, and replaced by the new parser akamai-asec. While the old parser will remain available during a tranisition period, all future changes will only go into the new akamai-asec parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old asec-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old asec-json parser would duplicate certain fields, which the new akamai-asec parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.attackData.clientIP
Vendor.geo.city
Vendor.geo.country
Vendor.httpMessage.bytes
Vendor.httpMessage.method
Vendor.httpMessage.path
Vendor.httpMessage.port
Vendor.httpMessage.query
Vendor.httpMessage.requestId
Vendor.httpMessage.requestId
Vendor.httpMessage.status
For more information, see Package akamai/asec Release Notes.
cisco/ise has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser cisco-ise-syslog is deprecated, and replaced by the new parser cisco-ise. While the old parser will remain available during a tranisition period, all future changes will only go into the new cisco-ise parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old cisco-ise-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old cisco-ise-syslog parser would duplicate certain fields, which the new cisco-ise parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.AD-Error-Details
Vendor.AdminIPAddress
Vendor.DestinationIPAddress
Vendor.DestinationPort
Vendor.Detail
Vendor.Device IP Address
Vendor.EPMacAddress
Vendor.EndPointMACAddress
Vendor.FailureReason
Vendor.IpAddress
Vendor.Remote-Address
Vendor.Service-Type
Sets the fields host.ip and host.mac as arrays.
Bug fix: corrected a typo in a field name from eevent.category to event.category.
Removes the host.address as it didn't conform to CPS standard.
Corrects the event categorization for event.category for events with code 52002, which was incorrectly assigned as deletion instead of iam.
For more information, see Package cisco/ise Release Notes.
fortinet/fortimail has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser fortimail is deprecated, and replaced by the new parser fortinet-fortimail. While the old parser will remain available during a tranisition period, all future changes will only go into the new fortinet-fortimail parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old fortimail parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old fortimail parser would duplicate certain fields, which the new fortinet-fortimail parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.log.action
Vendor.log.client_ip
Vendor.log.client_name
Vendor.log.direction
Vendor.log.dst_ip
Vendor.log.mailer
Vendor.log.msg
Vendor.log.msg.subject
Vendor.log.msg.user
Vendor.log.pri
Vendor.log.subject
Vendor.log.ui.ip
Vendor.log.user
Resolves an issue where email.subject was incorrectly formatted as an array.
For more information, see Package fortinet/fortimail Release Notes.
juniper/srx has been updated to v1.2.0.
Parser renaming and Deprecation noticeThe old parser srx-syslog is deprecated, and replaced by the new parser juniper-srx. While the old parser will remain available during a tranisition period, all future changes will only go into the new juniper-srx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old srx-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old srx-syslog parser would duplicate certain fields, which the new juniper-srx parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.application-risk
Vendor.bytes-from-client
Vendor.bytes-from-server
Vendor.destination-address
Vendor.destination-interface-name
Vendor.destination-port
Vendor.destination-zone-name
Vendor.dst-addr
Vendor.dst-port
Vendor.file-name
Vendor.filename
Vendor.http-host
Vendor.inbound-bytes
Vendor.inbound-packets
Vendor.local-address
Vendor.nat-destination-address
Vendor.nat-destination-port
Vendor.nat-local-address
Vendor.nat-remote-address
Vendor.nat-source-address
Vendor.nat-source-port
Vendor.obj
Vendor.outbound-bytes
Vendor.outbound-packets
Vendor.packet-protocol
Vendor.packets-from-client
Vendor.packets-from-server
Vendor.packets-num
Vendor.policy-name
Vendor.protocol
Vendor.protocol-id
Vendor.protocol-name
Vendor.reason
Vendor.remote-address
Vendor.rule-name
Vendor.rulebase-name
Vendor.sample-sha256
Vendor.source-address
Vendor.source-port
Vendor.source-zone-name
Vendor.src-addr
Vendor.src-port
Vendor.syslog.hostname
Vendor.syslog.msgid
Vendor.syslog.procid
Vendor.urlcategory-risk
Vendor.username
For more information, see Package juniper/srx Release Notes.
nozomi/ids has been updated to v1.2.0.
Parser renaming and Deprecation noticeThe old parser nozomi-syslog is deprecated, and replaced by the new parser nozomi-ids. While the old parser will remain available during a tranisition period, all future changes will only go into the new nozomi-ids parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old nozomi-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old nozomi-syslog parser would duplicate certain fields, which the new nozomi-ids parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.Id
Vendor.Mitre_attack_tactics
Vendor.Mitre_attack_techniques
Vendor.Risk
Vendor.app
Vendor.device.product
Vendor.device.vendor
Vendor.device.version
Vendor.dhost
Vendor.dmac
Vendor.dpt
Vendor.dst
Vendor.dvc
Vendor.dvchost
Vendor.event_class_id
Vendor.label.Name
Vendor.n2os_schema
Vendor.proto
Vendor.severity
Vendor.shost
Vendor.smac
Vendor.src
Vendor.start
Vendor.trigger_id
Vendor.trigger_type
Sets the fields observer.ip, threat.tactic.name and threat.tactic.id as arrays.
Bug fix: Renamed the field name from observer.address to observer.hostname to ensure compliance with CPS standard.
For more information, see Package nozomi/ids Release Notes.
cisco/duo has been updated to v2.0.0.
Parser renaming and Deprecation noticeAs part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified cisco-duo parser. This means the following parsers:
Duplicated vendor fields dropped in new parserduo-authentication-json
duo-activity-json
duo-admin-json
duo-telephony-json
duo-trustmonitor-json
are deprecated and all future changes will only go into the new cisco-duo parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old parsers will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
The old parsers would duplicate certain fields, which the new cisco-duo parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.access_device.browser
Vendor.access_device.browser_version
Vendor.access_device.hostname
Vendor.access_device.ip
Vendor.access_device.location.city
Vendor.access_device.location.country
Vendor.access_device.location.state
Vendor.access_device.os
Vendor.access_device.os_version
Vendor.access_device.port
Vendor.action
Vendor.action.name
Vendor.activity_id
Vendor.actor.details.group.name
Vendor.actor.key
Vendor.actor.name
Vendor.applications
Vendor.context
Vendor.description.admin_email
Vendor.description.email
Vendor.description.hostname
Vendor.description.ip_address
Vendor.description.realname
Vendor.description.uname
Vendor.description.user_agent
Vendor.email
Vendor.enabled_by.key
Vendor.enabled_by.name
Vendor.enabled_for.key
Vendor.enabled_for.name
Vendor.object
Vendor.reason
Vendor.sekey
Vendor.surfaced_auth.access_device.browser
Vendor.surfaced_auth.access_device.browser_version
Vendor.surfaced_auth.access_device.hostname
Vendor.surfaced_auth.access_device.ip
Vendor.surfaced_auth.access_device.location.city
Vendor.surfaced_auth.access_device.location.country
Vendor.surfaced_auth.access_device.location.state
Vendor.surfaced_auth.access_device.os
Vendor.surfaced_auth.access_device.os_version
Vendor.surfaced_auth.email
Vendor.surfaced_auth.reason
Vendor.surfaced_auth.user.key
Vendor.surfaced_auth.user.name
Vendor.telephony_id
Vendor.triage_event_uri
Vendor.user.key
Vendor.user.name
Vendor.username
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
Includes improved event categorization and outcome determination.
Includes improved field normalization.
For more information, see Package cisco/duo Release Notes.
microsoft/sysmon has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser sysmon is deprecated, and replaced by the new parser microsoft-sysmon. While the old parser will remain available during a tranisition period, all future changes will only go into the new microsoft-sysmon parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old sysmon parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old sysmon parser would duplicate certain fields, which the new microsoft-sysmon parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.EventData.CommandLine
Vendor.EventData.Company
Vendor.EventData.CurrentDirectory
Vendor.EventData.Description
Vendor.EventData.Destination
Vendor.EventData.DestinationIp
Vendor.EventData.DestinationPort
Vendor.EventData.DestinationPortName
Vendor.EventData.Device
Vendor.EventData.FileVersion
Vendor.EventData.Hashes.IMPHASH
Vendor.EventData.Image
Vendor.EventData.ImageLoaded
Vendor.EventData.OriginalFileName
Vendor.EventData.ParentCommandLine
Vendor.EventData.ParentImage
Vendor.EventData.ParentProcessGuid
Vendor.EventData.ParentProcessId
Vendor.EventData.PipeName
Vendor.EventData.ProcessGuid
Vendor.EventData.ProcessId
Vendor.EventData.Product
Vendor.EventData.Protocol
Vendor.EventData.QueryName
Vendor.EventData.RuleName
Vendor.EventData.Signature
Vendor.EventData.SignatureStatus
Vendor.EventData.Signed
Vendor.EventData.SourceImage
Vendor.EventData.SourceIp
Vendor.EventData.SourcePort
Vendor.EventData.SourcePortName
Vendor.EventData.SourceProcessGUID
Vendor.EventData.SourceProcessGuid
Vendor.EventData.SourceProcessId
Vendor.EventData.SourceThreadId
Vendor.EventData.TargetFilename
Vendor.EventData.TargetObject
Bug fix: Renamed the field name from file.code_signature.signed> to file.code_signature.exists to ensure compliance with CPS standard.
For more information, see Package microsoft/sysmon Release Notes.
asimily/iomt has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser asimily-iomt-json is deprecated, and replaced by the new parser asimily-iomt. While the old parser will remain available during a tranisition period, all future changes will only go into the new asimily-iomt parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old asimily-iomt-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old asimily-iomt-json parser would duplicate certain fields, which the new asimily-iomt parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.alertId
Vendor.context
Vendor.deviceModel
Vendor.ipAddress
Vendor.manufacturer
Vendor.os
For more information, see Package asimily/iomt Release Notes.
claroty/ctd has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser cef-latest is deprecated, and replaced by the new parser claroty-ctd. While the old parser will remain available during a tranisition period, all future changes will only go into the new claroty-ctd parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old cef-latest parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old cef-latest parser would duplicate certain fields, which the new claroty-ctd parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.ext.CtdCveId
Vendor.ext.CtdCveScore
Vendor.ext.CtdDestinationIp
Vendor.ext.CtdFilePath
Vendor.ext.CtdMessage
Vendor.ext.CtdSourceIp
Categorizes the events based on the event_class_id field.
For more information, see Package claroty/ctd Release Notes.
island/island has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser island is deprecated, and replaced by the new parser island-enterprisebrowser. While the old parser will remain available during a tranisition period, all future changes will only go into the new island-enterprisebrowser parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old island parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old island parser would duplicate certain fields, which the new island-enterprisebrowser parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscellaneousVendor.action
Vendor.message.email
Vendor.message.entityId
Vendor.message.entityName
Vendor.message.publicIp
Vendor.message.sourceIp
Vendor.message.topLevelUrl
Vendor.message.type
Vendor.message.userId
Vendor.message.userName
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package island/island Release Notes.
aws/guardduty has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser guardduty-json is deprecated, and replaced by the new parser aws-guardduty. While the old parser will remain available during a tranisition period, all future changes will only go into the new aws-guardduty parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old guardduty-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old guardduty-json parser would duplicate certain fields, which the new aws-guardduty parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved.
For more information, see Package aws/guardduty Release Notes.
f5networks/bigip has been updated to v2.0.0.
Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.
Improves CPS categorization and normalization.
Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.
For more information, see Package f5networks/bigip Release Notes.
dell/isilon has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser isilon-syslog is deprecated, and replaced by the new parser dell-isilon. While the old parser will remain available during a tranisition period, all future changes will only go into the new dell-isilon parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old isilon-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old isilon-syslog parser would duplicate certain fields, which the new dell-isilon parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.clientIPAddr
Vendor.filename
Vendor.inode
Vendor.userSID
Vendor.username
Sets event.type field.
For more information, see Package dell/isilon Release Notes.
microsoft/dhcp-client has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser windows-dhcp-client is deprecated, and replaced by the new parser microsoft-windows-dhcp-client. While the old parser will remain available during a tranisition period, all future changes will only go into the new microsoft-windows-dhcp-client parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old windows-dhcp-client parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old windows-dhcp-client parser would duplicate certain fields, which the new microsoft-windows-dhcp-client parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.EventRecordId
Vendor.UserID
Vendor.ProcessID
For more information, see Package microsoft/dhcp-client Release Notes.
haproxy/haproxy has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser haproxy-syslog is deprecated, and replaced by the new parser haproxy. While the old parser will remain available during a tranisition period, all future changes will only go into the new haproxy parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old haproxy-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old haproxy-syslog parser would duplicate certain fields, which the new haproxy parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
MiscVendor.bytes_read
Vendor.client_ip
Vendor.method
Vendor.status_code
Adds the Parser.version field to ensure compliance with CPS standard.
For more information, see Package haproxy/haproxy Release Notes.
aws/waf has been updated to v1.1.0.
Parser renaming and Deprecation noticeThe old parser waf-json is deprecated, and replaced by the new parser aws-waf. While the old parser will remain available during a tranisition period, all future changes will only go into the new aws-waf parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old waf-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old waf-json parser would duplicate certain fields, which the new aws-waf parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved.
For more information, see Package aws/waf Release Notes.
zscaler/deception has been updated to v1.2.0.
Parser renaming and Deprecation noticeThe old parser deception is deprecated, and replaced by the new parser zscaler-deception. While the old parser will remain available during a transition period, all future changes will only go into the new zscaler-deception parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old deception parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that searches for this field need to accomodate this change.
Duplicated vendor fields dropped in new parserThe old deception parser would duplicate certain fields, which the new zscaler-deception parser will not. The fields which were previously duplicated, would be present both under the Vendor namespace (e.g. Vendor.srcIp), and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the value of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data, when using the new parser:
Vendor.attacker.name
Vendor.attacker.port
Vendor.linux.command_line
Vendor.linux.pid
Vendor.linux.process_name
Vendor.linux.user
Vendor.network.protocol
Vendor.score
Vendor.ssl.cipher
Vendor.ssl.version
Vendor.type
Vendor.web.host
Vendor.web.method
Vendor.web.scheme
Vendor.web.status
Vendor.web.uri
Vendor.web.user_agent.string
For more information, see Package zscaler/deception Release Notes.