Falcon LogScale 1.168.0 GA (2024-12-10)

Version           1.168.0
Type              GA
Release Date      2024-12-10
Availability      Cloud
End of Support    2026-02-28
Security Updates  No
Upgrades From     1.136.0
Downgrades To     1.157.0
Config. Changes   No

Bug fixes and updates.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.

New features and improvements

  • Administration and Management

    • Metrics made available on the Prometheus HTTP API have been modified so that the internal metrics that represent "meters" no longer become type=COUNTER in Prometheus, but instead are type=SUMMARY. As a result, the suffix on the name changes from _total to _count. This adds reporting of 1, 5 and 15 minute rates.

  • Storage

    • Cluster statistics such as compressed byte size and compressed file size of the merged subset now count aux files at most once. Previously, the statistic counted every local aux file in the cluster, so the sum grew with the replication factor, yet that sum of aux file sizes was added to a sum of segment file sizes which did not consider the replication factor.

      From the user point of view, this change does not affect the ingest accounting and measurements, but it does affect the following other items:

      • The semantics of the compressedByteSize, compressedByteSizeOfMerged and dataVolumeCompressed fields in the ClusterStatsType, RepositoryType and OrganizationStats GraphQL types have changed: file sizes of both segments and aux files are now only counted once.

      • These values are shown, for example, on the front page, and will be smaller than the old values.

      • Retention by compressed file size will keep more segments, since we delete segments to keep under the actual limit, which is calculated as the configured limit minus the aux file sizes.

      For more information, see Cluster statistics.
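
To make the accounting change concrete, here is a small model written for these notes (it is not LogScale code) of the two ways of summing compressed sizes and of what retention by compressed file size does with each. The cluster layout, sizes and the retention rule (delete oldest segments until they fit under the configured limit minus the aux file sizes) are assumptions for the example; the real implementation is more involved.

```python
from dataclasses import dataclass
from typing import List

MIB = 1024 * 1024


@dataclass
class Segment:
    """A segment as cluster statistics see it (constructed model, oldest first)."""
    segment_bytes: int   # compressed size of the segment file, counted once
    aux_bytes: int       # compressed size of the segment's aux files
    replicas: int        # nodes holding a local copy, i.e. the replication factor


def compressed_byte_size_old(segments: List[Segment]) -> int:
    """Pre-1.168 accounting: segment files once, but every local aux file copy."""
    return sum(s.segment_bytes + s.aux_bytes * s.replicas for s in segments)


def compressed_byte_size_new(segments: List[Segment]) -> int:
    """1.168 accounting: segment and aux files are each counted at most once."""
    return sum(s.segment_bytes + s.aux_bytes for s in segments)


def apply_size_retention(segments: List[Segment], configured_limit: int,
                         aux_total: int) -> List[Segment]:
    """Drop the oldest segments until segment bytes fit under the actual limit,
    which is the configured limit minus the aux file sizes. Returns kept segments."""
    actual_limit = configured_limit - aux_total
    kept = list(segments)
    while kept and sum(s.segment_bytes for s in kept) > actual_limit:
        kept.pop(0)  # oldest first
    return kept


# Constructed cluster: three 100 MiB segments, each with 20 MiB of aux files,
# replicated to three nodes, under a 400 MiB compressed-size retention limit.
CLUSTER = [Segment(100 * MIB, 20 * MIB, 3) for _ in range(3)]
LIMIT = 400 * MIB


def compare_accounting(segments: List[Segment] = CLUSTER, limit: int = LIMIT) -> dict:
    """Old versus new statistics, and how many segments each retention run keeps."""
    old_aux = sum(s.aux_bytes * s.replicas for s in segments)  # inflated by replication
    new_aux = sum(s.aux_bytes for s in segments)                # each aux file once
    return {
        "old_stat_mib": compressed_byte_size_old(segments) // MIB,
        "new_stat_mib": compressed_byte_size_new(segments) // MIB,
        "kept_old": len(apply_size_retention(segments, limit, old_aux)),
        "kept_new": len(apply_size_retention(segments, limit, new_aux)),
    }


if __name__ == "__main__":
    print(compare_accounting())
```

With replication factor 3 the old statistic reports 480 MiB for data that occupies 360 MiB once, and the inflated aux sum shrinks the retention budget enough to evict one of the three segments; with the new accounting all three fit, which is the "keeps more segments" effect described above.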

  • Configuration

    • Clusters using an HTTP proxy can now choose to have calls to the token endpoint for the Google, Bitbucket, GitHub and Auth0 providers go through this proxy. This is configured by using the following new configuration values:

      The default value for all of these is false, so there is no change to how existing clusters are configured to use Google, Bitbucket, GitHub or Auth0.

  • Dashboards and Widgets

    • The Table widget cells will now show a warning along with the original value if decimal places are configured to be below 0 or above 20.

Fixed in this release

  • User Interface

    • The dialog for creating a new group did not close automatically after successfully creating a group. This issue has been fixed.

    • The Saved query dialog has been fixed so that the saved queries are now sorted.

    • The Filter Match Highlighting feature could be deactivated for some regular expression results due to a stack overflow issue in the JavaScript Regular Expression engine. This issue has been fixed and the highlighting now works as expected.

  • API

    • filterQuery in API Query metaData was incorrect when using filters with an implicit AND after aggregators. For example, groupBy(x) | y=* z=* would incorrectly give y=* z=* as the filterQuery, whereas * is the correct filterQuery. This issue has existed since 1.160.0 and has now been fixed. You can work around the issue by explicitly adding | between filters.

  • Dashboards and Widgets

    • In the Time Chart widget, the Step after interpolation method would not display the line or area correctly when used with the Show gaps method for handling missing values.

    • In the Time Chart widget, an issue has been fixed where values below the minimum value of a Logarithmic axis would not be displayed, but values below 0 would.

  • Queries

    • Some queries (especially live queries) would continuously send a warning about missing data. This could happen if the query was planned at a time when there were cluster topology changes. This issue has been fixed and, instead of sending the warning, the query will now automatically restart since there might be more data to search.

    • Queries could sometimes fail and return an IndexOutOfBoundsException error. This issue has been fixed.

  • Functions

    • Fixed an issue where parseCEF() would stop a parser or query upon encountering invalid key-value pairs in the CEF extensions field. For example, in:

      Jun 09 02:26:06 zscaler-nss CEF:0||||||| xx==

      since the CEF specification dictates that = must be escaped when it is part of a value, the second = would trigger the issue because xx== is not a valid key-value pair.

      If such an error is encountered, the event is left unparsed and a parser error field will be added.
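
The following is an added example, not LogScale's parseCEF() implementation, of a CEF parser that applies the escaping rule above and handles the failure mode the same way: a key-value pair with an unescaped = in its value makes the whole event come back unparsed with an error field instead of aborting. The output field names (cef.*, @error, @error_msg) and both sample lines are assumptions constructed for the example.

```python
import re

# A CEF extension key is an identifier immediately followed by "=", at the start
# of the extension string or after whitespace. Everything between one key token
# and the next is that key's value.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.\-]+)=")

# Header field names are assumptions for this example, not the parser's real output.
_HEADER_FIELDS = ("cef.version", "cef.device_vendor", "cef.device_product",
                  "cef.device_version", "cef.signature_id", "cef.name", "cef.severity")

# Constructed sample lines. BAD_EVENT has the shape of the invalid line quoted above.
BAD_EVENT = "Jun 09 02:26:06 zscaler-nss CEF:0||||||| xx=="
GOOD_EVENT = (r"Jun 09 02:26:07 zscaler-nss CEF:0|Zscaler|NSS|1.0|100|Web Access|5|"
              r"src=10.0.0.1 msg=query string a\=b dst=10.0.0.2")


def _has_unescaped(value: str, ch: str) -> bool:
    """True if ch occurs in value without a preceding backslash escape."""
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 2          # skip the escape and the character it protects
            continue
        if value[i] == ch:
            return True
        i += 1
    return False


def _unescape(value: str) -> str:
    """Resolve CEF extension escapes (backslash before =, backslash, n and r)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append({"n": "\n", "r": "\r"}.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_cef_extension(ext: str):
    """Return (fields, None) on success or (None, error_message) on an invalid pair."""
    matches = list(_KEY_RE.finditer(ext))
    if ext.strip() and not matches:
        return None, "extension contains no key=value pairs"
    if matches and ext[: matches[0].start()].strip():
        return None, "text before first key in extension"
    fields = {}
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].rstrip(" ")
        if _has_unescaped(raw, "="):
            # The case from the release note: "xx==" leaves a bare "=" as the value.
            return None, f"unescaped '=' in value of key {m.group(1)!r}"
        fields[m.group(1)] = _unescape(raw)
    return fields, None


def parse_cef(event: str) -> dict:
    """Parse one CEF line, optionally prefixed by a syslog header.

    On an invalid extension the event is returned unparsed with an error field
    rather than stopping the parse, mirroring the fixed behaviour described above.
    """
    start = event.find("CEF:")
    if start < 0:
        return {"@rawstring": event, "@error": "true", "@error_msg": "no CEF header"}
    parts = re.split(r"(?<!\\)\|", event[start:], maxsplit=7)  # \| is an escaped pipe
    if len(parts) < 8:
        return {"@rawstring": event, "@error": "true",
                "@error_msg": "CEF header has fewer than 7 pipe-delimited fields"}
    out = {name: p.replace("\\|", "|") for name, p in zip(_HEADER_FIELDS, parts[:7])}
    out["cef.version"] = out["cef.version"][len("CEF:"):]
    fields, err = parse_cef_extension(parts[7])
    if err:
        return {"@rawstring": event, "@error": "true", "@error_msg": err}
    out.update({f"cef.ext.{k}": v for k, v in fields.items()})
    return out


if __name__ == "__main__":
    print(parse_cef(BAD_EVENT))
    print(parse_cef(GOOD_EVENT))
```

Values are delimited by the next key token rather than by spaces, which is why the value of msg in GOOD_EVENT survives with its spaces and its escaped = intact, while the bare = left over in xx== is rejected.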

Known Issues

  • Ingestion

    • An issue has been identified where constructing parsers that use files may time out when the Ad-hoc tables feature is enabled. This issue potentially impacts clusters running versions 1.165 through 1.170.

      Mitigation: temporarily disable the ad-hoc tables feature on affected clusters.

      Solution: upgrade to version 1.171, where this issue has been resolved.

  • Functions

    • A known issue in the implementation of the defineTable() function means it is not possible to transfer generated tables larger than 128MB. The user receives an error if the generated table exceeds that size.

Improvement

  • Storage

    • Improved the performance of IOC file replication, so that IOC files replicate faster.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • imperva/cloud-waf has been updated to v1.3.0.

      Parser renaming and Deprecation notice

      The old parser cwaf-cef is deprecated and replaced by the new parser imperva-cloudwaf. While the old parser will remain available during a transition period, all future changes will only go into the new imperva-cloudwaf parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old cwaf-cef parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old cwaf-cef parser would duplicate certain fields, which the new imperva-cloudwaf parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.act

      • Vendor.ccode

      • Vendor.cicode

      • Vendor.cn1

      • Vendor.cpt

      • Vendor.end

      • Vendor.id

      • Vendor.in

      • Vendor.latitude

      • Vendor.longitude

      • Vendor.ref

      • Vendor.requestClientApplication

      • Vendor.requestMethod

      • Vendor.severity

      • Vendor.sip

      • Vendor.spt

      • Vendor.src

      • Vendor.start

      For more information, see Package imperva/cloud-waf Release Notes.

    • microsoft/windows-dns-debug has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      The old parser windows-dns is deprecated and replaced by the new parser microsoft-windows-dns. While the old parser will remain available during a transition period, all future changes will only go into the new microsoft-windows-dns parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old windows-dns parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old windows-dns parser would duplicate certain fields, which the new microsoft-windows-dns parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.EventReceivedTime

      • Vendor.Flags

      • Vendor.Opcode

      • Vendor.PacketID

      • Vendor.QuestionName

      • Vendor.QuestionType

      • Vendor.RemoteIP

      • Vendor.ResponseCode

      • Vendor.SourceModuleName

      • Vendor.ThreadID

      • Vendor.XID

      Miscellaneous

      • Sets the field dns.header_flags as an array.

      For more information, see Package microsoft/windows-dns-debug Release Notes.

    • cisco/ios has been updated to v1.3.0.

      Parser renaming and Deprecation notice

      The old parser syslog-utc is deprecated and replaced by the new parser cisco-ios. While the old parser will remain available during a transition period, all future changes will only go into the new cisco-ios parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old syslog-utc parser would duplicate certain fields, which the new cisco-ios parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.eventAction

      • Vendor.ios.message_count

      • Vendor.ios.sequence

      For more information, see Package cisco/ios Release Notes.

    • checkpoint/ngfw has been updated to v1.3.0.

      Duplicated vendor fields removed

      The updated parser handles field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.srcIp) and a CPS field (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the updated parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the updated parser:

      • Vendor.action

      • Vendor.additional_info

      • Vendor.administrator

      • Vendor.app_risk

      • Vendor.app_rule_id

      • Vendor.app_rule_name

      • Vendor.application

      • Vendor.bytes

      • Vendor.categories

      • Vendor.client_inbound_interface

      • Vendor.client_ip

      • Vendor.conn_direction

      • Vendor.delivery_time

      • Vendor.description

      • Vendor.dlp_file_name

      • Vendor.dlp_rule_name

      • Vendor.dlp_rule_uid

      • Vendor.dns_message_type

      • Vendor.dns_type

      • Vendor.domain_name

      • Vendor.dst

      • Vendor.dst_user_name

      • Vendor.email_message_id

      • Vendor.email_queue_id

      • Vendor.email_subject

      • Vendor.endpoint_ip

      • Vendor.file_id

      • Vendor.file_name

      • Vendor.file_size

      • Vendor.file_type

      • Vendor.first_detection

      • Vendor.from

      • Vendor.ifdir

      • Vendor.ifname

      • Vendor.industry_reference

      • Vendor.information

      • Vendor.inzone

      • Vendor.last_detection

      • Vendor.lastupdatetime

      • Vendor.layer_name

      • Vendor.loguid

      • Vendor.mac_destination_address

      • Vendor.mac_source_address

      • Vendor.malware_action

      • Vendor.malware_rule_id

      • Vendor.malware_rule_name

      • Vendor.matched_category

      • Vendor.method

      • Vendor.objectname

      • Vendor.origin

      • Vendor.origin_ip

      • Vendor.os_name

      • Vendor.os_version

      • Vendor.outzone

      • Vendor.packet_capture

      • Vendor.packets

      • Vendor.parent_process_name

      • Vendor.policy

      • Vendor.process_name

      • Vendor.product

      • Vendor.proto

      • Vendor.received_bytes

      • Vendor.referrer

      • Vendor.resource

      • Vendor.rule_name

      • Vendor.rule_uid

      • Vendor.s_port

      • Vendor.security_outzone

      • Vendor.sent_bytes

      • Vendor.sequencenum

      • Vendor.server_outbound_bytes

      • Vendor.server_outbound_interface

      • Vendor.server_outbound_packets

      • Vendor.service

      • Vendor.service_id

      • Vendor.session_description

      • Vendor.session_uid

      • Vendor.severity

      • Vendor.smartdefence_profile

      • Vendor.sport_svc

      • Vendor.src

      • Vendor.src_user_group

      • Vendor.src_user_name

      • Vendor.start_time

      • Vendor.svc

      • Vendor.to

      • Vendor.type

      • Vendor.uid

      • Vendor.update_version

      • Vendor.url

      • Vendor.user

      • Vendor.user_agent

      • Vendor.user_group

      • Vendor.usercheck_incident_uid

      • Vendor.web_client_type

      • Vendor.xlatedport

      • Vendor.xlatedport_svc

      • Vendor.xlatedst

      • Vendor.xlatesport

      • Vendor.xlatesport_svc

      • Vendor.xlatesrc

      Miscellaneous

      • Bug fix: resolved an issue with the regex used to extract fields from rawstring.

      • Bumps the ecs.version to 8.16.0.

      • Corrects a typo in the event.type field values to comply with ECS. Changed conection to connection and delection to deletion.

      • Removes the destination.service.name field as it was not a valid ECS field.

      • Renames the network.app_name to network.application to comply with ECS.

      • Updates the event.dataset from content-awareness to ngfw.content-awareness to comply with CPS.

      For more information, see Package checkpoint/ngfw Release Notes.

    • microsoft/sysmon has been updated to v1.1.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package microsoft/sysmon Release Notes.

    • aws/s3-server-access has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser s3access-space-delimited is deprecated and replaced by the new parser aws-s3serveraccess. While the old parser will remain available during a transition period, all future changes will only go into the new aws-s3serveraccess parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old s3access-space-delimited parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old s3access-space-delimited parser would duplicate certain fields, which the new aws-s3serveraccess parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.bytes_sent

      • Vendor.cipher_suite

      • Vendor.http_status

      • Vendor.operation

      • Vendor.referrer

      • Vendor.remote_ip

      • Vendor.request_id

      • Vendor.requester

      • Vendor.total_time

      For more information, see Package aws/s3-server-access Release Notes.

    • imperva/cloud-waf has been updated to v1.3.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package imperva/cloud-waf Release Notes.

    • trellix/fireeye-nx has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser fireeye-nx is deprecated and replaced by the new parser trellix-fireeyenx. While the old parser will remain available during a transition period, all future changes will only go into the new trellix-fireeyenx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old fireeye-nx parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old fireeye-nx parser would duplicate certain fields, which the new trellix-fireeyenx parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.act

      • Vendor.dpt

      • Vendor.dst

      • Vendor.dvc

      • Vendor.dvchost

      • Vendor.spt

      • Vendor.src

      For more information, see Package trellix/fireeye-nx Release Notes.

    • aws/fsx has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser fsx-xml is deprecated and replaced by the new parser aws-fsx. While the old parser will remain available during a transition period, all future changes will only go into the new aws-fsx parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old fsx-xml parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old fsx-xml parser would duplicate certain fields, which the new aws-fsx parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.Event.EventData.IpAddress

      • Vendor.Event.EventData.IpPort

      • Vendor.Event.EventData.ObjectName

      • Vendor.Event.EventData.ObjectType

      • Vendor.Event.EventData.SubjectUserName

      • Vendor.Event.EventData.SubjectUserSid

      • Vendor.Event.System.EventID

      • Vendor.Event.System.Execution._ProcessID

      • Vendor.Event.System.Execution._ThreadID

      For more information, see Package aws/fsx Release Notes.

    • cisco/firepower has been updated to v1.3.0.

      Parser renaming and Deprecation notice

      The old parser firepower-syslog is deprecated and replaced by the new parser cisco-firepower. While the old parser will remain available during a transition period, all future changes will only go into the new cisco-firepower parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old firepower-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old firepower-syslog parser would duplicate certain fields, which the new cisco-firepower parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.AccessControlRuleAction

      • Vendor.AccessControlRuleName

      • Vendor.AccessControlRuleReason

      • Vendor.ArchiveFileName

      • Vendor.DNSQuery

      • Vendor.DNSResponseType

      • Vendor.DNS_TTL

      • Vendor.DeviceUUID

      • Vendor.DstIP

      • Vendor.DstPort

      • Vendor.EgressInterface

      • Vendor.EgressZone

      • Vendor.EventPriority

      • Vendor.FileName

      • Vendor.FirstPacketSecond

      • Vendor.IngressInterface

      • Vendor.IngressZone

      • Vendor.InitiatorBytes

      • Vendor.InitiatorPackets

      • Vendor.InstanceID

      • Vendor.NAT_InitiatorIP

      • Vendor.NAT_InitiatorPort

      • Vendor.NAT_ResponderIP

      • Vendor.NAT_ResponderPort

      • Vendor.ResponderBytes

      • Vendor.ResponderPackets

      • Vendor.SSLCertificate

      • Vendor.SSLCipherSuite

      • Vendor.SSLServerName

      • Vendor.SSLVersion

      • Vendor.SrcIP

      • Vendor.SrcPort

      • Vendor.URL

      • Vendor.User

      • Vendor.mnemonic

      Miscellaneous

      • Sets the dns.answers as an array.

      • Bug fix: Updates the field name from file.sha256 to file.hash.sha256 to better align with CPS standard.

      • Corrects a typo in the value of the event.outcome field from sucess to success.

      For more information, see Package cisco/firepower Release Notes.

    • netgate/pfsense has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser pfsense-syslog is deprecated and replaced by the new parser netgate-pfsense. While the old parser will remain available during a transition period, all future changes will only go into the new netgate-pfsense parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old pfsense-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old pfsense-syslog parser would duplicate certain fields, which the new netgate-pfsense parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.action

      • Vendor.dst_ip

      • Vendor.dst_port

      • Vendor.logtype

      • Vendor.pid

      • Vendor.reason

      • Vendor.rule_number

      • Vendor.src_ip

      • Vendor.src_port

      • Vendor.syslog.priority

      For more information, see Package netgate/pfsense Release Notes.

    • forcepoint/dlp has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser dlp-cef is deprecated and replaced by the new parser forcepoint-dlp. While the old parser will remain available during a transition period, all future changes will only go into the new forcepoint-dlp parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old dlp-cef parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old dlp-cef parser would duplicate certain fields, which the new forcepoint-dlp parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.caseDescription

      • Vendor.device.version

      • Vendor.duser

      • Vendor.eventId

      • Vendor.loginName

      • Vendor.msg

      • Vendor.name

      • Vendor.numberOfIncidents

      • Vendor.riskScore

      • Vendor.severity

      • Vendor.severityType

      • Vendor.sourceIp

      • Vendor.sourceServiceName

      Misc

      • Adds event.type field.

      • Bug fix: Updated the field name from risk.calculated_score to host.risk.calculated_score to better align with CPS standard.

      • Bug fix: Renamed the field name from file.bytes to file.size to ensure compliance with CPS standard.

      For more information, see Package forcepoint/dlp Release Notes.

    • aruba/clearpass has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      The old parser clearpass-syslog is deprecated and replaced by the new parser aruba-clearpass. While the old parser will remain available during a transition period, all future changes will only go into the new aruba-clearpass parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old clearpass-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old clearpass-syslog parser would duplicate certain fields, which the new aruba-clearpass parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.Action

      • Vendor.CppmNode.CPPM-Node

      • Vendor.Endpoint.IP-Address

      • Vendor.Endpoint.MAC-Address

      • Vendor.Endpoint.Username

      • Vendor.eventId

      • Vendor.RADIUS.Acct-Framed-IP-Address

      • Vendor.RADIUS.Acct-NAS-IP-Address

      • Vendor.RADIUS.Acct-NAS-Port

      • Vendor.RADIUS.Acct-Username

      • Vendor.TACACS.Request-Type

      • Vendor.WEBAUTH.Host-IP-Address

      • Vendor.swVersion

      Misc

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package aruba/clearpass Release Notes.

    • broadcom/proxysg has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser syslog-utc is deprecated and replaced by the new parser broadcom-proxysg. While the old parser will remain available during a transition period, all future changes will only go into the new broadcom-proxysg parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old syslog-utc parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old syslog-utc parser would duplicate certain fields, which the new broadcom-proxysg parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.message.clientIp

      • Vendor.message.csBytes

      • Vendor.message.csMethod

      • Vendor.message.rsContentType

      • Vendor.message.rsStatus

      • Vendor.message.scBytes

      • Vendor.message.xCsRefererUri

      Miscellaneous

      • Sets the event type.

      For more information, see Package broadcom/proxysg Release Notes.

    • zscaler/private-access has been updated to v1.2.1.

      • Adds support for parsing and processing logs in the default ZPA format.

      • Drops the observer.type field.

      For more information, see Package zscaler/private-access Release Notes.

    • google/chrome-enterprise-security-events has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser Google_Chrome_Enterprise is deprecated and replaced by the new parser google-chrome-enterprise. While the old parser will remain available during a transition period, all future changes will only go into the new google-chrome-enterprise parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old Google_Chrome_Enterprise parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search for this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old Google_Chrome_Enterprise parser would duplicate certain fields, which the new google-chrome-enterprise parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.device_id

      • Vendor.device_name

      • Vendor.device_user

      • Vendor.event

      • Vendor.event_detail

      • Vendor.os_platform

      • Vendor.os_version

      • Vendor.reason

      • Vendor.url

      • Vendor.user_agent

      Miscellaneous
      • Sets the event.category and event.type fields.

      • Bug fix: Renamed the field name from Parser_version to Parser.version to ensure compliance with CPS standard.

      • Bug fix: Renamed the field name from device.name to device.model.name to ensure compliance with CPS standard.

      • Bug fix: Renamed the field name from device.user to user.name to ensure compliance with CPS standard.

      • Bug fix: Moved the fields os.type and os.version under the host.* to ensure compliance with CPS standard.

      For more information, see Package google/chrome-enterprise-security-events Release Notes.

    • cisco/firepower has been updated to v1.4.0.

      • Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0

      • Improves the field extraction and performance

      • Removes the event.code field as it does not conform to CPS standard

      • Further normalisation to ECS fields: observer.ingress.vlan.name, observer.egress.vlan.name, rule.ruleset, rule.category, user_agent.name, user_agent.original, user_agent.version, network.application, http.response.status_code, http.request.referrer

      For more information, see Package cisco/firepower Release Notes.

    • infoblox/nios has been updated to v1.2.1.

      • Adds event.kind field mapped to CPS

      For more information, see Package infoblox/nios Release Notes.

    • akamai/asec has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser asec-json is deprecated and replaced by the new parser akamai-asec. While the old parser will remain available during a transition period, all future changes will only go into the new akamai-asec parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old asec-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old asec-json parser would duplicate certain fields, which the new akamai-asec parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.attackData.clientIP

      • Vendor.geo.city

      • Vendor.geo.country

      • Vendor.httpMessage.bytes

      • Vendor.httpMessage.method

      • Vendor.httpMessage.path

      • Vendor.httpMessage.port

      • Vendor.httpMessage.query

      • Vendor.httpMessage.requestId

      • Vendor.httpMessage.status

      For more information, see Package akamai/asec Release Notes.

    • cisco/ise has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser cisco-ise-syslog is deprecated and replaced by the new parser cisco-ise. While the old parser will remain available during a transition period, all future changes will only go into the new cisco-ise parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old cisco-ise-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old cisco-ise-syslog parser would duplicate certain fields, which the new cisco-ise parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.AD-Error-Details

      • Vendor.AdminIPAddress

      • Vendor.DestinationIPAddress

      • Vendor.DestinationPort

      • Vendor.Detail

      • Vendor.Device IP Address

      • Vendor.EPMacAddress

      • Vendor.EndPointMACAddress

      • Vendor.FailureReason

      • Vendor.IpAddress

      • Vendor.Remote-Address

      • Vendor.Service-Type

      Miscellaneous
      • Sets the fields host.ip and host.mac as arrays.

      • Bug fix: corrected a typo in a field name from eevent.category to event.category.

      • Removes the host.address field as it did not conform to the CPS standard.

      • Corrects the event categorization for event.category for events with code 52002, which was incorrectly assigned as deletion instead of iam.

      For more information, see Package cisco/ise Release Notes.

    • fortinet/fortimail has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser fortimail is deprecated and replaced by the new parser fortinet-fortimail. While the old parser will remain available during a transition period, all future changes will only go into the new fortinet-fortimail parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old fortimail parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old fortimail parser would duplicate certain fields, which the new fortinet-fortimail parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.log.action

      • Vendor.log.client_ip

      • Vendor.log.client_name

      • Vendor.log.direction

      • Vendor.log.dst_ip

      • Vendor.log.mailer

      • Vendor.log.msg

      • Vendor.log.msg.subject

      • Vendor.log.msg.user

      • Vendor.log.pri

      • Vendor.log.subject

      • Vendor.log.ui.ip

      • Vendor.log.user

      Miscellaneous
      • Resolves an issue where email.subject was incorrectly formatted as an array.

      For more information, see Package fortinet/fortimail Release Notes.

    • juniper/srx has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      The old parser srx-syslog is deprecated and replaced by the new parser juniper-srx. While the old parser will remain available during a transition period, all future changes will only go into the new juniper-srx parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old srx-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old srx-syslog parser would duplicate certain fields, which the new juniper-srx parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.application-risk

      • Vendor.bytes-from-client

      • Vendor.bytes-from-server

      • Vendor.destination-address

      • Vendor.destination-interface-name

      • Vendor.destination-port

      • Vendor.destination-zone-name

      • Vendor.dst-addr

      • Vendor.dst-port

      • Vendor.file-name

      • Vendor.filename

      • Vendor.http-host

      • Vendor.inbound-bytes

      • Vendor.inbound-packets

      • Vendor.local-address

      • Vendor.nat-destination-address

      • Vendor.nat-destination-port

      • Vendor.nat-local-address

      • Vendor.nat-remote-address

      • Vendor.nat-source-address

      • Vendor.nat-source-port

      • Vendor.obj

      • Vendor.outbound-bytes

      • Vendor.outbound-packets

      • Vendor.packet-protocol

      • Vendor.packets-from-client

      • Vendor.packets-from-server

      • Vendor.packets-num

      • Vendor.policy-name

      • Vendor.protocol

      • Vendor.protocol-id

      • Vendor.protocol-name

      • Vendor.reason

      • Vendor.remote-address

      • Vendor.rule-name

      • Vendor.rulebase-name

      • Vendor.sample-sha256

      • Vendor.source-address

      • Vendor.source-port

      • Vendor.source-zone-name

      • Vendor.src-addr

      • Vendor.src-port

      • Vendor.syslog.hostname

      • Vendor.syslog.msgid

      • Vendor.syslog.procid

      • Vendor.urlcategory-risk

      • Vendor.username

      For more information, see Package juniper/srx Release Notes.

    • nozomi/ids has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      The old parser nozomi-syslog is deprecated and replaced by the new parser nozomi-ids. While the old parser will remain available during a transition period, all future changes will only go into the new nozomi-ids parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old nozomi-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old nozomi-syslog parser would duplicate certain fields, which the new nozomi-ids parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.Id

      • Vendor.Mitre_attack_tactics

      • Vendor.Mitre_attack_techniques

      • Vendor.Risk

      • Vendor.app

      • Vendor.device.product

      • Vendor.device.vendor

      • Vendor.device.version

      • Vendor.dhost

      • Vendor.dmac

      • Vendor.dpt

      • Vendor.dst

      • Vendor.dvc

      • Vendor.dvchost

      • Vendor.event_class_id

      • Vendor.label.Name

      • Vendor.n2os_schema

      • Vendor.proto

      • Vendor.severity

      • Vendor.shost

      • Vendor.smac

      • Vendor.src

      • Vendor.start

      • Vendor.trigger_id

      • Vendor.trigger_type

      Miscellaneous
      • Sets the fields observer.ip, threat.tactic.name and threat.tactic.id as arrays.

      • Bug fix: Renamed the field name from observer.address to observer.hostname to ensure compliance with CPS standard.

      For more information, see Package nozomi/ids Release Notes.

    • cisco/duo has been updated to v2.0.0.

      Parser renaming and Deprecation notice

      As part of our continuous efforts to simplify and improve parser performance, we consolidated all existing parsers in this package into a single unified cisco-duo parser. This means the following parsers:

      • duo-authentication-json

      • duo-activity-json

      • duo-admin-json

      • duo-telephony-json

      • duo-trustmonitor-json

        are deprecated and all future changes will only go into the new cisco-duo parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old parsers will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old parsers would duplicate certain fields, which the new cisco-duo parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.access_device.browser

      • Vendor.access_device.browser_version

      • Vendor.access_device.hostname

      • Vendor.access_device.ip

      • Vendor.access_device.location.city

      • Vendor.access_device.location.country

      • Vendor.access_device.location.state

      • Vendor.access_device.os

      • Vendor.access_device.os_version

      • Vendor.access_device.port

      • Vendor.action

      • Vendor.action.name

      • Vendor.activity_id

      • Vendor.actor.details.group.name

      • Vendor.actor.key

      • Vendor.actor.name

      • Vendor.applications

      • Vendor.context

      • Vendor.description.admin_email

      • Vendor.description.email

      • Vendor.description.hostname

      • Vendor.description.ip_address

      • Vendor.description.realname

      • Vendor.description.uname

      • Vendor.description.user_agent

      • Vendor.email

      • Vendor.enabled_by.key

      • Vendor.enabled_by.name

      • Vendor.enabled_for.key

      • Vendor.enabled_for.name

      • Vendor.object

      • Vendor.reason

      • Vendor.sekey

      • Vendor.surfaced_auth.access_device.browser

      • Vendor.surfaced_auth.access_device.browser_version

      • Vendor.surfaced_auth.access_device.hostname

      • Vendor.surfaced_auth.access_device.ip

      • Vendor.surfaced_auth.access_device.location.city

      • Vendor.surfaced_auth.access_device.location.country

      • Vendor.surfaced_auth.access_device.location.state

      • Vendor.surfaced_auth.access_device.os

      • Vendor.surfaced_auth.access_device.os_version

      • Vendor.surfaced_auth.email

      • Vendor.surfaced_auth.reason

      • Vendor.surfaced_auth.user.key

      • Vendor.surfaced_auth.user.name

      • Vendor.telephony_id

      • Vendor.triage_event_uri

      • Vendor.user.key

      • Vendor.user.name

      • Vendor.username

      Miscellaneous
      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Includes improved event categorization and outcome determination.

      • Includes improved field normalization.

      For more information, see Package cisco/duo Release Notes.

    • microsoft/sysmon has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser sysmon is deprecated and replaced by the new parser microsoft-sysmon. While the old parser will remain available during a transition period, all future changes will only go into the new microsoft-sysmon parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old sysmon parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old sysmon parser would duplicate certain fields, which the new microsoft-sysmon parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.EventData.CommandLine

      • Vendor.EventData.Company

      • Vendor.EventData.CurrentDirectory

      • Vendor.EventData.Description

      • Vendor.EventData.Destination

      • Vendor.EventData.DestinationIp

      • Vendor.EventData.DestinationPort

      • Vendor.EventData.DestinationPortName

      • Vendor.EventData.Device

      • Vendor.EventData.FileVersion

      • Vendor.EventData.Hashes.IMPHASH

      • Vendor.EventData.Image

      • Vendor.EventData.ImageLoaded

      • Vendor.EventData.OriginalFileName

      • Vendor.EventData.ParentCommandLine

      • Vendor.EventData.ParentImage

      • Vendor.EventData.ParentProcessGuid

      • Vendor.EventData.ParentProcessId

      • Vendor.EventData.PipeName

      • Vendor.EventData.ProcessGuid

      • Vendor.EventData.ProcessId

      • Vendor.EventData.Product

      • Vendor.EventData.Protocol

      • Vendor.EventData.QueryName

      • Vendor.EventData.RuleName

      • Vendor.EventData.Signature

      • Vendor.EventData.SignatureStatus

      • Vendor.EventData.Signed

      • Vendor.EventData.SourceImage

      • Vendor.EventData.SourceIp

      • Vendor.EventData.SourcePort

      • Vendor.EventData.SourcePortName

      • Vendor.EventData.SourceProcessGUID

      • Vendor.EventData.SourceProcessGuid

      • Vendor.EventData.SourceProcessId

      • Vendor.EventData.SourceThreadId

      • Vendor.EventData.TargetFilename

      • Vendor.EventData.TargetObject

      Miscellaneous
      • Bug fix: Renamed the field name from file.code_signature.signed to file.code_signature.exists to ensure compliance with CPS standard.

      For more information, see Package microsoft/sysmon Release Notes.

    • asimily/iomt has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser asimily-iomt-json is deprecated and replaced by the new parser asimily-iomt. While the old parser will remain available during a transition period, all future changes will only go into the new asimily-iomt parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old asimily-iomt-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old asimily-iomt-json parser would duplicate certain fields, which the new asimily-iomt parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.alertId

      • Vendor.context

      • Vendor.deviceModel

      • Vendor.ipAddress

      • Vendor.manufacturer

      • Vendor.os

      For more information, see Package asimily/iomt Release Notes.

    • claroty/ctd has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser cef-latest is deprecated and replaced by the new parser claroty-ctd. While the old parser will remain available during a transition period, all future changes will only go into the new claroty-ctd parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old cef-latest parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old cef-latest parser would duplicate certain fields, which the new claroty-ctd parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.ext.CtdCveId

      • Vendor.ext.CtdCveScore

      • Vendor.ext.CtdDestinationIp

      • Vendor.ext.CtdFilePath

      • Vendor.ext.CtdMessage

      • Vendor.ext.CtdSourceIp

      Miscellaneous
      • Categorizes the events based on the event_class_id field.

      For more information, see Package claroty/ctd Release Notes.

    • island/island has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser island is deprecated and replaced by the new parser island-enterprisebrowser. While the old parser will remain available during a transition period, all future changes will only go into the new island-enterprisebrowser parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old island parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old island parser would duplicate certain fields, which the new island-enterprisebrowser parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.action

      • Vendor.message.email

      • Vendor.message.entityId

      • Vendor.message.entityName

      • Vendor.message.publicIp

      • Vendor.message.sourceIp

      • Vendor.message.topLevelUrl

      • Vendor.message.type

      • Vendor.message.userId

      • Vendor.message.userName

      Miscellaneous
      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package island/island Release Notes.

    • aws/guardduty has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser guardduty-json is deprecated and replaced by the new parser aws-guardduty. While the old parser will remain available during a transition period, all future changes will only go into the new aws-guardduty parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old guardduty-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old guardduty-json parser would duplicate certain fields, which the new aws-guardduty parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved.

      For more information, see Package aws/guardduty Release Notes.

    • cisco/meraki has been updated to v1.2.1.

      • Removes the references to the lookup file from the parser

      • Bumps the ecs.version to 8.16.0

      For more information, see Package cisco/meraki Release Notes.

    • f5networks/bigip has been updated to v2.0.0.

      • Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.

      • Improves CPS categorization and normalization.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package f5networks/bigip Release Notes.

    • dell/isilon has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser isilon-syslog is deprecated and replaced by the new parser dell-isilon. While the old parser will remain available during a transition period, all future changes will only go into the new dell-isilon parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old isilon-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old isilon-syslog parser would duplicate certain fields, which the new dell-isilon parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.clientIPAddr

      • Vendor.filename

      • Vendor.inode

      • Vendor.userSID

      • Vendor.username

      Miscellaneous
      • Sets event.type field.

      For more information, see Package dell/isilon Release Notes.

    • darktrace/detect has been updated to v1.1.0.

      • The parser darktrace-detect is an aggregation of the three previous parsers: ai_analyst_alert-syslog, model_breach_alert-syslog, system_status_alert-syslog

      • Handles events with syslog headers in both the RFC 5424 and RFC 3164 formats

      • Deals with large JSON objects within the message

      • Handles the following log types and sets event.dataset accordingly: detect.aianalyst/detect.modelbreach/detect.modeltrigger/detect.systemstatus/detect.antigena

      • CPS normalization that was previously done in separate parsers is carried out based on event.dataset

      • CPS normalization carried out for additional data types - detect.modeltrigger and detect.antigena

      • Added sanitised examples of all variations of event.dataset and syslog header format

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package darktrace/detect Release Notes.

    • microsoft/dhcp-client has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser windows-dhcp-client is deprecated and replaced by the new parser microsoft-windows-dhcp-client. While the old parser will remain available during a transition period, all future changes will only go into the new microsoft-windows-dhcp-client parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old windows-dhcp-client parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old windows-dhcp-client parser would duplicate certain fields, which the new microsoft-windows-dhcp-client parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.EventRecordId

      • Vendor.UserID

      • Vendor.ProcessID

      For more information, see Package microsoft/dhcp-client Release Notes.

    • haproxy/haproxy has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser haproxy-syslog is deprecated and replaced by the new parser haproxy. While the old parser will remain available during a transition period, all future changes will only go into the new haproxy parser. We recommend switching to the newer parser as soon as possible to make for the smoothest upgrade. The old haproxy-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old haproxy-syslog parser would duplicate certain fields, which the new haproxy parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.bytes_read

      • Vendor.client_ip

      • Vendor.method

      • Vendor.status_code

      Misc

      • Adds the Parser.version field to ensure compliance with the CPS standard.

      For more information, see Package haproxy/haproxy Release Notes.

    • cisco/ise has been updated to v1.2.0.

      • Adds support for the CISE_Alarm messages.

      • Bumps the minimum LogScale version to 1.142 to support assertions in YAML files.

      For more information, see Package cisco/ise Release Notes.

    • humio/activity has been updated to v1.6.0.

      • Added new view interactions Open Alert Docs and Open Scheduled Search Docs, which open the online documentation for alert and scheduled search messages.

      • Added a menu item to the dashboard table widgets that contain a message for alerts and scheduled searches, to open the online documentation for that message.

      For more information, see Package humio/activity Release Notes.

    • aws/waf has been updated to v1.1.0.

      Parser renaming and Deprecation notice

      The old parser waf-json is deprecated and replaced by the new parser aws-waf. While the old parser will remain available during a transition period, all future changes will only go into the new aws-waf parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old waf-json parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old waf-json parser would duplicate certain fields, which the new aws-waf parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields are preserved.

      For more information, see Package aws/waf Release Notes.

    • zscaler/deception has been updated to v1.2.0.

      Parser renaming and Deprecation notice

      The old parser deception is deprecated and replaced by the new parser zscaler-deception. While the old parser will remain available during a transition period, all future changes will only go into the new zscaler-deception parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old deception parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you have that search on this field need to accommodate this change.

      Duplicated vendor fields dropped in new parser

      The old deception parser would duplicate certain fields, which the new zscaler-deception parser will not. The fields that were previously duplicated were present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the values of two such fields are byte-for-byte the same, the new parser no longer preserves the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields are preserved. This means the following fields will no longer be present in the parsed data when using the new parser:

      • Vendor.attacker.name

      • Vendor.attacker.port

      • Vendor.linux.command_line

      • Vendor.linux.pid

      • Vendor.linux.process_name

      • Vendor.linux.user

      • Vendor.network.protocol

      • Vendor.score

      • Vendor.ssl.cipher

      • Vendor.ssl.version

      • Vendor.type

      • Vendor.web.host

      • Vendor.web.method

      • Vendor.web.scheme

      • Vendor.web.status

      • Vendor.web.uri

      • Vendor.web.user_agent.string

      For more information, see Package zscaler/deception Release Notes.
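      The "duplicated vendor fields dropped" rule that the microsoft-windows-dhcp-client, haproxy, aws-waf and zscaler-deception notes above all describe, modelled as an added example (not code from the LogScale packages): vendor-namespace fields are dropped only when their value is byte-for-byte identical to the mapped CPS field. The Vendor.srcIp/source.ip pairing is the one the page gives; the other pairings and the sample event are constructed assumptions.

```python
# Added illustration of the dedup rule from the package notes; not LogScale's own code.
# Field pairings other than Vendor.srcIp -> source.ip are assumed, not taken from the packages.
VENDOR_TO_CPS = {
    "Vendor.srcIp": "source.ip",                        # pairing given on the page
    "Vendor.client_ip": "source.ip",                    # assumed (haproxy)
    "Vendor.method": "http.request.method",             # assumed
    "Vendor.status_code": "http.response.status_code",  # assumed
    "Vendor.bytes_read": "http.response.bytes",         # assumed
}

# Constructed sample event as the old haproxy-syslog parser would emit it:
# every vendor field is duplicated into a CPS field.  LogScale field values
# are strings, so the comparison below is an exact, case-sensitive string match.
SAMPLE_OLD_EVENT = {
    "#type": "haproxy-syslog",
    "Vendor.client_ip": "10.0.0.5", "source.ip": "10.0.0.5",        # identical
    "Vendor.status_code": "200", "http.response.status_code": "200",  # identical
    "Vendor.method": "GET", "http.request.method": "get",           # differ in case
    "Vendor.bytes_read": "1024", "http.response.bytes": "1024",     # identical
    "Vendor.frontend": "fe_https",                                  # no CPS twin: untouched
}

def drop_duplicated_vendor_fields(event, mapping=VENDOR_TO_CPS):
    """Return (new_event, dropped) applying the new-parser rule.

    A vendor field is removed only when both it and its CPS counterpart exist
    and their values are byte-for-byte equal; if they differ, both stay.
    """
    out = dict(event)
    dropped = []
    for vendor_field, cps_field in mapping.items():
        if vendor_field in out and cps_field in out and out[vendor_field] == out[cps_field]:
            del out[vendor_field]
            dropped.append(vendor_field)
    return out, dropped

def fields_removed_by_new_parser(event, mapping=VENDOR_TO_CPS):
    """List the Vendor.* fields a query on this event can no longer rely on."""
    return drop_duplicated_vendor_fields(event, mapping)[1]

if __name__ == "__main__":
    new_event, removed = drop_duplicated_vendor_fields(SAMPLE_OLD_EVENT)
    print("removed:", removed)
    print("kept vendor fields:", [k for k in new_event if k.startswith("Vendor.")])
```

      Run it against saved old-parser events to see which Vendor.* field names your dashboards and saved queries still reference before switching #type to the new parser.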