Falcon LogScale 1.169.0 GA (2024-12-17)

Version           1.169.0
Type              GA
Release Date      2024-12-17
Availability      Cloud
End of Support    2026-02-28
Security Updates  No
Upgrades From     1.136.0
Downgrades To     1.157.0
Config. Changes   No


Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • GraphQL API

    • The new parameter strict has been added to the input of the analyzeQuery() GraphQL query. When set to its default value, true, query validation always validates uses of saved queries and query parameters. When set to false, validation attempts to ignore saved-query and query-parameter uses. This is a breaking change because validation previously behaved as if strict were set to false. To retain the legacy behavior, set strict=false.

  • Storage

    • The archiving logic has changed so that LogScale no longer splits a given segment into multiple bucket objects based on the ungrouped tag combinations in the segment. Tag groups were introduced to limit the number of datasources when a tag has too many distinct values, but the previous archiving implementation split the tag combinations contained in a segment back out into one bucket object per combination. This is a scalability issue and can also affect mini-segment merging. The new approach uploads one object per segment. The visible impact for users is fewer objects in the archiving bucket, and an object naming schema that no longer includes the tags that were grouped into the tag groups the datasource is based on. The set of events in the bucket is unchanged. Because the old behavior is a cluster risk, the change is released immediately.

      For self-hosted customers: if you need time to change the external systems that read from the archive due to the naming changes, you may disable the DontSplitSegmentsForArchiving feature flag (see Enabling and Disabling Feature Flags).

      For more information, see Tag Grouping in AWS S3.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The QUERY_COORDINATOR environment variable is deprecated. To control whether a node should be allowed to be a query coordinator, use the query node task instead. Node tasks can be assigned and unassigned at runtime using the assignTasks() and unassignTasks() GraphQL mutations respectively, or controlled using the INITIAL_DISABLED_NODE_TASKS environment variable.

    For more information, see INITIAL_DISABLED_NODE_TASKS.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

Upgrades

Changes that may occur or be required during an upgrade.

  • Installation and Deployment

    • Once LogScale has been upgraded to 1.162.0 with the WriteNewSegmentFileFormat feature flag enabled, LogScale cannot be downgraded to a version lower than 1.157.0.

New features and improvements

  • Administration and Management

    • Usage is now logged to the humio repository.

Fixed in this release

  • Queries

    • Fixed the query table endpoint client, which was unable to receive responses for tables larger than 128 MB and returned an error instead.

    • Fixed a performance regression in the query scheduler that could lead to query starvation and slow searches.

Known Issues

  • Ingestion

    • An issue has been identified where construction of parsers that use files may time out when the Ad-hoc tables feature is enabled. This issue potentially impacts clusters running versions 1.165 through 1.170.

      Mitigation: temporarily disable the ad-hoc tables feature on affected clusters.

      Solution: upgrade to version 1.171, where this issue has been resolved.

Improvement

  • Storage

    • Improved performance when syncing IOCs internally between nodes in a cluster.

    • Improved the performance of ingest queue message handling that immediately follows a change in the Kafka partition count. Without this improvement, changing the partition count could substantially slow down processing of events ingested before the repartitioning.

    • Relocation of datasources after a partition count change will now be restarted if the Kafka partition count changes again while the cluster is executing relocations. This ensures that datasource placement always reflects the latest partition count.

  • Functions

    • Improved the error message for missing time zones in the parseTimestamp() function.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • checkpoint/ngfw has been updated to v1.3.0.

      Duplicated vendor fields removed

      The updated parser handles field duplication more efficiently. Previously, certain fields were duplicated under both the Vendor namespace (e.g. Vendor.srcIp) and the CPS name (e.g. source.ip). If the values of two such fields are byte-for-byte identical, the updated parser no longer preserves the vendor-specific field, only the CPS field. If the values differ, both fields are preserved. As a result, the following fields will no longer be present in the parsed data when using the updated parser:

      • Vendor.action

      • Vendor.additional_info

      • Vendor.administrator

      • Vendor.app_risk

      • Vendor.app_rule_id

      • Vendor.app_rule_name

      • Vendor.application

      • Vendor.bytes

      • Vendor.categories

      • Vendor.client_inbound_interface

      • Vendor.client_ip

      • Vendor.conn_direction

      • Vendor.delivery_time

      • Vendor.description

      • Vendor.dlp_file_name

      • Vendor.dlp_rule_name

      • Vendor.dlp_rule_uid

      • Vendor.dns_message_type

      • Vendor.dns_type

      • Vendor.domain_name

      • Vendor.dst

      • Vendor.dst_user_name

      • Vendor.email_message_id

      • Vendor.email_queue_id

      • Vendor.email_subject

      • Vendor.endpoint_ip

      • Vendor.file_id

      • Vendor.file_name

      • Vendor.file_size

      • Vendor.file_type

      • Vendor.first_detection

      • Vendor.from

      • Vendor.ifdir

      • Vendor.ifname

      • Vendor.industry_reference

      • Vendor.information

      • Vendor.inzone

      • Vendor.last_detection

      • Vendor.lastupdatetime

      • Vendor.layer_name

      • Vendor.loguid

      • Vendor.mac_destination_address

      • Vendor.mac_source_address

      • Vendor.malware_action

      • Vendor.malware_rule_id

      • Vendor.malware_rule_name

      • Vendor.matched_category

      • Vendor.method

      • Vendor.objectname

      • Vendor.origin

      • Vendor.origin_ip

      • Vendor.os_name

      • Vendor.os_version

      • Vendor.outzone

      • Vendor.packet_capture

      • Vendor.packets

      • Vendor.parent_process_name

      • Vendor.policy

      • Vendor.process_name

      • Vendor.product

      • Vendor.proto

      • Vendor.received_bytes

      • Vendor.referrer

      • Vendor.resource

      • Vendor.rule_name

      • Vendor.rule_uid

      • Vendor.s_port

      • Vendor.security_outzone

      • Vendor.sent_bytes

      • Vendor.sequencenum

      • Vendor.server_outbound_bytes

      • Vendor.server_outbound_interface

      • Vendor.server_outbound_packets

      • Vendor.service

      • Vendor.service_id

      • Vendor.session_description

      • Vendor.session_uid

      • Vendor.severity

      • Vendor.smartdefence_profile

      • Vendor.sport_svc

      • Vendor.src

      • Vendor.src_user_group

      • Vendor.src_user_name

      • Vendor.start_time

      • Vendor.svc

      • Vendor.to

      • Vendor.type

      • Vendor.uid

      • Vendor.update_version

      • Vendor.url

      • Vendor.user

      • Vendor.user_agent

      • Vendor.user_group

      • Vendor.usercheck_incident_uid

      • Vendor.web_client_type

      • Vendor.xlatedport

      • Vendor.xlatedport_svc

      • Vendor.xlatedst

      • Vendor.xlatesport

      • Vendor.xlatesport_svc

      • Vendor.xlatesrc

      Miscellaneous

      • Bug fix: resolved an issue with the regex used to extract fields from rawstring.

      • Bumps the ecs.version to 8.16.0.

      • Corrects typos in the event.type field values to comply with ECS: conection is now connection and delection is now deletion.

      • Removes the destination.service.name field as it was not a valid ECS field.

      • Renames the network.app_name to network.application to comply with ECS.

      • Updates the event.dataset from content-awareness to ngfw.content-awareness to comply with CPS.

      For more information, see Package checkpoint/ngfw Release Notes.
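      The byte-for-byte de-duplication rule described above, as an added example that is not part of the checkpoint/ngfw package (whose parser is written in the LogScale query language, not Python). The Vendor.* to CPS field mapping and the sample events are constructed for illustration and do not reproduce the package's real mapping; the rule's edge cases (values differing only in case, a Vendor.* field with no CPS counterpart) are the ones a query author needs to know about before relying on a field being gone.

```python
"""Simulate the checkpoint/ngfw v1.3.0 duplicate-field rule.

Added example; not the package's parser (LogScale parsers are written in the
LogScale query language). The Vendor.* -> CPS mapping and the sample events
below are constructed for illustration.
"""

# Assumed mapping of vendor-namespaced fields to their CPS/ECS counterparts.
# The real package maps many more fields; this subset is illustrative only.
VENDOR_TO_CPS = {
    "Vendor.src": "source.ip",
    "Vendor.dst": "destination.ip",
    "Vendor.s_port": "source.port",
    "Vendor.action": "event.action",
    "Vendor.rule_name": "rule.name",
    "Vendor.user": "user.name",
}


def dedupe_vendor_fields(event: dict[str, str],
                         mapping: dict[str, str] = VENDOR_TO_CPS) -> dict[str, str]:
    """Return a copy of `event` with each Vendor.* field dropped when its value
    is byte-for-byte identical to the mapped CPS field.

    - Values that differ (even only in case) keep both fields.
    - A Vendor.* field with no CPS counterpart in the event is left untouched.
    """
    out = dict(event)  # never mutate the caller's event
    for vendor_field, cps_field in mapping.items():
        if vendor_field in out and cps_field in out:
            # LogScale field values are strings; compare their UTF-8 bytes so
            # the check is literal, not locale- or case-folding-aware.
            if out[vendor_field].encode("utf-8") == out[cps_field].encode("utf-8"):
                del out[vendor_field]
    return out


# Constructed sample events (not real Check Point log output).
SAMPLE_EVENTS = [
    # Identical values: the vendor copies go, the CPS names survive.
    {
        "Vendor.src": "10.1.2.3", "source.ip": "10.1.2.3",
        "Vendor.dst": "192.0.2.10", "destination.ip": "192.0.2.10",
        "Vendor.rule_name": "allow-web", "rule.name": "allow-web",
    },
    # Normalized value differs from the vendor spelling: both fields are kept,
    # while the identical src/source.ip pair is still de-duplicated.
    {
        "Vendor.action": "Accept", "event.action": "accept",
        "Vendor.src": "10.1.2.4", "source.ip": "10.1.2.4",
    },
    # No CPS counterpart present: nothing is dropped.
    {"Vendor.user": "alice"},
]


def run_samples(events=SAMPLE_EVENTS):
    """Apply the rule to every sample event and return the results in order."""
    return [dedupe_vendor_fields(e) for e in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, run_samples()):
        dropped = sorted(set(before) - set(after))
        print(f"dropped {dropped}; kept {sorted(after)}")
```

      The second sample is the one to watch for: a vendor value such as Accept that the parser normalises to accept is not byte-identical, so both Vendor.action and event.action survive, and a query that assumed Vendor.action was gone (or that it was the only copy) will behave differently from a query written against the first sample.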

    • microsoft/sysmon has been updated to v1.1.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package microsoft/sysmon Release Notes.

    • imperva/cloud-waf has been updated to v1.3.1.

      • Removes the references to the lookup file from the parser.

      • Bumps the ecs.version to 8.16.0.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package imperva/cloud-waf Release Notes.

    • cisco/firepower has been updated to v1.4.0.

      • Bumps the Parser.version to 3.0.0 and ecs.version to 8.16.0.

      • Improves the field extraction and performance.

      • Removes the event.code field as it does not conform to the CPS standard.

      • Further normalisation to ECS fields: observer.ingress.vlan.name, observer.egress.vlan.name, rule.ruleset, rule.category, user_agent.name, user_agent.original, user_agent.version, network.application, http.response.status_code, http.request.referrer.

      For more information, see Package cisco/firepower Release Notes.

    • infoblox/nios has been updated to v1.2.1.

      • Adds event.kind field mapped to CPS

      For more information, see Package infoblox/nios Release Notes.

    • paloalto/firewall has been updated to v1.2.0.

      • Adds additional mappings to ECS for: source.geo.country_name, destination.geo.country_name, rule.category, process.command_line, source.ip (for Config logs), network.packets fields.

      • Adds url.* ECS fields for subtype url

      • Adds the field observer.type

      • Adds additional options to Config logs to determine event.outcome

      • Enhancement to parsing for system auth logs

      • Decodes network.transport to include network.iana_numbers

      • Aliases client.ip/port to source.ip/port and server.ip/port to destination.ip/port

      For more information, see Package paloalto/firewall Release Notes.

    • palo-alto/prisma-sd-wan has been updated to v1.1.0.

      • Improves the field extraction and performance.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      • Sets the Vendor.type field based on the event type.

      • Sets the observer.address, observer.name, event.outcome fields and more.

      • Renames the parser to paloalto-prisma-sdwan.

      For more information, see Package palo-alto/prisma-sd-wan Release Notes.

    • cisco/meraki has been updated to v1.2.1.

      • Removes the references to the lookup file from the parser

      • Bumps the ecs.version to 8.16.0

      For more information, see Package cisco/meraki Release Notes.

    • f5networks/bigip has been updated to v2.0.0.

      • Now supports all BIG-IP events: ASM, APM, DNS, LTM as well as BIG-IP System and OS logs.

      • Improves CPS categorization and normalization.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/duo has been updated to v2.1.0.

      • Adds normalization using the Vendor.auth_device.* fields.

      • Updates the field mapping for Cisco Duo Authentication events. To improve the accuracy and consistency of field normalization, fields previously mapped to source.user.* are now mapped to user.*. This is a breaking change: search queries, dashboards or alerts that rely on the source.user.* fields may stop working. Update all affected search queries to use the user.* fields to restore functionality.

      For more information, see Package cisco/duo Release Notes.
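      One way to find the queries, dashboards and alerts that the Duo rename above breaks, as an added example rather than anything shipped with a LogScale package: it scans query strings for field references covered by the renames and removals in this release's package updates (the Duo source.user.* to user.* rename, the Check Point network.app_name rename and dropped Vendor.* fields, and Firepower's removed event.code) and rewrites the renames. The field lists are a subset of those in the release notes, the field-reference regex is a simplification of LogScale's identifier syntax, and the sample queries are constructed.

```python
"""Audit saved queries for field names changed by this release's package updates.

Added example, not part of any LogScale package. The field lists are a subset of
those in the release notes, the field-reference regex is a simplification of
LogScale's identifier syntax, and the sample queries are constructed.
"""
import re

# cisco/duo v2.1.0: every source.user.* field is now user.*
RENAMED_PREFIXES = {"source.user.": "user."}
# checkpoint/ngfw v1.3.0: single-field rename
RENAMED_FIELDS = {"network.app_name": "network.application"}
# No longer emitted: a few of the Vendor.* fields dropped by checkpoint/ngfw
# v1.3.0, its destination.service.name, and event.code from cisco/firepower v1.4.0.
REMOVED_FIELDS = {
    "Vendor.src", "Vendor.dst", "Vendor.action", "Vendor.rule_name", "Vendor.user",
    "destination.service.name", "event.code",
}

# A dotted field reference that is not part of a longer identifier. Requiring
# at least one dot keeps bare words and IP literals (which start with a digit)
# out of the matches.
_FIELD_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*(?:\.\w+)+)(?![\w.])")


def _rename(field: str):
    """Return the new name for a renamed field, or None if it is unchanged."""
    if field in RENAMED_FIELDS:
        return RENAMED_FIELDS[field]
    for old, new in RENAMED_PREFIXES.items():
        if field.startswith(old):
            return new + field[len(old):]
    return None


def audit_query(query: str) -> list[tuple[str, str]]:
    """Return (field, advice) for each affected field reference, in order of
    appearance. Unrelated fields such as destination.user.name are not flagged."""
    findings = []
    for m in _FIELD_RE.finditer(query):
        field = m.group(1)
        if field in REMOVED_FIELDS:
            findings.append((field, "removed by updated parser"))
        else:
            new = _rename(field)
            if new:
                findings.append((field, f"renamed to {new}"))
    return findings


def rewrite_query(query: str) -> str:
    """Apply the renames. Removed fields are left in place: choosing their
    replacement (if any) is a decision for whoever owns the query."""
    return _FIELD_RE.sub(lambda m: _rename(m.group(1)) or m.group(1), query)


# Constructed sample queries, not taken from any shipped dashboard.
SAMPLE_QUERIES = [
    # Duo alert using the pre-2.1.0 names; destination.user.* is unrelated.
    "#Vendor=duo event.outcome=failure | groupBy([source.user.name, destination.user.name])",
    # Check Point widget referencing a dropped field and a renamed one.
    "#Vendor=checkpoint Vendor.action=Drop | top(network.app_name)",
    # Already migrated: nothing to report.
    "user.name=alice | count()",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q)
        for field, advice in audit_query(q):
            print(f"  {field}: {advice}")
        print("  ->", rewrite_query(q))
```

      Removed fields are deliberately reported but not rewritten: a dropped Vendor.* field usually has a CPS equivalent, but which one carries the same meaning is a per-field decision, and silently substituting a guess would hide exactly the detection gap the audit is meant to surface.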

    • darktrace/detect has been updated to v1.1.0.

      • The parser darktrace-detect is an aggregation of the three previous parsers: ai_analyst_alert-syslog, model_breach_alert-syslog and system_status_alert-syslog.

      • Handles events with syslog headers in both the RFC 5424 and RFC 3164 formats

      • Deals with large JSON objects within the message

      • Handles the following log types and sets event.dataset accordingly: detect.aianalyst, detect.modelbreach, detect.modeltrigger, detect.systemstatus and detect.antigena.

      • CPS normalization that was previously done in separate parsers is carried out based on event.dataset

      • CPS normalization carried out for additional data types - detect.modeltrigger and detect.antigena

      • Added sanitised examples of all variations of event.dataset and syslog header format.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package darktrace/detect Release Notes.

    • infoblox/nios has been updated to v1.2.2.

      • Improves the dns.* fields extraction.

      • Bumps the ecs.version to 8.16.0.

      • Enhances the regex to accept hashes in the host.domain field.

      For more information, see Package infoblox/nios Release Notes.

    • cisco/ise has been updated to v1.2.0.

      • Adds support for the CISE_Alarm messages.

      • Bumps the minimum LogScale version to 1.142 to support assertions in yaml files.

      For more information, see Package cisco/ise Release Notes.

    • humio/activity has been updated to v1.6.0.

      • Added new view interactions Open Alert Docs and Open Scheduled Search Docs which will open the online documentation for messages for alerts and scheduled searches.

      • Added a menu item on the table widgets on the dashboards containing a message for alerts and scheduled searches to open the online documentation for the message.

      For more information, see Package humio/activity Release Notes.

    • paloalto/firewall has been updated to v1.2.1.

      • Adds an additional mapping to ECS for user_agent.original field.

      • Parses user.name out of Admin field from Config logs.

      For more information, see Package paloalto/firewall Release Notes.