Falcon LogScale 1.192.0 GA (2025-06-10)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Downgrades To? | Config. Changes? |
|---|---|---|---|---|---|---|---|---|
| 1.192.0 | GA | 2025-06-10 | Cloud | 2026-07-31 | No | 1.150.0 | 1.177.0 | No |
Hide file download links
Download
Use docker pull humio/humio-core:1.192.0 to download the latest version
Bug fixes and updates
Advance Warning
The following items are due to change in a future release.
Functions
Starting from release 1.195, the query functions
asn()andipLocation()will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, likematch(),iocLookup(), andcidr().
Deprecation
Items that have been deprecated and may be removed in a future release.
The
colorfield on the Role type has been marked as deprecated (will be removed in version 1.195).The
setConsideredAliveUntilandsetConsideredAliveForGraphQL mutations are deprecated and will be removed in 1.195.The
lastScheduledSearchfield from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replacelastScheduledSearch.The
EXTRA_KAFKA_CONFIGS_FILEconfiguration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
New features and improvements
GraphQL API
Labels can now be added to files through the GraphQL mutations: newFile() and updateFile(), and can be queried on the File input datatype.
Dashboards and Widgets
To support the output of the
correlate()function introduced in this version, theTablewidget has a new format setting Group fields by prefix to display fields from the same event in a single column.
Functions
The new
correlate()function for advanced event pattern detection is now available. This feature enables users to identify specific sequences of events.Key capabilities:
Search for related event groups and patterns
Define temporal relationships
Configure custom detection criteria
Example use case: Search for a sequence where a user has three failed login attempts followed by a successful login within a five-minute window.
For detailed implementation guidelines and configuration options, please refer to the
correlate()function documentation.For more information, see
correlate().
Fixed in this release
User Interface
Filtering on the result of an aggregation could lead to more rows in the UI than there should be. This issue has now been fixed.
Automation and Triggers
The Time interval selector now correctly retains the timestamp selected in Advanced settings when editing a trigger in the
Searchpage. Previously, it would always default to @ingesttimestamp.
Improvement
GraphQL API
Extended the analyzeQuery() endpoint with an optional time interval. This allows validating the interval for syntax errors.
Storage
Reduced memory usage when working with large tables (for example, those defined by
defineTable()).
Functions
Searches using ID filters such as with
in(@id, values=[...])are now being optimized to run more efficiently. This improvement is especially noticeable when drilling down into results using thecorrelate()function.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
f5networks/bigip has been updated to v2.3.2.
Fixed field mapping to use direct assignment instead of rename function for better performance
For more information, see Package f5networks/bigip Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
juniper/srx has been updated to v1.4.0.
Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs
Enhanced source IP extraction with support for src-ip-str field
Added user.name field mapping from source.user.name when available
Fixed indentation in SSH authentication message parsing
For more information, see Package juniper/srx Release Notes.
asimily/iomt has been updated to v1.1.1.
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignments
Removed deprecated parser asimily-iomt-json
For more information, see Package asimily/iomt Release Notes.
zscaler/internet-access has been updated to v1.4.1.
Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present
Updated parser version to 2.4.1
For more information, see Package zscaler/internet-access Release Notes.
akamai/asec has been updated to v1.1.1.
Updated ECS version from 8.11.0 to 8.17.0
Replaced rename() function with direct assignments for field mappings
Removed deprecated parser asec-json.yaml
For more information, see Package akamai/asec Release Notes.
forcepoint/dlp has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename function
Fixed parser version reference
For more information, see Package forcepoint/dlp Release Notes.
cisco/duo has been updated to v2.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 2.1.1
Updated parser to use array:append for array declaration
For more information, see Package cisco/duo Release Notes.
aws/waf has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename() function
Removed deprecated waf-json.yaml parser
For more information, see Package aws/waf Release Notes.
aws/s3-server-access has been updated to v1.2.1.
Updated parser to use direct field assignments instead of rename() function
Fixed field mapping consistency
For more information, see Package aws/s3-server-access Release Notes.
nozomi/ids has been updated to v1.3.0.
Updated timestamp parsing to support MMM dd yyyy HH:mm:ss format
Added support for new message types including threat intelligence updates, link status changes, and network scans
Enhanced MAC address normalization with uppercase conversion and consistent delimiter formatting
Improved field extraction for domain and username parsing
Fixed lowercase normalization for various address fields
The old parser nozomi-syslog is now officially removed from the Nozomi IDS package
For more information, see Package nozomi/ids Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
juniper/srx has been updated to v1.3.0.
Updated parser to use ECS 8.17.0
Improved field extraction with format() function
Enhanced array handling with array:append() for event categories and types
Added support for mgd login events with user roles and service type
Fixed field handling for null values
The old parser srx-syslog is now officially removed from the Juniper SRX package
For more information, see Package juniper/srx Release Notes.
darktrace/detect has been updated to v1.3.1.
Fixed timestamp parsing for Antigena events to use start time instead of end time
For more information, see Package darktrace/detect Release Notes.
aws/vpcflow has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.2.1
Updated parser to use array:append for array declaration
For more information, see Package aws/vpcflow Release Notes.
zscaler/private-access has been updated to v1.3.2.
Added support for private cloud controller status logs
Improved log type detection for logs without sourcetype field
Enhanced log format detection for various ZPA log types
For more information, see Package zscaler/private-access Release Notes.
fortinet/fortimail has been updated to v2.0.0.
Improved parsing of key-value pairs with empty values
Enhanced event categorization for all log types
Added support for email address extraction from complex formats
Fixed handling of comma-separated recipient lists
Added URL parsing capabilities
Improved outcome determination logic
For more information, see Package fortinet/fortimail Release Notes.
fortinet/fortimail has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
Updated client.ip to non-array field
The old parser fortimail is now officially removed from the Fortinet Fortimail package
For more information, see Package fortinet/fortimail Release Notes.
dell/isilon has been updated to v1.2.1.
Updated field mapping syntax from rename() to direct assignment for better performance
Fixed minor code formatting issues
For more information, see Package dell/isilon Release Notes.
veeam/veeamdataplatform has been updated to v1.0.1.
Updated field assignments to use direct assignment instead of rename() function
Improved field mapping consistency
For more information, see Package veeam/veeamdataplatform Release Notes.
aws/guardduty has been updated to v1.1.2.
Updated field mapping to use direct assignment instead of rename function
Removed deprecated guardduty-json.yaml parser
Updated parser version to 1.2.1
For more information, see Package aws/guardduty Release Notes.
f5networks/bigip has been updated to v2.3.1.
Fixed VLAN ID parsing in connection error and SSL handshake failure events
For more information, see Package f5networks/bigip Release Notes.
aws/guardduty has been updated to v1.1.3.
Added event.reason field mapping from Vendor.title
Updated parser version to 1.2.2
For more information, see Package aws/guardduty Release Notes.
aws/cloudtrail has been updated to v1.1.6.
Updated parser version to 2.0.6
Updated CPS version to 1.0.0
Fixed TLS field handling by removing rename function and adding drop operations
For more information, see Package aws/cloudtrail Release Notes.
aruba/clearpass has been updated to v1.2.4.
Added support for additional syslog header formats
Enhanced event categorization for various event types
Added extensive field extraction from Description field
Added support for authentication, session, and configuration events
Improved field normalization for client IP and MAC addresses
For more information, see Package aruba/clearpass Release Notes.
asimily/iomt has been updated to v1.1.2.
Updated parser version to 1.1.2
Updated parser to use array:append for array declaration
For more information, see Package asimily/iomt Release Notes.
claroty/ctd has been updated to v1.2.1.
Fixed field mapping to use direct assignment instead of rename function
Improved case statement formatting for better readability
Updated parser version to 1.1.2
For more information, see Package claroty/ctd Release Notes.
broadcom/proxysg has been updated to v1.2.1.
Updated field mapping to use direct assignment instead of rename function
Fixed parser version to 1.1.2
For more information, see Package broadcom/proxysg Release Notes.
aws/fsx has been updated to v1.1.1.
Updated field mapping to use direct assignment instead of rename function
Updated ECS version to 8.17.0
Updated parser version to 1.1.1
Updated parser to use array:append for array declaration
For more information, see Package aws/fsx Release Notes.
cisco/firepower has been updated to v1.6.4.
Fixed regex pattern for hop failure messages to handle interface names with spaces
For more information, see Package cisco/firepower Release Notes.
imperva/cloud-waf has been updated to v1.4.0.
Added regex pattern matching to filter CEF events and drop non-CEF log entries
Updated ECS version to 8.17.0
Removed rename() function calls for direct field assignment
Deleted cwaf-cef.yaml parser file
For more information, see Package imperva/cloud-waf Release Notes.
f5networks/bigip has been updated to v2.3.0.
Added support for F5 BIG-IP logs in Splunk format (HTTP traffic, load balancer failures, DNS requests/responses)
Fixed IP address field mapping to correctly populate source.ip, destination.ip, and server.ip fields
Improved timestamp parsing to support additional formats
Enhanced key-value parsing with better handling of empty fields
For more information, see Package f5networks/bigip Release Notes.
aruba/clearpass has been updated to v1.2.3.
Updated field mapping to use format() function instead of rename() for better compatibility
Downgraded CPS version from 2.0.0 to 1.0.0
Removed deprecated clearpass-syslog.yaml parser file
For more information, see Package aruba/clearpass Release Notes.
island/island has been updated to v1.2.1.
Updated field assignments to use direct assignment instead of rename() function
Fixed parser version to match package version
For more information, see Package island/island Release Notes.
google/chrome-enterprise-security-events has been updated to v1.2.0.
Updated ECS version from 8.11.0 to 8.17.0
Removed deprecated parser Google_Chrome_Enterprise.yaml
Simplified field assignments by removing unnecessary rename() functions
Updated parser version to 2.0.1
For more information, see Package google/chrome-enterprise-security-events Release Notes.
haproxy/haproxy has been updated to v1.2.1.
Updated field assignment syntax from rename() to direct assignment
Updated parser version to 1.1.2
For more information, see Package haproxy/haproxy Release Notes.
zscaler/internet-access has been updated to v1.4.0.
Updated parser to use direct field assignments instead of rename() function
Fixed base64 decoding for URL fields
For more information, see Package zscaler/internet-access Release Notes.
cisco/ise has been updated to v1.3.2.
Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
Added support for "purging data older than" message format
Added support for "completed successfully" message format with event outcome set to success
Added support for CISE_Alarm messages with improved parsing
Enhanced field extraction for alarm messages
Added event categorization for SGT assignment and RADIUS authentication drop alarms
For more information, see Package cisco/ise Release Notes.
checkpoint/ngfw has been updated to v2.1.0.
Added support for CEF formatted logs with and without headers
Enhanced timestamp handling for various formats
Added field mappings for additional Check Point fields
Improved event categorization and field normalization
Added support for additional network direction indicators
For more information, see Package checkpoint/ngfw Release Notes.