Falcon LogScale 1.194.0 GA (2025-06-24)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.194.0GA2025-06-24

Cloud

2026-07-31No1.150.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Advance Warning

The following items are due to change in a future release.

  • Functions

    • Starting from release 1.195, the query functions asn() and ipLocation() will display an error instead of a warning should an error occur with their external dependency. This change will align their behavior to functions using similar external resources, like match(), iocLookup(), and cidr().

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The color field on the Role type has been marked as deprecated (will be removed in version 1.195).

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The updateScheduledSearchV2 GraphQL mutation has been deprecated in favor of updateScheduledSearchV3, which now includes field triggerOnEmptyResult .

New features and improvements

  • Automation and Triggers

    • Scheduled searches can now trigger actions even when no results are found. Previously, actions would only trigger when results were found. This is an optional feature that you can set in Advanced settings.

    • It is now possible to test Actions with an empty set of events. This feature allows for validating that actions work correctly when no events are found by a scheduled search, and helps prevent action configuration errors.

  • GraphQL API

  • Configuration

Fixed in this release

  • Administration and Management

    • Fixed an issue in the live-dashboard-query-count metric to improve accuracy.

  • User Interface

    • Fixed an issue where some table columns would not get sorted properly.

  • Dashboards and Widgets

    • Widgets now display the Raw value format with better precision, as they no longer round/truncate significant digits: instead, raw values now keep the same precision that JavaScript floats can handle. For example, before the fix a chart would display a raw value format like 12345678 as 12,345,700; after the fix, the chart correctly displays the value as 12,345,678.

  • Queries

    • Fixed an issue where during digest restart a query might receive duplicate events.

Improvement

  • Storage

    • Made improvements to all bucket upload operations. Bucket storage upload operations (uploaded files/global snapshots/segments) now work more efficiently by utilizing the upload queue and callback functions to complete the upload. This ensures that configured concurrency limits are properly enforced.

  • Functions

    • Improved performance of match(mode=glob). It now runs significantly faster in many situations. The performance impact depends on the situation; speed-ups of 4x-90x have been observed.

    • The correlate() function now generates a warning message when used in an unsupported, non-top-level context, such as in subqueries or when passed as an argument to a function.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • f5networks/bigip has been updated to v2.3.2.

      • Fixed field mapping to use direct assignment instead of rename function for better performance

      For more information, see Package f5networks/bigip Release Notes.

    • cisco/ios has been updated to v1.6.1.

      • Added support for VTY access logs with new pattern matching

      For more information, see Package cisco/ios Release Notes.

    • juniper/srx has been updated to v1.4.0.

      • Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs

      • Enhanced source IP extraction with support for src-ip-str field

      • Added user.name field mapping from source.user.name when available

      • Fixed indentation in SSH authentication message parsing

      For more information, see Package juniper/srx Release Notes.

    • zscaler/internet-access has been updated to v1.4.1.

      • Fixed conditional parsing of file.mtime field to handle cases when Vendor.lastmodtime is not present

      • Updated parser version to 2.4.1

      For more information, see Package zscaler/internet-access Release Notes.

    • forcepoint/dlp has been updated to v1.2.1.

      • Updated field assignments to use direct assignment instead of rename function

      • Fixed parser version reference

      For more information, see Package forcepoint/dlp Release Notes.

    • cloudflare/zerotrust has been updated to v1.2.3.

      • Fixed handling of PROXY_CONN_REFUSED connection close reason

      • Improved bulk log processing by removing trailing newline characters

      • Updated parser version to 2.1.3

      For more information, see Package cloudflare/zerotrust Release Notes.

    • fortinet/fortigate has been updated to v1.3.4.

      • Updated ECS version to 9.0.0

      • Added message and rule.name fields for alert events

      • Fixed field mappings for UTM alert events

      For more information, see Package fortinet/fortigate Release Notes.

    • mimecast/email-security has been updated to v1.0.0.

      • Upgraded parser to align with CPS standards

      • Normalized email fields to ECS format

      • Added MITRE ATT&CK technique mappings

      • Enhanced threat detection capabilities

      • Improved dashboard visualizations with better field mappings

      • Updated all dashboards to use normalized fields

      • Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.

      • Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data

      For more information, see Package mimecast/email-security Release Notes.

    • darktrace/detect has been updated to v1.3.1.

      • Fixed timestamp parsing for Antigena events to use start time instead of end time

      For more information, see Package darktrace/detect Release Notes.

    • cisco/meraki has been updated to v1.5.0.

      • Added support for JSON formatted logs with timestamps in ts and occurredAt fields

      • Added support for IDS Alert events with pass-through detections

      • Added support for File Scanned events

      • Added support for BGP, DHCP, VPN, and wireless association events

      • Updated ECS version to 9.0.0

      For more information, see Package cisco/meraki Release Notes.

    • zscaler/private-access has been updated to v1.3.2.

      • Added support for private cloud controller status logs

      • Improved log type detection for logs without sourcetype field

      • Enhanced log format detection for various ZPA log types

      For more information, see Package zscaler/private-access Release Notes.

    • okta/sso has been updated to v1.4.0.

      • Enhanced user target field handling to support multiple values

      • Added support for event hook delivery events

      • Improved event categorization with more comprehensive event type mappings

      • Added client fields including client.as.number and client.user fields

      • Added transaction.id and rule fields for better traceability

      • Added user_agent fields including device name and version

      • Updated ECS version to 9.0.0

      For more information, see Package okta/sso Release Notes.

    • fortinet/fortimail has been updated to v2.0.0.

      • Improved parsing of key-value pairs with empty values

      • Enhanced event categorization for all log types

      • Added support for email address extraction from complex formats

      • Fixed handling of comma-separated recipient lists

      • Added URL parsing capabilities

      • Improved outcome determination logic

      For more information, see Package fortinet/fortimail Release Notes.

    • dell/isilon has been updated to v1.2.1.

      • Updated field mapping syntax from rename() to direct assignment for better performance

      • Fixed minor code formatting issues

      For more information, see Package dell/isilon Release Notes.

    • f5networks/bigip has been updated to v2.3.1.

      • Fixed VLAN ID parsing in connection error and SSL handshake failure events

      For more information, see Package f5networks/bigip Release Notes.

    • aws/guardduty has been updated to v1.1.3.

      • Added event.reason field mapping from Vendor.title

      • Updated parser version to 1.2.2

      For more information, see Package aws/guardduty Release Notes.

    • cloudflare/zerotrust has been updated to v1.3.0.

      • Enhanced JSON parsing with excludeEmpty and handleNull options

      • Updated event type categorization for email security logs

      • Added new test cases for improved coverage

      • Updated parser version to 2.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • aruba/clearpass has been updated to v1.2.4.

      • Added support for additional syslog header formats

      • Enhanced event categorization for various event types

      • Added extensive field extraction from Description field

      • Added support for authentication, session, and configuration events

      • Improved field normalization for client IP and MAC addresses

      For more information, see Package aruba/clearpass Release Notes.

    • claroty/ctd has been updated to v1.2.1.

      • Fixed field mapping to use direct assignment instead of rename function

      • Improved case statement formatting for better readability

      • Updated parser version to 1.1.2

      For more information, see Package claroty/ctd Release Notes.

    • checkpoint/ngfw has been updated to v2.1.1.

      • Fixed CEF log parsing regex to properly handle logs without trailing newlines

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.1.1

      For more information, see Package checkpoint/ngfw Release Notes.

    • imperva/cloud-waf has been updated to v1.4.0.

      • Added regex pattern matching to filter CEF events and drop non-CEF log entries

      • Updated ECS version to 8.17.0

      • Removed rename() function calls for direct field assignment

      • Deleted cwaf-cef.yaml parser file

      For more information, see Package imperva/cloud-waf Release Notes.

    • island/island has been updated to v1.2.1.

      • Updated field assignments to use direct assignment instead of rename() function

      • Fixed parser version to match package version

      For more information, see Package island/island Release Notes.

    • google/chrome-enterprise-security-events has been updated to v1.2.0.

      • Updated ECS version from 8.11.0 to 8.17.0

      • Removed deprecated parser Google_Chrome_Enterprise.yaml

      • Simplified field assignments by removing unnecessary rename() functions

      • Updated parser version to 2.0.1

      For more information, see Package google/chrome-enterprise-security-events Release Notes.

    • haproxy/haproxy has been updated to v1.2.1.

      • Updated field assignment syntax from rename() to direct assignment

      • Updated parser version to 1.1.2

      For more information, see Package haproxy/haproxy Release Notes.

    • cisco/ise has been updated to v1.3.2.

      • Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats

      • Added support for "purging data older than" message format

      • Added support for "completed successfully" message format with event outcome set to success

      • Added support for CISE_Alarm messages with improved parsing

      • Enhanced field extraction for alarm messages

      • Added event categorization for SGT assignment and RADIUS authentication drop alarms

      For more information, see Package cisco/ise Release Notes.

    • rubrik/security-cloud has been updated to v1.1.1.

      • Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)

      • Updated ECS version to 9.0.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • checkpoint/ngfw has been updated to v2.1.0.

      • Added support for CEF formatted logs with and without headers

      • Enhanced timestamp handling for various formats

      • Added field mappings for additional Check Point fields

      • Improved event categorization and field normalization

      • Added support for additional network direction indicators

      For more information, see Package checkpoint/ngfw Release Notes.