Falcon LogScale 1.195.0 GA (2025-07-01)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.195.0GA2025-07-01

Cloud

2026-07-31No1.150.01.177.0No

Hide file download links

Show file download links

Bug fixes and updates

Removed

Items that have been removed as of this release.

Configuration

  • Removed server compatibility checks from multi-cluster searches. These checks became obsolete due to some internal implementation changes occurred in past versions. The new behavior is described at Multi-Cluster Compatibility Across Versions.

    Additional related changes:

  • The QueryBacktrackingLimit feature flag has been removed. Use the QueryBacktrackingLimit dynamic configuration to adjust the limit.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.

    The information about the total number of datasources is available via the logs by the GlobalSegmentStatsLoggerJob in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.

  • The setConsideredAliveUntil and setConsideredAliveFor GraphQL mutations are deprecated and will be removed in 1.195.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Storage

    • Changed segment upload behavior to use the first available ownerHosts that is alive instead of just the first ownerHost.

    • Reverted a change from version 1.191.0 that increased the buffer size used for parsing global snapshots, as the change did not yield the expected performance improvements.

  • Ingestion

    • Parse Data now only report missing lookup files when the query statement using the file is actually evaluated. For example, when using case branching with a missing lookup file that the event doesn't hit, no warning will be generated for the missing file.

  • Queries

    • Changed HTTP status code from 400 to 503 when a query fails to start due to internal errors, such as query queue being full.

  • Functions

    • asn() and ipLocation() functions now throws errors (instead of warnings) in query contexts where there are issues with external dependencies. This matches the error handling behavior of functions that also use external dependencies, like match() and ioc:lookup().

New features and improvements

  • GraphQL API

    • Added new GraphQL mutation copySavedQuery(). This mutation allows copying a saved query, optionally into another repository.

  • Ingestion

    • Added ingest feeds for consuming data from Azure Event Hubs, this feature is now available on cloud and was released for self hosted as of 1.189.0.

      For more information, see Ingest Data from Azure Event Hubs.

Fixed in this release

  • Dashboards and Widgets

    • Fixed an issue where clicking a preset interaction, such as Go to events link in the Table widget to add a field filter to the end of a query, would convert a safe value into an incorrect regex.

  • Queries

    • Fixed an issue that caused incorrect worker assignments to a query after handover operations. These incorrect assignments would lead to unnecessary query restarts.

    • During digest restart, live queries could miss some events in cases where the live query had dependencies, such as dependencies on a lookup file. This issue has now been fixed.

  • Other

    • LogScale shutdown could be delayed if errors occurred during a shutdown already in progress.

Improvement

  • Automation and Triggers

    • For filter and aggregate alerts, values for field-based throttling are now being hashed to save space.

      For Self-hosted only: this change enables storing more values for field-based throttling when using throttle fields with large values. See FILTER_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED and AGGREGATE_ALERT_MAX_THROTTLE_FIELD_VALUES_STORED configuration variables.

      For Self-hosted only: if you need to downgrade after upgrading to this version, you might lose all values stored for field-based throttling, causing alerts with field-based throttling to trigger again although they should have been throttled. This will occur at most once per throttling field value.

  • Storage

    • Reduced memory usage when handling numerical values in internal JSON representation.

  • GraphQL API

    • Added support for labels in the GraphQL API for Actions. Labels can now be:

      • Added to Actions through the GraphQL mutations for creating and updating Actions

      • Queried on the "Action" type

    • Made the name input argument of createDashboardFromTemplateV2() mutation optional. If not supplied, the name will default to the name in the template.

  • Queries

    • Enhanced query handling to prevent execution of queries originating from timed-out HTTP requests.

    • Increased delays between repeated query restarts of the same static query.

    • Improved consistency in log message format between slow query and query ended logs.

  • Functions

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • f5networks/bigip has been updated to v2.3.2.

      • Fixed field mapping to use direct assignment instead of rename function for better performance

      For more information, see Package f5networks/bigip Release Notes.

    • checkpoint/ngfw has been updated to v2.1.2.

      • Regex fix to stop backtracking errors for logs that use "=" as the key-value separator

      • Added event.kind field with default value "event"

      • Removed redundant case statement for event.kind assignment

      • Updated parser version to 3.1.2

      For more information, see Package checkpoint/ngfw Release Notes.

    • cisco/ios has been updated to v1.6.1.

      • Added support for VTY access logs with new pattern matching

      For more information, see Package cisco/ios Release Notes.

    • nozomi/ids has been updated to v1.3.1.

      • Updated ECS version to 9.0.0

      • Improved field extraction for Mitre attack tactics and techniques

      • Fixed parser version to 3.0.1

      For more information, see Package nozomi/ids Release Notes.

    • juniper/srx has been updated to v1.4.0.

      • Added support for authentication events with UI_LOGIN_EVENT, DYNAMIC_VPN_AUTH_OK, REMOTE_ACCESS_VPN_AUTH_OK, DYNAMIC_VPN_AUTH_FAIL, and REMOTE_ACCESS_VPN_AUTH_FAIL message IDs

      • Enhanced source IP extraction with support for src-ip-str field

      • Added user.name field mapping from source.user.name when available

      • Fixed indentation in SSH authentication message parsing

      For more information, see Package juniper/srx Release Notes.

    • microsoft/dhcp-client has been updated to v1.1.1.

      • Updated ECS version to 9.0.0

      • Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id

      For more information, see Package microsoft/dhcp-client Release Notes.

    • forcepoint/dlp has been updated to v1.2.1.

      • Updated field assignments to use direct assignment instead of rename function

      • Fixed parser version reference

      For more information, see Package forcepoint/dlp Release Notes.

    • cloudflare/zerotrust has been updated to v1.2.3.

      • Fixed handling of PROXY_CONN_REFUSED connection close reason

      • Improved bulk log processing by removing trailing newline characters

      • Updated parser version to 2.1.3

      For more information, see Package cloudflare/zerotrust Release Notes.

    • fortinet/fortigate has been updated to v1.3.4.

      • Updated ECS version to 9.0.0

      • Added message and rule.name fields for alert events

      • Fixed field mappings for UTM alert events

      For more information, see Package fortinet/fortigate Release Notes.

    • mimecast/email-security has been updated to v1.0.0.

      • Upgraded parser to align with CPS standards

      • Normalized email fields to ECS format

      • Added MITRE ATT&CK technique mappings

      • Enhanced threat detection capabilities

      • Improved dashboard visualizations with better field mappings

      • Updated all dashboards to use normalized fields

      • Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.

      • Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data

      For more information, see Package mimecast/email-security Release Notes.

    • darktrace/detect has been updated to v1.3.1.

      • Fixed timestamp parsing for Antigena events to use start time instead of end time

      For more information, see Package darktrace/detect Release Notes.

    • cisco/meraki has been updated to v1.5.0.

      • Added support for JSON formatted logs with timestamps in ts and occurredAt fields

      • Added support for IDS Alert events with pass-through detections

      • Added support for File Scanned events

      • Added support for BGP, DHCP, VPN, and wireless association events

      • Updated ECS version to 9.0.0

      For more information, see Package cisco/meraki Release Notes.

    • zscaler/private-access has been updated to v1.3.2.

      • Added support for private cloud controller status logs

      • Improved log type detection for logs without sourcetype field

      • Enhanced log format detection for various ZPA log types

      For more information, see Package zscaler/private-access Release Notes.

    • okta/sso has been updated to v1.4.0.

      • Enhanced user target field handling to support multiple values

      • Added support for event hook delivery events

      • Improved event categorization with more comprehensive event type mappings

      • Added client fields including client.as.number and client.user fields

      • Added transaction.id and rule fields for better traceability

      • Added user_agent fields including device name and version

      • Updated ECS version to 9.0.0

      For more information, see Package okta/sso Release Notes.

    • darktrace/detect has been updated to v1.4.0.

      • Enhanced audit event parsing with improved categorization and field mapping

      • Added validation for source IP addresses using CIDR check

      • Updated ECS version to 9.0.0

      • Added support for syslog appname-based event classification

      • Updated parser to 2.2.0

      For more information, see Package darktrace/detect Release Notes.

    • fortinet/fortimail has been updated to v2.0.0.

      • Improved parsing of key-value pairs with empty values

      • Enhanced event categorization for all log types

      • Added support for email address extraction from complex formats

      • Fixed handling of comma-separated recipient lists

      • Added URL parsing capabilities

      • Improved outcome determination logic

      For more information, see Package fortinet/fortimail Release Notes.

    • netgate/pfsense has been updated to v1.1.1.

      • Updated ECS version from 8.11.0 to 9.0.0

      • Removed rename() function from field mappings for direct assignments

      • Removed pfsense-syslog.yaml parser file

      For more information, see Package netgate/pfsense Release Notes.

    • aws/guardduty has been updated to v1.1.3.

      • Added event.reason field mapping from Vendor.title

      • Updated parser version to 1.2.2

      For more information, see Package aws/guardduty Release Notes.

    • cloudflare/zerotrust has been updated to v1.3.0.

      • Enhanced JSON parsing with excludeEmpty and handleNull options

      • Updated event type categorization for email security logs

      • Added new test cases for improved coverage

      • Updated parser version to 2.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • aruba/clearpass has been updated to v1.2.4.

      • Added support for additional syslog header formats

      • Enhanced event categorization for various event types

      • Added extensive field extraction from Description field

      • Added support for authentication, session, and configuration events

      • Improved field normalization for client IP and MAC addresses

      For more information, see Package aruba/clearpass Release Notes.

    • microsoft/sysmon has been updated to v1.1.2.

      • Updated ECS version to 9.0.0

      • Simplified field assignments by removing unnecessary rename() functions

      • Improved code readability and maintainability

      For more information, see Package microsoft/sysmon Release Notes.

    • checkpoint/ngfw has been updated to v2.1.1.

      • Fixed CEF log parsing regex to properly handle logs without trailing newlines

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.1.1

      For more information, see Package checkpoint/ngfw Release Notes.

    • imperva/cloud-waf has been updated to v1.4.0.

      • Added regex pattern matching to filter CEF events and drop non-CEF log entries

      • Updated ECS version to 8.17.0

      • Removed rename() function calls for direct field assignment

      • Deleted cwaf-cef.yaml parser file

      For more information, see Package imperva/cloud-waf Release Notes.

    • imperva/cloud-waf has been updated to v1.5.0.

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.2.0

      • Enhanced severity handling with support for both numeric risk scores and text-based risk levels

      • Improved source IP handling with source.address field and proper CIDR validation

      • Updated array handling for event.category and event.type fields

      For more information, see Package imperva/cloud-waf Release Notes.

    • cisco/ios has been updated to v1.7.0.

      • Added support for additional log formats including ACCOUNTING events and IGMP logs

      • Enhanced access list log parsing to support both denied and permitted traffic

      • Added support for timezone-specific timestamp parsing

      • Updated to ECS version 9.0.0

      • Updated parser version to 2.6.0

      For more information, see Package cisco/ios Release Notes.

    • island/island has been updated to v1.2.1.

      • Updated field assignments to use direct assignment instead of rename() function

      • Fixed parser version to match package version

      For more information, see Package island/island Release Notes.

    • google/chrome-enterprise-security-events has been updated to v1.2.0.

      • Updated ECS version from 8.11.0 to 8.17.0

      • Removed deprecated parser Google_Chrome_Enterprise.yaml

      • Simplified field assignments by removing unnecessary rename() functions

      • Updated parser version to 2.0.1

      For more information, see Package google/chrome-enterprise-security-events Release Notes.

    • haproxy/haproxy has been updated to v1.2.1.

      • Updated field assignment syntax from rename() to direct assignment

      • Updated parser version to 1.1.2

      For more information, see Package haproxy/haproxy Release Notes.

    • cisco/ise has been updated to v1.3.2.

      • Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats

      • Added support for "purging data older than" message format

      • Added support for "completed successfully" message format with event outcome set to success

      • Added support for CISE_Alarm messages with improved parsing

      • Enhanced field extraction for alarm messages

      • Added event categorization for SGT assignment and RADIUS authentication drop alarms

      For more information, see Package cisco/ise Release Notes.

    • rubrik/security-cloud has been updated to v1.1.1.

      • Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)

      • Updated ECS version to 9.0.0

      For more information, see Package rubrik/security-cloud Release Notes.