Falcon LogScale 1.197.0 GA (2025-07-15)

Version: 1.197.0
Type: GA
Release Date: 2025-07-15
Availability: Cloud
End of Support: 2026-09-30
Security Updates: No
Upgrades From: 1.150.0
Downgrades To: 1.177.0
Config. Changes: No


Bug fixes and updates

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.

    The total number of datasources is available in the logs written by the GlobalSegmentStatsLoggerJob, in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.

  • The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.

  • The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned for removal no earlier than version 1.225.0. For more information, see RN Issue.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environments that make use of these tools should be checked and updated for the new configuration:

  • Installation and Deployment

    • The Docker image base has been changed from Alpine to Wolfi OS. Main impact:

      • Most users won't notice any difference.

      • Shell users (a shell used manually inside the container) may notice a different set of available binaries.

      • The apk package manager has been removed, as it is no longer needed in these images.

      • Users who still need apk should contact Support.

    • The ARM64 image is no longer published under a separate tag.

      Method used in previous releases:

      • The ARM64 version of LogScale was published under a special tag (for example, 1.195.0--arm64).

      New method:

      • A single-tag Docker image index covers both ARM and x86.

      • Format example for both ARM and x86 users: 1.195.0 (plain tag).

      • Users now get the appropriate architecture image automatically with the plain tag.

      Users currently using a tag such as 1.195.0--arm64 should switch to the plain tag.
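To find deployment manifests that still reference the retired architecture-suffixed tag, here is an added shell example; it is not part of the release notes or of LogScale's own tooling. The registry path example.registry.invalid/logscale and the compose snippet are constructed placeholders, and the only suffix it knows about is the --arm64 form named above.

```shell
#!/bin/sh
# Added example, not from the LogScale release notes: locate image references that
# still use the retired architecture-suffixed tag (e.g. 1.195.0--arm64) and print
# the plain multi-arch tag to switch to. The registry path and the compose content
# below are constructed placeholders.

# Return the plain tag for a possibly suffixed tag: 1.195.0--arm64 -> 1.195.0
plain_tag() {
  printf '%s\n' "$1" | sed 's/--arm64$//'
}

# Read a compose file or manifest on stdin, find every image reference whose tag
# carries the --arm64 suffix, and print "old-reference -> new-reference" per line.
find_suffixed_tags() {
  grep -o '[A-Za-z0-9_./-]*:[0-9][0-9.]*--arm64' | sort -u | while read -r ref; do
    repo="${ref%:*}"    # everything before the last colon (registry/repo)
    tag="${ref##*:}"    # the tag itself
    printf '%s -> %s:%s\n' "$ref" "$repo" "$(plain_tag "$tag")"
  done
}

# Constructed sample compose file: one service still on the old suffixed tag,
# one already on the plain tag (which must not be reported).
SAMPLE_COMPOSE='services:
  logscale-arm:
    image: example.registry.invalid/logscale:1.195.0--arm64
  logscale-x86:
    image: example.registry.invalid/logscale:1.197.0
'

# Usage: feed the sample, or a real file with: find_suffixed_tags < docker-compose.yml
printf '%s' "$SAMPLE_COMPOSE" | find_suffixed_tags
```

Only the suffixed reference is reported; a service already on the plain tag produces no output, so an empty result means nothing needs to change.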

  • Queries

    • Aggregate streaming queries are now terminated if the originating HTTP request is closed.

New features and improvements

  • User Interface

    • Added new functionality to the Parsers page for importing test cases from log files (limited to 30):

      • A new Import tests button has been added with two import modes: Append mode to add new test cases to existing ones, and Overwrite mode to replace existing test cases with newly imported ones.

      • The Delete test button in the header has been replaced by a trash can button next to each test case that appears when hovering over or clicking on the test case.

      For more information, see Import Test Cases.

  • GraphQL API

  • Functions

    • The correlate() function now supports using saved queries in subqueries.

Fixed in this release

  • Storage

    • In some cases a digester node would not get partitions assigned while coming back online after a planned restart. This issue has now been fixed.

  • Queries

    • Fixed an issue where queries using personal user tokens weren't audit logged with the correct actor type.

    • Fixed an issue where streaming queries would sometimes fail to start and would terminate abruptly if planning the query was slow. In such cases a lock could also be leaked, which would prevent future streaming queries for that view from starting.

  • Functions

    • The correlate() function would fail to find - or find incorrect - constellations of events when link operators referenced modified fields. The link operator would always look for the field on the original, unmodified event, thereby missing any events added in the query.

      For example, this query:

      correlate(
        A: { static_email := "foo@bar.com" },
        B: { email <=> A.static_email }
      )

      would previously fail to find events that satisfy the constraints because the field static_email was not present on the original event. The issue has been fixed so that such a query now correctly finds the events.

Improvement

  • User Interface

    • When running a correlate() query, a named events tab will now appear for each sub-query of the correlate function, instead of a single events tab for the entire query.

  • API

    • Added queryId field to audit logs when starting queries. For queries started via queryjobs, this contains the ID of the job that is returned to the client. For streaming queries, the ID is the internal query ID that is returned in the header of the response.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • checkpoint/ngfw has been updated to v2.1.2.

      • Regex fix to stop backtracking errors for logs that use "=" as the key-value separator

      • Added event.kind field with default value "event"

      • Removed redundant case statement for event.kind assignment

      • Updated parser version to 3.1.2

      For more information, see Package checkpoint/ngfw Release Notes.

    • f5networks/bigip has been updated to v2.4.0.

      • Added support for F5 ASM Bot Defense logs

      • Fixed array handling for host.ip and observer.ip fields

      • Improved event severity mapping based on Vendor.severity field

      • Fixed source.ip extraction in APM invalid host header detection

      • Enhanced event type categorization for APM non-existent session events

      • Added lowercase normalization for network.transport field

      For more information, see Package f5networks/bigip Release Notes.

    • nozomi/ids has been updated to v1.3.1.

      • Updated ECS version to 9.0.0

      • Improved field extraction for MITRE ATT&CK tactics and techniques

      • Fixed parser version to 3.0.1

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.2.0.

      • Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events

      • Enhanced event categorization for various product types

      • Fixed network direction handling to improve log classification

      • Added test cases for new log formats

      • Updated parser version to 3.2.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • microsoft/dhcp-client has been updated to v1.1.1.

      • Updated ECS version to 9.0.0

      • Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id

      For more information, see Package microsoft/dhcp-client Release Notes.

    • cisco/meraki has been updated to v1.5.1.

      • Fixed regex patterns to handle multiline syslog messages

      • Fixed event severity handling for unknown values

      For more information, see Package cisco/meraki Release Notes.

    • cisco/meraki has been updated to v1.5.0.

      • Added support for JSON formatted logs with timestamps in ts and occurredAt fields

      • Added support for IDS Alert events with pass-through detections

      • Added support for File Scanned events

      • Added support for BGP, DHCP, VPN, and wireless association events

      • Updated ECS version to 9.0.0

      For more information, see Package cisco/meraki Release Notes.

    • okta/sso has been updated to v1.4.0.

      • Enhanced user target field handling to support multiple values

      • Added support for event hook delivery events

      • Improved event categorization with more comprehensive event type mappings

      • Added client fields including client.as.number and client.user fields

      • Added transaction.id and rule fields for better traceability

      • Added user_agent fields including device name and version

      • Updated ECS version to 9.0.0

      For more information, see Package okta/sso Release Notes.

    • darktrace/detect has been updated to v1.4.0.

      • Enhanced audit event parsing with improved categorization and field mapping

      • Added validation for source IP addresses using CIDR check

      • Updated ECS version to 9.0.0

      • Added support for syslog appname-based event classification

      • Updated parser to 2.2.0

      For more information, see Package darktrace/detect Release Notes.

    • cisco/ise has been updated to v1.3.3.

      • Enhanced parsing for CISE_Alarm messages with improved message extraction

      • Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics

      For more information, see Package cisco/ise Release Notes.

    • netgate/pfsense has been updated to v1.1.1.

      • Updated ECS version from 8.11.0 to 9.0.0

      • Removed rename() function from field mappings for direct assignments

      • Removed pfsense-syslog.yaml parser file

      For more information, see Package netgate/pfsense Release Notes.

    • cloudflare/zerotrust has been updated to v1.3.0.

      • Enhanced JSON parsing with excludeEmpty and handleNull options

      • Updated event type categorization for email security logs

      • Added new test cases for improved coverage

      • Updated parser version to 2.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • microsoft/sysmon has been updated to v1.1.2.

      • Updated ECS version to 9.0.0

      • Simplified field assignments by removing unnecessary rename() functions

      • Improved code readability and maintainability

      For more information, see Package microsoft/sysmon Release Notes.

    • checkpoint/ngfw has been updated to v2.1.1.

      • Fixed CEF log parsing regex to properly handle logs without trailing newlines

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.1.1

      For more information, see Package checkpoint/ngfw Release Notes.

    • aws/cloudtrail has been updated to v2.0.1.

      • Updated parser to handle EventBridge events by removing "detail" prefix

      • Fixed JSON parsing to properly handle nested fields

      For more information, see Package aws/cloudtrail Release Notes.

    • imperva/cloud-waf has been updated to v1.5.0.

      • Updated ECS version to 9.0.0

      • Updated parser version to 3.2.0

      • Enhanced severity handling with support for both numeric risk scores and text-based risk levels

      • Improved source IP handling with source.address field and proper CIDR validation

      • Updated array handling for event.category and event.type fields

      For more information, see Package imperva/cloud-waf Release Notes.

    • cisco/ios has been updated to v1.7.0.

      • Added support for additional log formats including ACCOUNTING events and IGMP logs

      • Enhanced access list log parsing to support both denied and permitted traffic

      • Added support for timezone-specific timestamp parsing

      • Updated to ECS version 9.0.0

      • Updated parser version to 2.6.0

      For more information, see Package cisco/ios Release Notes.

    • aws/guardduty has been updated to v1.2.0.

      • Improved source and destination port handling for network connections

      • Added support for port probe events with proper destination address mapping

      • Enhanced event categorization with network and connection type detection

      • Added event type classification (allowed/denied) based on blocked field

      • Added authentication category for RDS login attempts

      • Added API category for API call events

      • Updated ECS version to 9.0.0

      For more information, see Package aws/guardduty Release Notes.

    • rubrik/security-cloud has been updated to v1.1.1.

      • Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)

      • Updated ECS version to 9.0.0

      For more information, see Package rubrik/security-cloud Release Notes.