Falcon LogScale 1.201.2 LTS (2025-10-01)
| Version | Type | Release Date | Availability | End of Support | Security Updates | Upgrades From | Downgrades To | Config. Changes |
|---|---|---|---|---|---|---|---|---|
| 1.201.2 | LTS | 2025-10-01 | Cloud, On-Prem | 2026-09-30 | No | 1.150.0 | 1.177.0 | No |
Download
Use docker pull humio/humio-core:1.201.2 to download the latest version
These notes include entries from the following previous release: 1.201.1
Bug fixes and updates.
Removed
Items that have been removed as of this release.
Storage
Removed the ingest request backpressure mechanism introduced in 1.115. This mechanism throttled ingest requests on nodes running digest work while experiencing event latency. The implementation prevented clusters from properly using Kafka as a buffer for event backlogs. Additionally, it hid the existence of backlogs from administrators by delaying events on shippers rather than in Kafka where they are visible to LogScale.
Administrators are advised to either:
Size nodes to handle temporary ingest rate spikes without falling behind on digest.
Run separate ingest and digest nodes to prevent ingest spikes from consuming capacity needed for digest work.
This change also removes the following dynamic configurations:
Configuration
Removed the following deprecated environment variables:
WINDOW_ENABLED
Deprecation
Items that have been deprecated and may be removed in a future release.
The datasource-count metric has been deprecated and will be removed in version 1.201 of LogScale.
The information about the total number of datasources is available via the logs written by the GlobalSegmentStatsLoggerJob in the datasources field. When a new datasource is created or marked as deleted, the total number of datasources is logged in the datasourceCount field.
The lastScheduledSearch field from the ScheduledSearch datatype is now deprecated and planned for removal in LogScale version 1.202. The new lastExecuted and lastTriggered fields have been added to the ScheduledSearch datatype to replace lastScheduledSearch.
The EXTRA_KAFKA_CONFIGS_FILE configuration variable has been deprecated and is planned to be removed no earlier than version 1.225.0. For more information, see RN Issue.
rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.
Behavior Changes
Scripts or environments that make use of these tools should be checked and updated for the new configuration:
Installation and Deployment
When using KAFKA_MANAGED_BY_HUMIO=true, LogScale will now crash on boot if it fails to determine whether its topics exist in Kafka via Kafka's admin API. Previously, LogScale would assume the topics didn't exist and attempt to create them, resulting in confusing error messages if the topics actually existed.
The Docker image base has been changed from Alpine to Wolfi OS. Main impact:
Most users won't notice any difference.
Shell users (shell used manually inside the container) may notice different available binaries.
The apk package manager has been removed, as it is no longer needed in these images.
Users still needing apk should contact Support.
Method used in previous releases:
ARM64 version of LogScale as a special tag (for example, 1.195.0--arm64).
New method:
Single-tag Docker image index covering both ARM and x86.
Format example for both ARM and x86 users: 1.195.0 (plain tag). Users now get the appropriate architecture image automatically with the plain tag.
Users currently using, for example, the 1.195.0--arm64 tag should switch to the plain tag.
Storage
The AWS Netty client is now disabled as the default HTTP client for S3 bucket operations; LogScale reverts to the existing PekkoHttpClient by setting the default value of S3_NETTY_CLIENT to false. This change addresses performance issues identified when downloading significant amounts of data from the S3 bucket for queries.
GraphQL API
Setting the MaxRelocatedDatasourcesInGlobal field of the DynamicConfig datatype to 0 or a negative value now sets the limit to 0 instead of resetting to the default value. Users wishing to return to the default value should use the API to unset the configuration.
Configuration
The MAX_DATASOURCES environment variable no longer controls the maximum number of datasources in system repositories. System repositories now have a default maximum of 50,000 datasources.
Ingestion
The fields @id and @ingesttimestamp can no longer be set by ingesting them. These fields are set internally by LogScale and LogScale depends upon them not being overwritten. If events are ingested with these fields, the field values are now ignored and a warning is added to the event.
Before this change, setting the @id field did not work: LogScale would just overwrite this field. Setting the @ingesttimestamp field worked partially; depending on your query, you could see the field value or the actual ingest time of the event.
The LogScale Repository action will no longer retain the value of the fields @id, @ingesttimestamp, @input_size, @event_parsed, @error, @error_msg and @error_msg[i] for any index i, as these are special fields in LogScale and will be set automatically on the newly ingested events. Instead, the value of these fields from the events sent to the action will be stored in fields named @id.original, @ingesttimestamp.original, @input_size.original, @event_parsed.original, @error.original, @error_msg.original and @error_msg.original[i].
If you need to restore the previous functionality, that is possible for most of the fields by updating the parser you use to revert these changes. Note, however, that you cannot do this for the @id and @ingesttimestamp fields, as LogScale now ignores those fields on ingested events.
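The following Python is an added illustration of the field handling described above; it is not LogScale code. It models the documented renaming performed by the Repository action (including the indexed @error_msg[i] case) and a parser that tries to undo it, showing that @id and @ingesttimestamp cannot be restored because ingest now ignores them. The event values are constructed sample data.

```python
import re

# Fields LogScale assigns itself; the Repository action now moves incoming
# values of these to "<name>.original" instead of passing them through.
RESERVED_FIELDS = {"@id", "@ingesttimestamp", "@input_size", "@event_parsed", "@error", "@error_msg"}
# Of those, the two that ingest now ignores outright, so a parser cannot restore them.
IGNORED_ON_INGEST = {"@id", "@ingesttimestamp"}
# @error_msg[i] for any index i becomes @error_msg.original[i].
INDEXED_FIELD = re.compile(r"^(@error_msg)\[(\d+)\]$")


def rename_reserved_fields(event):
    """Model of the documented renaming applied by the LogScale Repository action."""
    renamed = {}
    for name, value in event.items():
        indexed = INDEXED_FIELD.match(name)
        if indexed:
            renamed[f"{indexed.group(1)}.original[{indexed.group(2)}]"] = value
        elif name in RESERVED_FIELDS:
            renamed[f"{name}.original"] = value
        else:
            renamed[name] = value
    return renamed


def restore_in_parser(event):
    """Model of a parser that tries to undo the renaming (the documented workaround).

    Every ".original" field is copied back to its plain name, except @id and
    @ingesttimestamp, which are reported instead because ingest ignores them.
    Returns (restored_event, warnings).
    """
    restored = dict(event)
    warnings = []
    for name, value in event.items():
        base, marker, suffix = name.partition(".original")
        if not marker:
            continue  # an ordinary field, nothing to restore
        target = base + suffix  # suffix carries "[i]" for indexed fields
        if base in IGNORED_ON_INGEST:
            warnings.append(f"{target} cannot be set by a parser; LogScale assigns it")
            continue
        restored[target] = value
    return restored, warnings


def demo():
    """Run both steps over a constructed event (sample values, not real data)."""
    incoming = {
        "@id": "abc123",
        "@ingesttimestamp": "2025-10-01T09:00:00Z",
        "@input_size": 120,
        "@error_msg[0]": "unexpected token",
        "message": "login failed for user alice",
    }
    renamed = rename_reserved_fields(incoming)
    restored, warnings = restore_in_parser(renamed)
    return renamed, restored, warnings


if __name__ == "__main__":
    renamed, restored, warnings = demo()
    print(renamed)
    print(restored)
    print("\n".join(warnings))
```

Queries or dashboards that keyed on the forwarded @input_size or @error fields should be pointed at the .original names, or the receiving parser should copy them back as restore_in_parser does.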
Ingest-only nodes (ingestonly node role) will no longer be selected as table coordinators.
Queries
Aggregate streaming queries are now terminated if the originating HTTP request is closed.
Packages
Custom packages now require a more strict folder structure to ensure consistency and reliability:
The manifest.yaml file can be located anywhere in the project, and its location defines the package root.
All asset folders (such as parsers, alerts, and actions) must be directly located in the project root.
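As an added example (not part of the release notes or the LogScale project), the following Python checks a package directory against the two rules above: one manifest.yaml whose directory is the package root, and asset folders directly under that root. The asset folder names are the three the note lists; that the product recognises exactly these is an assumption, so the set is a parameter. Requiring exactly one manifest.yaml is also this example's assumption.

```python
import os
from pathlib import PurePosixPath

# Asset folders the release note names explicitly. Assumption: the product may
# recognise more folder names; pass your own set to validate_layout if needed.
ASSET_FOLDERS = frozenset({"parsers", "alerts", "actions"})


def validate_layout(paths, asset_folders=ASSET_FOLDERS):
    """Check package-relative file paths against the documented layout rule.

    Rule 1: exactly one manifest.yaml, whose directory is the package root.
    Rule 2: every asset folder sits directly under that root.
    Returns a list of problem descriptions; an empty list means the layout passes.
    """
    problems = []
    split = [PurePosixPath(p).parts for p in paths]
    manifests = [p for p in split if p[-1] == "manifest.yaml"]
    if len(manifests) != 1:
        problems.append(f"expected exactly one manifest.yaml, found {len(manifests)}")
        return problems
    root = manifests[0][:-1]
    root_label = "/".join(root) or "."
    for parts in split:
        folders = parts[:-1]
        if folders[: len(root)] != root:
            # Outside the root: only a problem if it looks like an asset folder.
            if any(f in asset_folders for f in folders):
                problems.append(f"{'/'.join(parts)}: asset folder outside package root {root_label}")
            continue
        relative_folders = folders[len(root):]
        for depth, folder in enumerate(relative_folders):
            if folder in asset_folders and depth != 0:
                problems.append(
                    f"{'/'.join(parts)}: asset folder '{folder}' must sit directly in package root {root_label}"
                )
    return problems


def scan_directory(package_dir, asset_folders=ASSET_FOLDERS):
    """Collect every file under package_dir and validate the layout."""
    collected = []
    for dirpath, _dirs, files in os.walk(package_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), package_dir)
            collected.append(rel.replace(os.sep, "/"))
    return validate_layout(collected, asset_folders)


if __name__ == "__main__":
    import sys

    for problem in scan_directory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(problem)
```

Run it as `python check_layout.py path/to/package` before uploading; a clean run prints nothing. Validating in CI catches a nested `assets/parsers/` tree, which the stricter structure now rejects, before it reaches the cluster.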
New features and improvements
Installation and Deployment
Added the environment variable HUMIO_OPTS_FS, which can be set to override the field separator used when word-splitting HUMIO_OPTS in the launcher script. This is useful when the options contain characters in $IFS (such as spaces), which would otherwise be split incorrectly. For more information, see LogScale Launcher Script.
Administration and Management
Added an election system to address hardware failures. A node can be elected using the REST endpoint /api/v1/internal/hardware-failure, marking a node as being elected with a hardware failure for 60 minutes. There are three reasons a node can be elected as bad:
Slow query: Query coordinators have seen the same node operating up to 100 times slower at query execution than others.
Poll connection timeout: Polls have timed out across all nodes in the cluster when trying to query a node.
Hardware failure: When hardware has underlying issues such as disk corruption, a node can be elected through the /api/v1/internal/hardware-failure endpoint, and eventually automatically evicted.
All votes can be tracked through the log line Casting vote because a host is in a bad state. All elections can be tracked through the log line These nodes were deemed bad by the rest of the cluster.
User Interface
Added new functionality to the Parsers page for importing test cases from log files (limited to 30). A new button has been added with two import modes: Append mode to add new test cases to existing ones, and Overwrite mode to replace existing test cases with newly imported ones. The button in the header has been replaced by a trash can button next to each test case that appears when hovering over or clicking on the test case.
For more information, see Import Test Cases.
Added a Spanish locale to the platform, so a cluster can now be initialized with Spanish translations.
The following repository/view pages in the LogScale web interface now manage assets in a table layout format:
Dashboards — new page layout for listing repository dashboards under the top bar menu item.
Parsers — new page layout for listing repository parsers under the top bar menu item.
Actions — new page layout for listing repository actions under the top bar menu item.
Resources — this is a new web interface page containing the following assets:
Files (replaces the former top bar menu item; sorting capability not yet available at this time).
Interactions — interactions have been moved from the repository menu to this Resources page, with new columns for created/modified metadata (sorting capability not yet available at this time).
Saved Searches — a new page for managing saved searches with the table format layout.
These pages can now support scalable management of large asset volumes with improved search, filter and sort capabilities, making it easier to find the assets you're looking for.
Redesigned the experience of managing saved queries on the Search page, by introducing new web interface items:
tab — allows recalling recent queries in an updated page.
tab — opens a panel for saved searches with information like descriptions, labels, and last modified.
tab — displays saved queries that users marked as favorites.
Action buttons for saved and favorite searches, notably the button.
Updated dialog where you can now add/edit description of the saved search as well as labels.
For more information, see Save Searches.
GraphQL API
Added three endpoints to enable transfer of segments and uploaded files to an organization's current bucket:
addOrganizationForBucketTransfer tells LogScale to start moving segments and uploaded files under the organization.
removeOrganizationForBucketTransfer tells LogScale to stop an ongoing transfer.
getStatusOrganizationForBucketTransfer asks whether a transfer is ongoing for this organization. Returns true if the transfer is ongoing, false otherwise.
API
Added a new field to the query API namedFilterQueries. This will contain queries which can be executed to see the events that each subquery in a correlate() function matches on. This field can be used to debug correlate queries.
Added new GraphQL API capabilities for searching across different types of LogScale assets:
Extended entitiesSearch query endpoint to support sorting and filtering on specific asset properties. Use entitiesPage to navigate the results.
Specify argument(s) for paths to search in to narrow down search result to e.g. a specific view.
New entitiesLabels query endpoint to get all labels across asset types.
Specify argument(s) for paths to search in to narrow down search result to e.g. a specific view.
New entitiesPackages query endpoint to get all package details across asset types.
Added new fields to various asset types including createdInfo , modifiedInfo , and labels .
Configuration
Added the configuration variable AZURE_STORAGE_RESPONSE_TIMEOUT_SECONDS, which configures the response timeout for Azure Bucket Storage operations to prevent and reduce response timeouts depending on the connection. For more information, see AZURE_STORAGE_RESPONSE_TIMEOUT_SECONDS.
Log Collector
The Fleet overview page now displays the following new sections:
Summary dashboards
Widgets for status (Error/Okay)
Collector counts by OS and top versions - including whether any collectors should be updated.
Ingest volume for the last 24h
Functions
The correlate() function now supports using saved queries in subqueries.
Added text:startsWith(), which can be used to test whether a field or string constant starts with a specific prefix.
Added text:endsWith(), which can be used to test whether a field or string constant ends with a specific suffix.
The new percentage() query function is now available. It allows you to calculate the percentage of events that match a subquery. For more information, see percentage().
Fixed in this release
Security
Creating a repository token with the Change archiving settings permission will no longer result in an error. Additionally, giving the Change S3 archiving settings permission now gives the actual permission instead of the Change archiving settings permission.
Automation and Triggers
The Scheduling configuration for scheduled searches no longer flips to when a cron expression for specific months is specified.
Storage
In some cases a digester node would not get partitions assigned while coming back online after a planned restart. This issue has now been fixed.
Indicators of Compromise (IoC) with more than 127 labels could not be stored. This issue has now been fixed.
Startup failed if a host contained a deprecated storage task in the global database. This issue has now been fixed.
Corrected an issue where datasources migrating to new Kafka partitions during rebalancing carried over offsets from their original partitions, preventing LogScale from determining where to start digest.
Migrated datasources now start with an offset of -1 and are marked as idle upon creation. This allows LogScale to skip these datasources when determining where to start digest, and will continue to ignore them until receiving a message.
Configuration
The automatic tag grouping threshold now calculates correctly.
Previously, LogScale incorrectly calculated MAX_DISTINCT_TAG_VALUES as the maximum of AUTOSHARDING_MAX and the configured MAX_DISTINCT_TAG_VALUES value. When AUTOSHARDING_MAX increased to 131,072 for backwards compatibility, automatic tag grouping stopped triggering at its intended threshold. To solve this, MAX_DISTINCT_TAG_VALUES now uses only its configured value (default: 1,000). This value operates independently from the deprecated AUTOSHARDING_MAX setting.
Ingestion
The data-ingester-parser-errors metric was under-reporting, showing fewer parser errors than were actually occurring (the data-ingester-errors metric reported errors correctly). This has been fixed.
Dashboards and Widgets
Fixed an issue with the Look Up Events interaction in the Table widget, which would in certain scenarios result in an invalid query.
Queries
In rare cases the query state cache files on disk were not cleaned up properly. This has been fixed, along with improved error handling and logging.
Fixed an issue where queries using personal user tokens weren't audit logged with the correct actor type.
Fixed an issue where streaming queries would sometimes fail to start and would terminate abruptly if planning the query was slow. In such cases a lock could also be leaked, which would prevent future streaming queries for that view from starting.
Fixed an issue where slow queries were unable to search bucketed and replaced non-mini segments, because they were deleted from the bucket earlier than intended.
Functions
Fixed an issue where reuse of queries would not detect changes to saved queries used inside the defineTable() query function.
The correlate() function would fail to find, or would find incorrect, constellations of events when link operators referenced modified fields. The link operator would always look for the field on the original, unmodified event, thereby missing any events added in the query. For example, this query:
```logscale
correlate( A: { static_email := "foo@bar.com" }, B: { email<=>A.static_email } )
```
would previously fail to find events that satisfy the constraints because the field static_email was not present on the original event. The issue has been fixed so that such a query now correctly finds the events.
The correlate() function has been fixed: conditional statements (such as case/if) with field assignments incorrectly included fields from all branches in the output, rather than only fields from the executed branch.
The correlate() function has been fixed: case statements within the query caused incorrect filter query generation for event tabs. Previously, filter queries extracted all conditions from different case branches, causing event tabs to appear empty even when correlate() found valid constellations. This fix ensures that filter query generation correctly preserves the case statement structure in event tab filters.
Other
Fixed an LDAP authentication bug.
Known Issues
Storage
For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link". This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.
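Because this issue silently leaves segments under-replicated, an operator wants two checks: whether a node's primary disk has entered the fill band in which the failure occurs, and whether the documented exception is appearing in its logs. The following Python is an added example, not LogScale code. The threshold values (80 and 90) and the log lines are constructed for the demonstration and are not the product defaults or LogScale's log format; the note places the failure around the midpoint of the band, and flagging the whole band between the two settings is this example's conservative reading.

```python
import re
import shutil

# Documented failure signature for the known issue (text from the release note).
CROSS_DEVICE_SIGNATURE = re.compile(
    r"java\.nio\.file\.AtomicMoveNotSupportedException.*Invalid cross-device link"
)

# Constructed sample log lines; the layout is illustrative, not LogScale's own.
SAMPLE_LOG_LINES = [
    "2025-10-01T09:00:00Z WARN node-3 segment transfer failed: "
    "java.nio.file.AtomicMoveNotSupportedException: /data/primary/seg-42 -> "
    "/data/secondary/seg-42: Invalid cross-device link",
    "2025-10-01T09:00:01Z INFO node-3 segment transfer complete: seg-43",
    "2025-10-01T09:00:02Z INFO node-2 replication target healthy",
]


def fill_percent(used_bytes, total_bytes):
    """Percentage of the primary disk currently in use."""
    return 100.0 * used_bytes / total_bytes


def in_transfer_risk_band(used_bytes, total_bytes, primary_pct, max_fill_pct):
    """True when usage lies between PRIMARY_STORAGE_PERCENTAGE and
    PRIMARY_STORAGE_MAX_FILL_PERCENTAGE, the band the release note associates
    with failed segment transfers. Flagging the whole band rather than only
    its midpoint is this example's assumption.
    """
    pct = fill_percent(used_bytes, total_bytes)
    return primary_pct <= pct < max_fill_pct


def find_cross_device_failures(log_lines):
    """Return the lines carrying the documented exception and message."""
    return [line for line in log_lines if CROSS_DEVICE_SIGNATURE.search(line)]


def check_mount(path, primary_pct, max_fill_pct):
    """Live variant for a real mount point, using the node's actual disk usage."""
    usage = shutil.disk_usage(path)
    return in_transfer_risk_band(usage.used, usage.total, primary_pct, max_fill_pct)


if __name__ == "__main__":
    # Constructed threshold values; substitute the cluster's configured
    # PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE.
    print("85% used, at risk:", in_transfer_risk_band(85, 100, 80, 90))
    print("70% used, at risk:", in_transfer_risk_band(70, 100, 80, 90))
    for line in find_cross_device_failures(SAMPLE_LOG_LINES):
        print("known-issue signature:", line)
```

Pairing the disk check with the log signature matters: the disk check predicts the condition before any transfer fails, while the signature confirms that replication is actually being held back on that node.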
Improvement
User Interface
When running a correlate() query, a named events tab will now appear for each sub-query of the correlate function, instead of a single events tab for the entire query.
Storage
Optimized encryption during bucket uploads by reducing the amount of copying.
LogScale now validates segment file copies when creating them in secondary storage. This will help prevent file corruption during this type of transfer.
GraphQL API
Added support for partial time intervals for GraphQL endpoint analyzeQuery(). Default time interval values are now aligned with the query jobs API.
API
Added queryId field to audit logs when starting queries. For queries started via queryjobs, this contains the ID of the job that is returned to the client. For streaming queries, the ID is the internal query ID that is returned in the header of the response.
Queries
LogScale request logs no longer contain internal query poll or delete requests on the queryjobs endpoint, unless those requests either fail or take more than 5 seconds.
To increase visibility into query worker and coordinator communication, the new metric internal-queryjobs-timing has been added, which tracks the response times for polls on the queryjobs endpoint.
LogScale now allows distribution of large query state caches of arbitrary size to followers.
Functions
The Language Server Protocol (LSP) now provides enhanced code completion for the correlate() function. The LSP now includes contextual suggestions for subquery snippets as well as relevant attribute suggestions based on the query context.
Recent Package Updates
The following LogScale packages have been updated within the last month.
Package Changes
cisco/meraki has been updated to v1.5.2.
Enhanced authentication event parsing with improved regex pattern for authentication messages
Added support for AnyConnect VPN connection success and failure events with detailed field extraction
Added authentication event categorization with proper event types
For more information, see Package cisco/meraki Release Notes.
checkpoint/ngfw has been updated to v2.1.2.
Regex fix to stop backtracking errors for logs that use "=" as the key-value separator
Added event.kind field with default value "event"
Removed redundant case statement for event.kind assignment
Updated parser version to 3.1.2
For more information, see Package checkpoint/ngfw Release Notes.
cisco/ios has been updated to v1.6.1.
Added support for VTY access logs with new pattern matching
For more information, see Package cisco/ios Release Notes.
okta/sso has been updated to v1.4.1.
Fixed user agent field mapping from user_agent.device.name to user_agent.os.name
Updated CPS version to 1.1.0
For more information, see Package okta/sso Release Notes.
f5networks/bigip has been updated to v2.4.0.
Added support for F5 ASM Bot Defense logs
Fixed array handling for host.ip and observer.ip fields
Improved event severity mapping based on Vendor.severity field
Fixed source.ip extraction in APM invalid host header detection
Enhanced event type categorization for APM non-existent session events
Added lowercase normalization for network.transport field
For more information, see Package f5networks/bigip Release Notes.
nozomi/ids has been updated to v1.3.1.
Updated ECS version to 9.0.0
Improved field extraction for Mitre attack tactics and techniques
Fixed parser version to 3.0.1
For more information, see Package nozomi/ids Release Notes.
checkpoint/ngfw has been updated to v2.2.0.
Added support for additional log types including VPN-1 & FireWall-1, Application Control URL Filtering, and Log Update events
Enhanced event categorization for various product types
Fixed network direction handling to improve log classification
Added test cases for new log formats
Updated parser version to 3.2.0
For more information, see Package checkpoint/ngfw Release Notes.
darktrace/detect has been updated to v2.0.0.
Added support for CEF-formatted DCIP logs with new event.dataset "darktrace.dcip"
Enhanced MITRE ATT&CK technique and tactic mapping using objectArray functions
Improved field mappings for threat intelligence data
Updated parser to 3.0.0
For more information, see Package darktrace/detect Release Notes.
zscaler/internet-access has been updated to v1.5.1.
Enhanced user email field handling to only set user.email when a valid email format is detected
Improved MD5 hash field processing for file.hash.md5
Fixed conditional logic for user field extraction across all dataset types
Updated parser version to 2.5.1
For more information, see Package zscaler/internet-access Release Notes.
darktrace/detect has been updated to v1.5.0.
Added support for email events
Updated parser to 2.3.0
For more information, see Package darktrace/detect Release Notes.
cisco/ios has been updated to v1.7.1.
Added support for additional timezone formats including BST, CEST, GMT, IST, JST, SAST, WAT, and WIB
For more information, see Package cisco/ios Release Notes.
tausight/ephi-risk-posture has been updated to v1.2.1.
Updated ECS version from 8.17.0 to 9.0.0
Updated CPS version from 1.0.0 to 1.1.0
Replaced rename() function calls with direct field assignments for improved performance
Fixed email.from.address field mapping to use array:append instead of direct array assignment
Added metadata-source.yaml file for package metadata
For more information, see Package tausight/ephi-risk-posture Release Notes.
cloudflare/zerotrust has been updated to v1.4.0.
Added severity mapping based on risk score
Added event.kind = alert for zone-scoped-http-requests when severity is present
Added event.action mapping from Vendor.SecurityAction
Added array deduplication for event.category[] and event.type[]
Updated email field normalization to convert all email addresses to lowercase
Enhanced DNS event action mapping to use coalesce function for better field resolution
Updated parser version to 2.3.0 and CPS version to 1.1.0
For more information, see Package cloudflare/zerotrust Release Notes.
okta/sso has been updated to v1.4.2.
Enhanced timestamp parsing to handle events without published timestamp field
Improved target array parsing with better regex matching for JSON structure
Fixed handling of error message events that lack timestamp information
Updated parser version to 2.4.2
For more information, see Package okta/sso Release Notes.
microsoft/dhcp-client has been updated to v1.1.1.
Updated ECS version to 9.0.0
Changed field mapping approach from rename() to direct assignment for event.id, process.pid, and user.id
For more information, see Package microsoft/dhcp-client Release Notes.
cloudflare/zerotrust has been updated to v1.5.0.
Enhanced bulk log processing with improved batched event handling
Added SHA256 hash generation for batched events to track event relationships
Improved JSON parsing structure for better event separation
Updated parser version to 2.4.0
For more information, see Package cloudflare/zerotrust Release Notes.
okta/sso has been updated to v1.4.4.
Enhanced actor type handling with conditional logic for IP addresses and Event Hooks
Fixed client.user.full_name field mapping to handle different actor types appropriately
For more information, see Package okta/sso Release Notes.
aruba/clearpass has been updated to v1.3.0.
Enhanced System category event handling with improved regex patterns for cleanup operations
Improved data integrity by using temporary field for rawstring processing
Updated parser version to 2.1.0 and CPS version to 1.1.0
For more information, see Package aruba/clearpass Release Notes.
cisco/firepower has been updated to v1.7.1.
Updated CPS version to 1.1.0
Enhanced regex patterns for improved log parsing accuracy
Added support for user domain and username extraction in connection events
Improved multi-event code parsing for SSL VPN events (725001-9, 12, 13, 16, 21, 22)
Added event.outcome field for configuration and connection info events
Enhanced parsing for Group/User/IP patterns in VPN connection logs
Moved syslog severity code mapping to end of parser for better performance
For more information, see Package cisco/firepower Release Notes.
cloudflare/zerotrust has been updated to v1.2.3.
Fixed handling of PROXY_CONN_REFUSED connection close reason
Improved bulk log processing by removing trailing newline characters
Updated parser version to 2.1.3
For more information, see Package cloudflare/zerotrust Release Notes.
f5networks/bigip has been updated to v2.3.2.
Fixed field mapping to use direct assignment instead of rename function for better performance
For more information, see Package f5networks/bigip Release Notes.
fortinet/fortigate has been updated to v1.3.5.
Updated CPS version to 1.1.0
Updated parser version to 2.1.4
Removed drop statements for fields (Vendor.time, Vendor.eventtime, Vendor.date, Vendor.tz, Vendor.ts, Vendor.srcmac, Vendor.source_mac, Vendor.dir, Vendor.direction, Vendor.service)
For more information, see Package fortinet/fortigate Release Notes.
fortinet/fortigate has been updated to v1.3.4.
Updated ECS version to 9.0.0
Added message and rule.name fields for alert events
Fixed field mappings for UTM alert events
For more information, see Package fortinet/fortigate Release Notes.
cisco/meraki has been updated to v1.5.1.
Fixed regex patterns to handle multiline syslog messages
Fixed event severity handling for unknown values
For more information, see Package cisco/meraki Release Notes.
mimecast/email-security has been updated to v1.0.0.
Upgraded parser to align with CPS standards
Normalized email fields to ECS format
Added MITRE ATT&CK technique mappings
Enhanced threat detection capabilities
Improved dashboard visualizations with better field mappings
Updated all dashboards to use normalized fields
Renamed parser from mimecast-json to mimecast-emailsecurity. ***This is a breaking change***. Use the #type field with the new parser name in queries as #type="mimecast-emailsecurity". All fields in events will now be available with the Vendor prefix. Fields should be referenced as Vendor.<fieldname> in queries.
Added new *Awareness Training* dashboard to support following log types: awareness-training-performance-details, awareness-training-watchlist-details and awareness-training-user-data
For more information, see Package mimecast/email-security Release Notes.
zscaler/internet-access has been updated to v1.5.0.
Added support for multi-event processing with event.original.hash.sha256 field for bulk events
Updated parser to preserve event.original field for the first event in multi-event logs
Enhanced event processing logic to handle concatenated JSON events more efficiently
Updated parser version to 2.5.0
For more information, see Package zscaler/internet-access Release Notes.
cisco/meraki has been updated to v1.5.0.
Added support for JSON formatted logs with timestamps in ts and occurredAt fields
Added support for IDS Alert events with pass-through detections
Added support for File Scanned events
Added support for BGP, DHCP, VPN, and wireless association events
Updated ECS version to 9.0.0
For more information, see Package cisco/meraki Release Notes.
aws/cloudtrail has been updated to v2.0.2.
Added support for IdentityCenterUser identity type
Improved handling of identity center user identities
For more information, see Package aws/cloudtrail Release Notes.
radware/alteon has been updated to v1.2.1.
Parser renaming and deprecation notice
Updated ECS version to 9.0.0
Removed deprecated alteon-syslog parser
Fixed field assignment operations to use direct assignment instead of rename operations
Updated parser version to 1.1.1
### Version 1.2.0
The old parser alteon-syslog is deprecated, and replaced by the new parser radware-alteon. While the old parser will remain available during a transition period, all future changes will only go into the new radware-alteon parser. We recommend switching to the newer parser as soon as possible, to make for the smoothest upgrade. The old alteon-syslog parser will be removed at some point in the future. In your data, the field #type contains the name of the parser, so any queries you may have that search for this field need to accommodate this change.
Duplicated vendor fields dropped in new parser
The old alteon-syslog parser would duplicate certain fields, which the new radware-alteon parser will not. The fields which were previously duplicated would be present both under the Vendor namespace (e.g. Vendor.srcIp) and as a field mapped to CPS (e.g. source.ip). If the value of two such fields is byte-for-byte the same, the new parser will no longer preserve the vendor-specific field, but only the CPS field. If the values of the two fields differ, both fields will be preserved. This means the following fields will no longer be present in the parsed data when using the new parser:
Vendor.keys.DstIP
Vendor.keys.DstPort
Vendor.keys.Method
Vendor.keys.ResponseCode
Vendor.keys.SrcIp
Vendor.keys.URL
Vendor.keys.UserAgent
Vendor.keys.WAFObservedIP
### Version 1.0.1
Adds logic to detect event.outcome for http requests based on status code
Adds comments to better explain the logic of the temporary fields
Bumps parser version to 1.0.1
### Version 1.0.0
Adds new event.module and Cps.version fields
Removes the Product field
Sets following tags: Cps.version, Vendor, ecs.version, event.dataset, event.kind, event.module, event.outcome, observer.type
Bug fix: making event.category field an array
For more information, see Package radware/alteon Release Notes.
cisco/firepower has been updated to v1.7.2.

- Updated parser version to 3.3.2
- Enhanced regex pattern for event code 106015 to better capture flags field with multiple values

For more information, see Package cisco/firepower Release Notes.

okta/sso has been updated to v1.4.0.

- Enhanced user target field handling to support multiple values
- Added support for event hook delivery events
- Improved event categorization with more comprehensive event type mappings
- Added client fields including client.as.number and client.user fields
- Added transaction.id and rule fields for better traceability
- Added user_agent fields including device name and version
- Updated ECS version to 9.0.0

For more information, see Package okta/sso Release Notes.

darktrace/detect has been updated to v1.4.0.

- Enhanced audit event parsing with improved categorization and field mapping
- Added validation for source IP addresses using CIDR check
- Updated ECS version to 9.0.0
- Added support for syslog appname-based event classification
- Updated parser to 2.2.0

For more information, see Package darktrace/detect Release Notes.

checkpoint/ngfw has been updated to v2.3.1.

- Fixed regex pattern for numerical action values to prevent backtracking issues
- Updated parser version to 3.3.1

For more information, see Package checkpoint/ngfw Release Notes.

okta/sso has been updated to v1.4.3.

- Enhanced target array parsing with improved regex pattern to handle whitespace variations in JSON structure
- Fixed parsing of target arrays with flexible spacing between "target" field and array brackets

For more information, see Package okta/sso Release Notes.

cisco/ise has been updated to v1.3.3.

- Enhanced parsing for CISE_Alarm messages with improved message extraction
- Added event categorization and type for CISE_MONITORING_DATA_PURGE_AUDIT, CISE_System_Statistics

For more information, see Package cisco/ise Release Notes.

aws/cloudtrail has been updated to v2.1.0.

- Updated parser version to 4.0.0
- Enhanced event categorization and typing for various AWS actions
- Changed observer.type from "iam" to "identity" for IAM-related events
- Updated AssumeRole and AssumeRoleWithSAML event categorization from authentication to iam
- Modified ConsoleLogin event dataset from "cloudtrail.iam" to "cloudtrail.auth"
- Added UserAuthentication event handling with authentication category
- Improved event type mappings by removing "info" type from several actions
- Enhanced StartInstances and RunInstances categorization from configuration to host
- Added GenerateDataKey event handling with configuration category and creation type
- Updated wildcard matching to be more specific and removed default fallback categorization

For more information, see Package aws/cloudtrail Release Notes.

netgate/pfsense has been updated to v1.1.1.

- Updated ECS version from 8.11.0 to 9.0.0
- Removed rename() function from field mappings for direct assignments
- Removed pfsense-syslog.yaml parser file

For more information, see Package netgate/pfsense Release Notes.

checkpoint/ngfw has been updated to v2.3.0.

- Enhanced observer name extraction from originsicname field using regex pattern
- Improved source field handling for email addresses and IP addresses in 'from' field
- Added service.id and service.name field mappings with protocol detection
- Enhanced network protocol detection based on service identifiers
- Updated parser version to 3.3.0 and CPS version to 1.1.0

For more information, see Package checkpoint/ngfw Release Notes.

cisco/ise has been updated to v1.4.0.

- Added support for CISE_TACACS_Accounting events (codes 3300, 3301, 3302)
- Added comprehensive TACACS+ diagnostics parsing for CISE_TACACS_Diagnostics category
- Enhanced event categorization for TACACS+ authentication, authorization, and accounting events
- Added support for TACACS+ network access control and user management events
- Updated parser version to 2.1.0

For more information, see Package cisco/ise Release Notes.

checkpoint/ngfw has been updated to v2.3.2.

- Enhanced IP address validation using CIDR function for source and destination fields
- Improved handling of source.address and destination.address fields with proper IP validation
- Updated parser version to 3.3.2

For more information, see Package checkpoint/ngfw Release Notes.

cloudflare/zerotrust has been updated to v1.3.0.

- Enhanced JSON parsing with excludeEmpty and handleNull options
- Updated event type categorization for email security logs
- Added new test cases for improved coverage
- Updated parser version to 2.2.0

For more information, see Package cloudflare/zerotrust Release Notes.

fortinet/fortigate has been updated to v1.4.0.

- Updated parser version to 3.0.0
- Enhanced event outcome determination for traffic and UTM events with expanded action mappings
- Improved TLS certificate field handling using array:append for proper array construction
- Fixed vulnerability category field mapping to use array:append
- Added new test cases for VPN, IPS, and traffic events
- Updated field assignments to use array operations for ECS compliance

For more information, see Package fortinet/fortigate Release Notes.
cisco/duo has been updated to v3.0.0.

- Vendor fields are now aliased to the client namespace where source was previously used, because client better describes the role of devices initiating authentication flows, whereas source is intended for network details
- client fields are aliased to source at the end of the parser to avoid a breaking change; this allows the source fields to be removed from the parser at a later date
- event.dataset of duo.administrator is now assigned when Vendor.action = * AND Vendor.isotimestamp = *, rather than when Vendor.description = *, because "description":null often occurs, in which case the Vendor.description field is not created
- Categorization now matches on event.dataset first, then on event.action, to handle event.action values that repeat across different log types (for example, an event.action of enrollment appears in both Authentication and Telephony logs)
- Added use of user.target fields, with logic to ensure they are only applied to applicable events
- Added parsing of nested JSON in duo.activity logs from the fields: Vendor.actor.details/Vendor.target.details/Vendor.old_target.details
- Removed the Host fields section for duo.authentication and duo.trustmonitor events, because auth_device is the MFA device used in the authentication process, not the host on which the event happened, and Vendor.target fields are not present in this log type, so the section was not accurate
- Moved the determination of event.outcome after the default values are set in categorization, so that these defaults can be overwritten when outcome information is available in the event
- Updated the handling of object arrays to use objectArray:eval() instead of concatArray and splitString
- Added observer.type := "identity"
- Additional normalization of ECS fields
- Updated the assignment of event.category for cloudsso_update_routing_rule and user_restore events
- Updated CPS version to 1.1.0
- Updated ECS version to 9.0.0
- Updated parser version to 3.0.0

For more information, see Package cisco/duo Release Notes.
aruba/clearpass has been updated to v1.2.4.

- Added support for additional syslog header formats
- Enhanced event categorization for various event types
- Added extensive field extraction from Description field
- Added support for authentication, session, and configuration events
- Improved field normalization for client IP and MAC addresses

For more information, see Package aruba/clearpass Release Notes.

aws/guardduty has been updated to v1.2.1.

- Updated severity threshold logic to use >= instead of > for more accurate alert classification
- Fixed severity mapping to properly categorize findings at exact threshold values (9.0, 7.0, 4.0)
- Updated parser version to 1.3.1

For more information, see Package aws/guardduty Release Notes.
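The aws/guardduty v1.2.1 note above fixes an off-by-one at the exact threshold values. The following added illustration (not the package's own parser code) shows the strict `>` bucketing beside the corrected `>=` bucketing over a constructed GuardDuty finding; the thresholds 9.0, 7.0 and 4.0 come from the note, while the bucket names and the sample finding are assumptions.

```python
"""GuardDuty severity bucketing: '>' versus '>=' at the threshold values.

Added example, not the aws/guardduty package's own code. Thresholds are from
the release note; bucket names and the sample finding are constructed.
"""
import json

# Thresholds named in the release note, highest first; names are assumed.
THRESHOLDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"))
LOWEST = "low"


def classify_strict(severity: float) -> str:
    """Pre-fix behaviour: a finding must be strictly above a threshold,
    so a finding sitting exactly on 9.0 drops into 'high'."""
    for threshold, name in THRESHOLDS:
        if severity > threshold:
            return name
    return LOWEST


def classify(severity: float) -> str:
    """Fixed behaviour: the threshold value belongs to the higher bucket,
    so 9.0 -> critical, 7.0 -> high, 4.0 -> medium."""
    for threshold, name in THRESHOLDS:
        if severity >= threshold:
            return name
    return LOWEST


def classify_finding(raw: str, strict: bool = False) -> str:
    """Read 'severity' from a GuardDuty finding JSON document and bucket it."""
    severity = float(json.loads(raw)["severity"])
    return classify_strict(severity) if strict else classify(severity)


def boundary_mismatches() -> list:
    """Severity values on which the two implementations disagree; these are
    exactly the threshold values, which is the bug the note describes."""
    probes = [0.1, 3.9, 4.0, 4.1, 6.9, 7.0, 7.1, 8.9, 9.0, 10.0]
    return [s for s in probes if classify_strict(s) != classify(s)]


# Constructed sample finding (not real GuardDuty output); only 'severity' matters.
SAMPLE_FINDING = json.dumps({"id": "constructed-finding", "severity": 7.0})

if __name__ == "__main__":
    print("strict:", classify_finding(SAMPLE_FINDING, strict=True))
    print("fixed:", classify_finding(SAMPLE_FINDING))
    print("disagreements:", boundary_mismatches())
```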
microsoft/sysmon has been updated to v1.1.2.

- Updated ECS version to 9.0.0
- Simplified field assignments by removing unnecessary rename() functions
- Improved code readability and maintainability

For more information, see Package microsoft/sysmon Release Notes.

microsoft/dhcp-server has been updated to v1.3.1.

- Updated ECS version to 9.0.0
- Updated parser version to 2.1.1
- Changed field mapping from rename() to direct assignment for better performance

For more information, see Package microsoft/dhcp-server Release Notes.

checkpoint/ngfw has been updated to v2.1.1.

- Fixed CEF log parsing regex to properly handle logs without trailing newlines
- Updated ECS version to 9.0.0
- Updated parser version to 3.1.1

For more information, see Package checkpoint/ngfw Release Notes.

aws/cloudtrail has been updated to v2.0.1.

- Updated parser to handle EventBridge events by removing "detail" prefix
- Fixed JSON parsing to properly handle nested fields

For more information, see Package aws/cloudtrail Release Notes.

imperva/cloud-waf has been updated to v1.5.0.

- Updated ECS version to 9.0.0
- Updated parser version to 3.2.0
- Enhanced severity handling with support for both numeric risk scores and text-based risk levels
- Improved source IP handling with source.address field and proper CIDR validation
- Updated array handling for event.category and event.type fields

For more information, see Package imperva/cloud-waf Release Notes.

zscaler/deception has been updated to v2.2.0.

- Added support for authentication events with improved categorization
- Enhanced severity normalization with numeric values
- Improved field extraction for user information
- Added event.dataset field to distinguish between threat and audit events

For more information, see Package zscaler/deception Release Notes.

cisco/ios has been updated to v1.7.0.

- Added support for additional log formats including ACCOUNTING events and IGMP logs
- Enhanced access list log parsing to support both denied and permitted traffic
- Added support for timezone-specific timestamp parsing
- Updated to ECS version 9.0.0
- Updated parser version to 2.6.0

For more information, see Package cisco/ios Release Notes.

aws/guardduty has been updated to v1.2.0.

- Improved source and destination port handling for network connections
- Added support for port probe events with proper destination address mapping
- Enhanced event categorization with network and connection type detection
- Added event type classification (allowed/denied) based on blocked field
- Added authentication category for RDS login attempts
- Added API category for API call events
- Updated ECS version to 9.0.0

For more information, see Package aws/guardduty Release Notes.

cisco/ise has been updated to v1.3.2.

- Enhanced parsing for CISE_MONITORING_DATA_PURGE_AUDIT events to support additional message formats
- Added support for "purging data older than" message format
- Added support for "completed successfully" message format with event outcome set to success
- Added support for CISE_Alarm messages with improved parsing
- Enhanced field extraction for alarm messages
- Added event categorization for SGT assignment and RADIUS authentication drop alarms

For more information, see Package cisco/ise Release Notes.

rubrik/security-cloud has been updated to v1.1.1.

- Added support for additional timestamp format (yyyy-MM-dd HH:mm:ss[.SSS] Z z)
- Updated ECS version to 9.0.0

For more information, see Package rubrik/security-cloud Release Notes.

cisco/ise has been updated to v1.3.4.

- Added parsing for CmdSet field to extract command line information into process.command_line field
- Enhanced command parsing to filter and extract command arguments from TACACS authorization logs
- Updated parser version to 2.0.7 and CPS version to 1.1.0

For more information, see Package cisco/ise Release Notes.