Falcon LogScale 1.227.0 Not Released (2026-02-10)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.227.0Not Released2026-02-10

Internal Only

2027-02-28No1.150.01.177.0No

Not released.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Storage

    • Removed the feature flag WriteNewSegmentFileFormat, making the new segment file format mandatory. This feature was introduced in version 1.138 to improve segment file compression and became enabled by default in version 1.162.

      Important

      After deploying this version, clusters cannot be downgraded to versions older than 1.177.

  • GraphQL API

    • Improved resource management controls to ensure system stability and performance for GraphQL query processing. These changes will not impact normal usage of LogScale's UI and API.

  • Configuration

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Removed

Items that have been removed as of this release.

Configuration

  • The environment variable TEMP_SHORTCUT_EXTERNAL_FUNCTION_CALLS is no longer used by LogScale and can be safely removed.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

  • The Secondary Storage feature is now deprecated and will be removed in LogScale 1.231.0.

    The Bucket Storage feature provides superior functionality for storing rarely queried data in cheaper storage while keeping frequently queried data in hot storage (fast and expensive). For more information, see Bucket Storage.

    Please contact LogScale support for any concerns about this deprecation.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • Queries

    • The QuerySessions class now propagates user permission changes to running static queries, allowing them to end or restart as necessary. Previously, this behavior was only applied to live queries.

New features and improvements

  • Automation and Triggers

  • GraphQL API

    • Extended the analyzeQuery() GraphQL endpoint to support alerts. The queryKind parameter now supports the following values:

      • For filter alerts: { filterAlert: {} }

      • For aggregate alerts: { aggregateAlert: {} }

      • For legacy alerts: { legacyAlert: {} }

      Note

      Alerts have restrictions beyond the query string, in particular regarding the time interval of a query. Those restrictions are outside the scope of the validation done by analyzeQuery().

  • Queries

  • Functions

    • Released the new query function explain:asTable(), which provides detailed insights into query performance by showing a step-by-step breakdown of time consumption and event filtering throughout the query.

Fixed in this release

  • User Interface

    • Fixed an issue with correlate query graph visualization, where nodes and edges would not render correctly in certain circumstances.

    • These two wrong behaviors have been fixed in the web interface:

      • The Events tab would not show when the main correlate query did not return results.

      • A wrong default widget was selected by the Widget selector.

  • Automation and Triggers

    • Fixed an issue where the creation of a scheduled report without parameter values would result in an invalid and failing result.

  • Storage

    • Fixed an issue where global snapshot failure would prevent further attempts until system restart.

    • Fixed an issue occurring during offset calculation for digest that could cause minisegments that go missing before being fully replicated to be incorrectly deleted and replayed from Kafka.

      This occurred only in datasources that were recently created or whose status had recently changed from idle to non-idle. In the future, these minisegments will appear in the cluster admin panel designated as "absent".

    • Fixed an issue where a failing assertion in DataSyncJob could cause a system crash in very rare cases.

  • Functions

    • Fixed an issue where using the function wildcard() as part of an expression (for example test(wildcard(...))) would result in an internal server error. The proper query validation error now correctly displays in the Query editor.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Automation and Triggers

    • The Triggers overview page has been updated with the following improvements:

      • Sorting is now available for all columns.

      • The Search... field now supports filtering across all columns.

      • The Select all and None filtering options are now available for quickly selecting all items and then excluding single items, and for quickly identifying triggers with no label, action, or package attached.

        Both options are available for the Labels, Actions and Packages columns.

      For more information, see Manage Triggers.

  • Storage

    • Added a delay between retry attempts when global snapshot uploads fail.

  • Queries

    • The election process regarding slow queries has been updated to the following parameters:

      • Changed the threshold from 100 times slower to 500 times slower for vote casting.

      • Increased vote timeout from 5 minutes to 15 minutes.

      When a node is elected as problematic by the entire cluster within the timeout period, it is logged with the message These nodes were deemed bad by the rest of the cluster.

    • Improved query throttling for segment merges. Queries are not throttled if segment merging falls behind due to slow segment fetches.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aws/vpcflow has been updated to v1.3.0.

      • Enhanced IP address validation using CIDR function for source and destination fields

      • Added network transport protocol mapping based on IANA numbers

      • Improved event action normalization to lowercase format

      • Updated ECS version to 9.2.0 and CPS version to 1.1.0

      • Enhanced CSV header detection with improved regex pattern

      For more information, see Package aws/vpcflow Release Notes.

    • cisco/meraki has been updated to v2.0.0.

      • Enhanced IP and address normalization with proper CIDR validation

      • Improved network protocol handling with tcp/ip normalization to network.transport

      • Added support for l7_firewall events with proper categorization

      • Enhanced IDS alert processing with decision-based event outcomes

      • Improved field mapping for client.domain and host.hostname with lowercase normalization

      • Added destination.mac field mapping from vendor fields

      • Updated event.type arrays to remove redundant "info" entries for cleaner categorization

      • Fixed temporary variable naming conflicts by prefixing with underscore

      • Enhanced file scanning events with proper category and type assignments

      For more information, see Package cisco/meraki Release Notes.

    • cisco/umbrella has been updated to v1.4.2.

      • Updated parser version to 3.0.2

      • Enhanced source.address field mapping to use external_client_ip as fallback when internal_client_ip is not available

      For more information, see Package cisco/umbrella Release Notes.

    • infoblox/nios has been updated to v1.4.1.

      • Fixed DNS answers type field mapping to use proper array notation (dns.answers[0].type instead of dns.answers.type)

      • Updated parser version to 3.0.1

      For more information, see Package infoblox/nios Release Notes.

    • nozomi/ids has been updated to v1.4.0.

      • Updated parser version to 4.0.0

      • Updated ECS version 9.2.0

      • Added new field mappings for message, domain, and network protocol fields

      • Added IP address validation to filter invalid and non-routable addresses

      • Added array deduplication for event categorization fields

      • Added enhanced extraction patterns for threat indicators and network entities

      • Changed event categorization from message-based regex to classification prefix-based logic

      • Changed severity mapping ranges for better alignment with risk levels

      • Changed address field logic to support both IP and domain values

      • Changed observer field handling to distinguish between IPs and hostnames

      • Consolidated field normalization and lowercase operations

      • Fixed field name reference issues

      • Removed redundant message-based categorization patterns

      • Removed duplicate field assignments

      • Improved overall parser maintainability and performance

      For more information, see Package nozomi/ids Release Notes.

    • checkpoint/ngfw has been updated to v2.6.0.

      • Enhanced originsicname field parsing with key-value extraction for better observer name identification

      • Added policy ID tag parsing to extract policy name, management server, and date information

      • Improved rule.ruleset field mapping to include policy name from parsed policy ID tag

      • Enhanced rule.uuid field mapping to include NAT rule UIDs

      • Added network.community_id field generation for both ICMP and non-ICMP events

      • Improved observer.name field mapping with conditional logic for firewall traffic and threat prevention events

      • Enhanced client/server field identification for application control and URL filtering logs

      • Updated parser version to 3.6.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • aws/waf has been updated to v3.0.0.

      • Enhanced cloud service detection from httpSourceName (CloudFront, API Gateway, ELB)

      • Added cloud account ID and region extraction from webaclId ARN

      • Added rule name extraction from webaclId

      • Improved event outcome mapping (success/failure based on allow/block actions)

      • Added TLS JA3 fingerprint support

      • Added URL scheme field mapping

      • Updated rule.category and rule.ruleset field mappings

      • Updated ECS version to 9.2.0

      • Improved code formatting and organization

      For more information, see Package aws/waf Release Notes.

    • fortinet/fortigate has been updated to v2.3.0.

      • Fixed CEF parsing to handle multiple cat fields without overwriting by renaming ad.cat to ad.ext.cat

      • Enhanced user field mapping with conditional logic for suser and duser fields

      • Improved source address parsing for events without designated fields using regex extraction from ui and sproc fields

      • Added support for additional observer fields including hostname, product, vendor, and version

      • Enhanced event field mappings with additional coalesce options for event.id, event.reason, and event.action

      • Added event.start field mapping from Vendor.start

      • Improved source.domain assignment for non-IP addresses

      • Updated parser version to 5.1.0

      For more information, see Package fortinet/fortigate Release Notes.

    • cisco/ise has been updated to v2.0.4.

      • Added support for CISE_External_MDM event category with comprehensive event code handling

      • Enhanced CISE_Passed_Authentications parsing with additional event codes (5236, 5238, 5240)

      • Improved CISE_Failed_Attempts parsing with new event codes (5402, 5422, 5434, 5416)

      • Added support for CISE_Administrative_and_Operational_Audit event codes (51025, 60166, 60167, 60069)

      • Enhanced RADIUS accounting with support for Interim-Update status type

      For more information, see Package cisco/ise Release Notes.

    • trellix/fireeye-nx has been updated to v1.3.0.

      • Enhanced event categorization with conditional logic based on event class ID

      • Added dynamic event dataset generation based on vendor event name

      • Improved source and destination field handling with IP/domain detection

      • Migrated host fields to observer fields for better ECS compliance

      • Added network transport and VLAN ID field mappings

      • Added rule name and URL original field mappings

      • Updated ECS version to 9.2.0

      • Updated parser version to 2.0.0

      • Added timestamp parsing from Vendor.rt field

      For more information, see Package trellix/fireeye-nx Release Notes.