Falcon LogScale 1.240.1 LTS (2026-06-03)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.240.1LTS2026-06-03

Cloud

On-Prem

2027-06-30Yes1.177.01.177.0No

Hide file download links

Show file download links

Hide file hashes

Show file hashes

These notes include entries from the following previous releases: 1.240.0, 1.239.0, 1.238.0, 1.237.0, 1.236.0, 1.235.0

Bug fixes and updates.

Breaking Changes

The following items create a breaking change in the behavior, response or operation of this release.

  • Security

    • Secure Lightweight Directory Access Protocol (LDAPS) is now required for LDAP connections, see RN Issue in version 1.217.0.

  • Metrics and Monitoring

    • The internal metrics ingest-parsing and ingest-parsing-allocation have been revised to track on a per event basis, as is implied by their description and documentation.

      The following internal metrics have been added to reflect existing metrics, that are now normalized by bytes parsed:

      • ingest-parsing-time-per-bytes

      • ingest-parsing-allocation-per-byte

      Two additional internal metrics have also been added to track the number of bytes ingested into a parser, and how many bytes emerge from a parser respectively:

      • ingest-parsing-bytes-in

      • ingest-parsing-bytes-out

Advance Warning

The following items are due to change in a future release.

  • Security

    • Starting from LogScale version 1.237, support for insecure ldap connections will be removed. Self-Hosted customers using LDAP will only be able to use ldaps secure connections.

Removed

Items that have been removed as of this release.

GraphQL API

  • Color coding for denoting additional roles in LogScale's GraphQL API have been removed due to lack of consistent functionality.

  • The deprecated GraphQL mutations createScheduledSearch and updateScheduledSearch have been removed.

Configuration

  • The environment variables SEGMENT_READ_FADVICE and SEGMENT_READ_AHEAD_COUNT have been removed.

    Previously, these variables were used to enable LogScale to use the Linux system posix_fadvise to notify the OS ahead of time that it planned to read segment bytes. This feature was disabled by default in version 1.85.0.

Deprecation

Items that have been deprecated and may be removed in a future release.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • API

    • The User-Agent header of outgoing HTTP requests has been changed from pekko/$pekko-version to LogScale/$major.$minor.$patch.

  • Configuration

    • Support for array and map aliasing has been removed to simplify YAML file handling. This change only affects users who have manually introduced aliases into any YAML files that LogScale is meant to consume - LogScale does not produce YAML files containing aliases.

  • Queries

    • LogScale Regular Expression Engine V2 is now the default engine for queries. The previous engine remains in use for parsers, meaning for a limited time, the regex syntax in queries will differ from that of parsers unless the F flag is specified for parser regexes. For more information see Regular Expression Flags.

      The following expression constructions change meaning with the Regular Expression Engine V2:

      • Octal notation such as \nnn where n is a digit between 0-7 is no longer supported. Instead, use the hexadecimal notation options \xnn, \x{nnnn}, or \unnnn to achieve similar results.

        This change is being made because octal notation overlapped with the backreference syntax, making it easy for common errors to go unnoticed. For example, when trying to match IP addresses, a misplaced backslash like before 122 in the IP address 10\.82\.\122\.42 could cause the regex to match to an incorrect string like 10.82.R.42 rather than the intended IP address.

      • \v is now understood as vertical whitespace, not just the vertical tabulation (VT) character. To match the vertical tabulation character specifically, use \x0B.

      • \h is now understood as horizontal whitespace, not the literal character h. To match the character specifically, remove the backslash. To match the characters \h together, escape the backslash by using \\h.

      • Unrecognized escape sequences like \l no longer refer to the literal character and now produce an error.

      • \b now uses the same definition of "word character" as \w: any ASCII letter, digit, or the _ character.

      • Inline flags now apply to all branches of an alternation. For example, (?i)foo|bar is now interpreted as (?i)(?:foo|bar), whereas previously it applied only to the first branch (foo).

      These changes make LogScale's regular expressions more consistent with popular regex engines and syntaxes such as PCRE2, Java's regex engine, and ECMAScript's regex engine. Note that LogScale's regular expressions are not fully compatible with those engines.

      Note

      Regular expressions related to any of the previously mentioned non-LogScale regex engines and syntaxes are not compatible with LogScale. However, familiarity with any of them will help users feel more comfortable using LogScale's regular expression variant.

      The Regular Expression Engine V2 also supports the following additional features not available in the previous engine:

      • Possessive quantifications/repetitions like a++ - this feature instructs the engine not to retain backtracking information, acting as "all or nothing" quantifications. Possessive quantifiers are particularly useful when matching non-overlapping character sets, such as \S++\s, and often result in improved performance compared to non-possessive equivalents such as \S+\s.

      • Positive and negative lookarounds like (?=X) - these are zero-width assertions that do not advance the match position, but assert that their bodies either match or do not match at the given position. For example, the following code snippet matches everything but newlines between two forward slashes that are not escaped: 

        (?<!\/)\/(.+?)(?<!\\)\/

        This is because the following asserts that the preceeding character is not a backslash: 

        `(?<!\/)`

      Note

      These features are not available in parsers unless the F flag is used.

      Issues fixed in the new engine include the following:

      • An issue where the previous engine would run indefinitely when matching regular expressions that match the empty string has been resolved.

      • Multiple issues where otherwise valid regular expressions would fail to compile under the previous engine have been resolved.

      • An issue where a regex could cause the Java Virtual Machine (JVM) to crash has been resolved.

      • An issue where the case-insensitivity flag would interfere with boundary conditions has been resolved.

      • An issue where inline case-insensitivity flags would not properly apply to the corresponding group has been resolved.

      • An issue where the negated word character class \W would match digits has been resolved.

      • An issue where the previous engine would produce incorrect group numbering has been resolved.

      Warning and error messages may appear incorrectly formatted during the transition period while the previous regex engine is being phased out. This is expected behavior and messages will become more legible once the previous engine is fully removed.

      For more information, see LogScale Regular Expression Engine V2.

Upgrades

Changes that may occur or be required during an upgrade.

  • Security

    • Upgraded Apache Log4j to version 2.25.4 to address security vulnerabilities.

  • Installation and Deployment

    • The Linux Wolfi OS base image for Docker has been updated for LogScale to eliminate Common Vulnerabilities and Exposures (CVEs).

      For more information regarding Wolfi, visit their documentation here: Wolfi OS - GitHub

    • Upgraded LogScale's bundled Java Development Kit (JDK) from version 25.0.2 to 25.0.3.

  • Ingestion

    • The Apache Kafka client has been updated to version 4.2.0.

New features and improvements

  • Documentation

    • The Knowledge Base section of the documentation has been renamed to Guidance. This name change will enable us to build a wider range of content.

      The sub-sections, How-To, Best Practice, Troubleshooting, Use Cases and Questions will stay. The URLs for each page have also not changed and will keep their kb prefix.

    • You can now add custom bookmarks for different pages on the library pages using the 🔖 menu.

      Bookmarks can be marked as favorite, and favorite bookmarks are always available in the 🔖 menu and will be displayed on the homepage for quick access.

      For more information, see Bookmarking Pages.

  • GraphQL API

    • The GraphQL mutation removeExpirationFromLimit has been added, which removes limit expiration.

      The mutation can be called as follows:

      graphql
      mutation removeExpFromLimit {
  removeExpirationFromLimit(input: {id: "<limitid>"}) {
    <some field you want to read from the returned limit after the removal of the expiration>
  }
}

      Previously, it was not possible to remove the expiration from a limit using the existing update call.

      Note

      This mutation requires either ManageClusters or ManageOrganizations permissions on the cluster.

  • Configuration

    • Added the dynamic configuration option QuerySchedulerMaxCpuMsPerTimeSlice, which controls how much CPU time a chunk is allowed to take before deferral of the remaining processing is attempted. The default is 1,000 milliseconds.

    • Added the environment variable MAX_TABLE_SIZE_BYTES, which controls the maximum table size for functions such as defineTable(). This allows the table size to be controlled independently of the .CSV file size.

      The variable performs using the following rules:

      • If the environment variable is set by the user, it retains the provided value.

      • If the environment value is not set by the user, the value is derived from the MaxCsvFileUploadSizeBytes.

      • If MaxCsvFileUploadSizeBytes is not set, it has the value from the Default Max CSV File Upload Size.

      Note

      Unless specifically overwritten, the value follows that of the CSV file size.

    • Uploads and downloads now use separate queues with a separate concurrency limit for each. The following configuration options have been added:

      Some parts of the transfer process may be CPU-intensive, for example handling segment encryption. The concurrency of this work is controlled via the thread pool size. It is recommended to leave this at its default value, since permitting too much CPU-intensive work for bucket transfers at a time can be disruptive to the rest of the system.

      The S3_STORAGE_CONCURRENCY setting, and similar settings for other bucket providers, is deprecated for removal in version 1.252.0. To ease migration, S3_STORAGE_MAX_CONCURRENT_UPLOADS and S3_STORAGE_MAX_CONCURRENT_DOWNLOADS will use the value of S3_STORAGE_CONCURRENCY as a default if the latter is configured. These changes also apply to the GCP and AZURE bucket types in addition to the S3 bucket type.

  • Queries

    • Cross-view asset references are now supported in queries and parsers, allowing users to reference saved queries, parsers, and files from other views using the following syntax.

      • Saved queries - $"query://viewName:queryName"() or $"query://viewName/scope/package:queryName"() for package-scoped queries.

      • Parsers - $"parser://viewName:parserName"() or $"parser://viewName/scope/package:parserName"() for package-scoped parsers.

      • Files - file://viewName:fileName or file://viewName/scope/package:fileName for package-scoped files.

      This feature requires ReadAccess permission on both the source view (where the query or parser runs) and the target view (where the asset is located). The feature is supported in:

      • Queries, including join() and defineTable() subqueries, and triggers (alerts and scheduled searches).

      • Parsers - parsers can reference cross-view saved queries and files during data ingestion.

      Note

      This feature's capability is only functional for parsers with view-level tokens that are set up to include the set of views referenced in the parser, and/or organization and system-level tokens.

      Cross-view references are not supported and are actively blocked for parsers and saved queries used by:

      • Event forwarding rules

      • Ingest tokens

      • Ingest listeners

      • Ingest feeds

      • FDR feeds

      Validation is enforced both at assignment time (when associating a parser with one of these features) and when updating a parser or saved query already part of a chain. This includes transitive references through parser and saved query chains.

      Cross-view references are also not supported for:

      • Shared dashboard tokens - these tokens can only query the main view and cannot access cross-view references.

      • The deprecated lookup() query function - use the match() function instead.

      A new GraphQL field qualifiedName has been added to the SavedQuery output type. This field returns the fully qualified reference format, for example query://viewName:queryName or query://viewName/scope/package:queryName for package-scoped queries.

      The existing redirectQueryAssetLookupTo feature continues to work for implicit (non-prefixed) references. Explicit cross-view references using the query:// or file:// prefix override the redirect setting.

      For more information, see Resolving Resources to a Different Named View or Repository.

  • Fleet Management

    • Fleet overview now offers two query modes:

      • The legacy mode, which remains available for existing workflows and is unchanged.

      • The new mode, which supports only collectors operating using versions 1.9.0 and newer.

      The new query mode will be set as the default. To revert to the previous version, the new query mode can be disabled in Settings.

      They key differences in legacy mode and the new query mode overview include:

      • Legacy overview will perform queries to catch all versions of collectors, and also display collectors that are not enrolled.

      • New overview will feature queries only using #kind tags. It will show the notification Requires 1.9.0+ for all collectors with versions 1.5.*-1.8.*, as ingest and status will not be queried, and therefore not shown.

      All collectors below version 1.5.* will not be queried. However, they will appear in the historical section, since we cannot differentiate between inactive collectors and those that are this old.

      Only the overview queries are updated; group queries have not been impacted.

    • A new column has been added to the Fleet overview section, displaying security findings for each collector.

  • Metrics and Monitoring

    • The following metrics have been added:

      • query-segment-chunk-deferred - counts how many times the query scheduler stops execution part way through a chunk and defers the remaining work for later.

        This is an indicator of the presence of one or more very slow queries. The query scheduler executes queries by scanning each segment in portions of a particular byte size (chunks, consisting of a number of blocks) and is only able to make prioritization decisions between chunks. If a chunk takes too long, the scheduler may stop execution part of the way through and defer the rest of the work, allowing it to context-switch to other queries.

      • block-count-in-chunk - counts the number of blocks included in each segment chunk for segments being read during queries.

  • Packages

    • Release notes for packages are now incorporated into these release notes. The release notes included cover any changes to a package within the last month from the date of the corresponding LogScale release.

Fixed in this release

  • Security

    • Fixed an issue where the validation protocol requiring group names to each be unique identifiers was not applied correctly for requests involving multiple nodes almost simultaneously.

  • User Interface

    • Fixed an issue where x-axis ordering for the Bar Chart widget could become unstable when the Others series in the Max series (bars) property contained varying subsets of x-axis categories with data updates.

    • When uploading lookup files, the Import files dialog now correctly rejects invalid file types also when using the drag-and-drop method. Previously, the file validation only occurred when using the Browse computer button.

  • Automation and Triggers

    • Fixed an issue in the handling of time zones where if an anchored time interval like LastWeek was used in scheduled reports, UTC timezone was implemented to calculate the start and end date of the report, leading to a drift in the time window (if the report was configured with a different time zone).

    • Fixed an issue where action invocation could hang indefinitely if the action used Transport Layer Security (TLS) and the host name was not compatible with Server Name Indication (SNI) hostname requirements. Invalid hostnames are no longer added as an SNI on a TLS connection.

    • Fixed an issue where aggregate alerts could trigger at a future time when an alert was behind and running static queries to catch up, and was configured with trigger mode Immediate (the default for aggregate alerts using @timestamp).

  • Storage

    • Fixed a rare issue where bucket transfer scheduler behavior sometimes led to starvation and/or a reduction in the effective concurrency of bucket transfers by a total of 1, particularly in situations where transfer failure already existed, such as in cases of network issues.

  • Configuration

    • Fixed an issue where, if not specified, the default Lightweight Directory Access Protocol (LDAP) port would be assumed to be 389 instead of 636, which is the default for Lightweight Directory Access Protocol over SSL/TLS (LDAPS). As a workaround, the port can be explicitly specified in the LDAP setup.

  • Ingestion

    • Fixed an issue where a misconfigured ingest feed would prevent the initialization of other feeds during the initialization process.

    • Fixed an issue where misconfigured ingest feeds would prevent other feeds from being picked up during the initialization phase.

  • Queries

    • Fixed an issue where JSON files could be exported as empty files instead of containing the expected content.

    • Fixed an issue where some very permissive regular expressions would cause subsequent results highlighting to exhaust a node's available memory.

    • Fixed an issue where very long regular expressions (greater than 10,000 characters) would cause a query to fail.

    • Fixed an issue where updating a lookup file between query submission and execution could cause queries to fail unexpectedly.

    • Scheduling of hash files has been reverted due to excessive overhead on the thread that creates hash files.

    • Fixed an issue where static queries transferred across different version of LogScale would become unreadable due to formatting changes and cause the query to fail. Now if this issue occurs, the query will restart.

    • Fixed an issue where a live query would occasionally fail, either internally or during client polling. This was due to a race condition created by a lack of bucket alignment.

    • Fixed an issue where temporary, self-correcting failures to publish in global snapshot could lead to query failures.

    • Fixed an issue where query handover in LogScale such as those occurring during node restart would in some cases lead to empty query results.

    • Fixed an issue where multi-cluster search queries were not correctly reflecting that they had been stopped. This occurred in cases where queries were stopped before all dependencies were ready, such as defineTable() subqueries or files.

  • Functions

    • Fixed an issue where link operator placement validation in the correlate() function was not sufficiently strict. The subsequent resolution has also improved error message validation.

    • Fixed an issue where queries using the correlate() function in a cluster running both a version older than 1.233 and a version that is 1.233 or newer experienced a serialization issue, where the new version serialized items in a format that was not recognized by the previous version.

    • Fixed a rare issue where the correlate() function could miss events at time bucket boundaries. This fix only takes effect when all nodes in the cluster are running at least version 1.238.0 - multi-cluster search is not yet supported.

    • Fixed an issue introduced in version 1.236 that caused correlate() queries running more than one iteration to find no results. This occurred when the repository was configured to use tag grouping and the query made use of the tags.

  • Packages

    • Fixed an issue where the absence of the Linux command-line utility lscpu in the Docker base image broke the CPU Architecture widget in the humio/insights package.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • A loading indicator has been added to the autocompletion menu in the new Query Editor for user-triggered prompts like the following:

      • Ctrl+Space

      • +Space

      This improves user experience during slow load times by ensuring users are aware that completions are being fetched from the server.

  • Storage

    • Reworked bucket storage concurrency controls to provide better granularity. Bucket storage uploads and downloads previously shared the same concurrency limit (S3_STORAGE_CONCURRENCY) and used a shared queue where uploads always received priority over downloads.

  • Configuration

    • The upper limit on the system setting MAPPER_JOB_QUEUE_LENGTH has been removed. This setting controls the maximum size of the mapper pool in each worker node.

      The mapper pool size defaults to 50% of the cores on the node, and the queue is configured by default to provide one queue slot per pool thread. This configuration ensures that mapper pool threads do not run out of work before the scheduler main loop can enqueue more.

      Note

      The mapper pool size default can be overridden by QUERY_EXECUTOR_CORES.

      The previous upper limit of 128 was harmful on nodes with more than 256 cores. Since there is no reason to impose an upper boundary on this configuration, the limit has been removed.

      The default value is recommended. The following considerations apply when adjusting this setting:

      • Decreasing the queue size risks leaving the mapper pool intermittently idle while the scheduler prepares more work to execute.

      • Increasing the queue size increases the latency on query prioritization decisions, since it takes longer between the scheduler deciding to execute a piece of work and that work making it through the queue.

    • Added the dynamic configuration option QuerySchedulerMaxCpuMsPerTimeSlice, which controls how much CPU time a chunk is allowed to take before attemptingdeferral of the remaining process. The default is 1,000 milliseconds.

  • Queries

    • Implemented the ability to stop work mid-chunk in the query scheduler, in order to switch between queries more responsively when slow queries are running. This behavior can be opted out of via the AllowQuerySchedulerToBailOnSlowChunks feature flag, which is planned for removal in a future version.

  • Fleet Management

    • Fleet management groups can now be created with configurations that are partial and/or that contain merge conflicts. Users are provided with a warning regarding possible conflicts, but are no longer blocked from saving the group.

    • The following improvements have been made to the Fleet overview section:

      • A badge is now displayed in the hostname column when the collector is running in FIPS mode.

      • A new column has been added that displays the user agent reported by the collector.

    • The Fleet Insights page now also provides a legacy mode. Legacy mode will still query for collectors that do not have #kind tags ingest, sources, and problemsReport field.

      The new Fleet Insights page will continue to query using only #kind tags.

  • Metrics and Monitoring

    • Added the metric query-segment-chunk-deferred. The query scheduler executes queries by scanning each segment in portions of a particular byte size (chunks, consisting of a number of blocks) and is only able to make prioritization decisions between chunks. If a chunk takes too long, the scheduler may stop execution part way through and defer the rest of the work for later. This allows the scheduler to context switch to other queries, even when a very slow query is present where chunks take a long time. This metric counts how many times that kind of deferment occurs, which is an indicator of the presence of one or more very slow queries.

      Added the metric block-count-in-chunk, which counts the number of blocks included in each segment chunk for segments being read during queries.

    • The following changes have been made to metrics:

      • bucket-storage-transfer-free-slots has been replaced by bucket-storage-upload-free-slots and bucket-storage-download-free-slots.

      • node-to-node-transfer-free-slots has been renamed to node-to-node-download-free-slots.

  • Auditing and Monitoring

    • The field extraLogFields from query input is now logged in query audit and activity logs, exposed with the prefix customKey. For example, a field in extra log keys named traceId=123 will be logged as customKey.traceId=123 in the audit and activity logs.

    • The fields orgId and CID have been added to activity logs for Schedule PDF Reports where available. Additionally, scheduledReportId, scheduledReportName, orgId, and CID are now also sent to the PDF Render Service for logging purposes when users request a PDF be rendered.

  • Functions

    • correlate() queries now use selective scanning. Instead of always scanning all data, the query engine selects which pipelines and segments to scan based on the query structure and data available on disk or bucket storage at the time of query submission. This can significantly improve performance for queries where only a subset of the data is relevant.

      This feature will be available once all nodes in the cluster are running at least version 1.239 and are not running multi-cluster search.

      The default iteration limit for correlate() has been raised from 5 to 10, and the maximum from 10 to 20, as selective scanning may require additional iterations to converge.

  • Other

    • JSON encoding performance for message template output for actions and logs has been improved for the humio-activity repository. As a result, fewer characters are encoded, but all characters required to be encoded for JSON are encoded correctly.

  • Packages

    • Backoff-retry logic has been added to LogScale's package return from disk functionality. Immediately after a new node is started, where packages may not be synchronized, this asynchronous process gives the cluster a chance to catch up.

      Note

      The operation to retrieve packages may still be subject to failure. However, the incidence of failure will now be lower.

    • A new validation to existing processes for ensuring adherence to maximum package file size during upload has been added. Package size is now checked on installation and updated in two ways:

      • As before, the package is checked against the environment variable MAX_FILEUPLOAD_SIZE. If the package is larger than this value, it is rejected.

      • As a new validation, if the package serializes to a size too large to be placed on LogScale's Kafka queue as determined by the default Kafka message size (2 MB), the package is also rejected with the error message The package is too large.

      Note

      The second validation does not change which packages can be installed. Packages exceeding the Kafka message size limit will still fail during installation. Instead, this change detects this error earlier, and provides a meaningful error message instead of an internal exception.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • juniper/srx has been updated to v1.5.2.

      • Enhanced timestamp parsing with additional format support for non-RFC compliant logs

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.1.0

      • Improved field handling with proper timestamp field cleanup

      For more information, see Package juniper/srx Release Notes.

    • cisco/ios has been updated to v1.9.2.

      • Enhanced regex patterns to handle optional whitespace after colon separators in event codes

      • Added support for FPMD and FTMD event types for SD-WAN flow monitoring and traffic analysis

      • Added IANA protocol number to network transport protocol mapping for common protocols

      • Improved MAC address parsing to support both lowercase and uppercase hexadecimal characters

      • Updated ECS version to 9.3.0

      • Updated parser version to 2.9.1

      For more information, see Package cisco/ios Release Notes.

    • cisco/firepower has been updated to v2.0.0.

      • Updated parser version to 5.0.0

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      • Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format

      • Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation

      • Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction

      • Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end

      • Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics

      • Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing

      • Enhanced parsing for event code 302021 with event action extraction and network transport assignment

      • Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization

      • Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction

      • Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP

      • Added support for event code 733100 with rate limiting and intrusion detection categorization

      • Added support for event code 746015 with DNS protocol parsing and question/answer extraction

      • Enhanced parsing for event code 746016 with improved DNS lookup failure parsing

      • Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization

      • Added support for event code 750003 with network authentication failure categorization

      • Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction

      • Added event.code field assignment from vendor mnemonic

      • Added event.reason field consistency logic to ensure availability across ASA and FTD events

      For more information, see Package cisco/firepower Release Notes.

    • cloudflare/zerotrust has been updated to v2.2.0.

      • Enhanced email security alert filtering to only generate alerts for malicious, suspicious, or spoof dispositions

      • Added threat technique name mapping from ThreatCategories for email security alerts

      • Improved event categorization for email security with separate handling for threat techniques vs general emails

      • Updated WAF alert generation to trigger only when severity indicates likely attack or attack (severity <= 50)

      • Updated parser version to 4.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • juniper/srx has been updated to v1.5.3.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format

      • Updated parser version to 3.0.2

      • Updated CPS version to 1.2.0

      For more information, see Package juniper/srx Release Notes.

    • checkpoint/ngfw has been updated to v2.7.0.

      • Fixed event.kind assignment for malware detection events to properly set "alert" value

      • Enhanced conditional logic for malware event categorization in Block and Detect actions

      • Updated parser version to 3.7.0

      For more information, see Package checkpoint/ngfw Release Notes.

    • fortinet/fortigate has been updated to v2.3.3.

      • Enhanced VPN tunnel event handling with improved source address mapping for tunnel-up actions

      • Added source.nat.ip field mapping from Vendor.tunnelip for VPN tunnel events

      • Improved network direction detection with additional conditions for Vendor.init field

      • Fixed corrupted type field parsing by restoring "utm" value when type field contains text/css, text/html, or other text/* values

      • Updated parser version to 5.1.3

      For more information, see Package fortinet/fortigate Release Notes.

    • microsoft/sysmon has been updated to v1.1.4.

      • Added @dataConnectionID field to the select statement for improved data connection tracking

      • Updated parser version to 1.1.4

      For more information, see Package microsoft/sysmon Release Notes.

    • darktrace/detect has been updated to v2.0.2.

      • Updated ECS version to 9.2.0

      • Updated parser version to 3.0.2

      • Enhanced timestamp parsing for RFC 3164 syslog format to handle single-digit day values with optional space padding

      • Added array-based field handling for host.mac[] field

      For more information, see Package darktrace/detect Release Notes.

    • zscaler/internet-access has been updated to v2.1.2.

      • Fixed event.action field assignment order in firewall events to ensure proper conditional processing

      • Updated parser version to 4.0.2

      For more information, see Package zscaler/internet-access Release Notes.

    • cisco/umbrella has been updated to v1.4.3.

      • Updated parser version to 3.0.3

      • Enhanced DLP logs parsing with improved URL handling using parseUri function

      • Added url.original field mapping for DLP traffic logs

      • Improved destination.domain field extraction for better URL parsing accuracy

      For more information, see Package cisco/umbrella Release Notes.

    • aws/vpcflow has been updated to v1.3.1.

      • Added observer.ingress.interface.id field mapping from Vendor.interface-id

      • Updated parser version to 1.3.1

      For more information, see Package aws/vpcflow Release Notes.

    • f5networks/bigip has been updated to v3.1.1.

      • Updated ECS version to 9.3.0 and Parser version to 4.0.1

      • Enhanced HTTP request parsing for ASM events with improved regex extraction for request content

      • Fixed HTTP request body content extraction to properly parse content portion from request data

      • Added HTTP request MIME type field mapping from Content-Type header

      • Corrected HTTP request referrer field mapping to use proper vendor field

      • Improved authentication failure parsing with more specific regex pattern for user extraction

      • Fixed indentation and formatting issues in audit event processing section

      For more information, see Package f5networks/bigip Release Notes.

    • dell/isilon has been updated to v1.2.3.

      • Updated ECS version to 9.3.0

      • Updated parser version to 1.1.4

      • Added support for RFC 5424 syslog format parsing

      • Added log.syslog.version field mapping

      • Enhanced timestamp parsing with case-based logic for different syslog formats

      For more information, see Package dell/isilon Release Notes.

    • cisco/firepower has been updated to v1.9.2.

      • Updated parser version to 4.1.2

      • Enhanced regex patterns for event code 106023 to better handle user domain and username extraction in various formats

      • Added support for multiple parsing patterns including domain\user combinations and hostname-only formats

      • Improved connection ID handling in event codes 302013 and 302015 by removing connection ID from event.action field

      • Added support for event code 402117 for IPSEC non-IPSec packet events

      • Enhanced key-value parsing regex patterns for events 430001-430007 to handle more complex field structures

      • Added IANA protocol number to transport protocol mapping for better protocol identification

      • Fixed whitespace formatting issues in parser code

      For more information, see Package cisco/firepower Release Notes.

    • checkpoint/ngfw has been updated to v2.7.1.

      • Enhanced client/server field mapping to apply to all events instead of only application control logs

      • Moved client/server field assignments outside conditional logic for broader coverage

      • Updated parser version to 3.7.1

      For more information, see Package checkpoint/ngfw Release Notes.