Falcon LogScale 1.245.1 GA (2026-07-07)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.245.1GA2026-07-07

Cloud

Next LTSNo1.177.01.177.0No

Hide file download links

Show file download links

Hide file hashes

Show file hashes

These notes include entries from the following previous releases: 1.245.0

Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Removed

Items that have been removed as of this release.

GraphQL API

  • The deprecated enum value filteralert has been removed from the LanguageVersionEnum enum in the GraphQL API.

Configuration

  • The deprecated environment variable EXTRA_KAFKA_CONFIGS_FILE has been removed. LogScale will now refuse to start if this environment variable is configured.

    The following environment variable prefixes are available for configuring each Kafka client individually:

    In addition, KAFKA_COMMON_ can be used to pass configuration to all clients, though settings configured using the client-specific prefixes take precedence when a setting is present with both prefixes.

    Kafka configuration options such as request.timeout.ms can be passed with these prefixes using the following rewrite procedure:

    1. Enter the option name in all uppercase - for example: REQUEST.TIMEOUT.MS.

    2. Replace . with _ - for example: REQUEST_TIMEOUT_MS.

    3. Apply the prefix for the target client - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS.

    4. Pass the configuration option as an environment variable to LogScale on boot - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS=30000.

    Configuration previously passed via EXTRA_KAFKA_CONFIGS_FILE can be migrated to environment variables using the procedure above, using the KAFKA_COMMON_ prefix.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

New features and improvements

  • Functions

    • Added the new function appendAggregation(), which appends an aggregation of the preceding events to the end of the current result set. This allows query results to be appended with an aggregate summary such as totals, averages, and more.

      The following example demonstrates the function:

      logscale
      head() | appendAggregation({ sum(value, as="value") | event:="total"})

Fixed in this release

  • GraphQL API

    • Fixed an issue where the GraphQL argument metadataEndpointUrl was not persisted when provided to the GraphQL mutation updateSamlIdentityProvider.

  • Storage

    • Fixed an issue with bucket upload logic that in rare cases was causing the loss of lookup files during upload. This same issue also caused lookup file uploads to be slower than expected due to unintentional throttling.

  • Ingestion

    • Digest partition assignment to hosts is now uniform across the partition range to avoid hotspots.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • User Interface

    • Collapsible sections have been added to the parser extensions view in the Parser editor.

  • GraphQL API

    • The GraphQL query analyzeQuery now supports a new query kind for scheduled searches.

  • Configuration

    • The default value for the environment variable QUERY_CACHE_COMPLETE_STATES_MIN_COST has been lowered from 1000 to 100 to make cheaper queries eligible for caching.

  • Queries

    • Queries that filter on the event ID field @id using a malformed value now immediately returns no results, instead of scanning for events that could never match.

      If a malformed value appears alongside one or more valid values (for example in an or expression of several @id values), only the invalid value is dropped; the valid values still resolve directly to their respective events.

  • Functions

    • The query function stdDev() has been improved:

      • An issue has been fixed that caused the function to crash in an extreme corner case.

      • Overall performance of the function has been improved.

      • A new algorithm has been introduced that handles smaller relative deviations with greater ease. This algorithm may produce slightly different results than before. However, under normal circumstances the change amounts to less than 1 parts per million (ppm).

    • The function redactEvents() has been updated to account for internal query result caches. Redaction tasks will now only finish once query caches that may contain the redacted event have reached their maximum time to live, ensuring that such events will not temporarily appear due to results being served from the cache.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • everpure/flashblade has been updated to v1.2.0.

      • Added support for GUI and CLI session logs (purity.guisession and purity.clisession)

      • Enhanced heartbeat message parsing for system monitoring

      • Improved source address handling with IP/domain classification

      • Updated ECS version to 9.3.0

      • Enhanced regex patterns for better alert message parsing

      • Added session authentication event categorization

      For more information, see Package everpure/flashblade Release Notes.

    • dell/isilon has been updated to v1.3.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 1.2.0

      • Added support for Dell Isilon API audit logs parsing

      • Enhanced regex pattern matching to handle both SMB protocol logs and API request logs

      • Added HTTP request method and response status code field mappings

      • Added JSON parsing for API request arguments

      • Enhanced user ID mapping with coalesce function for multiple source fields

      • Enhanced client IP mapping with coalesce function for multiple source fields

      • Added event outcome determination based on HTTP response status codes

      For more information, see Package dell/isilon Release Notes.

    • rubrik/security-cloud has been updated to v1.1.3.

      • Enhanced timestamp parsing to support additional precision formats

      • Updated parser version to 1.1.3

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.2.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • everpure/flasharray has been updated to v1.0.5.

      • Added new regex pattern for enhanced audit log parsing with support for command structure extraction

      • Enhanced observer.hostname field mapping to use coalesce function for better field population

      • Added event.id field mapping from Vendor.MessageID for improved event tracking

      • Updated parser version to 2.0.4

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      For more information, see Package everpure/flasharray Release Notes.

    • cisco/ios has been updated to v1.10.0.

      • Added new regex pattern to handle logs with sequence numbers and timestamps in format: <priority>message_count: sequence: timestamp: %facility-severity-eventcode: message

      • Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers

      • Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings

      • Fixed IST timezone timestamp parsing to support optional milliseconds format

      • Improved LOGOUT event parsing to handle optional source address in parentheses

      • Updated parser version to 2.10.0

      For more information, see Package cisco/ios Release Notes.

    • everpure/flashblade has been updated to v1.2.1.

      • Updated vendor name from Pure Storage to Everpure across all package components

      • Updated manifest author information to reflect Everpure branding

      For more information, see Package everpure/flashblade Release Notes.

    • juniper/srx has been updated to v1.5.4.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding

      • Updated parser version to 3.0.3

      For more information, see Package juniper/srx Release Notes.

    • darktrace/detect has been updated to v2.1.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 3.1.0

      • Updated ECS version to 9.3.0

      • Enhanced AI Analyst event processing to include "informational" category for alert generation

      • Improved model breach event processing to use Vendor.model.category instead of Vendor.category for alert determination

      • Enhanced severity mapping for model breach events with improved priority-based scoring (1-5 scale)

      • Fixed event.risk_score assignment to occur before conditional processing

      • Improved code formatting and conditional logic structure

      • Enhanced regex patterns for email attachment hash processing

      For more information, see Package darktrace/detect Release Notes.

    • cloudflare/zerotrust has been updated to v2.2.1.

      • Fixed WAF alert generation logic to trigger when severity >= 50 (previously <= 50)

      • Updated parser version to 4.2.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • cisco/ise has been updated to v2.0.7.

      • Improve consistency for log.level parsing

      • Add support for connection failure events

      • Updated parser version to 3.0.7

      For more information, see Package cisco/ise Release Notes.

    • everpure/flasharray has been updated to v1.0.6.

      • Updated vendor name from Pure Storage to Everpure across all package components

      • Updated manifest author information to reflect Everpure branding

      For more information, see Package everpure/flasharray Release Notes.

    • cisco/ise has been updated to v2.0.6.

      • Enhanced network field mapping with improved source, destination, client, server, and host field assignments

      • Restructured IP address and domain handling for better network topology representation

      • Added host.ip[] and host.mac[] arrays for endpoint authentication tracking

      • Improved MAC address formatting with standardized uppercase and hyphen format

      • Updated ECS version to 9.3.0

      • Updated parser version to 3.0.6

      • Updated CPS version to 1.2.0

      • Enhanced user.email field with lowercase normalization

      • Fixed event.type assignment for profiler event code 80003 from "error" to "info"

      • Minor code formatting improvements and indentation fixes

      For more information, see Package cisco/ise Release Notes.

    • fortinet/fortigate has been updated to v2.4.0.

      • Added FortiSwitch device detection based on devname prefix (FSW)

      • Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller

      • Added FortiSwitch-specific field mappings for MAC address learned on switch port

      • Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"

      • Updated parser version to 5.3.0

      For more information, see Package fortinet/fortigate Release Notes.