Falcon LogScale 1.246.1 LTS (2026-07-17)

Version?Type?Release Date?Availability?End of SupportSecurity UpdatesUpgrades From?Downgrades To?Config. Changes?
1.246.1LTS2026-07-17

Cloud

On-Prem

2027-07-31Yes1.177.01.177.0No

Hide file download links

Show file download links

Hide file hashes

Show file hashes

These notes include entries from the following previous releases: 1.246.0, 1.245.0, 1.244.0, 1.243.0, 1.242.0, 1.241.0

Bug fixes and updates.

Advance Warning

The following items are due to change in a future release.

  • Installation and Deployment

    • We are decommissioning the the Nexus server used to host Java-based LogScale installation binaries, with a tentative decommission date of August 14, 2026. To download Java-based LogScale installers, please send a request to logscalesuccess@crowdstrike.com to obtain a username & API token, which are required to download from our new distribution platform.

Removed

Items that have been removed as of this release.

GraphQL API

  • The deprecated enum value filteralert has been removed from the LanguageVersionEnum enum in the GraphQL API.

  • The GraphQL mutation removeSizeBasedRetentionForAllOrganizations has been removed. This mutation was previously deprecated and scheduled for removal in version 1.201.

Configuration

  • The deprecated environment variable EXTRA_KAFKA_CONFIGS_FILE has been removed. LogScale will now refuse to start if this environment variable is configured.

    The following environment variable prefixes are available for configuring each Kafka client individually:

    In addition, KAFKA_COMMON_ can be used to pass configuration to all clients, though settings configured using the client-specific prefixes take precedence when a setting is present with both prefixes.

    Kafka configuration options such as request.timeout.ms can be passed with these prefixes using the following rewrite procedure:

    1. Enter the option name in all uppercase - for example: REQUEST.TIMEOUT.MS.

    2. Replace . with _ - for example: REQUEST_TIMEOUT_MS.

    3. Apply the prefix for the target client - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS.

    4. Pass the configuration option as an environment variable to LogScale on boot - for example: KAFKA_INGEST_QUEUE_CONSUMER_REQUEST_TIMEOUT_MS=30000.

    Configuration previously passed via EXTRA_KAFKA_CONFIGS_FILE can be migrated to environment variables using the procedure above, using the KAFKA_COMMON_ prefix.

Deprecation

Items that have been deprecated and may be removed in a future release.

  • The following manuals have been moved to the archives:

  • The GraphQL field queryToRead in the query poll response has been deprecated and will be removed in version 1.258.

    Users that require table data for a subquery should use the tableName query parameter on the poll endpoint instead. This serves cached data rather than creating a new query based on the queryToRead string.

  • The userId parameter for the updateDashboardToken GraphQL mutation has been deprecated and will be removed in version 1.273.

  • rdns() has been deprecated and will be removed in version 1.249. Use reverseDns() as an alternative function.

Behavior Changes

Scripts or environment which make use of these tools should be checked and updated for the new configuration:

  • GraphQL API

    • After an organization is soft deleted using the removeOrganization mutation, you can now only call the following mutations on that organization:

      Previously, you could call any mutation on a soft-deleted organization.

Upgrades

Changes that may occur or be required during an upgrade.

  • Security

    • Upgraded the dependency Jackson to version 2.21.3 to address a denial of service vulnerability.

      See their documentation here: Jackson: GitHub

    • Upgraded Netty to version 4.2.13 to address a number of security vulnerabilities. See Netty project for more information about Netty.

  • User Interface

    • The LogScale UI time zone database has been updated to the Internet Assigned Numbers Authority (IANA) 2026b release.

New features and improvements

  • Security

  • User Interface

    • Unicode control characters (C0, C1, and DEL) are now rendered as visible placeholders in the Event List, improving visibility of data that contains these previously invisible characters.

  • Automation and Triggers

    • The new Interval option has been added as an alternative to cron expressions or simple scheduling frequency for scheduled reports. This new option uses Relative Time Syntax modifiers (for example, @every 3h) allowing scheduled reports to run at regular intervals.

      For more information, see Create Scheduled Reports.

    • Email actions now support dynamic recipients using message templates. Most templates available in email subjects and bodies can also be used in the recipients list, including field references such as {field:fieldName} that resolve from event data at trigger time. Templates can constitute the entire recipient address (for example, {field:email}) or be embedded within an email address (for example, {field:username}@crowdstrike.com or {name}@example.com). This enables sending notifications directly to users referenced in log events, such as notifying a user whose login failed. Static and dynamic recipients can be mixed freely.

      Templates that produce large or multi-line output (such as {events}, {events_html}, or {url}) are not permitted in recipients. For filter alerts, which trigger on a single event, the recipient is calculated from that event. For other alert types, the recipient is calculated from the first event only, which may be problematic if events have different values for the field referenced in the recipient template.

      Warning: when using field references, ensure the query is scoped so that recipients only receive events relevant to them.

      For more information, see Dynamic Email Recipients.

  • GraphQL API

    • Added the new GraphQL endpoint removeFeatureOptInForAllOrgs. This endpoint allows cluster owners to remove feature flag opt-ins at the organization level for all organizations in the cluster for a specific feature flag.

      This simplifies cleanup after a feature flag rollout process that involved first enabling the feature flag on a subset of organizations before enabling it globally on the cluster.

    • The GraphQL field metadataEndpointUrl has been added to the SamlIdentityProvider output type in the GraphQL API. This field makes it possible to verify whether the GraphQL field metadataEndpointUrl is set correctly after creating or updating a SAML Identity Provider.

  • API

    • An endpoint has been added to force a parser to recompile on a given node at /api/v1/invalidateParser. This endpoint requires the ManageCluster permission.

    • Added an ingest status endpoint at /api/v1/status/ingest. This endpoint exposes a node's ability to receive and handle incoming ingest requests.

      In the future, this endpoint will be used to signal whether all conditions necessary for ingesting have been met for recently-started nodes, such as whether lookup files have been synchronized. At present, no such conditions have been implemented and the endpoint always responds with 200 OK.

    • The following endpoint has been added:

      POST /api/v1/repositories/{repo}/queryjobs/{id}/newclient

      This endpoint creates a new client for an existing query, allowing multiple independent consumers to poll the same query session.

  • Functions

    • Added the new function appendAggregation(), which appends an aggregation of the preceding events to the end of the current result set. This allows query results to be appended with an aggregate summary such as totals, averages, and more.

      The following example demonstrates the function:

      logscale
      head() | appendAggregation({ sum(value, as="value") | event:="total"})

Fixed in this release

  • Security

    • Fixed an issue where BitBucket social login was failing due to Atlassian's CHANGE-3052 deprecation. BitBucket now requires OAuth2 access tokens to be sent as a Bearer token in the Authorization header rather than as a query parameter. This issue has now been resolved.

    • Fixed an issue where a race condition caused the ability for permission assignments to be created for groups that had already been deleted.

    • A discrepancy regarding organization name validation has been fixed. Previously, names could contain special characters and HTML tags when creating an organization. However, when updating said organization, stricter validation was applied that disallowed those characters and tags. The validation logic for creating and updating operations has now been properly aligned.

      Note

      Organization names can still contain the characters < and >.

  • Administration and Management

    • Fixed an issue where removing a node using the Cluster administration menu, with the REST endpoint DELETE /api/v1/clusterconfig/members/<node_id>, or with GraphQL API using the mutation clusterUnregisterNode could lead to data loss, even when the flag force/accept-data-loss was not set.

      A validation step has also been added that ensures data is properly replicated before allowing node removal, which may slightly slow the operation.

      The fix can be disabled via the feature flag RefreshClusterManagementStatsInUnregisterNode, which is scheduled for removal in version 1.252. If issues arise that lead to the need to disable the feature flag, inform support.

      For more information, see Best Practice: Contacting Support.

  • User Interface

    • Fixed an issue where syntax highlighting in the Query Editor could sometimes fail on large queries.

    • Fixed an issue where recalling a recent query would incorrectly display results as an event list instead of auto-selecting the appropriate visualization.

  • GraphQL API

    • Fixed an issue where saved queries could be created without a name, making them impossible to display in the UI. The name field in the GraphQL mutation createSavedQuery is now validated, and will fail when the value is empty or contains invalid characters.

    • Fixed an issue where the GraphQL argument metadataEndpointUrl was not persisted when provided to the GraphQL mutation updateSamlIdentityProvider.

  • Storage

    • Fixed an issue with bucket upload logic that in rare cases was causing the loss of lookup files during upload. This same issue also caused lookup file uploads to be slower than expected due to unintentional throttling.

    • Fixed an issue where auxiliary files with no local segment were not included when calculating disk usage. Previously, the files would appear as system data for a node in the Cluster Overview page, when they are in fact LogScale data. As a result, the node would be able to fetch an auxiliary file without fetching the corresponding segment file as a valid part of execution.

    • Fixed an issue that could cause bucket storage uploads to throttle unnecessarily when lookup files were being deleted while LogScale attempted to upload them to bucket storage. LogScale was incorrectly treating this as an upload failure, causing exponential backoff to activate.

    • Fixed an issue where in rare cases, events would be serialized into blocks incorrectly, leading to one or more fields becoming unreadable.

  • Ingestion

    • A regression introduced in version 1.237 for parsers has been fixed. Previously, parsers were failing with the error message Parser failed with exception com.humio.jitrex.RegexCancelledException" despite previously operating above the timeout limit.

    • Fixed an issue where updating lookup files with more than one key column could cause an error that was reported to the user as an internal server error.

    • Digest partition assignment to hosts is now uniform across the partition range to avoid hotspots.

  • Dashboards and Widgets

    • The legend ordering for stacked bar charts now follows the order of the stack itself.

      For more information, see Bar Chart Widget.

  • Queries

    • Anchoring in regular expressions would produce incorrect prefilters. Specifically, this affected the $ anchor, which may optionally match a line terminator unless the multi-line flag is enabled. The resulting prefilter would incorrectly require anchoring at the end of the input, causing some valid values to be erroneously filtered out. This issue has now been resolved.

    • Fixed an issue in the Regular Expression Engine v2 where end-of-string anchors were not applied correctly in all cases, which could lead to incorrect query results.

    • Fixed an issue where, in rare cases, queries could go missing when reusing query sessions and submitting identical queries close together, causing a race condition.

    • Fixed an issue in the query scheduler where segments were not correctly closed when the feature flag AllowQuerySchedulerToBailOnSlowChunks was enabled, leading to occasional query starvation.

  • Auditing and Monitoring

    • An issue has been fixed where audit log entries exceeding 16KB would be truncated with an ellipsis character (...), causing the resulting JSON to be unparseable. The maximum string length for audit log JSON output has also been increased to 900KB.

  • Functions

    • The query function series() now correctly respects query memory limits.

    • The parseLEEF() function now correctly adds error messages to the @error_msg[] field when failing to parse. This aligns error reporting with other parse functions.

    • The parseCEF() function now correctly adds error messages to the @error_msg field when parsing fails, aligning error reporting with the behavior of other functions.

    • The sankey() function now displays a more specific warning when the number of source-target flows exceed the limit, instead of showing the more generic groupBy() function limit warning.

    • Fixed an issue with the correlate() function, where using the parameter jitterTolerance in conjunction with the sequence parameter being set to true could cause events falling within the jitter tolerance window but slightly out of timestamp order to be incorrectly excluded from results.

      correlate() now also supports jitterTolerance together with sequenceBy, provided the first field in sequenceBy is @timestamp or @ingesttimestamp. Previously, jitterTolerance could only be used with default sequencing. The jitter tolerance is applied to the first timestamp field, and any additional sequenceBy fields act as tiebreakers.

    • Fixed an issue where a recent feature that introduced the ability to look up files in other views using the syntax readFile(file://<path>), and to look up files in packages in other views using the syntax readFile("file://<otherview>/<scope>/<package>:<filename>") was not implemented for files served externally.

    • Fixed an issue with the correlate() function, where selective scanning would incorrectly influence the decision process for pipeline actions in cases where no data was available. Queries with one or more pipelines that contain zero matches in their segments will now finish much more quickly.

Known Issues

  • Storage

    • For clusters using secondary storage where the primary storage on some nodes in the cluster may be getting filled (that is, the storage usage on the primary disk is halfway between PRIMARY_STORAGE_PERCENTAGE and PRIMARY_STORAGE_MAX_FILL_PERCENTAGE), those nodes may fail to transfer segments from other nodes. The failure will be indicated by the error java.nio.file.AtomicMoveNotSupportedException with message "Invalid cross-device link".

      This does not corrupt data or cause data loss, but will prevent the cluster from being fully healthy, and could also prevent data from reaching adequate replication.

Improvement

  • Security

    • The default example text provided when setting up IP filters has been updated and deduplicated.

  • User Interface

    • The saved searches filter now matches against labels in addition to the search name.

    • Collapsible sections have been added to the parser extensions view in the Parser editor.

    • Recent queries are now saved after the first results arrive rather than immediately after a search is initiated. This allows the system to correctly determine whether to store the current widget type for manually selected visualizations, or omit it for auto-detected visualizations, ensuring recalled queries display with the correct visualization.

  • Automation and Triggers

    • Labels are now one of the elements exported when exporting Amazon S3 actions to templates or packages. However, the field useProxyOption is no longer exported, in an effort to align consistently with other action types.

      For more information, see Action Type: S3.

    • Trigger errors and warnings are now shown and can be cleared regardless of whether the trigger is enabled or disabled.

      For more information, see Triggers.

  • GraphQL API

    • The GraphQL query analyzeQuery now supports a new query kind for scheduled searches.

  • Storage

    • A new environment variable, S3_STORAGE_STREAM_IDLE_TIMEOUT_SECONDS, has been introduced. The environment variable ensures that if an Amazon S3 provider fails to send any data for the configured time duration, the transfer is aborted instead of hanging indefinitely and blocking other transfers from being scheduled. When using this variable, it's important to note the following:

      • If not defined, the default duration value is 180 seconds.

      • This environment variable controls the stream idle timeout for both upload and download times.

      • While the timeout mechanism was already in place for S3 upload, it was not previously present for S3 download.

    • Segment fetches that perform segment merges and archving now each have the same priority as segment fetches for queries. As a result, they are prioritized on a first-come, first-served basis within this priority level.

      This change helps avoid starvation of segment merges and archiving processes in cases of slow bucket downloads, or large numbers of segment downloads for queries.

  • Configuration

    • The default value for the environment variable QUERY_CACHE_COMPLETE_STATES_MIN_COST has been lowered from 1000 to 100 to make cheaper queries eligible for caching.

    • The following environment variables have been added to control start rate limiting for the query coordinator:

      These environment variables allow for controlling an existing mechanism. No new mechanism is introduced. If these limits are reached, queries are delayed and do not start execution until later.

  • Ingestion

    • Improved the distribution of digest partitions onto nodes. The previous implementation would sometimes cause individual nodes to own clusters of partitions, causing hotspots. The new implementation distributes partitions across available nodes without this type of clustering.

  • Queries

    • Scheduled searches no longer start immediately when due to run. Instead, all scheduled searches due to start within a given minute are staggered over that minute, smoothing out the load on the query engine and improving overall query performance.

      For more information, see Automatic distribution within each minute.

    • LogScale's Search UI now populates events in subquery Table tabs using a direct lookup in the table used by the query. As a result, the subquery table tab is now populated with a single request, increasing its speed significantly.

      For more information, see Display tabs.

    • Added an optimization for OR character predicates in the Regular Expression Engine v2. Regexes such as the following are now significantly faster:

      regex
      [ab]{4}
      regex
      [Ee]xecution|[Mm]alware

      For more information, see Operators.

    • Added an optimization for case-insensitive regexes in the Regular Expression Engine v2. Many case-insensitive regexes are now up to approximately 30% faster than before.

    • Added an optimization for case-insensitive searching in the Regular Expression Engine v2. This optimization applies to most regular expressions containing a sequence of characters. For example, case-insensitive regular expressions such as /Twain/ and /(Tom|Sawyer|Huckleberry|Finn)/ are now up to twice as fast.

    • Segment reading has been optimized for certain scenarios, primarily where events contain a larger number of fields.

    • The fields organizationId and userId have been added to the query ended logs generated on query workers when part of a query completes.

    • Queries that filter on the event ID field @id using a malformed value now immediately returns no results, instead of scanning for events that could never match.

      If a malformed value appears alongside one or more valid values (for example in an or expression of several @id values), only the invalid value is dropped; the valid values still resolve directly to their respective events.

  • Fleet Management

    • The Fleet Management configuration editor has been upgraded and is now based on the extensible code editor CodeMirror. This improves page loading times across LogScale and NG-SIEM, and includes the following improvements:

      • Ingest tokens are hidden in the editor until actively selected.

      • Visual warnings are displayed for unused sinks.

      Note

      Auto-completion with all required fields automatically added is currently not available in the new editor.

    • The humio-fleet system repository is now created by default, both for newly created organizations and for existing organizations.

      Previously, this repository was only created on demand the first time Fleet Management ingested data from a log shipper, meaning organizations that did not use Fleet Management never had it. As a result of this change, a humio-fleet repository will appear in every organization regardless of whether Fleet Management is in use. The repository retains data for 30 days by default.

  • Metrics and Monitoring

    • Three new utilization percentage fields have been added to the same logs that record queryCostPerMs:

      • queryUtilizationPercentage - approximates CPU time spent on the query as a percentage of worker capacity.

      • userUtilizationPercentage - approximates CPU time spent on the user's queries as a percentage of worker capacity.

      • orgUtilizationPercentage - approximates CPU time spent on the organization's queries as a percentage of worker capacity.

      These fields approximate how much CPU time is being spent within the time interval denoted by the corresponding queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. As the boundaries of this interval are approximate, it is possible for the utilization percentage to exceed 100%.

    • Added the query and live-reduce thread pools to the thread-pool-queue-size metric.

    • New logging fields have been added to make it easier to determine how much cost per millisecond a query is accumulating, as well as how much cost per millisecond the associated user and organization are accumulating across all their queries.

      The new fields are logged on query workers and measure cost per millisecond for the query, user, and organization respectively:

      • queryCostPerMs - cost per millisecond for the query.

      • userCostPerMs - cost per millisecond for the user across all their queries.

      • orgCostPerMs - cost per millisecond for the organization across all their queries.

      The time interval covered by each measurement is denoted by the queryCurrentTimespanMs, userCurrentTimespanMs, and orgCurrentTimespanMs fields. The interval can be controlled using the new QuerySchedulerCostMetricsLoggingIntervalSeconds dynamic configuration parameter, which defaults to 30 seconds.

      These fields are logged periodically when a measurement interval ends while a query is running, and are also included in the "Query Ended" logs produced by the worker.

  • Functions

    • The query function stdDev() has been improved:

      • An issue has been fixed that caused the function to crash in an extreme corner case.

      • Overall performance of the function has been improved.

      • A new algorithm has been introduced that handles smaller relative deviations with greater ease. This algorithm may produce slightly different results than before. However, under normal circumstances the change amounts to less than 1 parts per million (ppm).

    • The function redactEvents() has been updated to account for internal query result caches. Redaction tasks will now only finish once query caches that may contain the redacted event have reached their maximum time to live, ensuring that such events will not temporarily appear due to results being served from the cache.

    • Two improvements previously gated by cluster version for the correlate() function are now enabled by default, including for multi-cluster search scenarios where the minimum version is unknown:

      • The time bucket boundary off-by-one millisecond fix, previously applied only when all nodes in the cluster were running at least version 1.238.

      • Selective scanning, previously used only when all nodes in the cluster were running at least version 1.239.

Recent Package Updates

The following LogScale packages have been updated within the last month.

  • Package Changes

    • aruba/clearpass has been updated to v1.4.1.

      • Added support for log4j format parsing with new regex pattern

      • Updated parser version to 3.0.1

      • Updated ECS version to 9.3.0 and CPS version to 1.2.0

      For more information, see Package aruba/clearpass Release Notes.

    • fortinet/fortigate has been updated to v2.3.4.

      • Enhanced CEF parsing to handle optional angle brackets in syslog priority field

      • Improved Vendor.type assignment logic for numeric cat values to use subtype instead

      • Added catch-all case to prevent field dropping in event categorization

      • Enhanced wireless event categorization with dedicated network connection handling

      • Added comprehensive wireless action outcome mapping for success/failure determination

      • Improved observer.serial_number field mapping to include Vendor.sn field

      • Added message field mapping from Vendor.msg for all events

      • Moved message field assignment outside of alert-specific logic for broader coverage

      • Updated parser version to 5.2.0 and ECS version to 9.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • everpure/flashblade has been updated to v1.2.0.

      • Added support for GUI and CLI session logs (purity.guisession and purity.clisession)

      • Enhanced heartbeat message parsing for system monitoring

      • Improved source address handling with IP/domain classification

      • Updated ECS version to 9.3.0

      • Enhanced regex patterns for better alert message parsing

      • Added session authentication event categorization

      For more information, see Package everpure/flashblade Release Notes.

    • dell/isilon has been updated to v1.3.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 1.2.0

      • Added support for Dell Isilon API audit logs parsing

      • Enhanced regex pattern matching to handle both SMB protocol logs and API request logs

      • Added HTTP request method and response status code field mappings

      • Added JSON parsing for API request arguments

      • Enhanced user ID mapping with coalesce function for multiple source fields

      • Enhanced client IP mapping with coalesce function for multiple source fields

      • Added event outcome determination based on HTTP response status codes

      For more information, see Package dell/isilon Release Notes.

    • cisco/meraki has been updated to v2.0.1.

      • Updated ECS version to 9.3.0 and CPS version to 1.2.0

      • Added support for anyconnect_vpn_auth_success event type with IP and port extraction

      • Improved kvParse operation for type= format logs with explicit separator parameter

      • Reordered event type parsing logic for better pattern matching efficiency

      For more information, see Package cisco/meraki Release Notes.

    • everpure/flasharray has been updated to v1.0.5.

      • Added new regex pattern for enhanced audit log parsing with support for command structure extraction

      • Enhanced observer.hostname field mapping to use coalesce function for better field population

      • Added event.id field mapping from Vendor.MessageID for improved event tracking

      • Updated parser version to 2.0.4

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      For more information, see Package everpure/flasharray Release Notes.

    • cisco/firepower has been updated to v2.0.0.

      • Updated parser version to 5.0.0

      • Updated CPS version to 1.2.0

      • Updated ECS version to 9.3.0

      • Enhanced parsing for event codes 109201, 109207, 109210 with improved server address extraction and consistency with ASA format

      • Enhanced parsing for event code 113019 with additional vendor fields for group, session type, and network bytes calculation

      • Enhanced parsing for event codes 11300*, 11301* with improved server address, client NAT IP, and user extraction

      • Enhanced parsing for event codes 302013, 302015 with improved connection ID handling and username extraction from message end

      • Enhanced parsing for event code 302014 with corrected source/destination mapping based on connection initiator/target semantics

      • Enhanced parsing for event code 302016 with improved connection ID extraction and user closure reason parsing

      • Enhanced parsing for event code 302021 with event action extraction and network transport assignment

      • Enhanced parsing for event code 502103 with improved user privilege parsing and IAM categorization

      • Enhanced parsing for event codes 609001, 609002 with additional event action and destination address extraction

      • Enhanced parsing for event code 722051 with corrected field mapping for client NAT IP

      • Added support for event code 733100 with rate limiting and intrusion detection categorization

      • Added support for event code 746015 with DNS protocol parsing and question/answer extraction

      • Enhanced parsing for event code 746016 with improved DNS lookup failure parsing

      • Enhanced parsing for event codes 750001, 750002, 750006, 750007 with network configuration categorization

      • Added support for event code 750003 with network authentication failure categorization

      • Enhanced parsing for event code 751002 with improved authentication failure categorization and error message extraction

      • Added event.code field assignment from vendor mnemonic

      • Added event.reason field consistency logic to ensure availability across ASA and FTD events

      For more information, see Package cisco/firepower Release Notes.

    • rubrik/security-cloud has been updated to v1.1.3.

      • Enhanced timestamp parsing to support additional precision formats

      • Updated parser version to 1.1.3

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.2.0

      For more information, see Package rubrik/security-cloud Release Notes.

    • cisco/ios has been updated to v1.10.0.

      • Added new regex pattern to handle logs with sequence numbers and timestamps in format: &lt;priority&gt;message_count: sequence: timestamp: %facility-severity-eventcode: message

      • Added support for multiline message fragments that start with multiple spaces and lack proper IOS facility headers

      • Enhanced timezone handling to respect data connector timezone selection over parser-defined timezone mappings

      • Fixed IST timezone timestamp parsing to support optional milliseconds format

      • Improved LOGOUT event parsing to handle optional source address in parentheses

      • Updated parser version to 2.10.0

      For more information, see Package cisco/ios Release Notes.

    • juniper/srx has been updated to v1.5.4.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format to handle optional space padding

      • Updated parser version to 3.0.3

      For more information, see Package juniper/srx Release Notes.

    • cisco/umbrella has been updated to v1.4.3.

      • Updated parser version to 3.0.3

      • Enhanced DLP logs parsing with improved URL handling using parseUri function

      • Added url.original field mapping for DLP traffic logs

      • Improved destination.domain field extraction for better URL parsing accuracy

      For more information, see Package cisco/umbrella Release Notes.

    • darktrace/detect has been updated to v2.1.0.

      • Updated CPS version to 1.2.0

      • Updated parser version to 3.1.0

      • Updated ECS version to 9.3.0

      • Enhanced AI Analyst event processing to include "informational" category for alert generation

      • Improved model breach event processing to use Vendor.model.category instead of Vendor.category for alert determination

      • Enhanced severity mapping for model breach events with improved priority-based scoring (1-5 scale)

      • Fixed event.risk_score assignment to occur before conditional processing

      • Improved code formatting and conditional logic structure

      • Enhanced regex patterns for email attachment hash processing

      For more information, see Package darktrace/detect Release Notes.

    • juniper/srx has been updated to v1.5.3.

      • Fixed timestamp parsing format for single-digit day values in BSD syslog format

      • Updated parser version to 3.0.2

      • Updated CPS version to 1.2.0

      For more information, see Package juniper/srx Release Notes.

    • everpure/flashblade has been updated to v1.2.1.

      • Updated vendor name from Pure Storage to Everpure across all package components

      • Updated manifest author information to reflect Everpure branding

      For more information, see Package everpure/flashblade Release Notes.

    • cisco/ise has been updated to v2.0.6.

      • Enhanced network field mapping with improved source, destination, client, server, and host field assignments

      • Restructured IP address and domain handling for better network topology representation

      • Added host.ip[] and host.mac[] arrays for endpoint authentication tracking

      • Improved MAC address formatting with standardized uppercase and hyphen format

      • Updated ECS version to 9.3.0

      • Updated parser version to 3.0.6

      • Updated CPS version to 1.2.0

      • Enhanced user.email field with lowercase normalization

      • Fixed event.type assignment for profiler event code 80003 from "error" to "info"

      • Minor code formatting improvements and indentation fixes

      For more information, see Package cisco/ise Release Notes.

    • everpure/flasharray has been updated to v1.0.6.

      • Updated vendor name from Pure Storage to Everpure across all package components

      • Updated manifest author information to reflect Everpure branding

      For more information, see Package everpure/flasharray Release Notes.

    • cisco/ise has been updated to v2.0.7.

      • Improve consistency for log.level parsing

      • Add support for connection failure events

      • Updated parser version to 3.0.7

      For more information, see Package cisco/ise Release Notes.

    • cloudflare/zerotrust has been updated to v2.2.1.

      • Fixed WAF alert generation logic to trigger when severity >= 50 (previously <= 50)

      • Updated parser version to 4.2.1

      • Updated ECS version to 9.3.0

      • Updated CPS version to 1.2.0

      For more information, see Package cloudflare/zerotrust Release Notes.

    • fortinet/fortigate has been updated to v2.4.0.

      • Added FortiSwitch device detection based on devname prefix (FSW)

      • Added FortiSwitch-specific event subtypes: link, poe, spanning_tree, switch, switch_controller

      • Added FortiSwitch-specific field mappings for MAC address learned on switch port

      • Standardized event.module to "fortigate", observer.type to "firewall", and observer.product to "fortigate"

      • Updated parser version to 5.3.0

      For more information, see Package fortinet/fortigate Release Notes.

    • f5networks/bigip has been updated to v3.1.1.

      • Updated ECS version to 9.3.0 and Parser version to 4.0.1

      • Enhanced HTTP request parsing for ASM events with improved regex extraction for request content

      • Fixed HTTP request body content extraction to properly parse content portion from request data

      • Added HTTP request MIME type field mapping from Content-Type header

      • Corrected HTTP request referrer field mapping to use proper vendor field

      • Improved authentication failure parsing with more specific regex pattern for user extraction

      • Fixed indentation and formatting issues in audit event processing section

      For more information, see Package f5networks/bigip Release Notes.