Falcon LogScale 1.97.0 GA (2023-07-04)
| Version? | Type? | Release Date? | Availability? | End of Support | Security Updates | Upgrades From? | Config. Changes? |
|---|---|---|---|---|---|---|---|
| 1.97.0 | GA | 2023-07-04 | Cloud | 2024-08-31 | No | 1.44.0 | No |
Available for download two days after release.
Bug fixes and updates.
Advance Warning
The following items are due to change in a future release.
Installation and Deployment
Support for running on Java 11, 12, 13, 14, 15 and 16 will be removed by the end of September 2023.
New features and improvements
Security
All view permission tokens created from now on will not be able to run queries based on the user who created it (legacy behavior due to user requirement for queries). They will however be able to run queries on behalf of the organization given the right permissions.
Existing view permission tokens and the resources (scheduled searches, alerts, etc.) are unaffected by this change. For any view permission tokens created after this change, the scheduled searches, alerts, etc. created using these tokens, will run based on the organization instead of the user who created the token.
This addresses the issue where, for example, alerts created using a view permission token would fail to run if the user who created the token was removed from the organization or if the permissions needed to run the alert was removed from the user. With the new behaviour the alert will continue working even though the user is removed or looses the required permissions to run the alert.
Migration from the legacy Organization Shared Dashboard IP filter to the Dashboard Security Policies for sharing dashboards will be done by Creating an IP Filter corresponding to the old filter. If the migration can be performed, this IP Filter will be set on all shared dashboards and set as the Shared Dashboard IP filter Security Policy for the organization. If migration cannot be done, a notification will be displayed to the organization owner explaining how to complete the migration manually. Migration cannot be done when there is a shared Dashboard that has an IP filter other than the legacy Organization Shared Dashboard IP filter.
Introducing organization query ownership, permission tokens and organization level security policies features.
For more information, see Organization Owned Queries, Repository & View Permissions, Security Policies.
UI Changes
Organization and system level permissions can now be handled through the UI.
Automation and Alerts
More attributes have been added to Filter alerts:
Filter alerts will now be able to catch up with up to 24 hours of delay (ingest delays + delays in actions).
Filter alerts will now trigger on events that are unavailable for up to 10 minutes due to query warnings.
For more information, see Filter Alerts.
A new / option has been added for Alerts and Scheduled Searches.
For more information, see Managing Alerts.
GraphQL API
A GraphQL API has been added to read the current tag groupings on a repository.
For more information, see repository() .
Configuration
The following configuration parameters have been added:
FILTER_ALERTS_MAX_CATCH_UP_LIMITto set how long back filter alerts will be able to catch up with delays.FILTER_ALERTS_MAX_WAIT_FOR_MISSING_DATAto set for how long filter alerts will wait for query warnings about missing data to disappear.
The following configuration parameters for storage concurrency are now deprecated:
GCP_STORAGE_UPLOAD_CONCURRENCYGCP_STORAGE_DOWNLOAD_CONCURRENCY
They are replaced by new variables:
If unassigned, the new variables will populate with the largest value from the deprecated variables, until these are removed.
Dashboards and Widgets
When clicking on a dashboard widget, the query will now use the live setting of the dashboard. Also, parameter values are carried over.
For more information, see Manage Widgets.
Log Collector
Quick filters have been added on
Fleet Overview(Status and Config) and onConfig overview(Status) pages.For more information, see Falcon Log Collector Manage your Fleet.
Other
Tag groupingspage is now available under the repository Settings tab to see the tag groupings which are currently in use on a repository.
Fixed in this release
Automation and Alerts
Filter alerts with a query ending with a comment would not run. This issue has now been fixed.
Ingestion
A 500 status code was issued when ingesting to
/api/v1/ingest/jsonwith no assigned parser. It now ingests the rawstring.
Dashboards and Widgets
The rendering of JSON in the
Event Listwidget is now faster and consumes less memory.When using the
sort()function with theBar Chartwidget, it would only stay sorted for a while. The issue has been fixed and it now remains sorted in the same order as the underlying data.