| 1 | +[[release-notes-header-8.4.0]] |
| 2 | +== 8.4 |
| 3 | + |
| 4 | +[discrete] |
| 5 | +[[release-notes-8.4.0]] |
| 6 | +=== 8.4.0 |
| 7 | + |
| 8 | +[discrete] |
| 9 | +[[known-issue-8.4.0]] |
| 10 | +==== Known issues |
| 11 | +* If additional look-back time is set for the advanced query rule preview, alerts from source documents that are outside the preview time frame may not appear in the preview ({pull}137422[#137422]). |
| 12 | +* A new Lucene 9 validation change may cause errors whenever regular expressions are included in EQL queries. This bug affects users who upgrade from {stack} version 7.x to 8.x and are using event correlation rules. To resolve this issue, use triple quotes `""" """` for regular expressions in event correlation rule queries. |
| 13 | +* The Rules page incorrectly displays a notification that an update for prebuilt rules is available even if the rules have been fully updated. Currently, there is no way to remove or hide the notification ({pull}139095[#139095]). |
| 14 | + |
| 15 | +[discrete] |
| 16 | +[[breaking-changes-8.4.0]] |
| 17 | +==== Breaking changes |
| 18 | +// tag::breaking-changes[] |
| 19 | +// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output. |
| 20 | +:pull: {pull} |
| 21 | +There are no breaking changes in 8.4.0. |
| 22 | +// end::breaking-changes[] |
| 23 | + |
| 24 | +[discrete] |
| 25 | +[[features-8.4.0]] |
| 26 | +==== Features |
| 27 | +* Creates a new rule type, New Terms, that creates an alert when a value appears for the first time in a particular field ({pull}134526[#134526]). |
| 28 | +* Adds the Insights section to the Alert details flyout to show related cases and alerts ({pull}136009[#136009], {pull}138419[#138419]) |
| 29 | +* Shows process alerts in the event process analyzer ({pull}135340[#135340]). |
| 30 | +* Adds support for wildcard exceptions for detection rules. New operators are `matches` and `does not match` ({pull}136147[#136147]). |
| 31 | +* Adds a new search query parameter, `dry_run`, to the bulk actions API that allows you to simulate a bulk action without permanently updating rules ({pull}134664[#134664]). |
| 32 | +* Creates the response console, an interface that enables you to take actions on specific hosts ({pull}135360[#135360], {pull}134520[#134520]). |
| 33 | +* Includes integration policy errors and statuses in {fleet} and {elastic-sec} to help troubleshoot when an {agent} has an `Unhealthy` status ({pull}136241[#136241], {pull}136038[#136038]). |
| 34 | +* Adds Attack surface reduction protections feature to reduce vulnerabilities on Windows endpoints. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory. |
| 35 | +* Adds an endpoint self-healing feature to roll back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. |
| 36 | +* Adds the ability to run query packs as live queries ({pull}132198[#132198]). |
| 37 | +* Provides support for process, file, and network events in Kubernetes. You must enable the session view data setting on your {endpoint-cloud-sec} integration policy to enrich these events with session data and Kubernetes metadata fields. |
| 38 | + |
| 39 | +[discrete] |
| 40 | +[[bug-fixes-8.4.0]] |
| 41 | +==== Bug fixes and enhancements |
| 42 | +* Updates the Network page's UI to match the Hosts and Users pages ({pull}137541[#137541], {pull}136913[#136913]). |
| 43 | +* Improves the experience of bulk editing index patterns on rules by warning users early that machine learning rules can’t be edited ({pull}134664[#134664]). |
| 44 | +* Enhances rule previews with configurable rule intervals and look-back times ({pull}137102[#137102]). |
| 45 | +* Enhances the `status pending` badge for endpoint actions with a detailed status when you hover on it ({pull}136966[#136966]). |
| 46 | +* Turns grouped navigation on by default ({pull}136819[#136819]). |
| 47 | +* Improves the experience of bulk exporting rules by informing users early which rules can and cannot be exported ({pull}136418[#136418]). |
| 48 | +* Adds index pattern information to the Inspect panel ({pull}136407[#136407]). |
| 49 | +* Adds a custom dashboards table to the Dashboards page ({pull}136221[#136221], {pull}136671[#136671]). |
| 50 | +* Fixes a performance issue with creating alerts from source documents that contain a large number of fields ({pull}135956[#135956]). |
| 51 | +* Updates the rule exceptions UI ({pull}135255[#135255]). |
| 52 | +* Fixes performance issues with rules management ({pull}135311[#135311]). |
| 53 | +* Allows you to disable `@timestamp` as a fallback timestamp field when you've defined a timestamp override ({pull}135116[#135116]). |
| 54 | +* Enhances the host risk score UI ({pull}133708[#133708]). |
| 55 | +* Updates the lists index template to use new logic ({pull}133067[#133067]). |
| 56 | +* Adds event filters to event correlation rules ({pull}132507[#132507]). |
| 57 | +* Allows you to define a data view as the rule's data source, making runtime fields available for rule configuration ({pull}130929[#130929]). |
| 58 | +* Creates a single visualization pane on the Alerts page, and adds a treemap visualization that shows the distribution of alerts as nested, proportionally-sized tiles ({pull}126896[#126896]). |
| 59 | +* Fixes an incorrect counter for exported rules ({pull}138598[#138598]). |
| 60 | +* Fixes event filters based on OS version ({pull}138517[#138517]). |
| 61 | +* Fixes a bug that could change the batch size for event search in indicator rules ({pull}138356[#138356]). |
| 62 | +* Fixes a bug that prevented users from accessing alert details if they didn't have the appropriate privileges to view the internal index `.internal.alerts-security.alerts-spaceId`. Now, the Alert details flyout correctly uses the public alias index `.alerts-security,akerts-spaceId` ({pull}138331[#138331]). |
| 63 | +* Fixes the preview button for {ml} rules ({pull}137878[#137878]). |
| 64 | +* Fixes a bug that could crash the Endpoints list when a policy ID was missing ({pull}137788[#137788]). |
| 65 | +* Fixes a bug that could interfere with opening host or user details pages ({pull}137719[#137719]). |
| 66 | +* Fixes several bugs related to refreshing the Alerts page ({pull}137620[#137620]). |
| 67 | +* Fixes a bug that prevented threshold rules' Timeline templates from being respected during investigations ({pull}137233[#137233]). |
| 68 | +* Fixes a permissions bug related to the **Save Timeline** button ({pull}136724[#136724]). |
| 69 | +* Fixes a bug with selecting Timeline templates with the same name ({pull}135694[#135694]). |
| 70 | +* Fixes field aliases to `signal-threshold_result.*` ({pull}135565[#135565]). |
| 71 | +* Fixes a bug that lost track of which rules you had selected after refreshing the Rules page ({pull}135533[#135533]). |
| 72 | +* Fixes a bug that lost track of which rules you had selected after applying a bulk action on the Rules page ({pull}135291[#135291]). |
| 73 | +* Fixes a bug that prevented the Rules table from pausing auto-refresh while bulk actions were being applied ({pull}135208[135208]). |
| 74 | +* Fixes a bug that could cause queries with nested fields to fail when opened ({pull}134866[#134866]). |
| 75 | +* Fixes a bug that slowed down the display of network details ({pull}133539[#133539]). |
| 76 | +* Various minor bug fixes and enhancements ({pull}133079[#133079], {pull}138135[#138135], {pull}137588[#137588], {pull}137511[#137511], {pull}137492[#137492], {pull}135907[#135907], {pull}135426[#135426]). |
| 77 | +* Fixes an {endpoint-cloud-sec} bug on macOS and Linux that could cause CPU spikes if malware protection is enabled on an {endpoint-cloud-sec} integration policy (https://github.com/elastic/endpoint/issues/22[#22]). |
| 78 | +* Fixes a bug that could cause {endpoint-cloud-sec} to crash when outputting log data to {ls}. |
| 79 | +* Allows {endpoint-cloud-sec} to be added to agents running on Ubuntu 22.04 and Debian 11. |
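Review bot: The alias name on line 62, `.alerts-security,akerts-spaceId`, looks mistyped: it contains a comma where the surrounding index names use dots and "akerts" where "alerts" is meant. Given that the same bullet names the internal index as `.internal.alerts-security.alerts-spaceId`, the public alias is presumably `.alerts-security.alerts-spaceId`; please confirm against the actual alias before merging, since readers will copy this value into privilege definitions. A few smaller consistency issues in the same hunk: line 73 renders the link as `{pull}135208[135208]`, missing the `#` that every other pull reference uses; line 28 lacks the terminating period the other bullets have; and line 34 would read more naturally as "Adds the Attack surface reduction protections feature to reduce vulnerabilities on Windows endpoints." Lines 34, 35, 78, and 79 also have no pull or issue reference, unlike the rest of the list; if those changes live in a separate repository, a short pointer (as on line 77) would help readers find them.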