elastic · nastasha-solomon · Aug 23, 2022 · Aug 17, 2022 · Aug 17, 2022 · Aug 17, 2022
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.4.0, {elastic-sec} version 8.4.0>>
 * <<release-notes-8.3.3, {elastic-sec} version 8.3.3>>
 * <<release-notes-8.3.2, {elastic-sec} version 8.3.2>>
 * <<release-notes-8.3.1, {elastic-sec} version 8.3.1>>
@@ -24,6 +25,7 @@ This section summarizes the changes in each release.
 :issue: https://github.com/elastic/kibana/issues/
 :pull: https://github.com/elastic/kibana/pull/
 
+include::release-notes/8.4.asciidoc[]
 include::release-notes/8.3.asciidoc[]
 include::release-notes/8.2.asciidoc[]
 include::release-notes/8.1.asciidoc[]

@@ -0,0 +1,79 @@
+[[release-notes-header-8.4.0]]
+== 8.4
+
+[discrete]
+[[release-notes-8.4.0]]
+=== 8.4.0
+
+[discrete]
+[[known-issue-8.4.0]]
+==== Known issues
+* If additional look-back time is set for the advanced query rule preview, alerts from source documents that are outside the preview time frame may not appear in the preview ({pull}137422[#137422]).
+* A new Lucene 9 validation change may cause errors whenever regular expressions are included in EQL queries. This bug affects users who upgrade from {stack} version 7.x to 8.x and are using event correlation rules. To resolve this issue, use triple quotes `""" """` for regular expressions in event correlation rule queries.
+* The Rules page incorrectly displays a notification that an update for prebuilt rules is available even if the rules have been fully updated. Currently, there is no way to remove or hide the notification ({pull}139095[#139095]).
+
+[discrete]
+[[breaking-changes-8.4.0]]
+==== Breaking changes
+// tag::breaking-changes[]
+// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output.
+:pull: {pull}
+There are no breaking changes in 8.4.0.
+// end::breaking-changes[]
+
+[discrete]
+[[features-8.4.0]]
+==== Features
+* Creates a new rule type, New Terms, that creates an alert when a value appears for the first time in a particular field ({pull}134526[#134526]).
+* Adds the Insights section to the Alert details flyout to show related cases and alerts ({pull}136009[#136009], {pull}138419[#138419])
+* Shows process alerts in the event process analyzer ({pull}135340[#135340]).
+* Adds support for wildcard exceptions for detection rules. New operators are `matches` and `does not match` ({pull}136147[#136147]).
+* Adds a new search query parameter, `dry_run`, to the bulk actions API that allows you to simulate a bulk action without permanently updating rules ({pull}134664[#134664]).
+* Creates the response console, an interface that enables you to take actions on specific hosts ({pull}135360[#135360], {pull}134520[#134520]).
+* Includes integration policy errors and statuses in {fleet} and {elastic-sec} to help troubleshoot when an {agent} has an `Unhealthy` status ({pull}136241[#136241], {pull}136038[#136038]).
+* Adds Attack surface reduction protections feature to reduce vulnerabilities on Windows endpoints. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory.
+* Adds an endpoint self-healing feature to roll back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features.
+* Adds the ability to run query packs as live queries ({pull}132198[#132198]).
+* Provides support for process, file, and network events in Kubernetes. You must enable the session view data setting on your {endpoint-cloud-sec} integration policy to enrich these events with session data and Kubernetes metadata fields.
+
+[discrete]
+[[bug-fixes-8.4.0]]
+==== Bug fixes and enhancements
+* Updates the Network page's UI to match the Hosts and Users pages ({pull}137541[#137541], {pull}136913[#136913]).
+* Improves the experience of bulk editing index patterns on rules by warning users early that machine learning rules can’t be edited ({pull}134664[#134664]).
+* Enhances rule previews with configurable rule intervals and look-back times ({pull}137102[#137102]).
+* Enhances the `status pending` badge for endpoint actions with a detailed status when you hover on it ({pull}136966[#136966]).
+* Turns grouped navigation on by default ({pull}136819[#136819]).
+* Improves the experience of bulk exporting rules by informing users early which rules can and cannot be exported ({pull}136418[#136418]).
+* Adds index pattern information to the Inspect panel ({pull}136407[#136407]).
+* Adds a custom dashboards table to the Dashboards page ({pull}136221[#136221], {pull}136671[#136671]).
+* Fixes a performance issue with creating alerts from source documents that contain a large number of fields ({pull}135956[#135956]).
+* Updates the rule exceptions UI ({pull}135255[#135255]).
+* Fixes performance issues with rules management ({pull}135311[#135311]).
+* Allows you to disable `@timestamp` as a fallback timestamp field when you've defined a timestamp override ({pull}135116[#135116]).
+* Enhances the host risk score UI ({pull}133708[#133708]).
+* Updates the lists index template to use new logic ({pull}133067[#133067]).
+* Adds event filters to event correlation rules ({pull}132507[#132507]).
+* Allows you to define a data view as the rule's data source, making runtime fields available for rule configuration ({pull}130929[#130929]).
+* Creates a single visualization pane on the Alerts page, and adds a treemap visualization that shows the distribution of alerts as nested, proportionally-sized tiles ({pull}126896[#126896]).
+* Fixes an incorrect counter for exported rules ({pull}138598[#138598]).
+* Fixes event filters based on OS version ({pull}138517[#138517]).
+* Fixes a bug that could change the batch size for event search in indicator rules ({pull}138356[#138356]).
+* Fixes a bug that prevented users from accessing alert details if they didn't have the appropriate privileges to view the internal index `.internal.alerts-security.alerts-spaceId`. Now, the Alert details flyout correctly uses the public alias index `.alerts-security,akerts-spaceId` ({pull}138331[#138331]).
+* Fixes the preview button for {ml} rules ({pull}137878[#137878]).
+* Fixes a bug that could crash the Endpoints list when a policy ID was missing ({pull}137788[#137788]).
+* Fixes a bug that could interfere with opening host or user details pages ({pull}137719[#137719]).
+* Fixes several bugs related to refreshing the Alerts page ({pull}137620[#137620]).
+* Fixes a bug that prevented threshold rules' Timeline templates from being respected during investigations ({pull}137233[#137233]).
+* Fixes a permissions bug related to the **Save Timeline** button ({pull}136724[#136724]).
+* Fixes a bug with selecting Timeline templates with the same name ({pull}135694[#135694]).
+* Fixes field aliases to `signal-threshold_result.*` ({pull}135565[#135565]).
+* Fixes a bug that lost track of which rules you had selected after refreshing the Rules page ({pull}135533[#135533]).
+* Fixes a bug that lost track of which rules you had selected after applying a bulk action on the Rules page ({pull}135291[#135291]).
+* Fixes a bug that prevented the Rules table from pausing auto-refresh while bulk actions were being applied ({pull}135208[135208]).
+* Fixes a bug that could cause queries with nested fields to fail when opened ({pull}134866[#134866]).
+* Fixes a bug that slowed down the display of network details ({pull}133539[#133539]).
+* Various minor bug fixes and enhancements ({pull}133079[#133079], {pull}138135[#138135], {pull}137588[#137588], {pull}137511[#137511], {pull}137492[#137492], {pull}135907[#135907], {pull}135426[#135426]).
+* Fixes an {endpoint-cloud-sec} bug on macOS and Linux that could cause CPU spikes if malware protection is enabled on an {endpoint-cloud-sec} integration policy (https://github.com/elastic/endpoint/issues/22[#22]).
+* Fixes a bug that could cause {endpoint-cloud-sec} to crash when outputting log data to {ls}.
+* Allows {endpoint-cloud-sec} to be added to agents running on Ubuntu 22.04 and Debian 11.