From 65bf05f7e207728e3fa43280ff6347c2546a9253 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 21 Nov 2024 15:31:35 -0500 Subject: [PATCH 01/37] First draft --- docs/release-notes.asciidoc | 2 ++ docs/release-notes/8.17.asciidoc | 59 ++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 docs/release-notes/8.17.asciidoc diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index ca01ecb5a8..b65b623ff4 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -67,6 +68,7 @@ This section summarizes the changes in each release. * <> * <> +include::release-notes/8.17.asciidoc[] include::release-notes/8.16.asciidoc[] include::release-notes/8.15.asciidoc[] include::release-notes/8.14.asciidoc[] diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc new file mode 100644 index 0000000000..5225a9f2cc --- /dev/null +++ b/docs/release-notes/8.17.asciidoc 
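Review bot: the xref added at the top of the version list in `docs/release-notes.asciidoc` renders here as an empty `<>`, so its target cannot be verified from the diff; confirm it points at `release-notes-header-8.17.0`, the anchor the new file declares, and that its position (first in the list) matches the `include::release-notes/8.17.asciidoc[]` line, which is correctly placed ahead of the 8.16 include.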
@@ -0,0 +1,59 @@ +[[release-notes-header-8.17.0]] +== 8.17 + +[discrete] +[[known-issue-8.17.0]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. + +==== +// end::known-issue[] + +[discrete] +[[features-8.17.0]] +==== New features +* Adds Signer option to Mac trusted apps ({kibana-pull}197821[#197821]). + +[discrete] +[[enhancements-8.17.0]] +==== Enhancements +* Check user permissions before initialising entity engine ({kibana-pull}198661[#198661]). + +[discrete] +[[bug-fixes-8.17.0]] +==== Bug fixes +* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). +* Only refresh the asset criticality index after bulk upload ({kibana-pull}200897[#200897]). +* Fetching Assistant Knowledge Base fails when current user's username contains a : character ({kibana-pull}200131[#200131]). +* Index Values are not available in dropdown under New Index Enter for Knowledge Base ({kibana-pull}199990[#199990]). +* Fixes `required_fields` being removed after rule `PATCH` calls ({kibana-pull}199901[#199901]). +* Update file validation because the file type is empty on windows ({kibana-pull}199791[#199791]). +* API changes for right placement of deleting the old component template ({kibana-pull}199734[#199734]). 
+* Improve asset criticality bulk error when entities are duplicated ({kibana-pull}199651[#199651]). +* Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). +* Fixes issue with duplicate timeline reloading ({kibana-pull}198652[#198652]). +* Refactor UI on insights ({kibana-pull}197349[#197349]). +* Explicitly Skip two mocked data tests form serverless MKI runs ({kibana-pull}196871[#196871]). +* Bug: update timestamp on criticality soft delete ({kibana-pull}196722[#196722]). +* Fixes a bug where quickly disabling and re-enabling event aggregation will result in aggregation being disabled. +* On Linux endpoints, enable process information enrichment for file and network events when process events are disabled. +* Fixes a time skew bug when Linux VMs using ebpf event probes are suspended and then resumed. +* Fixes a bug where the Linux system call, setsid, was not properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file From e0c4f7bbf63e79de966c98f1db6ecfe1ccb53b3f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 21 Nov 2024 15:48:20 -0500 Subject: [PATCH 02/37] Adds ver header --- docs/release-notes/8.17.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 5225a9f2cc..63c8b77a55 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -1,6 +1,10 @@ [[release-notes-header-8.17.0]] == 8.17 +[discrete] +[[release-notes-8.17.0]] +=== 8.17.0 + [discrete] [[known-issue-8.17.0]] ==== Known issues From 20e930d0ad86feb938cefee50fb10863dbc4eb72 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 4 Dec 2024 10:07:15 -0500 Subject: [PATCH 03/37] Adds latest info --- docs/release-notes/8.17.asciidoc | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) 
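Review bot: both known-issue blocks in the new 8.17.asciidoc end after `*Details*` with no `*Workaround*` section and no statement of which release carries the fix, which is the first thing an operator hitting duplicate or over-suppressed alerts will look for; add one or state explicitly that no workaround exists. Several bug-fix bullets are raw PR titles rather than user-facing statements, and at least one is internal-only ("Explicitly Skip two mocked data tests form serverless MKI runs", which also has "form" for "from") and should be dropped. The four trailing bullets carry no `{kibana-pull}` link and do not say they concern {elastic-defend}, so a reader cannot tell which component changed. The file is also committed without a trailing newline.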
diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 63c8b77a55..73603cc14a 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -44,20 +44,21 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[bug-fixes-8.17.0]] ==== Bug fixes -* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). -* Only refresh the asset criticality index after bulk upload ({kibana-pull}200897[#200897]). -* Fetching Assistant Knowledge Base fails when current user's username contains a : character ({kibana-pull}200131[#200131]). -* Index Values are not available in dropdown under New Index Enter for Knowledge Base ({kibana-pull}199990[#199990]). -* Fixes `required_fields` being removed after rule `PATCH` calls ({kibana-pull}199901[#199901]). +* Clear error on second entity engine init API call ({kibana-pull}202903[#202903]). +* Modify copy of the install rules title and message ({kibana-pull}202226[#202226]). +* Restrict and Reject CEF logs in Automatic Import and redirect to CEF integration instead ({kibana-pull}201792[#201792]). +* Disable Install All button when installation is in progress ({kibana-pull}201731[#201731]). +* Disable add note button in flyout is user lacks privileges ({kibana-pull}201707[#201707]). +* Remove fields with @ from the script processor ({kibana-pull}201548[#201548]). +* Fixes setup KB ({kibana-pull}201175[#201175]). +* Display cardinality for threshold rules ({kibana-pull}201162[#201162]). +* Init: Put engine in error state if data view does not exist ({kibana-pull}201140[#201140]). * Update file validation because the file type is empty on windows ({kibana-pull}199791[#199791]). -* API changes for right placement of deleting the old component template ({kibana-pull}199734[#199734]). -* Improve asset criticality bulk error when entities are duplicated ({kibana-pull}199651[#199651]). * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). 
* Fixes issue with duplicate timeline reloading ({kibana-pull}198652[#198652]). * Refactor UI on insights ({kibana-pull}197349[#197349]). * Explicitly Skip two mocked data tests form serverless MKI runs ({kibana-pull}196871[#196871]). * Bug: update timestamp on criticality soft delete ({kibana-pull}196722[#196722]). -* Fixes a bug where quickly disabling and re-enabling event aggregation will result in aggregation being disabled. * On Linux endpoints, enable process information enrichment for file and network events when process events are disabled. -* Fixes a time skew bug when Linux VMs using ebpf event probes are suspended and then resumed. +* Refactor kernel driver to work around CrowdStrike `CRITICAL_PROCESS_DIED` bugcheck (BSOD). * Fixes a bug where the Linux system call, setsid, was not properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file From fe6773446acd6d68217ba12d8de4c5c8e4ee8cfe Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 00:13:25 -0500 Subject: [PATCH 04/37] Updates my areas --- docs/release-notes/8.17.asciidoc | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 73603cc14a..5c75078455 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
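Review bot: two previously listed fixes are dropped without a note in the commit message: the event-aggregation disable/re-enable bug and the eBPF time-skew bug on suspended Linux VMs; if they did not make 8.17.0, say so, otherwise they should stay. In the new lines, "Disable add note button in flyout is user lacks privileges" needs "if" for "is", and the new `CRITICAL_PROCESS_DIED` bugcheck entry names a third-party product and a Windows stop code without saying which Elastic component was changed; the surrounding Linux entries have the same gap.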
@@ -48,17 +48,17 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Modify copy of the install rules title and message ({kibana-pull}202226[#202226]). * Restrict and Reject CEF logs in Automatic Import and redirect to CEF integration instead ({kibana-pull}201792[#201792]). * Disable Install All button when installation is in progress ({kibana-pull}201731[#201731]). -* Disable add note button in flyout is user lacks privileges ({kibana-pull}201707[#201707]). +* Turns off the **Add note** button in the alert details flyout if you do not have adequate privileges ({kibana-pull}201707[#201707]). * Remove fields with @ from the script processor ({kibana-pull}201548[#201548]). * Fixes setup KB ({kibana-pull}201175[#201175]). -* Display cardinality for threshold rules ({kibana-pull}201162[#201162]). -* Init: Put engine in error state if data view does not exist ({kibana-pull}201140[#201140]). -* Update file validation because the file type is empty on windows ({kibana-pull}199791[#199791]). +* Fixes a bug that prevented cardinality details for threshold rules from being displayed ({kibana-pull}201162[#201162]). +* Fixes a bug that caused the risk engine to be stuck in the `Installing` status if the Security default data view did not exist. With this fix, the engine correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you were on Windows ({kibana-pull}199791[#199791]) * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). -* Fixes issue with duplicate timeline reloading ({kibana-pull}198652[#198652]). -* Refactor UI on insights ({kibana-pull}197349[#197349]). +* Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). 
+* Improves the flow for for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). * Explicitly Skip two mocked data tests form serverless MKI runs ({kibana-pull}196871[#196871]). * Bug: update timestamp on criticality soft delete ({kibana-pull}196722[#196722]). -* On Linux endpoints, enable process information enrichment for file and network events when process events are disabled. -* Refactor kernel driver to work around CrowdStrike `CRITICAL_PROCESS_DIED` bugcheck (BSOD). -* Fixes a bug where the Linux system call, setsid, was not properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file +* Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. +* Improves {elastic-defend} by refactoring the kernel driver to work around the CrowdStrike `CRITICAL_PROCESS_DIED` bug check (BSOD). +* Fixes an {elastic-defend} bug where the Linux system call (setsid) was not properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file From 08f8885e4543e8e58cbfe792577096fca8c9d53b Mon Sep 17 00:00:00 2001 From: Benjamin Ironside Goldstein Date: Fri, 6 Dec 2024 09:18:12 -0800 Subject: [PATCH 05/37] Edits --- docs/release-notes/8.17.asciidoc | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 5c75078455..147ce005c5 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
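Review bot: the 197349 line has "for for", and the 199791 line lacks a trailing period. The 201140 rewrite now says "risk engine", while the related entries 202903 and 198661 in this file talk about the "entity engine" init; confirm which engine 201140 actually concerns before publishing, since the two are distinct features for readers.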
@@ -39,26 +39,25 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[enhancements-8.17.0]] ==== Enhancements -* Check user permissions before initialising entity engine ({kibana-pull}198661[#198661]). +* Checks user permissions before initialising entity engine ({kibana-pull}198661[#198661]). [discrete] [[bug-fixes-8.17.0]] ==== Bug fixes -* Clear error on second entity engine init API call ({kibana-pull}202903[#202903]). -* Modify copy of the install rules title and message ({kibana-pull}202226[#202226]). -* Restrict and Reject CEF logs in Automatic Import and redirect to CEF integration instead ({kibana-pull}201792[#201792]). -* Disable Install All button when installation is in progress ({kibana-pull}201731[#201731]). +* Clears error on second entity engine init API call ({kibana-pull}202903[#202903]). +* Modifies the install rules title and message ({kibana-pull}202226[#202226]). +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792]). +* Disables the **Install All** button on the **Add Elastic Rules** page when installation is in progress ({kibana-pull}201731[#201731]). * Turns off the **Add note** button in the alert details flyout if you do not have adequate privileges ({kibana-pull}201707[#201707]). -* Remove fields with @ from the script processor ({kibana-pull}201548[#201548]). -* Fixes setup KB ({kibana-pull}201175[#201175]). -* Fixes a bug that prevented cardinality details for threshold rules from being displayed ({kibana-pull}201162[#201162]). -* Fixes a bug that caused the risk engine to be stuck in the `Installing` status if the Security default data view did not exist. With this fix, the engine correctly reports the `Error` state ({kibana-pull}201140[#201140]). 
-* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you were on Windows ({kibana-pull}199791[#199791]) +* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). +* Fixes an issue that could interfere with Knowledge Base ({kibana-pull}201175[#201175]). +* Fixes a bug that prevented cardinality details for threshold rules from appearing ({kibana-pull}201162[#201162]). +* Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the Security default data view did not exist. With this fix, the engine correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with Asset Criticality data if you were on Windows ({kibana-pull}199791[#199791]) * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). -* Explicitly Skip two mocked data tests form serverless MKI runs ({kibana-pull}196871[#196871]). -* Bug: update timestamp on criticality soft delete ({kibana-pull}196722[#196722]). +* Fixes a bug where the `@timestamp` field would not update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around the CrowdStrike `CRITICAL_PROCESS_DIED` bug check (BSOD). * Fixes an {elastic-defend} bug where the Linux system call (setsid) was not properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file 
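Review bot: the rewrite of 201175 to "Fixes an issue that could interfere with Knowledge Base" is vaguer than the title it replaces ("Fixes setup KB") and tells the reader nothing about the symptom; state what failed during Knowledge Base setup. Dropping the mocked-data test entry is right, but "for for" on the 197349 line and the missing period on the 199791 line survive this pass.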
From 5884f7cda214a7e3483fd8abd66aa7063ee02c07 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 12:44:14 -0500 Subject: [PATCH 06/37] Minor adjustments --- docs/release-notes/8.17.asciidoc | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 147ce005c5..5a84a65896 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -39,24 +39,24 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[enhancements-8.17.0]] ==== Enhancements -* Checks user permissions before initialising entity engine ({kibana-pull}198661[#198661]). +* Checks user permissions before initializing the entity engine ({kibana-pull}198661[#198661]). [discrete] [[bug-fixes-8.17.0]] ==== Bug fixes -* Clears error on second entity engine init API call ({kibana-pull}202903[#202903]). -* Modifies the install rules title and message ({kibana-pull}202226[#202226]). +* Clears the error on the second entity engine initialization ({kibana-pull}202903[#202903]). +* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792]). -* Disables the **Install All** button on the **Add Elastic Rules** page when installation is in progress ({kibana-pull}201731[#201731]). -* Turns off the **Add note** button in the alert details flyout if you do not have adequate privileges ({kibana-pull}201707[#201707]). +* Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes an issue that could interfere with Knowledge Base ({kibana-pull}201175[#201175]). -* Fixes a bug that prevented cardinality details for threshold rules from appearing ({kibana-pull}201162[#201162]). -* Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the Security default data view did not exist. With this fix, the engine correctly reports the `Error` state ({kibana-pull}201140[#201140]). 
+* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with Asset Criticality data if you were on Windows ({kibana-pull}199791[#199791]) * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). -* Improves the flow for for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). +* Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). * Fixes a bug where the `@timestamp` field would not update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around the CrowdStrike `CRITICAL_PROCESS_DIED` bug check (BSOD). From 5e496ebf105982c625db491cc2a0832c1e52f3d8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 13:12:55 -0500 Subject: [PATCH 07/37] small tweaks --- docs/release-notes/8.17.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 5a84a65896..1964499fa8 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
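Review bot: the 199791 line still has no trailing period. The 202903 wording "Clears the error on the second entity engine initialization" still reads as an implementation note; phrasing it as the user-visible effect (the error no longer persists when initialization is retried) would match the register of the other rewritten bullets.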
@@ -34,7 +34,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [discrete] [[features-8.17.0]] ==== New features -* Adds Signer option to Mac trusted apps ({kibana-pull}197821[#197821]). +* Adds a signature option for trusted applications on macOS ({kibana-pull}197821[#197821]). [discrete] [[enhancements-8.17.0]] 
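Review bot: "Adds a signature option" changes the meaning of the original "Signer option". A signer is the code-signing identity used to match an application, not a signature value, and trusting by signer has different allowlist semantics from trusting by hash or path, so keep "signer" (for example, "Adds a signer option for trusted applications on macOS").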
@@ -53,11 +53,11 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes an issue that could interfere with Knowledge Base ({kibana-pull}201175[#201175]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). -* Fixes an issue that prevented you from successfully importing TSV files with Asset Criticality data if you were on Windows ({kibana-pull}199791[#199791]) +* Fixes an issue that prevented you from successfully importing TSV files with Asset Criticality data if you're on Windows ({kibana-pull}199791[#199791]) * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). -* Fixes a bug where the `@timestamp` field would not update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). +* Fixes a bug where the `@timestamp` field wouldn't update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around the CrowdStrike `CRITICAL_PROCESS_DIED` bug check (BSOD). -* Fixes an {elastic-defend} bug where the Linux system call (setsid) was not properly gathered for RHEL 9/CentOS Stream 9 process events. 
\ No newline at end of file +* Fixes an {elastic-defend} bug where the Linux system call (setsid) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file From 6a827cb4e9e4cbdec95ddfbd08f0ca17e4d4dc61 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 13:35:27 -0500 Subject: [PATCH 08/37] known issue for exceptions --- docs/release-notes/8.17.asciidoc | 60 ++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 1964499fa8..54a92091ea 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
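Review bot: the 199791 line is touched again here but still ends without a period, the only bullet in the list that does; fix it in this pass rather than carrying it into a later one.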
@@ -9,6 +9,66 @@ [[known-issue-8.17.0]] ==== Known issues +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) +[%collapsible] +==== + +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. + +*Workaround* + + +For custom rules: + +. From the {security-app}, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. + +. Fetch the affected exception list ID or IDs that are associated with the rule. +.. Find the affected rule's ID (`id`). From the {security-app}, , open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. +.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: ++ +[source,console] +---- +curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +---- ++ +.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. 
++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). +. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). ++ +The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +==== +// end::known-issue[201820] + // tag::known-issue[] [discrete] .Duplicate alerts can be produced from manually running threshold rules From 0a9591d2a947b48e8ada1a870f197581b50ddd13 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:12:57 -0500 Subject: [PATCH 09/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
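Review bot: the two curl examples embed the literal superuser credentials `-u elastic:changeme`; use an obvious placeholder or an API key header so the commands are not copied into production shells as-is. The JSON response block is marked `[source,console]` and should be `[source,json]`. The tag directive `// tag::known-issue[201820]` departs from the `tag::known-issue[]` form used by the other blocks in this file; check that whatever `include::` consumes these tags still picks this one up. The prebuilt-rules workaround overwrites the existing exception list wholesale on re-import, so any items changed between the export and the re-import are lost; say so, and state what happens to the exception items between export and import. Minor: ", , open the rule's details page" has a doubled comma, and `*Workaround* + +` carries a stray continuation marker.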
diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 54a92091ea..88240eccc4 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -119,5 +119,6 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). * Fixes a bug where the `@timestamp` field wouldn't update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. -* Improves {elastic-defend} by refactoring the kernel driver to work around the CrowdStrike `CRITICAL_PROCESS_DIED` bug check (BSOD). +* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. +* Fix an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. * Fixes an {elastic-defend} bug where the Linux system call (setsid) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file From 0b1090fbed5405299e3a16b8abc4f83e462d15f9 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 14:13:13 -0500 Subject: [PATCH 10/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 88240eccc4..afb6d356c3 100644 
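Review bot: the new boot-failure entry uses "Fix an issue" where every other bullet uses "Fixes", and "or recovery mode prompt at boot" needs an article. It names 8.15.2 and 8.15.3 as affected but, sitting under 8.17, does not say whether 8.16.x is also affected or where the fix first shipped; an operator planning an upgrade path alongside CrowdStrike Falcon needs both facts.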
--- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -121,4 +121,5 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fix an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. -* Fixes an {elastic-defend} bug where the Linux system call (setsid) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. \ No newline at end of file +* Fixes an {elastic-defend} bug where the Linux system call (setsid) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. +* Fix an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file From 89f345472f2f9da07e8e010688290921f21441e5 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 14:15:42 -0500 Subject: [PATCH 11/37] Applies same changes --- docs/release-notes/8.17.asciidoc | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index afb6d356c3..1c16286a79 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
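Review bot: "{elastic-defend}s directory" is missing the possessive apostrophe, and "Fix an issue" should be "Fixes" to match the list. The symptom description (document flooding into Elasticsearch until the external handles are closed) is the useful part for operators; keep it, and consider naming the response action in the same style as the rest of the notes, since `get-file` appears here in backticks only.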
@@ -14,32 +14,31 @@ .The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] ==== - *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. *Workaround* + For custom rules: -. From the {security-app}, <> the rule or rules with the affected exception lists. +. From the **Rules** page, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. -. Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, , open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. -.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: +. 
Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: + [source,console] ---- curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme ---- + -.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + [source,console] ---- 
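Review bot: the example request in the @@ -14,32 +14,31 @@ hunk embeds the default superuser credential (`-u elastic:changeme`) together with a hard-coded `http://localhost:5601`; readers paste these commands as-is, so replace them with an API-key header and a `KIBANA_URL` stand-in rather than shipping a real username/password pair in the docs. Also quote the URL: `...rules?id=167a5f6f-...` is unquoted here while the export command further down quotes its URL, and an unquoted `?` is subject to shell globbing.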
@@ -55,17 +54,17 @@ curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5 } ---- + -. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: + [source,console] ---- curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + -. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. 
Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From 7fa1b0965ecdb42ffca4f9190e00965520dd9e33 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 17:11:57 -0500 Subject: [PATCH 12/37] ryland's input --- docs/release-notes/8.17.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 1c16286a79..00d27c0010 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -27,7 +27,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. 
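Review bot: in the @@ -55,17 +54,17 @@ hunk of PATCH 11, the export request carries the same inline `-u elastic:changeme` credential, and the re-import step reads `using **Import exception lists** option`, which is missing the article (`using the **Import exception lists** option`). The `list_id=f75aae6f-...` and `id=490525a2-...` values in the export URL are the example response's UUIDs and should be flagged as values the reader replaces.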
@@ -35,7 +35,7 @@ NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, + [source,console] ---- -curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. 
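Review bot: swapping `-u elastic:changeme` for `-H 'Authorization: ApiKey API_KEY_HERE'` and `KIBANA_URL` is the right fix; the remaining nit is that `KIBANA_URL/api/detection_engine/rules?id=...` is still unquoted while the export command in the next hunk quotes its URL, so wrap it in single quotes for consistency and so the shell does not treat `?` as a glob.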
@@ -58,11 +58,11 @@ curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5 + [source,console] ---- -curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Re-import the modified exception list using **Import exception lists** option on the <> page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== From a8d3a48963a84860139abeaf4b11b396353215c0 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:52:40 -0500 Subject: [PATCH 13/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 00d27c0010..476f578140 100644 --- a/docs/release-notes/8.17.asciidoc 
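Review bot: `using **Import exception lists** option` in this hunk's re-import step is still missing `the`. While the export command is being edited, label `list_id=f75aae6f-0229-...` and `id=490525a2-eb66-...` as values to replace, in the same obviously-placeholder style as `KIBANA_URL` and `API_KEY_HERE`; they are the UUIDs from the sample response and will not match the reader's list.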
+++ b/docs/release-notes/8.17.asciidoc @@ -112,7 +112,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes an issue that could interfere with Knowledge Base ({kibana-pull}201175[#201175]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). -* Fixes an issue that prevented you from successfully importing TSV files with Asset Criticality data if you're on Windows ({kibana-pull}199791[#199791]) +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). From e2eadc25bd1d62c28fd5216bdc69857fd8e90752 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:52:47 -0500 Subject: [PATCH 14/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 476f578140..dd2384fe84 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -113,7 +113,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). -* Fixes Asset Criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). +* Fixes asset criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). * Fixes a bug where the `@timestamp` field wouldn't update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). From a5a0f8c0b10203831a5d1d062687b09631a39857 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:52:54 -0500 Subject: [PATCH 15/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index dd2384fe84..fb9bd6751f 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -116,7 +116,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes asset criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). -* Fixes a bug where the `@timestamp` field wouldn't update upon Asset Criticality soft delete ({kibana-pull}196722[#196722]). +* Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fix an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. From 4724cb4b15d0631d61832c0f1d435f157e0b0f77 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:53:01 -0500 Subject: [PATCH 16/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index fb9bd6751f..c7df9c3298 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -120,5 +120,5 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fix an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. -* Fixes an {elastic-defend} bug where the Linux system call (setsid) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. +* Fixes an {elastic-defend} bug where the Linux system call (`setsid`) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. * Fix an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file From 82c5a4763a4965d59b4193a78a3334ce3f7e99e7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:53:08 -0500 Subject: [PATCH 17/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index c7df9c3298..98a498f8f9 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -119,6 +119,6 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fix an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. +* Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. * Fixes an {elastic-defend} bug where the Linux system call (`setsid`) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. * Fix an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file From 160932e87508ea09ce57a4386d419d3c7b48c861 Mon Sep 17 00:00:00 2001 
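Review bot: beyond changing `Fix` to `Fixes`, the bullet still reads awkwardly: `versions 8.15.2 and 8.15.3 which can result in Windows boot failure ... or recovery mode prompt at boot` should be `versions 8.15.2 and 8.15.3 that can result in Windows boot failure ... or a recovery-mode prompt at boot`.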
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 08:53:13 -0500 Subject: [PATCH 18/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 98a498f8f9..dc54b7164f 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -121,4 +121,4 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. * Fixes an {elastic-defend} bug where the Linux system call (`setsid`) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. -* Fix an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file +* Fixes an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file 
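Review bot: `{elastic-defend}s directory` in the re-added last bullet still needs the possessive (`{elastic-defend}'s directory`), and the file still ends without a newline (`\ No newline at end of file` appears on both sides of the hunk); add a final newline so each later edit to the last bullet stops showing up as a delete-and-add of the whole line.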
From ad0d32c197c13404eacc799a80734bb1c55563af Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:05:56 -0500 Subject: [PATCH 19/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Steph Milovic --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index dc54b7164f..a4f72169bf 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -109,7 +109,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). -* Fixes an issue that could interfere with Knowledge Base ({kibana-pull}201175[#201175]). +* Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). From f48ea90fcc7b52434677bdafb16523224e23fa7d Mon Sep 17 00:00:00 2001 
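Review bot: `Knowledge Base set up` in the new line should be `Knowledge Base setup`; `set up` is the verb form, `setup` the noun the sentence needs.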
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 11:06:07 -0500 Subject: [PATCH 20/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Mark Hopkin --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index a4f72169bf..c6806f6b90 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -111,7 +111,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). -* Fixes a bug that caused the risk engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, the engine now correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Fixes asset criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). From 81aef9bb3a3b1739da959c1d8b1feece52971f93 Mon Sep 17 00:00:00 2001 
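Review bot: subject-verb agreement in the replacement line: `engines now correctly reports the \`Error\` state` should be `engines now correctly report the \`Error\` state`. Renaming `the risk engine` to `an entity engine` also widens the scope of the fix; confirm that #201140 covers all entity engines and not only the risk engine before the wording changes.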
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 13:19:01 -0500 Subject: [PATCH 21/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Steph Milovic --- docs/release-notes/8.17.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index c6806f6b90..bcbcfed245 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -110,6 +110,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). +* Fixes an issue with Gemini streaming in the AI Assistant ({kibana-pull}201299[#201299]). +* Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints ({kibana-pull}198622[#198622]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). From d2d206cfe518c6893cc240925185cd8e25df9b4c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 13:21:36 -0500 Subject: [PATCH 22/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Steph Milovic --- docs/release-notes/8.17.asciidoc | 1 + 1 file changed, 1 insertion(+) 
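Review bot: `Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints ({kibana-pull}198622[#198622])` is a dependency update plus a new capability, not a bug fix, so it belongs under `==== Enhancements` rather than in the `==== Bug fixes` list this hunk adds it to.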
diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index bcbcfed245..242159b298 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -99,6 +99,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[enhancements-8.17.0]] ==== Enhancements * Checks user permissions before initializing the entity engine ({kibana-pull}198661[#198661]). +* Updates LangChain dependencies, adding support for the new Bedrock cross-region inference profiles ({kibana-pull}198622[#198622]). [discrete] [[bug-fixes-8.17.0]] From 0411314ee68d5bfc29dfdde948762b8b9f1f8dd2 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Dec 2024 13:30:22 -0500 Subject: [PATCH 23/37] Moar bugs --- docs/release-notes/8.17.asciidoc | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 242159b298..b518f5c164 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -15,7 +15,7 @@ [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}[#201820]). *Workaround* + 
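Review bot: the LangChain bullet now appears twice: the copy added to Bug fixes in PATCH 21 is not removed by the @@ -99,6 +99,7 @@ hunk, and the two copies disagree (`cross-region inference endpoints` vs `cross-region inference profiles`); keep a single entry under Enhancements and settle on one term.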
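Review bot: `({kibana-issue}[#201820])` in the new Details line of the @@ -15,7 +15,7 @@ hunk is missing the issue number between the attribute and the link text; every other reference on the page follows the `{kibana-pull}NNN[#NNN]` shape, so this should be `{kibana-issue}201820[#201820]`, otherwise the rendered link resolves to the bare issues base URL.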
@@ -106,7 +106,9 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== Bug fixes * Clears the error on the second entity engine initialization ({kibana-pull}202903[#202903]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). -* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792]). +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). +* Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file ({kibana-pull}201622[#201622]). * Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). 
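Review bot: `Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file` is hard to parse; suggest `Removes a duplicate **Preserve Original Event** flag that was also being added from the common settings file ({kibana-pull}201622[#201622])`, which matches the bold-UI-label convention used for **Install All** and **Add note** in the same list.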
@@ -117,9 +119,10 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Fixes asset criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). +* Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). -* Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). +* Users without {fleet} read privilege were blocked from interacting with any onboarding card, this has been fixed ({kibana-pull}202413[#202413]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. From cc8950132f39f8136432678673f93e7e991c6aaa Mon Sep 17 00:00:00 2001 
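Review bot: the new bullet `Users without {fleet} read privilege were blocked from interacting with any onboarding card, this has been fixed` is a comma splice and breaks the list's `Fixes ...` pattern; suggest `Fixes a bug that blocked users without the {fleet} read privilege from interacting with onboarding cards ({kibana-pull}202413[#202413])`.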
From: Benjamin Ironside Goldstein Date: Mon, 9 Dec 2024 11:07:25 -0800 Subject: [PATCH 24/37] Adds two new features --- docs/release-notes/8.17.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index b518f5c164..d41888520e 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -94,6 +94,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[features-8.17.0]] ==== New features * Adds a signature option for trusted applications on macOS ({kibana-pull}197821[#197821]). +* Lets you use alert suppression on EQL sequence alerts ({kibana-pull}189725[#189725]). +* Adds GA support for the case action feature, which let rules automatically create cases ({kibana-pull}196973[#196973]). [discrete] [[enhancements-8.17.0]] From f1e3eca69b6519f4167b69f894d20c2519e60804 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Dec 2024 16:55:31 -0500 Subject: [PATCH 25/37] revised ki summary --- docs/release-notes/8.17.asciidoc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index d41888520e..7a11b30c9a 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
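Review bot: `Adds GA support for the case action feature, which let rules automatically create cases` should read `which lets rules automatically create cases` (singular `feature`).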
@@ -62,9 +62,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. -+ -Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From e01155a75220af341c699e3aa827c15d3d6a21e3 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:58:15 -0500 Subject: [PATCH 26/37] Update docs/release-notes/8.17.asciidoc --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 7a11b30c9a..72b791e816 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
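Review bot: the merged step still reads `using **Import exception lists** option` (missing `the`), and `already exists and an option to overwrite the existing list will appear` needs a comma before `and` to separate the two independent clauses.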
@@ -15,7 +15,7 @@ [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}[#201820]). +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). *Workaround* + From b3bfaa60d97535daf6f8f80243b47484703f28e6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 22:22:06 -0500 Subject: [PATCH 27/37] Update docs/release-notes/8.17.asciidoc --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 72b791e816..026cf15a2b 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -62,7 +62,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] 
From 0fcc135627c981f4c83197dd6871dc70e754d3eb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:16:42 -0500 Subject: [PATCH 28/37] Update docs/release-notes/8.17.asciidoc --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 026cf15a2b..5099bbe4ca 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -113,7 +113,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). -* Fixes an issue with Gemini streaming in the AI Assistant ({kibana-pull}201299[#201299]). +* Fixes an issue with Gemini streaming in the AI Assistant ({kibana-pull}201299[#201299]). * Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints ({kibana-pull}198622[#198622]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). From d4265b7d22d4e0f3f7c9962e02d74a2cec7a3347 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 10 Dec 2024 14:16:50 -0500 Subject: [PATCH 29/37] Update docs/release-notes/8.17.asciidoc --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
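Review bot: this hunk is a whitespace-only change (the removed and added `Fixes an issue with Gemini streaming in the AI Assistant` lines differ only in trailing whitespace), which a rendered diff hides; suggest squashing it into the `editorial fixes` commit, or saying `trailing whitespace` in the subject line, so the history shows why the line was touched.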
diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 5099bbe4ca..41e49fa475 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -125,6 +125,6 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Users without {fleet} read privilege were blocked from interacting with any onboarding card, this has been fixed ({kibana-pull}202413[#202413]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. +* Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon. * Fixes an {elastic-defend} bug where the Linux system call (`setsid`) wasn't properly gathered for RHEL 9/CentOS Stream 9 process events. * Fixes an issue where {elastic-defend} can enter an infinite loop if an external application opens and retains handles to files within {elastic-defend}s directory while it is processing a `get-file` response action. This can result in {elastic-defend} flooding Elasticsearch with documents until the handles are closed. \ No newline at end of file From 63fb15bb1814641922cdb2a7867d8cd13818b8ad Mon Sep 17 00:00:00 2001 
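Review bot: this hunk also strips trailing whitespace only, and both sides still end with `\ No newline at end of file`; suggest adding the final newline while touching the last line, since the missing terminator makes every future append to this file show up as a modification of the `get-file` bullet. Two editorial points in the surrounding context lines, since the file is being cleaned up anyway: `files within {elastic-defend}s directory` needs the possessive `{elastic-defend}'s`, and the {elastic-defend} bullets are the only entries in the Bug fixes list without a `{kibana-pull}` or issue reference, while the `CRITICAL_PROCESS_DIED` bug check entry does not name the affected {elastic-defend} versions the way the `0xC000007B` entry does (`versions 8.15.2 and 8.15.3`), so readers cannot tell whether their endpoints are on an affected build.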
From: "nastasha.solomon" Date: Wed, 11 Dec 2024 20:33:46 -0500 Subject: [PATCH 30/37] editorial fixes --- docs/release-notes/8.17.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 41e49fa475..b6f3e26d69 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -109,14 +109,14 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). * Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). * Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file ({kibana-pull}201622[#201622]). -* Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). -* Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). +* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). * Fixes an issue with Gemini streaming in the AI Assistant ({kibana-pull}201299[#201299]). * Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints ({kibana-pull}198622[#198622]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). -* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. 
With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Fixes asset criticality index issue when setting up entity engines concurrently ({kibana-pull}199486[#199486]). * Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). From a3c599644720f56c8bed951adcf0d1c7cd9fa072 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:10:16 -0500 Subject: [PATCH 31/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index b6f3e26d69..473c42791c 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -23,7 +23,7 @@ For custom rules: . From the **Rules** page, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to the **Rules** page and <> the rules. Ensure you select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: From 3e9317559704efdf165dfed8ea8c6c116d89b778 Mon Sep 17 00:00:00 2001 
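Review bot: `Turns off the **Install All** button` reads oddly for a control that is temporarily unavailable while an operation runs, and the same verb is used two lines down for the privilege-gated **Add note** button, which is a different situation; if the style guide rules out `Disables`, consider `Makes the **Install All** button unavailable while rules are being installed` so the two cases are not conflated. While this commit is doing editorial cleanup, the context line `Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file` should say where the duplicate flag appeared, and `Removes fields with an @ from the script processor` should say what that removal fixes, since as written neither tells a reader what behaviour changed.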
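Review bot: the wording change is fine, but the step it edits, `Return to the **Rules** page and <> the rules. Ensure you select the **Overwrite existing exception lists with conflicting "list_id"** option`, should warn that the import overwrites the existing list, so any exception items or comments added between the export in step 1 and this import are lost; suggest telling the reader to perform the export, edit and import in one sitting and to keep the unmodified export as a backup. Step 2, `Modify the .ndjson file so comments no longer contain newline characters`, should also say whether the `\n` is to be replaced with a space or the comment text deleted, since the two have different outcomes for the audit trail on the exception.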
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:26:24 -0500 Subject: [PATCH 32/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 473c42791c..4e4511745b 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc @@ -92,7 +92,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[features-8.17.0]] ==== New features * Adds a signature option for trusted applications on macOS ({kibana-pull}197821[#197821]). -* Lets you use alert suppression on EQL sequence alerts ({kibana-pull}189725[#189725]). +* Allows you to use alert suppression on EQL sequence alerts ({kibana-pull}189725[#189725]). * Adds GA support for the case action feature, which let rules automatically create cases ({kibana-pull}196973[#196973]). [discrete] From ef12742fadc29dcd816f35e20062249ad3c8defc Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:27:28 -0500 Subject: [PATCH 33/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 4e4511745b..c3ff674536 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -93,7 +93,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== New features * Adds a signature option for trusted applications on macOS ({kibana-pull}197821[#197821]). * Allows you to use alert suppression on EQL sequence alerts ({kibana-pull}189725[#189725]). -* Adds GA support for the case action feature, which let rules automatically create cases ({kibana-pull}196973[#196973]). +* Adds GA support for the case action feature, which lets rules automatically create cases ({kibana-pull}196973[#196973]). [discrete] [[enhancements-8.17.0]] From fa798a5853d08afbff4f44efb0070951e6582322 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:27:36 -0500 Subject: [PATCH 34/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index c3ff674536..38a817362b 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -107,7 +107,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Clears the error on the second entity engine initialization ({kibana-pull}202903[#202903]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). -* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). +* Fixes a bug in Automatic Import where icons did not display after the integration was installed ({kibana-pull}201139[#201139]). * Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file ({kibana-pull}201622[#201622]). * Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). From 55ef508588f3df40445808829327b491888e707d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:27:48 -0500 Subject: [PATCH 35/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 38a817362b..6f263013c4 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -106,7 +106,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== Bug fixes * Clears the error on the second entity engine initialization ({kibana-pull}202903[#202903]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). -* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Rejects CEF logs from Automatic Import and instead redirects you to the CEF integration ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). * Fixes a bug in Automatic Import where icons did not display after the integration was installed ({kibana-pull}201139[#201139]). * Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file ({kibana-pull}201622[#201622]). * Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). From a6574ee68d9706faa6bf4143d4dc4eebde08d40f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:27:56 -0500 Subject: [PATCH 36/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 6f263013c4..23730a7d40 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -110,7 +110,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug in Automatic Import where icons did not display after the integration was installed ({kibana-pull}201139[#201139]). * Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file ({kibana-pull}201622[#201622]). * Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). -* Turns off the **Add note** button in the alert details flyout if you're lacking adequate privileges ({kibana-pull}201707[#201707]). +* Turns off the **Add note** button in the alert details flyout if you don't have the appropriate permission ({kibana-pull}201707[#201707]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). * Fixes an issue with Gemini streaming in the AI Assistant ({kibana-pull}201299[#201299]). From 9f25bc1c0205169b4acf98b1ac8a4b981066a160 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 12 Dec 2024 10:29:20 -0500 Subject: [PATCH 37/37] Update docs/release-notes/8.17.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.17.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 23730a7d40..ed03b7b20d 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
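Review bot: `if you don't have the appropriate permission` is no more useful than the text it replaces, because neither version names the privilege that is checked; an administrator reading this to fix a role needs the specific Kibana feature privilege, so suggest naming it. This hunk and the following PATCH 37 also switch from `privilege` to `permission`; confirm that matches the term the Kibana role editor uses, so a reader searching for the setting can find it.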
@@ -122,7 +122,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug where the `@timestamp` field wouldn't update upon asset criticality soft delete ({kibana-pull}196722[#196722]). * Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes ({kibana-pull}198652[#198652]). * Improves the flow for the Insights section in the alert details flyout ({kibana-pull}197349[#197349]). -* Users without {fleet} read privilege were blocked from interacting with any onboarding card, this has been fixed ({kibana-pull}202413[#202413]). +* Fixes an issue where users without the {fleet} `read` permission were blocked from interacting with any onboarding card ({kibana-pull}202413[#202413]). * Improves {elastic-defend} for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled. * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fixes an issue in {elastic-defend} versions 8.15.2 and 8.15.3 which can result in Windows boot failure `0xC000007B` referencing `ElasticElam.sys` or recovery mode prompt at boot. We have only received reports of this happening when {elastic-defend} is installed alongside CrowdStrike Falcon.
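Review bot: the rewrite fixes the run-on, but `were blocked from interacting with any onboarding card` leaves the fixed behaviour ambiguous: it does not say whether users without the {fleet} `read` permission can now complete the cards, or only open cards whose steps do not need Fleet. Since this entry is what an operator will use to decide whether to grant Fleet read to onboarding users, suggest stating which it is. The entry also formats `read` as code while the **Add note** entry above names no privilege at all; pick one style for privilege names across the Bug fixes list.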