From a33d3a9d6df05e827fa2597171c6711da829ef66 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 10 Dec 2024 09:02:05 -0500 Subject: [PATCH 1/8] First draft --- docs/release-notes.asciidoc | 1 + docs/release-notes/8.16.asciidoc | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index c60a100248..3b7992ca6e 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index c95df615a3..62dfdfe593 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -1,6 +1,25 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[release-notes-8.16.2]] +=== 8.16.2 + +[discrete] +[[bug-fixes-8.16.2]] +==== Bug fixes +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). +* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). +* Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). +* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). +* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. +* Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. + [discrete] [[release-notes-8.16.1]] === 8.16.1 
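Review bot: the new 8.16.2 bug-fixes list in this hunk adds the `Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead` bullet twice, back to back, with identical pull-request references; drop one of the two `+* Rejects CEF logs ...` lines. In the same list, `Window Security Center` in the last {elastic-defend} bullet should read `Windows Security Center`, `engines now correctly reports the `Error` state` should be `engines now correctly report`, and `Removes fields with an `@` from the script processor` does not say which feature's script processor is meant (every other bullet names its area: Automatic Import, the Knowledge Base, prebuilt rules, the entity engine), so a reader cannot tell where the change applies. The two {elastic-defend} bullets are also the only entries without a `{kibana-pull}` link; if that is deliberate because the fix lives outside the public repository, fine, otherwise add the reference for consistency.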
@@ -37,6 +56,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]). * Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]). * Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]). +* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). * Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]). * Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]). * Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]). From 4458fc4032e4841fd88f7928e184a386fe9e32ff Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 11 Dec 2024 08:04:20 -0500 Subject: [PATCH 2/8] Adds known issue fix --- docs/release-notes/8.16.asciidoc | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 62dfdfe593..f51d535fbb 100644 --- a/docs/release-notes/8.16.asciidoc 
+++ b/docs/release-notes/8.16.asciidoc @@ -8,13 +8,14 @@ [discrete] [[bug-fixes-8.16.2]] ==== Bug fixes -* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). + * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). * Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). * Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. From 83170baef5d098c35e5fce885bb520f1045e85a9 Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 11 Dec 2024 20:32:49 -0500 Subject: [PATCH 3/8] Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index f51d535fbb..268afae06d 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -10,7 +10,7 @@ ==== Bug fixes * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). -* Fixes an issue that could interfere with Knowledge Base set up ({kibana-pull}201175[#201175]). +* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). * Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). From 17bc680a8551f8ccbe08e4348ad97a3efb38eb36 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 11 Dec 2024 20:33:03 -0500 Subject: [PATCH 4/8] Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 268afae06d..8f2b2eb6fd 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -16,7 +16,7 @@ * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). -* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly reports the `Error` state ({kibana-pull}201140[#201140]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. * Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. From 5e4bc985e2c06157d01592a00db5aa537d7a61bb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 11 Dec 2024 20:33:31 -0500 Subject: [PATCH 5/8] Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 8f2b2eb6fd..61031957a9 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -12,7 +12,7 @@ * Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). * Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). * Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). -* Disables the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). * Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). * Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). * Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). From b348cd66634baf747d3ce6b71fdb300b7e253607 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 12 Dec 2024 18:03:19 -0500 Subject: [PATCH 6/8] Adds edits --- docs/release-notes.asciidoc | 2 +- docs/release-notes/8.16.asciidoc | 36 +++++++++++++++++++++++--------- 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index e1251782fa..986e1a4424 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,8 +3,8 @@ This section summarizes the changes in each release. -* <> * <> +* <> * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index c6c784ddb9..3241b18e8e 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -37,7 +37,8 @@ *Details* + On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). -*Workaround* + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. For custom rules: @@ -55,8 +56,11 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can + [source,console] ---- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- ++ +NOTE: Specify the space if you're not using the default one. + + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + 
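Review bot: the rewritten rules request in the `@@ -55,8 +56,11 @@` hunk, `'${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e`, opens a single quote before `${KIBANA_URL}` and never closes it, so pasting the command into a shell leaves it waiting for the rest of the quoted string; add the closing `'` after the rule id. Single quotes also stop the shell from expanding `${KIBANA_URL}`, which defeats the point of switching from the bare `KIBANA_URL` placeholder to variable syntax; if the reader is expected to export `KIBANA_URL`, put the URL in double quotes, otherwise keep the plain placeholder form used for `API_KEY_HERE`. The added `+Upgrade to 8.16.2, or follow the workarounds below.` is the right lead for the workaround section, but the known-issue block still says nothing about which release fixed the issue; see the `*Resolved*` entry in the next hunk.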
@@ -78,21 +82,25 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' ''${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). . Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + ==== // end::known-issue[201820] // tag::known-issue[] [discrete] -.Duplicate alerts can be produced from manually running threshold rules +.Manually running threshold rules may generate duplicate alerts [%collapsible] ==== *Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. ==== // end::known-issue[] 
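Review bot: the export command in this hunk now reads `''${KIBANA_URL}/api/exception_lists/_export?...&namespace_type=single'`, two opening quotes followed by one closing quote, so the shell sees an unterminated string; the series corrects this only in patch 8 (`Removed extra qoute`), so squash that fix into this commit rather than leaving a broken intermediate state in history. The same hunk adds `*Resolved* + On December 17, 2024, this issue was resolved.` without naming the release that carries the fix, while the 8.16.2 bug-fixes list at the top of the file already credits `{kibana-pull}202063[#202063]` for exactly this bug; say `Resolved in 8.16.2 ({kibana-pull}202063[#202063])` so readers can map the known issue to the version they need. Minor: these blocks are tagged `[source,console]`, which in this documentation set is used for Dev Tools Console requests; a curl command line is better tagged `[source,sh]` so it is not offered to the reader as a Console request.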
@@ -136,7 +144,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul *Details* + On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). -*Workaround* + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. For custom rules: @@ -154,8 +163,11 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can + [source,console] ---- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- ++ +NOTE: Specify the space if you're not using the default one. + + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + 
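Review bot: the `@@ -136,7 +144,8 @@` and `@@ -154,8 +163,11 @@` hunks apply, line for line, the same edits already made at `@@ -37,7 +37,8 @@` and `@@ -55,8 +56,11 @@`, because the 201820 known-issue block is maintained as two verbatim copies in this file (the `// tag::known-issue[201820]` / `// end::known-issue[201820]` markers around each copy show it was meant to be single-sourced). Patches 7 and 8 in this series again have to touch both copies, and the earlier `// tag::known-issue[]` / `// end::known-issue[]` markers around the threshold-rule entry use no identifier at all, so the two blocks cannot be told apart by tag. Keep one copy and include it by tag in the second location, and give every known-issue tag its issue number, so the copies cannot drift.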
@@ -177,11 +189,15 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' ''${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). . Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + ==== // end::known-issue[201820] @@ -212,11 +228,11 @@ On August 1, 2024, it was discovered that Elastic AI Assistant's responses when // tag::known-issue[] [discrete] -.Duplicate alerts can be produced from manually running threshold rules +.Manually running threshold rules may generate duplicate alerts [%collapsible] ==== *Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. ==== // end::known-issue[] From 5de1d55c54b3e4e1c239a8c393b3d1bfeb5a79ba Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Mon, 16 Dec 2024 16:56:48 -0500 Subject: [PATCH 7/8] Removing space param --- docs/release-notes/8.16.asciidoc | 6 ------ 1 file changed, 6 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 3241b18e8e..41e6d2484b 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -58,9 +58,6 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can ---- curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- -+ -NOTE: Specify the space if you're not using the default one. - + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + @@ -165,9 +162,6 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can ---- curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- -+ -NOTE: Specify the space if you're not using the default one. - + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + From f99c36adc00cfd64f3a3c00280acf5cbc3f5e8e5 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 16 Dec 2024 17:03:18 -0500 Subject: [PATCH 8/8] Removed extra quote --- docs/release-notes/8.16.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 41e6d2484b..889fffc24c 100644 --- a/docs/release-notes/8.16.asciidoc
+++ b/docs/release-notes/8.16.asciidoc @@ -79,7 +79,7 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' ''${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). @@ -183,7 +183,7 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' ''${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`).
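Review bot: in patch 2 (`Adds known issue fix`), the `@@ -8,13 +8,14 @@` hunk removes one `-* Rejects CEF logs ...` line but re-adds it as `+ * Rejects CEF logs ...` with a space before the asterisk; the stat line `2 insertions(+), 1 deletion(-)` confirms this is a newly inserted line rather than unchanged context. In AsciiDoc a line that begins with whitespace renders as a literal paragraph, not a list item, so the first entry of the 8.16.2 bug-fixes list would fall out of the list. Delete one of the two duplicate lines outright instead of re-adding it with a leading space.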
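Review bot: patch 7 (`Removing space param`) deletes the `NOTE: Specify the space if you're not using the default one.` that patch 6 added under both copies of the rules request, but neither the commit message nor the surrounding text says why, and nothing else in the workaround tells a reader in a non-default space how to address that space. If the note was dropped because it was imprecise, replace it with the concrete form the request should take rather than removing the guidance; if the API is not space-dependent here, say so in the commit message so the next editor does not reintroduce it.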
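Review bot: patch 8 (`Removed extra qoute`) fixes the doubled opening quote in both `_export` commands, but the rules request that precedes each of them, visible as unchanged context in patch 7 as `'${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e` followed directly by `----`, still has an unmatched opening quote. After the whole series is applied, one of the three copy-and-paste commands in each copy of the workaround still fails in the shell; add the missing closing `'` to both occurrences of that line in this same commit, and fix `qoute` in the subject line.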