From 5b43c2be5e51523db4dc64a56d42f2c4725e82a6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 16 Jan 2025 13:08:35 -0500 Subject: [PATCH 1/2] [Request][8.15.4 & 8.16.0] Add RN summary about Defend bug fix (#6429) * First draft * Fixes links * Update docs/release-notes/8.15.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> (cherry picked from commit 471a633b38ea56ce5b03e197a96a2822549c1b67) # Conflicts: # docs/release-notes/8.16.asciidoc --- docs/release-notes/8.15.asciidoc | 1 + docs/release-notes/8.16.asciidoc | 357 +++++++++++++++++++++++++++++++ 2 files changed, 358 insertions(+) create mode 100644 docs/release-notes/8.16.asciidoc diff --git a/docs/release-notes/8.15.asciidoc b/docs/release-notes/8.15.asciidoc index 15d695b8cf..43cedd86cd 100644 --- a/docs/release-notes/8.15.asciidoc +++ b/docs/release-notes/8.15.asciidoc @@ -38,6 +38,7 @@ * Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that didn't natively include this telemetry, such as Windows Server 2019. This could result in dropped or unattributed API events. * Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. After this fix, {elastic-defend} removes these fields. * Fixes an {elastic-defend} bug where Windows API events could be dropped if they contained Unicode characters that couldn't be converted to ANSI. +* Fixes a race condition that could allow an attacker with administrative rights to disable {elastic-defend} on Windows. We would like to acknowledge Sean Moore (@Fr0g) at https://strafecybersecurity.com[strafecybersecurity.com] for their assistance. [discrete] [[release-notes-8.15.3]] diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc new file mode 100644 index 0000000000..6a56f0c52e --- /dev/null +++ b/docs/release-notes/8.16.asciidoc @@ -0,0 +1,357 @@ +[[release-notes-header-8.16.0]] +== 8.16 + +[discrete] +[[release-notes-8.16.2]] +=== 8.16.2 + +[discrete] +[[bug-fixes-8.16.2]] +==== Bug fixes + +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). +* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). +* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). +* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). +* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. +* Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. + +[discrete] +[[release-notes-8.16.1]] +=== 8.16.1 + +[discrete] +[[known-issue-8.16.1]] +==== Known issues + +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. + +For custom rules: + +. From the **Rules** page, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. + +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: ++ +[source,console] +---- +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +---- ++ +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + +==== +// end::known-issue[201820] + +// tag::known-issue[] +[discrete] +.Manually running threshold rules may generate duplicate alerts +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.16.1]] +==== Bug fixes +* Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]). +* Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]). +* Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]). +* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). +* Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]). +* Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]). +* Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]). +* Fixes a time skew bug that occurred when Linux virtual machines using eBPF event probes were suspended and then resumed. + +[discrete] +[[release-notes-8.16.0]] +=== 8.16.0 + +[discrete] +[[known-issue-8.16.0]] +==== Known issues + +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. + +For custom rules: + +. From the **Rules** page, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. + +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: ++ +[source,console] +---- +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +---- ++ +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + +==== +// end::known-issue[201820] + +// tag::known-issue[] +[discrete] +.Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error +[%collapsible] +==== +*Details* + +Updating a Knowledge Base entry of type "index" results in an error. + +*Workaround* + +Instead of updating an "index" entry, delete it and add it again with the desired changes. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running threshold rules may generate duplicate alerts +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. + +==== +// end::known-issue[] + +// tag::known-issue-53[] +[discrete] +.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space +[%collapsible] +==== +*Details* + +On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space. + +*Workaround* + +Manually edit your browser's local storage and refresh the **Alerts** page: + +NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using. + +. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools. +. Go to *Application -> Storage*, then expand *Local Storage*. +. Click on the name of your Kibana instance, for example, http://localhost:1234. +. Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space. +. Refresh the **Alerts** page to reload it. + +==== +// end::known-issue-53[] + +[discrete] +[[breaking-changes-8.16.0]] +==== Breaking changes + +* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body `{ "message": "{kib} is shutting down and not accepting new incoming requests" }`. + +[discrete] +[[features-8.16.0]] +==== New features + +* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]). +* Enables agentless deployment for Elastic's Cloud Security Posture Management integration and the new Cloud Asset Inventory integration ({kibana-pull}191557[#191557]). +* Enables data collected by the Wiz and AWS Security Hub integrations to appear on the Findings page and in entity details flyouts (https://github.com/elastic/integrations/pull/10790[#10790], https://github.com/elastic/integrations/pull/11158[#11158]). +* Enables alerts collected by the Falco integration to appear on the Alerts page (https://github.com/elastic/integrations/pull/9619[#9619], https://github.com/elastic/integrations/pull/11051[#11051]). +* Adds ability to manually run rules for a specified time period, either for testing purposes or to generate alerts for past events. +* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]). +* Adds the ability to attach notes to alerts and events and introduces the Notes page, which allows you to manage all existing notes ({kibana-pull}186787[#186787], {kibana-pull}186807[#186807], {kibana-pull}186931[#186931], {kibana-pull}186946[#186946], {kibana-pull}187214[#187214], {kibana-pull}193373[#193373]). +* Enables detection rules to automatically execute system actions, such as opening a case ({kibana-pull}183937[#183937]). +* Adds role-based access control (RBAC) for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]). +* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]). +* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <> workflows by default ({kibana-pull}196270[#196270]). +* Introduces the entity store as a technical preview feature, which allows observed, imported, integrated, or uploaded entities to be stored persistently ({kibana-pull}192806[#192806]). +* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]). +* Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]). +* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]). +* Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]). +* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]). ++ +IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data. +* Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]). +* Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <>. +* Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <>. +* Allows you to reduce CPU usage, I/O, and event sizes by turning off MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`. +* Allows you to configure your {elastic-defend} integration policy to collect SHA-256 file hashes in file events. Before doing so, consider the following caveats: +** This can greatly increase {elastic-defend}'s CPU and I/O utilization and impact system responsiveness. +** This can significantly delay event enrichment and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior. +** This can cause event processing queues to overflow and lead to dropped events. +** Many file events won't contain hashes. Hash collection is the best effort and is not guaranteed to be present in every event. Hashes are collected asynchronously and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing]. +* Improves {elastic-defend} by enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the Kafka output. +* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity. + +[discrete] +[[enhancements-8.16.0]] +==== Enhancements +* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]). +* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]). +* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]). +* Adds an **Other** option to the OpenAI connector's **Select an OpenAI provider** dropdown menu. Select this option when <> ({kibana-pull}194831[#194831]). +* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]). +* Adds an **Install and enable** button to the **Add Elastic Rules** page, which allows for rules to be immediately enabled after they're installed ({kibana-pull}191529[#191529]). +* Adds the **Alert Suppression** and **Investigative guide** fields to the rule upgrade workflow ({kibana-pull}195499[#195499]). +* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]). +* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]): +** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page and is stored locally instead of in {es}. +** Attack Discovery now combines related discoveries that would previously have appeared separately. +** Attack Discovery now detects and displays an error instead of hallucinated output. +* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]). +* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]). +* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]). +* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]). +* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]). +* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]). +* Allows Automatic Import to analyze a larger number of sample events when generating a new integration ({kibana-pull}196233[#196233]). +* Allows Automatic Import to recognize CSV logs and create integrations for CSV data ({kibana-pull}196228[#196228], {kibana-pull}194386[#194386]). +* Allows you to open the rule details flyout from the Alerts table ({kibana-pull}191764[#191764]). +* Allows you to resize the alert and event details flyouts and choose how it's displayed in relation to the Alerts table (over or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]). +* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]). +* Adds support in all detection rule types for {elastic-defend}'s automated response actions ({kibana-pull}193390[#193390], {kibana-pull}191874[#191874]). +* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis. +* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`. +* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions. +* Ensures security artifacts are updated when the {elastic-defend} service starts. +* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy. +* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context. +* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output. +* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables the detection of certain defense evasions. You can turn this feature off in {elastic-defend} <> ({kibana-pull}190553[#190553]). +* Restores {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0. +* Improves {elastic-defend}'s caching to reduce memory usage on Windows. +* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID. +* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver. + +[discrete] +[[bug-fixes-8.16.0]] +==== Bug fixes + +* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]). +* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]). +* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]). +* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]). +* Improves the performance of the Alerts table ({kibana-pull}192827[#192827]). +* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture findings ({kibana-pull}194069[#194069]). +* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events. +* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI. +* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields. +* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events. +* Fixes a bug that prevented host name uniformity with {beats} products. If you request {elastic-defend} to use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default. +* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts. +* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy. +* Fixes a race condition that could allow an attacker with administrative rights to disable {elastic-defend} on Windows. We would like to acknowledge Sean Moore (@Fr0g) at https://strafecybersecurity.com[strafecybersecurity.com] for their assistance. +* Fixes scenarios where Automatic Import could generate invalid processors containing array access ({kibana-pull}196207[#196207]). +* Improves Timeline's table performance when row renderers are switched on ({kibana-pull}193316[#193316]). +* Fixes misaligned filter control labels on the Alerts page ({kibana-pull}192094[#192094]). \ No newline at end of file From c2494a7fdbe086f6277a606779a04269c7ba63dd Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 21 Jan 2025 08:43:07 -0500 Subject: [PATCH 2/2] removes 8.16 rns --- docs/release-notes/8.16.asciidoc | 357 ------------------------------- 1 file changed, 357 deletions(-) delete mode 100644 docs/release-notes/8.16.asciidoc diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc deleted file mode 100644 index 6a56f0c52e..0000000000 --- a/docs/release-notes/8.16.asciidoc +++ /dev/null @@ -1,357 +0,0 @@ -[[release-notes-header-8.16.0]] -== 8.16 - -[discrete] -[[release-notes-8.16.2]] -=== 8.16.2 - -[discrete] -[[bug-fixes-8.16.2]] -==== Bug fixes - -* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). -* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). -* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). -* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). -* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). -* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). -* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). -* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). -* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). -* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. - -[discrete] -[[release-notes-8.16.1]] -=== 8.16.1 - -[discrete] -[[known-issue-8.16.1]] -==== Known issues - -// tag::known-issue[201820] -[discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) -[%collapsible] -==== -*Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). - -*Workaround* + -Upgrade to 8.16.2, or follow the workarounds below. - -For custom rules: - -. From the **Rules** page, <> the rule or rules with the affected exception lists. -. Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. - -For prebuilt rules: - -NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. - -. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: -.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. -.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: -+ -[source,console] ----- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ----- -+ -.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. -+ -[source,console] ----- -{ - "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", - "exceptions_list": [ - { - "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", - "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", - "namespace_type": "single" - } - ] -} ----- -+ -. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: -+ -[source,console] ----- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ----- -+ -. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. - -*Resolved* + -On December 17, 2024, this issue was resolved. - -==== -// end::known-issue[201820] - -// tag::known-issue[] -[discrete] -.Manually running threshold rules may generate duplicate alerts -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.1]] -==== Bug fixes -* Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]). -* Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]). -* Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]). -* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). -* Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]). -* Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]). -* Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]). -* Fixes a time skew bug that occurred when Linux virtual machines using eBPF event probes were suspended and then resumed. - -[discrete] -[[release-notes-8.16.0]] -=== 8.16.0 - -[discrete] -[[known-issue-8.16.0]] -==== Known issues - -// tag::known-issue[201820] -[discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) -[%collapsible] -==== -*Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). - -*Workaround* + -Upgrade to 8.16.2, or follow the workarounds below. - -For custom rules: - -. From the **Rules** page, <> the rule or rules with the affected exception lists. -. Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. - -For prebuilt rules: - -NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. - -. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: -.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. -.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: -+ -[source,console] ----- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ----- -+ -.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. -+ -[source,console] ----- -{ - "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", - "exceptions_list": [ - { - "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", - "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", - "namespace_type": "single" - } - ] -} ----- -+ -. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: -+ -[source,console] ----- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ----- -+ -. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. - -*Resolved* + -On December 17, 2024, this issue was resolved. - -==== -// end::known-issue[201820] - -// tag::known-issue[] -[discrete] -.Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error -[%collapsible] -==== -*Details* + -Updating a Knowledge Base entry of type "index" results in an error. - -*Workaround* + -Instead of updating an "index" entry, delete it and add it again with the desired changes. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running threshold rules may generate duplicate alerts -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. - -==== -// end::known-issue[] - -// tag::known-issue-53[] -[discrete] -.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space -[%collapsible] -==== -*Details* + -On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space. - -*Workaround* + -Manually edit your browser's local storage and refresh the **Alerts** page: - -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using. - -. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space. -. Refresh the **Alerts** page to reload it. - -==== -// end::known-issue-53[] - -[discrete] -[[breaking-changes-8.16.0]] -==== Breaking changes - -* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body `{ "message": "{kib} is shutting down and not accepting new incoming requests" }`. - -[discrete] -[[features-8.16.0]] -==== New features - -* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]). -* Enables agentless deployment for Elastic's Cloud Security Posture Management integration and the new Cloud Asset Inventory integration ({kibana-pull}191557[#191557]). -* Enables data collected by the Wiz and AWS Security Hub integrations to appear on the Findings page and in entity details flyouts (https://github.com/elastic/integrations/pull/10790[#10790], https://github.com/elastic/integrations/pull/11158[#11158]). -* Enables alerts collected by the Falco integration to appear on the Alerts page (https://github.com/elastic/integrations/pull/9619[#9619], https://github.com/elastic/integrations/pull/11051[#11051]). -* Adds ability to manually run rules for a specified time period, either for testing purposes or to generate alerts for past events. -* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]). -* Adds the ability to attach notes to alerts and events and introduces the Notes page, which allows you to manage all existing notes ({kibana-pull}186787[#186787], {kibana-pull}186807[#186807], {kibana-pull}186931[#186931], {kibana-pull}186946[#186946], {kibana-pull}187214[#187214], {kibana-pull}193373[#193373]). -* Enables detection rules to automatically execute system actions, such as opening a case ({kibana-pull}183937[#183937]). -* Adds role-based access control (RBAC) for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]). -* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]). -* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <> workflows by default ({kibana-pull}196270[#196270]). -* Introduces the entity store as a technical preview feature, which allows observed, imported, integrated, or uploaded entities to be stored persistently ({kibana-pull}192806[#192806]). -* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]). -* Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]). -* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]). -* Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]). -* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]). -+ -IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data. -* Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]). -* Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <>. -* Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <>. -* Allows you to reduce CPU usage, I/O, and event sizes by turning off MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`. -* Allows you to configure your {elastic-defend} integration policy to collect SHA-256 file hashes in file events. Before doing so, consider the following caveats: -** This can greatly increase {elastic-defend}'s CPU and I/O utilization and impact system responsiveness. -** This can significantly delay event enrichment and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior. -** This can cause event processing queues to overflow and lead to dropped events. -** Many file events won't contain hashes. Hash collection is the best effort and is not guaranteed to be present in every event. Hashes are collected asynchronously and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing]. -* Improves {elastic-defend} by enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the Kafka output. -* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity. - -[discrete] -[[enhancements-8.16.0]] -==== Enhancements -* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]). -* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]). -* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]). -* Adds an **Other** option to the OpenAI connector's **Select an OpenAI provider** dropdown menu. Select this option when <> ({kibana-pull}194831[#194831]). -* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]). -* Adds an **Install and enable** button to the **Add Elastic Rules** page, which allows for rules to be immediately enabled after they're installed ({kibana-pull}191529[#191529]). -* Adds the **Alert Suppression** and **Investigative guide** fields to the rule upgrade workflow ({kibana-pull}195499[#195499]). -* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]). -* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]): -** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page and is stored locally instead of in {es}. -** Attack Discovery now combines related discoveries that would previously have appeared separately. -** Attack Discovery now detects and displays an error instead of hallucinated output. -* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]). -* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]). -* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]). -* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]). -* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]). -* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]). -* Allows Automatic Import to analyze a larger number of sample events when generating a new integration ({kibana-pull}196233[#196233]). -* Allows Automatic Import to recognize CSV logs and create integrations for CSV data ({kibana-pull}196228[#196228], {kibana-pull}194386[#194386]). -* Allows you to open the rule details flyout from the Alerts table ({kibana-pull}191764[#191764]). -* Allows you to resize the alert and event details flyouts and choose how it's displayed in relation to the Alerts table (over or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]). -* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]). -* Adds support in all detection rule types for {elastic-defend}'s automated response actions ({kibana-pull}193390[#193390], {kibana-pull}191874[#191874]). -* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis. -* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`. -* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions. -* Ensures security artifacts are updated when the {elastic-defend} service starts. -* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy. -* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context. -* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output. -* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables the detection of certain defense evasions. You can turn this feature off in {elastic-defend} <> ({kibana-pull}190553[#190553]). -* Restores {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0. -* Improves {elastic-defend}'s caching to reduce memory usage on Windows. -* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID. -* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver. - -[discrete] -[[bug-fixes-8.16.0]] -==== Bug fixes - -* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]). -* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]). -* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]). -* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]). -* Improves the performance of the Alerts table ({kibana-pull}192827[#192827]). -* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture findings ({kibana-pull}194069[#194069]). -* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events. -* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI. -* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields. -* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events. -* Fixes a bug that prevented host name uniformity with {beats} products. If you request {elastic-defend} to use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default. -* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts. -* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy. -* Fixes a race condition that could allow an attacker with administrative rights to disable {elastic-defend} on Windows. We would like to acknowledge Sean Moore (@Fr0g) at https://strafecybersecurity.com[strafecybersecurity.com] for their assistance. -* Fixes scenarios where Automatic Import could generate invalid processors containing array access ({kibana-pull}196207[#196207]). -* Improves Timeline's table performance when row renderers are switched on ({kibana-pull}193316[#193316]). -* Fixes misaligned filter control labels on the Alerts page ({kibana-pull}192094[#192094]). \ No newline at end of file