From 36b2c67761ba9807f05238cb0e82c3963ab671a1 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 10 Feb 2025 09:26:39 -0500 Subject: [PATCH 01/51] First draft --- docs/release-notes.asciidoc | 2 + docs/release-notes/8.18.asciidoc | 77 ++++++++++++++++++++++++++++++++ 2 files changed, 79 insertions(+) create mode 100644 docs/release-notes/8.18.asciidoc diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index d3bb176350..8138345d74 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -73,6 +74,7 @@ This section summarizes the changes in each release. * <> * <> +include::release-notes/8.18.asciidoc[] include::release-notes/8.17.asciidoc[] include::release-notes/8.16.asciidoc[] include::release-notes/8.15.asciidoc[] diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc new file mode 100644 index 0000000000..ae63ace26d --- /dev/null +++ b/docs/release-notes/8.18.asciidoc 
@@ -0,0 +1,77 @@ +[[release-notes-header-8.18.0]] +== 8.18 + +[discrete] +[[release-notes-8.18.0]] +=== 8.18.0 + +[discrete] +[[deprecations-8.18.0]] +==== Deprecations +* Adds management deprecated apis to the upgrade assistant ({kibana-pull}206904[#206904]) for details. +* Adds upgrade notes for management deprecated apis ({kibana-pull}206903[#206903]) for details. +* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details. +* Deprecates siem signals migration APIs ({kibana-pull}202662[#202662]) for details. + +[discrete] +[[features-8.18.0]] +==== New features +* Remove Tech preview badge for GA ({kibana-pull}208523[#208523]). +* Adds "Install" and "Reinstall" button on Entity Store status page ({kibana-pull}208149[#208149]). +* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374]). +* Update Entity Store Dashboard to prompt for Service Entity Type ({kibana-pull}207336[#207336]). +* Adds in-text citations to security solution AI assistant responses ({kibana-pull}206683[#206683]). +* Adds service enrichment to detection engine ({kibana-pull}206582[#206582]). +* Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). +* Service Flyout ({kibana-pull}206268[#206268]). +* Bring back last alert status change to flyout ({kibana-pull}205224[#205224]). +* Add the "service" type to Security Entity Analytics - Entity Store. It will find services by the service.name field, calculate risk score, and allow asset criticality assignment ({kibana-pull}204437[#204437]). +* CrowdStrike RunScript: Log Actions and UI Output ({kibana-pull}204044[#204044]). +* Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]). +* CrowdStrike RTR connector's sub actions ({kibana-pull}203420[#203420]). +* Adds preview logged requests for new terms, threshold, query, ML rule types ({kibana-pull}203320[#203320]). 
+* Adds RunScript API route (supporting CrowdStrike) ({kibana-pull}203101[#203101]). +* Adds advanced option to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). +* Service Entity Store ({kibana-pull}202344[#202344]). +* Adds RunScript CS Command - UI ({kibana-pull}202012[#202012]). +* Breaking out timeline & note privileges ({kibana-pull}201780[#201780]). +* Cases assignees sub feature ({kibana-pull}201654[#201654]). +* Entity Engine status tab ({kibana-pull}201235[#201235]). +* Introduce case observables (phase 0 & 1) ({kibana-pull}190237[#190237]). +* Adds support for suppressing EQL sequence alerts ({kibana-pull}189725[#189725]). + +[discrete] +[[enhancements-8.18.0]] +==== Enhancements +* Service example added to entity store upload ({kibana-pull}209023[#209023]). +* Changes to support event.ingested as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). +* Adds Kibana Support for Security AI Prompts Integration ({kibana-pull}207138[#207138]). +* Adds Knowledge Base entries API ({kibana-pull}206407[#206407]). +* Enable inference connector for Auto Import ({kibana-pull}206111[#206111]). +* Feature Flag Support for Cloud Security Posture Plugin ({kibana-pull}205438[#205438]). +* Alerts filtering ({kibana-pull}205070[#205070]). +* Use inference connector in security AI features ({kibana-pull}204505[#204505]). +* Adds audit logging to knowledge base entry changes ({kibana-pull}203349[#203349]). +* Updated EnablementModalCallout name to AdditionalChargesMessage ({kibana-pull}203061[#203061]). +* Set min-width for DistributionBar and added README for storybook ({kibana-pull}202247[#202247]). +* Product documentation tool ({kibana-pull}199694[#199694]). + +[discrete] +[[bug-fixes-8.18.0]] +==== Bug fixes +* Fixes Structured log template to use single quotes ({kibana-pull}209736[#209736]). +* Fixes issue with multiple ip addresses in strings ({kibana-pull}209475[#209475]). 
+* Fixes missing ecs mappings ({kibana-pull}209057[#209057]). +* "Select a Connector" popup does not show up after the user selects any connector and then cancels it from Endpoint Insights ({kibana-pull}208969[#208969]). +* Fixes ES|QL alert on alert ({kibana-pull}208894[#208894]). +* Adds missing fields to input manifest templates ({kibana-pull}208768[#208768]). +* Adds filter to entity definitions schema ({kibana-pull}208588[#208588]). +* Adds missing fields into AWS S3 manifest ({kibana-pull}208080[#208080]). +* Logs shard failures for eql event queries on rule details page and in event log ({kibana-pull}207396[#207396]). +* Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]). +* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). +* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). +* Use provided data stream description in generated README ({kibana-pull}203236[#203236]). +* Creating a shared component for the Risk Engine's countdown text ({kibana-pull}203212[#203212]). +* Use Data stream name for data_stream.dataset value in input manifests ({kibana-pull}203106[#203106]). +* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). \ No newline at end of file From 17d2038cc54ae6b0ac99ea656af4ec9af6946599 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 14 Mar 2025 16:18:26 -0400 Subject: [PATCH 02/51] Adds recent changes --- docs/release-notes/8.18.asciidoc | 68 +++++++++++++++++++++++++++----- 1 file changed, 58 insertions(+), 10 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index ae63ace26d..77f67d95b8 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
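Review bot: In PATCH 01/51, all four Deprecations bullets of the new docs/release-notes/8.18.asciidoc end in a dangling "for details." after the PR link ("* Adds management deprecated apis to the upgrade assistant ({kibana-pull}206904[#206904]) for details."); either drop the phrase or complete the sentence it was meant to be part of. Most New features and Enhancements entries are raw PR titles ("Remove Tech preview badge for GA", "Service Flyout", "Product documentation tool", "Alerts filtering") that do not tell the reader what changed; release-note bullets should name the user-visible change, as the Bug fixes entries mostly do. The new file also lacks a trailing newline ("\ No newline at end of file"), which will produce diff noise on every later edit of the file.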
@@ -23,10 +23,12 @@ * Adds in-text citations to security solution AI assistant responses ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine ({kibana-pull}206582[#206582]). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). +* Rule gaps ({kibana-pull}206313[#206313]). * Service Flyout ({kibana-pull}206268[#206268]). * Bring back last alert status change to flyout ({kibana-pull}205224[#205224]). -* Add the "service" type to Security Entity Analytics - Entity Store. It will find services by the service.name field, calculate risk score, and allow asset criticality assignment ({kibana-pull}204437[#204437]). +* Add the "service" type to Security Entity Analytics - Entity Store. It will find services by the `service.name` field, calculate risk score, and allow asset criticality assignment. ({kibana-pull}204437[#204437]). * CrowdStrike RunScript: Log Actions and UI Output ({kibana-pull}204044[#204044]). +* Eui Refresh ({kibana-pull}204007[#204007]). * Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]). * CrowdStrike RTR connector's sub actions ({kibana-pull}203420[#203420]). * Adds preview logged requests for new terms, threshold, query, ML rule types ({kibana-pull}203320[#203320]). 
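Review bot: The two bullets added in this hunk, "Rule gaps" and "Eui Refresh", are bare PR titles that say nothing about the change for the reader; describe the feature, and spell the framework name EUI as the rest of the file does. The reworded service bullet now carries a period both before and after the PR reference ("...allow asset criticality assignment. ({kibana-pull}204437[#204437]).") while every other bullet puts the single period after the link; drop the first one.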
@@ -35,43 +37,89 @@ * Service Entity Store ({kibana-pull}202344[#202344]). * Adds RunScript CS Command - UI ({kibana-pull}202012[#202012]). * Breaking out timeline & note privileges ({kibana-pull}201780[#201780]). -* Cases assignees sub feature ({kibana-pull}201654[#201654]). +* Introduce a new sub-feature to allow users to control a role's ability to assign users to a case ({kibana-pull}201654[#201654]). * Entity Engine status tab ({kibana-pull}201235[#201235]). * Introduce case observables (phase 0 & 1) ({kibana-pull}190237[#190237]). * Adds support for suppressing EQL sequence alerts ({kibana-pull}189725[#189725]). +* Add new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. +* Add new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. +* Endpoint will send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. +* Updates infrastructure of HttpClient to allow for future implementation of a rust based client. +* Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. +* Global artifacts update will be delivered incrementally, closely monitoring the health of the rollout. To support it, Endpoint will contact a new cloud API to know which artifacts it should use, will contact elastic telemetry to send periodic health information during artifacts testing, and lastly will allow opt-out via advanced policy setting from participation in staged artifacts rollout. +* Enable process event aggregation by default. +* How was it tested?. +Adds a new field to the metrics section of the metadata document called `top_process_trees`. 
This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. +* To reduce CPU usage, I/O, and event sizes, users can now opt into aggregation of network events. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use `advanced.events.aggregate_network` in advanced policy to enable it. +* ISSUE-14632: Count Events via Process Cache. [discrete] [[enhancements-8.18.0]] ==== Enhancements +* Enable visualization in flyout advanced setting ({kibana-pull}211319[#211319]). * Service example added to entity store upload ({kibana-pull}209023[#209023]). +* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). * Changes to support event.ingested as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). * Adds Kibana Support for Security AI Prompts Integration ({kibana-pull}207138[#207138]). * Adds Knowledge Base entries API ({kibana-pull}206407[#206407]). * Enable inference connector for Auto Import ({kibana-pull}206111[#206111]). -* Feature Flag Support for Cloud Security Posture Plugin ({kibana-pull}205438[#205438]). * Alerts filtering ({kibana-pull}205070[#205070]). * Use inference connector in security AI features ({kibana-pull}204505[#204505]). * Adds audit logging to knowledge base entry changes ({kibana-pull}203349[#203349]). * Updated EnablementModalCallout name to AdditionalChargesMessage ({kibana-pull}203061[#203061]). -* Set min-width for DistributionBar and added README for storybook ({kibana-pull}202247[#202247]). +* UI changes for Risk Engine to include closed alerts for risk score calculation ({kibana-pull}201909[#201909]). * Product documentation tool ({kibana-pull}199694[#199694]). +* Reduce system performance impact of file events. +* Improve the resilience of Elastic Defend in low memory situations. 
+* Endpoint status message ACK'ed to Agent shows: Defend policy name, revision, and Agent policy revision. +* Various performance optimizations to reduce Defend's CPU usage and improve system responsiveness. +* Include policy name and id in alerts. +* Various performance optimizations to reduce Defend's CPU usage and improve system responsiveness. +* Add advanced option `allow_cloud_features` to let the user explicitly list which cloud resources can be reached by Endpoint. +* Defend: Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks - including malware and 3rd party security products. +* Defend: Improved script visibility. Adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. +* Elastic Defend includes an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. +* (Elastic Defend) Add `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. +* Improve host information accuracy, such as IP addresses. Endpoint was updating this information only during new policy application or at least once per 24h, so this information could have been inaccurate for several hours, especially on roaming endpoints (laptops). [discrete] [[bug-fixes-8.18.0]] ==== Bug fixes -* Fixes Structured log template to use single quotes ({kibana-pull}209736[#209736]). -* Fixes issue with multiple ip addresses in strings ({kibana-pull}209475[#209475]). +* Alerts table in Rule Preview panel fills container width ({kibana-pull}214028[#214028]). +* 8.18 Fix assistant apiConfig set by Security getting started page ({kibana-pull}213969[#213969]). +* Fixes session view navigation when in alert preview and add preview banner ({kibana-pull}213455[#213455]). 
+* Bedrock prompt updates ({kibana-pull}213160[#213160]). +* Adds `organizationId` and `projectId` OpenAI headers, along with arbitrary headers ({kibana-pull}213117[#213117]). +* Fixes unstructured syslog flow ({kibana-pull}213042[#213042]). +* Fixes alert insights color order ({kibana-pull}212980[#212980]). +* Fixes - Alert Table Event Rendered View + Cell actions ({kibana-pull}212721[#212721]). +* Fixes empty EQL query validation ({kibana-pull}212117[#212117]). +* Fixes analyzer no data message in flyout when analyzer is not enabled ({kibana-pull}211981[#211981]). +* Convert isolate host to standalone flyout ({kibana-pull}211853[#211853]). +* Adds bulkGetUserProfiles privilege to Security Feature ({kibana-pull}211824[#211824]). +* Changes for the confirmation message after RiskScore SO is updated ({kibana-pull}211372[#211372]). +* Update entity store copies ({kibana-pull}210991[#210991]). +* Delete 'critical services' count from Entity Analytics Dashboard header ({kibana-pull}210827[#210827]). +* Do not prompt users with the legacy risk engine installed to install the risk engine on the Entity Analytics dashboard ({kibana-pull}210430[#210430]). +* Make 7.x signals/alerts compatible with 8.18 alerts UI ({kibana-pull}209936[#209936]). +* Clicking link in host/user flyout does not refresh details panel ({kibana-pull}209863[#209863]). +* Remember page index in Rule Updates table ({kibana-pull}209537[#209537]). +* Make entity store description more generic ({kibana-pull}209130[#209130]). * Fixes missing ecs mappings ({kibana-pull}209057[#209057]). -* "Select a Connector" popup does not show up after the user selects any connector and then cancels it from Endpoint Insights ({kibana-pull}208969[#208969]). * Fixes ES|QL alert on alert ({kibana-pull}208894[#208894]). -* Adds missing fields to input manifest templates ({kibana-pull}208768[#208768]). * Adds filter to entity definitions schema ({kibana-pull}208588[#208588]). 
-* Adds missing fields into AWS S3 manifest ({kibana-pull}208080[#208080]). * Logs shard failures for eql event queries on rule details page and in event log ({kibana-pull}207396[#207396]). * Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]). * Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). * Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). +* EUI refresh: Rename color variables ({kibana-pull}204908[#204908]). * Use provided data stream description in generated README ({kibana-pull}203236[#203236]). * Creating a shared component for the Risk Engine's countdown text ({kibana-pull}203212[#203212]). * Use Data stream name for data_stream.dataset value in input manifests ({kibana-pull}203106[#203106]). -* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). \ No newline at end of file +* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). +* Fixes a bug where environment variables were not collected on macOS according to the advanced.capture_env_vars field. +* Use the first event's timestamp as the timestamp for event aggregation. +* Updated the way endpoint initially connects to agent, improving the speed of connection significantly. +* Fix issues where Windows Defend uninstallation leaves files within Endpoint's directory that cannot be removed by administrators. These files can prevent subsequent installs and upgrades. +* Increase the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. +* Improve `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From a4761969c78e70a19aa9b4e1ba595f38b297812c Mon Sep 17 00:00:00 2001 
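Review bot: In the @@ -35,43 +37,89 @@ hunk of PATCH 02/51, the `process.Ext.command_line_truncated` / `process.parent.Ext.command_line_truncated` bullet is added twice in a row, and "Various performance optimizations to reduce Defend's CPU usage and improve system responsiveness." appears twice under Enhancements; keep one copy of each. "* How was it tested?." is PR-template text that leaked into the release notes and should be removed, with the `top_process_trees` sentence that follows it made a bullet of its own. "* ISSUE-14632: Count Events via Process Cache." is an internal tracker reference rather than a user-facing note; either describe what changed for the user or drop it. The Endpoint bullets also switch between "Endpoint", "Defend" and "Elastic Defend" for the same product; pick one name. The file still ends without a trailing newline.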
From: "nastasha.solomon" Date: Sat, 22 Mar 2025 17:56:19 -0400 Subject: [PATCH 03/51] Revisions --- docs/release-notes/8.18.asciidoc | 104 +++++++++++++++---------------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 77f67d95b8..72e5b7f4c6 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -8,79 +8,80 @@ [discrete] [[deprecations-8.18.0]] ==== Deprecations -* Adds management deprecated apis to the upgrade assistant ({kibana-pull}206904[#206904]) for details. -* Adds upgrade notes for management deprecated apis ({kibana-pull}206903[#206903]) for details. -* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details. -* Deprecates siem signals migration APIs ({kibana-pull}202662[#202662]) for details. +//* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]). +//* adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). +//* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details. +//Might need to elaborate on the following summary and also doc it in the Kibana release notes at https://www.elastic.co/guide/en/kibana/8.18/release-notes-8.18.0.html. +* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): + +** POST /api/detection_engine/signals/migrations +** DELETE /api/detection_engine/signals/migrations +** POST /api/detection_engine/signals/finalize_migrations +** GET /api/detection_engine/signals/migration_status + [discrete] [[features-8.18.0]] ==== New features -* Remove Tech preview badge for GA ({kibana-pull}208523[#208523]). -* Adds "Install" and "Reinstall" button on Entity Store status page ({kibana-pull}208149[#208149]). +* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). +* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374]). * Update Entity Store Dashboard to prompt for Service Entity Type ({kibana-pull}207336[#207336]). 
-* Adds in-text citations to security solution AI assistant responses ({kibana-pull}206683[#206683]). +* Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine ({kibana-pull}206582[#206582]). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). -* Rule gaps ({kibana-pull}206313[#206313]). +* Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]). * Service Flyout ({kibana-pull}206268[#206268]). -* Bring back last alert status change to flyout ({kibana-pull}205224[#205224]). +* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). * Add the "service" type to Security Entity Analytics - Entity Store. It will find services by the `service.name` field, calculate risk score, and allow asset criticality assignment. ({kibana-pull}204437[#204437]). -* CrowdStrike RunScript: Log Actions and UI Output ({kibana-pull}204044[#204044]). -* Eui Refresh ({kibana-pull}204007[#204007]). +* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). * Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]). -* CrowdStrike RTR connector's sub actions ({kibana-pull}203420[#203420]). -* Adds preview logged requests for new terms, threshold, query, ML rule types ({kibana-pull}203320[#203320]). -* Adds RunScript API route (supporting CrowdStrike) ({kibana-pull}203101[#203101]). -* Adds advanced option to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). 
+* Expands support for previewing logged {es} requests to include the new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). +* Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). +* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Service Entity Store ({kibana-pull}202344[#202344]). -* Adds RunScript CS Command - UI ({kibana-pull}202012[#202012]). -* Breaking out timeline & note privileges ({kibana-pull}201780[#201780]). -* Introduce a new sub-feature to allow users to control a role's ability to assign users to a case ({kibana-pull}201654[#201654]). +* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). +* Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]). * Entity Engine status tab ({kibana-pull}201235[#201235]). -* Introduce case observables (phase 0 & 1) ({kibana-pull}190237[#190237]). -* Adds support for suppressing EQL sequence alerts ({kibana-pull}189725[#189725]). -* Add new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. -* Add new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. -* Endpoint will send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. -* Updates infrastructure of HttpClient to allow for future implementation of a rust based client. 
+* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). +* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). +* Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. +* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. +* Updates infrastructure of HttpClient to allow for future implementation of a rust-based client. * Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. -* Global artifacts update will be delivered incrementally, closely monitoring the health of the rollout. To support it, Endpoint will contact a new cloud API to know which artifacts it should use, will contact elastic telemetry to send periodic health information during artifacts testing, and lastly will allow opt-out via advanced policy setting from participation in staged artifacts rollout. -* Enable process event aggregation by default. -* How was it tested?. -Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. -* To reduce CPU usage, I/O, and event sizes, users can now opt into aggregation of network events. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use `advanced.events.aggregate_network` in advanced policy to enable it. +* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. 
To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow opt-out via advanced policy setting from participation in staged artifacts rollout. +* Enables process event aggregation by default. +* Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. +* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use `advanced.events.aggregate_network` in advanced policy to enable it. * ISSUE-14632: Count Events via Process Cache. [discrete] [[enhancements-8.18.0]] ==== Enhancements * Enable visualization in flyout advanced setting ({kibana-pull}211319[#211319]). -* Service example added to entity store upload ({kibana-pull}209023[#209023]). +* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). * Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). -* Changes to support event.ingested as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). -* Adds Kibana Support for Security AI Prompts Integration ({kibana-pull}207138[#207138]). -* Adds Knowledge Base entries API ({kibana-pull}206407[#206407]). -* Enable inference connector for Auto Import ({kibana-pull}206111[#206111]). -* Alerts filtering ({kibana-pull}205070[#205070]). -* Use inference connector in security AI features ({kibana-pull}204505[#204505]). -* Adds audit logging to knowledge base entry changes ({kibana-pull}203349[#203349]). 
+* Introduces changes to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). +* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). +* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). +* Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]). +* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). +* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). +* Adds audit logging for changes to knowledge base entries ({kibana-pull}203349[#203349]). * Updated EnablementModalCallout name to AdditionalChargesMessage ({kibana-pull}203061[#203061]). -* UI changes for Risk Engine to include closed alerts for risk score calculation ({kibana-pull}201909[#201909]). -* Product documentation tool ({kibana-pull}199694[#199694]). -* Reduce system performance impact of file events. -* Improve the resilience of Elastic Defend in low memory situations. -* Endpoint status message ACK'ed to Agent shows: Defend policy name, revision, and Agent policy revision. -* Various performance optimizations to reduce Defend's CPU usage and improve system responsiveness. -* Include policy name and id in alerts. -* Various performance optimizations to reduce Defend's CPU usage and improve system responsiveness. -* Add advanced option `allow_cloud_features` to let the user explicitly list which cloud resources can be reached by Endpoint. -* Defend: Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks - including malware and 3rd party security products. -* Defend: Improved script visibility. 
Adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. -* Elastic Defend includes an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. -* (Elastic Defend) Add `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. -* Improve host information accuracy, such as IP addresses. Endpoint was updating this information only during new policy application or at least once per 24h, so this information could have been inaccurate for several hours, especially on roaming endpoints (laptops). +* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). +* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). +* Reduces the system performance impact of file events. +* Improves the resilience of {elastic-defend} in low memory situations. +* Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. +* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. +* Includes the {elastic-defend} policy name and ID in alerts. +* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. +* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks - including malware and 3rd party security products. +* Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. +* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. 
We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. +* Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. +* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once per 24h, so this information could have been inaccurate for several hours, especially on roaming endpoints (laptops). [discrete] [[bug-fixes-8.18.0]] @@ -112,7 +113,6 @@ Adds a new field to the metrics section of the metadata document called `top_pro * Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]). * Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). * Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). -* EUI refresh: Rename color variables ({kibana-pull}204908[#204908]). * Use provided data stream description in generated README ({kibana-pull}203236[#203236]). * Creating a shared component for the Risk Engine's countdown text ({kibana-pull}203212[#203212]). * Use Data stream name for data_stream.dataset value in input manifests ({kibana-pull}203106[#203106]). From d71c2884eeb3e146607e8090cf485f1421654302 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 24 Mar 2025 14:25:51 -0400 Subject: [PATCH 04/51] EA PRs --- docs/release-notes/8.18.asciidoc | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 72e5b7f4c6..3834b937ab 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
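Review bot: In the @@ -8,79 +8,80 @@ hunk of PATCH 03/51, several reworded bullets introduce errors: "Introduces privileges that allow you a role to assign users to a case" is ungrammatical (read "privileges that let you control whether a role can assign users to a case"); "alerts generated from even correlation rules" should read "event correlation rules"; "Ensures that global artifacts update are delivered incrementally" should read "global artifact updates are delivered"; and "Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138])." has a period before and after the link. The combined response-actions bullet spells the vendor "Crowdstrike" while the lines it replaces use "CrowdStrike"; keep the vendor's capitalization. The "//Might need to elaborate..." comment and the three commented-out deprecation bullets are draft markers that need to be resolved, either documented or deleted, before this ships.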
@@ -25,21 +25,18 @@ ==== New features * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). -* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374]). -* Update Entity Store Dashboard to prompt for Service Entity Type ({kibana-pull}207336[#207336]). +* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). +* Provides support for the service entity type, whereas previously, only user and host entity types were supported. ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). -* Adds service enrichment to detection engine ({kibana-pull}206582[#206582]). +* Adds service enrichment to detection engine (). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). * Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]). -* Service Flyout ({kibana-pull}206268[#206268]). * Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). -* Add the "service" type to Security Entity Analytics - Entity Store. It will find services by the `service.name` field, calculate risk score, and allow asset criticality assignment. ({kibana-pull}204437[#204437]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). 
* Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]). * Expands support for previewing logged {es} requests to include the new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). * Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). -* Service Entity Store ({kibana-pull}202344[#202344]). * Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). * Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]). * Entity Engine status tab ({kibana-pull}201235[#201235]). @@ -68,7 +65,6 @@ * Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). * Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). * Adds audit logging for changes to knowledge base entries ({kibana-pull}203349[#203349]). -* Updated EnablementModalCallout name to AdditionalChargesMessage ({kibana-pull}203061[#203061]). * Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). * Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). * Reduces the system performance impact of file events. From 0e33eeb899c262dbe1aa0cfbd9de9ea44534bf19 Mon Sep 17 00:00:00 2001 
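Review bot: `* Adds service enrichment to detection engine ().` is left with empty parentheses once #206582 moved to the service entity type item; either delete the line, since that item now cites #206582, or restore the link. In the same hunk #204437, whose removed line described adding the `service` type to the Entity Store, is appended to the `enrichPolicyExecutionInterval` item instead of the new service entity type item, which looks like the wrong home for it. The unchanged line `Introduces privileges that allow you a role to assign users to a case` still needs `allow you a role` corrected to `allow a role`.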
From: "nastasha.solomon" Date: Mon, 24 Mar 2025 14:35:08 -0400 Subject: [PATCH 05/51] adv setting summary --- docs/release-notes/8.18.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 3834b937ab..5123eb4fd9 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -26,7 +26,7 @@ * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). -* Provides support for the service entity type, whereas previously, only user and host entity types were supported. ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). +* Provides support for the service entity type, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine (). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). 
@@ -55,7 +55,7 @@ [discrete] [[enhancements-8.18.0]] ==== Enhancements -* Enable visualization in flyout advanced setting ({kibana-pull}211319[#211319]). +* Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). * Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). * Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). * Introduces changes to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). From c3059dac061e4cf51222fa86986ec7e67b5d0d52 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 24 Mar 2025 15:12:54 -0400 Subject: [PATCH 06/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Jared Burgett <147995946+jaredburgettelastic@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 5123eb4fd9..5441e04abd 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
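Review bot: only the stray period before the PR list is removed in the first hunk; the empty `()` on the context line `* Adds service enrichment to detection engine ().` two lines below is still unresolved and should be fixed in the same pass.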
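Review bot: the rewrite states that `securitySolution:enableVisualizationsInFlyout` is now on by default, while the line it replaces (`Enable visualization in flyout advanced setting`) could equally describe the setting being introduced; confirm the default-on claim against #211319 before publishing. The adjacent context line `Update entity insight badge to open entity flyouts` is still a raw PR title and should become `Updates the entity insight badge so it opens the entity flyout`.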
@@ -26,7 +26,7 @@ * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). -* Provides support for the service entity type, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). +* Provides initial support for the service entity type, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine (). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). From 712e5ca4922353a9c0af94e37bdea850b03385d8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Tue, 25 Mar 2025 08:11:36 -0400 Subject: [PATCH 07/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Pablo Machado --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 5441e04abd..f62208dbda 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -26,7 +26,7 @@ * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). -* Provides initial support for the service entity type, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). +* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine (). * Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). From e383710eb65b3b4ab6acab79fd5f661285ae5acb Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 25 Mar 2025 16:47:59 -0400 Subject: [PATCH 08/51] more for features and enhancements --- docs/release-notes/8.18.asciidoc | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index f62208dbda..1e37a62931 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
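Review bot: the comma after `previously` in `whereas previously, only user and host entity types were supported` splits the clause; `whereas previously only user and host entity types were supported` reads cleanly.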
@@ -9,9 +9,8 @@ [[deprecations-8.18.0]] ==== Deprecations //* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]). -//* adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). +//* Adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). //* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details. -//Might need to elaborate on the following summary and also doc it in the Kibana release notes at https://www.elastic.co/guide/en/kibana/8.18/release-notes-8.18.0.html. * The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): ** POST /api/detection_engine/signals/migrations @@ -29,7 +28,7 @@ * Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds service enrichment to detection engine (). -* Entity Store Config - Lookback period ({kibana-pull}206421[#206421]). +* Provides configuration options to Entity Store through additional API parameters ({kibana-pull}206421[#206421]). * Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]). * Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). 
@@ -39,18 +38,18 @@ * Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). * Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]). -* Entity Engine status tab ({kibana-pull}201235[#201235]). +* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). * Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). * Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). * Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. -* Updates infrastructure of HttpClient to allow for future implementation of a rust-based client. +* Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. * Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. -* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow opt-out via advanced policy setting from participation in staged artifacts rollout. +* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. 
To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. +* Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry * Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. -* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use `advanced.events.aggregate_network` in advanced policy to enable it. -* ISSUE-14632: Count Events via Process Cache. +* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. [discrete] [[enhancements-8.18.0]] 
@@ -73,11 +72,11 @@ * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. -* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks - including malware and 3rd party security products. +* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. * Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. * Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. -* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once per 24h, so this information could have been inaccurate for several hours, especially on roaming endpoints (laptops). +* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. [discrete] [[bug-fixes-8.18.0]] From 358febf61c279520c85514659bd0857e89d42e02 Mon Sep 17 00:00:00 2001 
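Review bot: the recapitalised comment still reads `create docs link for Endpoint management deprecated apis`; if the line is ever uncommented it should say `Adds upgrade notes and a docs link for Endpoint management deprecated APIs in 9.0`, matching the line above it.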
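Review bot: `Provides configuration options to Entity Store through additional API parameters` is less specific than the `Lookback period` title it replaces; naming the lookback-period parameter keeps the information a reader needs to find the option.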
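Review bot: the rewritten staged-rollout item has a number-agreement error, `global artifacts update are delivered`, which should be `global artifact updates are delivered`, and `opt-out from participating` should be `opt out of participating`. Also in this hunk: `Rust based client` wants a hyphen (`Rust-based`), the new `inherited event counting` line has no trailing period, and the unchanged context line `alerts generated from even correlation rules` is a typo for `event correlation rules`.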
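Review bot: `at least once ever 24 hours` in the rewritten host-information line is a typo for `every 24 hours`. The `call_stack_final_hook_module` line in the same hunk still says `3rd party`; `third-party` matches the rest of the notes.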
From: "nastasha.solomon" Date: Tue, 25 Mar 2025 18:29:40 -0400 Subject: [PATCH 09/51] revisions to bugs pt 1 --- docs/release-notes/8.18.asciidoc | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 1e37a62931..26d0424516 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -69,6 +69,7 @@ * Reduces the system performance impact of file events. * Improves the resilience of {elastic-defend} in low memory situations. * Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. +* When creating a new rule, the data view selector now shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. 
@@ -81,17 +82,17 @@ [discrete] [[bug-fixes-8.18.0]] ==== Bug fixes -* Alerts table in Rule Preview panel fills container width ({kibana-pull}214028[#214028]). -* 8.18 Fix assistant apiConfig set by Security getting started page ({kibana-pull}213969[#213969]). -* Fixes session view navigation when in alert preview and add preview banner ({kibana-pull}213455[#213455]). -* Bedrock prompt updates ({kibana-pull}213160[#213160]). -* Adds `organizationId` and `projectId` OpenAI headers, along with arbitrary headers ({kibana-pull}213117[#213117]). -* Fixes unstructured syslog flow ({kibana-pull}213042[#213042]). -* Fixes alert insights color order ({kibana-pull}212980[#212980]). -* Fixes - Alert Table Event Rendered View + Cell actions ({kibana-pull}212721[#212721]). -* Fixes empty EQL query validation ({kibana-pull}212117[#212117]). -* Fixes analyzer no data message in flyout when analyzer is not enabled ({kibana-pull}211981[#211981]). -* Convert isolate host to standalone flyout ({kibana-pull}211853[#211853]). +* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). +* Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]). +* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). +* Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). +* Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). +* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). +* Fixes the order of the alert insights so they're now shown from low risk to critical risk ({kibana-pull}212980[#212980]). +* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). 
+* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). +* Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). +* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). * Adds bulkGetUserProfiles privilege to Security Feature ({kibana-pull}211824[#211824]). * Changes for the confirmation message after RiskScore SO is updated ({kibana-pull}211372[#211372]). * Update entity store copies ({kibana-pull}210991[#210991]). From eac3efbc941b82bdf5d6120bbfaadfbba6d481d8 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 25 Mar 2025 21:03:25 -0400 Subject: [PATCH 10/51] even more bugs --- docs/release-notes/8.18.asciidoc | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 26d0424516..dbb2ca91f0 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
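Review bot: the new #214495 data view selector line is inserted between two {elastic-defend} entries (the status message ACK line and the CPU optimizations line); it is a Kibana rule-editor change and should sit with the other Kibana items, and since it corrects what the selector displays it may belong under Bug fixes rather than Enhancements.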
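Review bot: `Fixes bugs that prevents cell action in the Alerts table from properly rendering` needs agreement and a plural, e.g. `Fixes a bug that prevented cell actions in the Alerts table from rendering in the event rendered view`, and `concealed the the isolate host panel` has a doubled `the`. Minor: `Adds a "no data message"` reads better as `Adds a no-data message`.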
@@ -93,17 +93,17 @@ * Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). * Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). * Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). -* Adds bulkGetUserProfiles privilege to Security Feature ({kibana-pull}211824[#211824]). -* Changes for the confirmation message after RiskScore SO is updated ({kibana-pull}211372[#211372]). -* Update entity store copies ({kibana-pull}210991[#210991]). -* Delete 'critical services' count from Entity Analytics Dashboard header ({kibana-pull}210827[#210827]). -* Do not prompt users with the legacy risk engine installed to install the risk engine on the Entity Analytics dashboard ({kibana-pull}210430[#210430]). -* Make 7.x signals/alerts compatible with 8.18 alerts UI ({kibana-pull}209936[#209936]). -* Clicking link in host/user flyout does not refresh details panel ({kibana-pull}209863[#209863]). -* Remember page index in Rule Updates table ({kibana-pull}209537[#209537]). -* Make entity store description more generic ({kibana-pull}209130[#209130]). -* Fixes missing ecs mappings ({kibana-pull}209057[#209057]). -* Fixes ES|QL alert on alert ({kibana-pull}208894[#208894]). +* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). +* Improves the confirmation message that appears when updated the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). +* Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]). 
+* Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]). +* Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). +* Makes the 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). +* Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). +* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). +* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). +* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). +* Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). * Adds filter to entity definitions schema ({kibana-pull}208588[#208588]). * Logs shard failures for eql event queries on rule details page and in event log ({kibana-pull}207396[#207396]). * Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]). From 7eceb385ea8f0138b46a9cfe7af9e6f05c9df045 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 25 Mar 2025 21:53:25 -0400 Subject: [PATCH 11/51] Revises more pr summaries --- docs/release-notes/8.18.asciidoc | 52 ++++++++++++++++++++++---------- 1 file changed, 36 insertions(+), 16 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index dbb2ca91f0..8e07338b51 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
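Review bot: two rewrites in this hunk change the meaning of the lines they replace and should be checked against the PRs: `Remember page index in Rule Updates table` (#209537) became `stay on your current page in the Rules table after editing or updating a rule`, which names a different table and a different trigger, and `Do not prompt users with the legacy risk engine installed` (#210430) became `even though you have already done it`, dropping the legacy-engine condition. Grammar: `when updated the configuration` should be `when you update the configuration`, and `compatible with Alerts table` needs `the`.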
@@ -5,12 +5,31 @@ [[release-notes-8.18.0]] === 8.18.0 +[discrete] +[[known-issue-8.18.0]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules. + +*Workaround* + + +Duplicate your rules and enable them. + +==== +// end::known-issue[] + [discrete] [[deprecations-8.18.0]] ==== Deprecations -//* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]). -//* Adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). -//* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details. +* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]). +* Adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). +* The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]). * The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): ** POST /api/detection_engine/signals/migrations 
@@ -22,6 +41,7 @@ [discrete] [[features-8.18.0]] ==== New features +* Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). @@ -88,7 +108,7 @@ * Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). * Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). * Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). -* Fixes the order of the alert insights so they're now shown from low risk to critical risk ({kibana-pull}212980[#212980]). +* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). * Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). * Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). * Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). 
@@ -104,18 +124,18 @@ * Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). * Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). * Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). -* Adds filter to entity definitions schema ({kibana-pull}208588[#208588]). -* Logs shard failures for eql event queries on rule details page and in event log ({kibana-pull}207396[#207396]). -* Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]). +* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). +* Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). +* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). * Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). * Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). -* Use provided data stream description in generated README ({kibana-pull}203236[#203236]). -* Creating a shared component for the Risk Engine's countdown text ({kibana-pull}203212[#203212]). -* Use Data stream name for data_stream.dataset value in input manifests ({kibana-pull}203106[#203106]). +* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). +* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). +* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). 
* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). -* Fixes a bug where environment variables were not collected on macOS according to the advanced.capture_env_vars field. -* Use the first event's timestamp as the timestamp for event aggregation. -* Updated the way endpoint initially connects to agent, improving the speed of connection significantly. -* Fix issues where Windows Defend uninstallation leaves files within Endpoint's directory that cannot be removed by administrators. These files can prevent subsequent installs and upgrades. -* Increase the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. -* Improve `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file +* Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field. +* Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. +* Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. +* Fix issues where uninstalling Windows Defend leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. +* Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. +* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From fc71c06c776ae1941fbf3eb3c000135037486321 Mon Sep 17 00:00:00 2001 
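Review bot: the known-issue title `Duplicate alerts can be produced from manually running threshold rules` does not match its body, which describes rule saved objects corrupted during a 7.17.x to 8.x upgrade causing errors when rules are turned on; one of the two belongs to a different issue. The `*Workaround* +` line is followed by an extra blank line that `*Details* +` does not have, and the uncommented deprecation line still reads `create docs link ... deprecated apis` rather than `creates a docs link ... deprecated APIs`.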
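Review bot: the new prebuilt rules item addresses `users` while every other entry speaks to `you`, and it links to a GitHub issue (kibana/issues/174168) rather than the prebuilt rule customization documentation; suggest `Allows you to customize prebuilt rules: you can modify most rule parameters, export and import prebuilt rules, including customized ones, and upgrade them while keeping your customizations ({kibana-pull}212761[#212761])`, with the docs page as the link target.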
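Review bot: the `@@ -88,7 +108,7 @@` hunk removes the space before the PR reference, producing `critical risk({kibana-pull}212980[#212980])`, a regression against every other entry; keep the space.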
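Review bot: `Fix issues where uninstalling Windows Defend leaves files` breaks the `Fixes ...` convention and `Windows Defend` is presumably `{elastic-defend} on Windows`; `Improves {elastic-defend} by improving` repeats itself and could be `Improves the entity_id algorithm on Windows Server 2012 so it is no longer vulnerable to PID reuse`; `running amd64 machines` needs `on`; and `caused generic error message to appear in OpenAI` needs an article and probably `the OpenAI connector`. The file also still ends without a trailing newline (`\ No newline at end of file`), which this rewrite of the last line could have fixed.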
From: "nastasha.solomon" Date: Tue, 25 Mar 2025 22:02:10 -0400 Subject: [PATCH 12/51] order features --- docs/release-notes/8.18.asciidoc | 27 +++++++++++++-------------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 8e07338b51..78accb376d 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -37,30 +37,29 @@ Duplicate your rules and enable them. ** POST /api/detection_engine/signals/finalize_migrations ** GET /api/detection_engine/signals/migration_status - [discrete] [[features-8.18.0]] ==== New features -* Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). + * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). -* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). -* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). -* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). -* Adds service enrichment to detection engine (). +* Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). +* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). 
* Provides configuration options to Entity Store through additional API parameters ({kibana-pull}206421[#206421]). +* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). +* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). +* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). * Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]). -* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). -* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). -* Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]). * Expands support for previewing logged {es} requests to include the new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). -* Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). -* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). +* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). +* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). * Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). 
* Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]). -* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). -* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). -* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). +* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). +* Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). +* Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). +* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). +* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. * Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. From 6082902c92eed218d737d8b0feea7286ae105743 Mon Sep 17 00:00:00 2001 
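Review bot: In PATCH 12/51, hunk @@ -37,30 +37,29 @@, the moved line "+* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries" carries a typo: "even" should be "event". Since these lines are being moved anyway, two more fixes belong in the same pass: "+* Adds enrichPolicyExecutionInterval to entity enablement and init APIs" leaves the parameter name unformatted and reads like an internal change log, so put `enrichPolicyExecutionInterval` in backticks and say what it does for the user (it controls how often the entity store enrich policy runs). The context line "* Introduces privileges that allow you a role to assign users to a case" is ungrammatical ("allow you a role"); "let you control whether a role can assign users to a case" would match the Timeline privileges bullet directly above it. Also, "Crowdstrike" is spelled "CrowdStrike" in both places in the response-actions bullet.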
From: "nastasha.solomon" Date: Tue, 25 Mar 2025 22:07:36 -0400 Subject: [PATCH 13/51] Order ehancements --- docs/release-notes/8.18.asciidoc | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 78accb376d..c383442fa9 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -42,7 +42,7 @@ Duplicate your rules and enable them. ==== New features * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). -* Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). +* Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). * Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). * Provides configuration options to Entity Store through additional API parameters ({kibana-pull}206421[#206421]). 
@@ -73,18 +73,19 @@ Duplicate your rules and enable them. [discrete] [[enhancements-8.18.0]] ==== Enhancements -* Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). -* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). -* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). -* Introduces changes to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). -* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). -* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). + * Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]). -* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). * Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). -* Adds audit logging for changes to knowledge base entries ({kibana-pull}203349[#203349]). -* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). +* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). +* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). * Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). +* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). 
+* Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]). +* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). +* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). +* Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). +* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). +* Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). * Reduces the system performance impact of file events. * Improves the resilience of {elastic-defend} in low memory situations. * Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. From 1dd46975618154ab888afd87647b33d8c7c8bc1a Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Tue, 25 Mar 2025 22:13:39 -0400 Subject: [PATCH 14/51] Orders bugs --- docs/release-notes/8.18.asciidoc | 45 +++++++++++++++----------------- 1 file changed, 21 insertions(+), 24 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index c383442fa9..59b312ba68 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -8,7 +8,6 @@ [discrete] [[known-issue-8.18.0]] ==== Known issues - // tag::known-issue[] [discrete] .Duplicate alerts can be produced from manually running threshold rules 
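Review bot: In PATCH 13/51, hunk @@ -73,18 +73,19 @@, the moved line "+* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138])." has a stray period before the PR reference that no other bullet has; drop it. "+* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287])" should be "Updates" to match the third-person form used everywhere else in the section. Grouping the AI Assistant items together is an improvement, and the rewording of the audit-logging bullet to name "AI Assistant knowledge base entries" is the right call, since that is the item a SOC reviewing audit coverage will search for.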
@@ -40,7 +39,6 @@ Duplicate your rules and enable them. [discrete] [[features-8.18.0]] ==== New features - * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). @@ -73,7 +71,6 @@ Duplicate your rules and enable them. [discrete] [[enhancements-8.18.0]] ==== Enhancements - * Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]). * Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). * Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). 
@@ -102,37 +99,37 @@ Duplicate your rules and enable them. [discrete] [[bug-fixes-8.18.0]] ==== Bug fixes -* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). +* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). +* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). +* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). +* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). +* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). +* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). +* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). +* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). * Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]). -* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). * Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). * Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). -* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). -* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). -* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). 
-* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). -* Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). -* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). -* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). -* Improves the confirmation message that appears when updated the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). +* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). * Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]). * Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]). * Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). -* Makes the 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). +* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). +* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). +* Improves the confirmation message that appears when updated the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). * Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). 
* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). -* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). -* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). +* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). +* Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). +* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). +* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). +* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). +* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). +* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). +* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). +* Makes the 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). * Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). -* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). * Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). 
-* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). -* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). -* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). -* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). -* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). -* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). -* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). * Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field. * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. From 83e8828781fb9b65450053e7c3a373cb09b0f66e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 26 Mar 2025 10:15:55 -0400 Subject: [PATCH 15/51] Minor revisions to PR summaries --- docs/release-notes/8.18.asciidoc | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 59b312ba68..3a8b66b5f3 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
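Review bot: In PATCH 14/51, hunk @@ -102,37 +99,37 @@, several of the moved "+" lines carry wording defects that should be fixed while they are being touched: "+* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980])" is missing the space before the parenthesis; "+* Fixes bugs that prevents cell action in the Alerts table" should be "Fixes bugs that prevent cell actions"; "+* Fixes a bug that incorrectly concealed the the isolate host panel" doubles "the"; "+* Fixes a bug that sometimes caused generic error message to appear in OpenAI" needs "a generic error message"; and "+* Improves the confirmation message that appears when updated the configuration" should read "when you update the configuration". The three earlier hunks in this patch only remove the blank line after each "====" heading, which is consistent with the Bug fixes heading that already has none.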
@@ -41,30 +41,30 @@ Duplicate your rules and enable them. ==== New features * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). -* Adds the ability for users to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. Users can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). +* Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). * Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). -* Provides configuration options to Entity Store through additional API parameters ({kibana-pull}206421[#206421]). +* Allows you to configure how often the enrich policy runs for the entity store ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). +* Provides configuration options to the entity store through additional API parameters ({kibana-pull}206421[#206421]). * Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). -* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). 
-* Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]). -* Expands support for previewing logged {es} requests to include the new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). +* Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]). +* Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). * Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). * Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). * Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). -* Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]). +* Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]). * Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). * Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). -* Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). 
+* Adds new third-party actions to Crowdstrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). -* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). +* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. -* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor health of staged global artifacts rollout. +* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. * Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. 
-* Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry +* Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry. * Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. * Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. @@ -72,8 +72,8 @@ Duplicate your rules and enable them. [[enhancements-8.18.0]] ==== Enhancements * Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]). -* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). * Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). +* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). * Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). * Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). * Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). 
@@ -84,9 +84,9 @@ Duplicate your rules and enable them. * Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). * Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). * Reduces the system performance impact of file events. -* Improves the resilience of {elastic-defend} in low memory situations. +* Improves {elastic-defend}'s resilience in low memory situations. * Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. -* When creating a new rule, the data view selector now shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). +* Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. 
@@ -116,7 +116,7 @@ Duplicate your rules and enable them. * Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). * Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). * Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). -* Improves the confirmation message that appears when updated the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). +* Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). * Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). * Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). * Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). 
@@ -127,12 +127,12 @@ Duplicate your rules and enable them. * Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). * Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). * Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). -* Makes the 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). +* Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). * Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). * Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). * Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field. * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. -* Fix issues where uninstalling Windows Defend leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. +* Fixes issues where uninstalling Windows Defend leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. * Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. 
* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From 3af6fe20f3cc72c01b6692dfcfdbf7dc61b26122 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 10:45:15 -0400 Subject: [PATCH 16/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Steph Milovic --- docs/release-notes/8.18.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 3a8b66b5f3..b24c3aca58 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -109,6 +109,7 @@ Duplicate your rules and enable them. * Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). * Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]). * Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). +* Fixes a bug in AI Assistant that caused the Bedrock region to always be `us-east-1` ({kibana-pull}214251[#214251]). * Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). * Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). * Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]). From 013cd6d748df238b1594b878c6054b541fbdeaeb Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 12:27:26 -0400 Subject: [PATCH 17/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index b24c3aca58..38a52bd3e9 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -55,7 +55,7 @@ Duplicate your rules and enable them. * Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]). * Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). * Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). -* Adds new third-party actions to Crowdstrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). +* Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). * Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. From 6c20abda0c74556a257e8293b3914f107a339028 Mon Sep 17 00:00:00 2001 
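Review bot: the spelling fix in the `+` line of the @@ -55 hunk is only partial: `CrowdStrike response actions` is corrected, but `using Crowdstrike agent` later in the same line keeps the old spelling and is also missing an article. Suggest `... which will allow you to execute remote commands using the CrowdStrike agent through {elastic-sec}` so the product name is consistent within one bullet.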
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 12:27:40 -0400 Subject: [PATCH 18/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 38a52bd3e9..bee02fe264 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -57,7 +57,7 @@ Duplicate your rules and enable them. * Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). * Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). -* Adds the `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). +* Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. From 21a5e9b3a21f99d15c476ea9c2235a0258bfc6ab Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 12:27:51 -0400 Subject: [PATCH 19/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index bee02fe264..f8027bc504 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -58,7 +58,7 @@ Duplicate your rules and enable them. * Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). * Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). -* Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. +* Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. * Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. 
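Review bot: the `+` line of the @@ -58 hunk opens a parenthetical comma after `fields` (`Adds new {elastic-defend} fields, \`process.Ext.command_line_truncated\` and ...`) but never closes it before `to indicate`. Either drop the comma after `fields` or add one after the second field name: `... and \`process.parent.Ext.command_line_truncated\`, to indicate when ...`.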
From 0359dee4fc81c30b0aa8d921bede201b9f9a3b4a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 12:28:19 -0400 Subject: [PATCH 20/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index f8027bc504..f5397a2150 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -65,7 +65,7 @@ Duplicate your rules and enable them. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. * Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry. -* Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. +* Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. * Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. [discrete] From d1da01ae3a4f43779d1f71f04e1a065b42e1bdca Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:36:14 -0400 Subject: [PATCH 21/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) 
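Review bot: in the `+` line of the @@ -65 hunk, "This section will contain a list ..." refers to the new `top_process_trees` field, not to a section, and the other bullets use present tense; suggest `This field contains a list of the noisiest processes on the system, ranked by how many events they generate.` The context line `Ensures that global artifacts update are delivered incrementally` also has a number-agreement slip (`updates are delivered`) that could be picked up in the same change.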
diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index f5397a2150..2f7e5ba5ce 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -60,7 +60,6 @@ Duplicate your rules and enable them. * Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. -* Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client. * Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. From cb6e1e745afb2bdf6ec3910abe70932f9b9f7533 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:36:24 -0400 Subject: [PATCH 22/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 2f7e5ba5ce..26343194ff 100644 
--- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -60,7 +60,6 @@ Duplicate your rules and enable them. * Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. -* Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. * Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry. From b01aab3b10883cc193a43ac76d1fe970462785b8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:36:37 -0400 Subject: [PATCH 23/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 26343194ff..22caf3a25e 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -62,7 +62,6 @@ Duplicate your rules and enable them. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. * Enables process event aggregation by default. -* Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry. * Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. * Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. From 6ef602018487ea963a71987a823581874b564ca2 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:36:52 -0400 Subject: [PATCH 24/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 22caf3a25e..a602f05de1 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -80,7 +80,7 @@ Duplicate your rules and enable them. * Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). * Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). * Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). -* Reduces the system performance impact of file events. +* Reduces the system performance impact of {elastic-defend} file events. * Improves {elastic-defend}'s resilience in low memory situations. * Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. * Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). From 2da14639c71d84f18b8def072862dd801b4b6638 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:37:04 -0400 Subject: [PATCH 25/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index a602f05de1..389e141078 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -131,6 +131,6 @@ Duplicate your rules and enable them. * Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field. * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. -* Fixes issues where uninstalling Windows Defend leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. +* Fixes issues where uninstalling {elastic-defend] on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. * Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. * Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From f00b7a9a0ce136a5289ef5ab2d3a64ea0bd675d8 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:37:21 -0400 Subject: [PATCH 26/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 389e141078..1f2e8dc78a 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
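Review bot: the `+` line of the @@ -131 hunk introduces a mismatched attribute reference, `{elastic-defend]`, where the closing brace was typed as a square bracket. AsciiDoc will not resolve that attribute and will render the literal text, so this should be `uninstalling {elastic-defend} on Windows leaves files within {elastic-defend}'s directory ...` before merge.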
@@ -128,7 +128,6 @@ Duplicate your rules and enable them. * Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). * Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). * Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). -* Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field. * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. * Fixes issues where uninstalling {elastic-defend] on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. From 11269089bf7145731046b9fbc11487b9f995a5a0 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:38:23 -0400 Subject: [PATCH 27/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 1f2e8dc78a..e6e3c0d9fa 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -91,7 +91,7 @@ Duplicate your rules and enable them. * Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. * Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. -* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. +* Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. [discrete] [[bug-fixes-8.18.0]] From c0de6fff1719f2c4131f9758c7c9672cec64fd8e Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:38:34 -0400 Subject: [PATCH 28/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index e6e3c0d9fa..6d21c13161 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
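Review bot: the `+` line of the @@ -91 hunk carries over the typo `at least once ever 24 hours` from the removed line; it should read `at least once every 24 hours`. The sentence also now says `{elastic-defend}` twice in quick succession (`Improves {elastic-defend} host information accuracy ... {elastic-defend} was updating`), so the second occurrence could become `It was updating this information only ...`.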
@@ -90,7 +90,7 @@ Duplicate your rules and enable them. * Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. * Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. -* Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts. +* Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts. * Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. [discrete] From 568f8d0c003003145fdf3e15f21ab8029c4bf062 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:38:46 -0400 Subject: [PATCH 29/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 6d21c13161..660ebadcb4 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -88,7 +88,7 @@ Duplicate your rules and enable them. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. * Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. -* Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. +* Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. * Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts. * Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. From c2aee48a8f4c840811301c34e1f1b4ce05489a4d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:38:59 -0400 Subject: [PATCH 30/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 660ebadcb4..df2224a2fc 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -87,7 +87,7 @@ Duplicate your rules and enable them. * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. -* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. +* Adds a new set of {elastic-defend} fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. * Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. * Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts. From b3da32c9621fc390c8392c9e9f10efe350585b95 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:39:16 -0400 Subject: [PATCH 31/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index df2224a2fc..886d62cbfd 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
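Review bot: the `+` line of the @@ -87 hunk describes "a new set of {elastic-defend} fields" but names a single identifier, `call_stack_final_hook_module`, so it is unclear whether that is one field or a prefix under which several fields live. Suggest stating which it is, for example `Adds a new set of {elastic-defend} fields under \`call_stack_final_hook_module\` ...`, and, for consistency with the surrounding bullets, `third-party security products` rather than `3rd party`.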
@@ -82,7 +82,7 @@ Duplicate your rules and enable them. * Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). * Reduces the system performance impact of {elastic-defend} file events. * Improves {elastic-defend}'s resilience in low memory situations. -* Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision. +* Updates the {elastic-defend} policy status message to show the {elastic-defend} policy name, revision, and {agent} policy revision. * Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. From 969477badd85c4df0797068d5c4584fe7e262f53 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:39:26 -0400 Subject: [PATCH 32/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 886d62cbfd..7756794d53 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -58,6 +58,7 @@ Duplicate your rules and enable them. * Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). * Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). +* {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. From acc0a65f1db4acb1e5c914de87203b2ecc59a1a6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 26 Mar 2025 14:40:44 -0400 Subject: [PATCH 33/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
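Review bot: the new bullet in the @@ -58 hunk (`+* {elastic-defend} will now graphically report its protection status ...`) breaks the verb-first form every other bullet in this list uses (`Adds ...`, `Allows ...`, `Ensures ...`). Suggest `* Reports {elastic-defend}'s protection status graphically when it is launched from Windows Security Center.` It is also the only bullet in the hunk without a `{kibana-pull}` reference; if this is an endpoint-only change with no Kibana PR, that is fine, otherwise please add the link.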
diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 7756794d53..0a07ef702b 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -87,7 +87,7 @@ Duplicate your rules and enable them. * Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. -* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}. +* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend} ({kibana-pull}205785[#205785]). * Adds a new set of {elastic-defend} fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. * Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. * Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. From dd5dfa67e5b4b557bb3370ac5cdf2ac6c77961ae Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 27 Mar 2025 09:49:59 -0400 Subject: [PATCH 34/51] rule migration feature --- docs/release-notes/8.18.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 0a07ef702b..a34c450a43 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
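Review bot: In the @@ -87,7 +87,7 @@ hunk the `allow_cloud_features` bullet gains its PR link but still does not say what the setting does when it is absent, nor what the accepted values look like; for an allowlist that governs which cloud resources the endpoint may reach, a reader needs at least "unset means all cloud features are allowed" (or the opposite) and a pointer to the list of feature names, otherwise they cannot tell whether leaving it unset is the permissive or the restrictive choice. Two context lines in the same hunk also need attention: "Adds a new set of {elastic-defend} fields `call_stack_final_hook_module`" names one field but says "set of fields", and the `Memory_protection.unique_key_v2` entry tells users to update `shellcode_thread` exceptions keyed on `unique_key_v1`, which is an action item with detection impact (exceptions keyed on the old field may no longer match) and belongs in an upgrade-notes or breaking-changes section rather than in the middle of the enhancements list.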
@@ -26,8 +26,6 @@ Duplicate your rules and enable them. [discrete] [[deprecations-8.18.0]] ==== Deprecations -* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]). -* Adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]). * The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]). * The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): @@ -39,6 +37,7 @@ Duplicate your rules and enable them. [discrete] [[features-8.18.0]] ==== New features +* Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents. * The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). * Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). * Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). From ddedd6c919ba97cfc9befbbfea515f0b6e0d49de Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 27 Mar 2025 10:10:06 -0400 Subject: [PATCH 35/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index a34c450a43..e06c53e01c 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
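Review bot: The first hunk (@@ -26,8 +26,6 @@) removes both bullets about the Endpoint management APIs deprecated in 9.0, leaving the Deprecations section with no mention of them; if the two Upgrade Assistant bullets were dropped because they describe Kibana-side plumbing, the deprecation itself still needs a user-facing entry here, since 8.18 is the release where readers preparing for 9.0 will look for it. The second hunk (@@ -39,6 +37,7 @@) adds "Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents" with no PR link, unlike every neighbouring feature, and without saying which source SIEM formats are supported or whether the feature is GA or technical preview; add the PR reference and the scope.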
@@ -60,7 +60,7 @@ Duplicate your rules and enable them. * {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. -* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout. +* {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). * Enables process event aggregation by default. * Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. 
This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. * Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. From 033ba7929dee772ac065cda91c49d31b7cd20341 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 27 Mar 2025 10:23:03 -0400 Subject: [PATCH 36/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index e06c53e01c..e44aebd2a9 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
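Review bot: The replacement bullet in the @@ -60,7 +60,7 @@ hunk now duplicates the two context bullets immediately above it (the `[os].advanced.artifacts.global.channel` opt-out and "Allows {elastic-defend} to send data to telemetry.elastic.co"), so fold all three into this one entry. In the new text, "rollback all participating systems" should be "roll back", and "Customers can control this behavior" should use the second person like the rest of the page ("You can control ..."). "A small percentage of cloud-connected systems" also implies an outbound dependency that deserves one explicit sentence: endpoints must be able to reach the artifact service and `telemetry.elastic.co`, and hosts without that egress will not take part in the staged rollout, which matters to anyone restricting endpoint egress with the `allow_cloud_features` setting documented further down this file. Finally, say in one sentence what the health telemetry contains, since a reader deciding whether to opt out needs to know what leaves the host.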
@@ -59,7 +59,6 @@ Duplicate your rules and enable them. * Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. -* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts. * {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). * Enables process event aggregation by default. * Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. From ff0b7705b275fdba11119adf79b6f00a06a2c13e Mon Sep 17 00:00:00 2001 
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 27 Mar 2025 10:23:48 -0400 Subject: [PATCH 37/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index e44aebd2a9..756e56dc80 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -56,7 +56,6 @@ Duplicate your rules and enable them. * Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). * Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). * Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). -* Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]). * {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. 
Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). From 7441813ae107c8b4a8e4c3ed493b43b0e50599f2 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 27 Mar 2025 10:24:13 -0400 Subject: [PATCH 38/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Daniel Ferullo <56368752+ferullo@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 756e56dc80..19b545df0e 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
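Review bot: Removing the standalone `[os].advanced.artifacts.global.channel` bullet in the @@ -56,7 +56,6 @@ hunk is the right dedupe, since the GA bullet two lines below already documents the setting with the same PR link; check that the surviving mention says what value to set, because "opt out" alone does not tell the reader what to put in the policy. In the context lines, "Crowdstrike agent" should be "CrowdStrike agent" to match the product name at the start of that bullet.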
@@ -59,7 +59,6 @@ Duplicate your rules and enable them. * {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). -* Enables process event aggregation by default. * Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. * Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. From af541246b18ae4ba48c5b936b9f1bd029cfc8546 Mon Sep 17 00:00:00 2001 
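Review bot: Deleting "Enables process event aggregation by default." in the @@ -59,7 +59,6 @@ hunk removes the only statement that this behaviour is on by default, while the surrounding bullets (`top_process_trees`, the opt-in `advanced.events.aggregate_network` setting) still describe aggregation; if the default stays, it needs to be documented together with its effect on anything that counts events, since a rule or dashboard that counts process starts will see fewer documents once short-lived processes are merged. If the line was dropped because the behaviour is documented elsewhere, say so in the commit message.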
From: "nastasha.solomon" Date: Thu, 27 Mar 2025 11:08:10 -0400 Subject: [PATCH 39/51] Revised title --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 19b545df0e..64cdb54b47 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -10,7 +10,7 @@ ==== Known issues // tag::known-issue[] [discrete] -.Duplicate alerts can be produced from manually running threshold rules +.Rules cannot be enabled if they're corrupted while upgrading from 7.x to 8.x [%collapsible] ==== *Details* + From 6943b861c357823cc06f75b82f544546dc06509c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Thu, 27 Mar 2025 12:28:43 -0400 Subject: [PATCH 40/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 64cdb54b47..2e40b6de43 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
@@ -124,7 +124,7 @@ Duplicate your rules and enable them. * Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). * Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). * Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). -* Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). +* Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. * Fixes issues where uninstalling {elastic-defend] on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. From 84b01cef0162353ff08baf9206adedacce200711 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 28 Mar 2025 09:01:23 -0400 Subject: [PATCH 41/51] known issue title --- docs/release-notes/8.18.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 2e40b6de43..d001a1b9fc 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -10,7 +10,7 @@ ==== Known issues // tag::known-issue[] [discrete] -.Rules cannot be enabled if they're corrupted while upgrading from 7.x to 8.x +.Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x [%collapsible] ==== *Details* + 
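Review bot: In the @@ -124,7 +124,7 @@ hunk, "shard failure details" is a real improvement over "details", but the context line two below it still reads "uninstalling {elastic-defend] on Windows" with a mismatched `]`, which will render the raw attribute text instead of the product name; fix it in this patch rather than a separate one. In the @@ -10,7 +10,7 @@ hunk the title narrows "7.x" to "7.17.x"; make sure the Details body uses the same range, and consider naming the 8.x target versions where the corruption occurs, since a reader on 8.18 wants to know whether a direct 7.17.x to 8.18 upgrade is affected.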
@@ -127,6 +127,6 @@ Duplicate your rules and enable them. * Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). * Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. * Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. -* Fixes issues where uninstalling {elastic-defend] on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. +* Fixes issues where uninstalling {elastic-defend} on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. * Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. * Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From cdaba8a08a6aca13635c7969f0613fc90b3d82ef Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 28 Mar 2025 09:02:40 -0400 Subject: [PATCH 42/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index d001a1b9fc..6e384ff626 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
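Review bot: The `{elastic-defend]` fix in the @@ -127,6 +127,6 @@ hunk is correct; while touching this block, the context lines need two edits: "running amd64 machines" should be "running on amd64 machines", and "Improves {elastic-defend} by improving `entity_id` algorithm" is redundant ("Improves the `entity_id` algorithm on Windows Server 2012 so it is no longer vulnerable to PID reuse"). The `entity_id` change deserves a sentence on why it matters, since an entity ID that collides on PID reuse lets one process's events be attributed to another, which is exactly what the fix prevents. The file also ends with "\ No newline at end of file"; add the trailing newline.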
@@ -81,6 +81,7 @@ Duplicate your rules and enable them. * Improves {elastic-defend}'s resilience in low memory situations. * Updates the {elastic-defend} policy status message to show the {elastic-defend} policy name, revision, and {agent} policy revision. * Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). +* Allows rule actions (except for **Summary of alerts** actions that run at a custom frequency) to activate during manual rule runs ({kibana-pull}200784[#200784]). * Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. * Includes the {elastic-defend} policy name and ID in alerts. * Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend} ({kibana-pull}205785[#205785]). From de5d5140f2aa4cecfa305c2d07792553c00f8f90 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 3 Apr 2025 17:15:17 -0400 Subject: [PATCH 43/51] more EA PRs --- docs/release-notes/8.18.asciidoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 6e384ff626..500e155547 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
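Review bot: The new bullet in the @@ -81,6 +81,7 @@ hunk is inserted between two {elastic-defend} entries ("Updates the {elastic-defend} policy status message ..." and "Implements various performance optimizations to reduce {elastic-defend}'s CPU usage ..."), breaking the grouping; move it next to the other detection-rule entries. The wording also needs an operational caveat: now that rule actions run during manual runs, backfilling a long time range will trigger the per-alert actions for every historical alert the run produces, so readers should check their action frequency before scheduling a large manual run. "Activate" should be "run" or "fire", and the exclusion for "**Summary of alerts** actions that run at a custom frequency" should say what happens to those actions instead.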
@@ -112,6 +112,9 @@ Duplicate your rules and enable them. * Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). * Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). * Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). +* Fixes a bug that prevented the `indexPattern` parameter from being respected when you refreshed a data view ({kibana-pull}215151[#215151]). +* Ensures that {kib} space IDs are dynamically retrieved for entity risk scores in the entity flyout ({kibana-pull}216063[#216063]). +* Uses data from the risk engine's saved object instead of your browser's local storage when loading the Entity Risk Score page ({kibana-pull}215304[#215304]). * Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). * Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). * Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). From 8e6c3d7903130dc6d591a3e7e5c58cec31e26ec2 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 4 Apr 2025 10:12:52 -0400 Subject: [PATCH 44/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 500e155547..9de4c6672c 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
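Review bot: The three bullets added in the @@ -112,6 +112,9 @@ hunk describe the implementation rather than the symptom. "Fixes a bug that prevented the `indexPattern` parameter from being respected when you refreshed a data view" does not say which page or API the reader would have hit it on; "Ensures that {kib} space IDs are dynamically retrieved for entity risk scores in the entity flyout" should state what went wrong before (for example, scores missing or from the wrong space when working outside the default space, if that was the symptom), because a space-scoping defect in risk data is something a reader running multiple spaces needs to be able to recognise; and the local-storage bullet should say whether stale local-storage state needs clearing after the upgrade or is simply ignored.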
@@ -60,7 +60,13 @@ Duplicate your rules and enable them. * Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. * {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). * Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. -* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it. +* Introduces <> in the {elastic-defend} integration policy to reduce the volume of data that {elastic-endpoint} processes and ingests. The following new behaviors are enabled by default. 
You can turn them off by configuring your {elastic-defend} integration policy advanced settings: ++ +NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} policies. ++ +** {elastic-endpoint} will merge short lived process `create/terminate` events and `network connect/terminate` events so only a single document is produced. +** {elastic-endpoint} will only include a small subset of data in the `host.*` fieldset in event documents. +** {elastic-endpoint} will not report MD5 and SHA-1 hashes in event data. [discrete] [[enhancements-8.18.0]] From 5a3c5145cd15bbd4a05dc444b0fda76321d2cb34 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 4 Apr 2025 12:17:58 -0400 Subject: [PATCH 45/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 9de4c6672c..f9ab7bcb80 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
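Review bot: The replacement in the @@ -60,7 +60,13 @@ hunk swaps one named opt-in setting, `advanced.events.aggregate_network`, for three behaviours that are on by default, but names no setting at all; "You can turn them off by configuring your {elastic-defend} integration policy advanced settings" needs the actual setting name for each of the three behaviours, otherwise a reader who wants to opt out has nothing to type. Two of the three defaults have detection consequences that should be stated here rather than left for readers to discover: dropping MD5 and SHA-1 from event data means any indicator match rule, exception or saved query that keys on those hash fields in endpoint events (for example `process.hash.md5` or `file.hash.sha1`) will stop matching, so say explicitly whether SHA-256 is still reported; and merging process create/terminate and network connect/terminate pairs into a single document changes document counts that threshold or count-based rules may depend on. The NOTE that existing policies keep the old behaviour is the right caveat, but clarify whether it survives editing the policy and whether policies created after the upgrade get the new defaults. Also, "short lived" should be "short-lived", and the `<>` cross-reference before "in the {elastic-defend} integration policy" appears empty; confirm the xref target is set.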
@@ -47,6 +47,7 @@ Duplicate your rules and enable them. * Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). * Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). * Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]). +* The manual runs functionality is now generally available ({kibana-pull}209535[#209535]). * Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). * Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). * Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). From 9f38601fdcaf44f9df30d82a31061fd06ea8c608 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 4 Apr 2025 14:49:33 -0400 Subject: [PATCH 46/51] alert suppression ki for eql rules --- docs/release-notes/8.18.asciidoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index f9ab7bcb80..dbf4592bd7 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -23,6 +23,17 @@ Duplicate your rules and enable them. ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules +[%collapsible] +==== +*Details* + +Alert suppression for event correlation rules is generally available but still shows as being in technical preview when you create a new rule. + +==== +// end::known-issue[] + [discrete] [[deprecations-8.18.0]] ==== Deprecations From 2abff441ee207667b82f7feabfa355428eab45a4 Mon Sep 17 00:00:00 2001 
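Review bot: In the @@ -47,6 +47,7 @@ hunk, "The manual runs functionality is now generally available" lands between the gap-remediation bullet and the request-preview bullet; the other GA announcement in this section ("The Automatic Import functionality is now generally available") sits near the top of New features, so move this one beside it, and the context line below it still has the typo "even correlation rules" for "event correlation rules". The known issue added in the @@ -23,6 +23,17 @@ hunk says the technical preview badge is wrong but not what that means for the user; add one sentence stating that alert suppression for event correlation rules works and is supported as GA despite the badge, since that is the question a reader opening this issue will have.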
From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 7 Apr 2025 10:44:54 -0400 Subject: [PATCH 47/51] Update docs/release-notes/8.18.asciidoc --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index dbf4592bd7..da88d3ad39 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc @@ -29,7 +29,7 @@ Duplicate your rules and enable them. [%collapsible] ==== *Details* + -Alert suppression for event correlation rules is generally available but still shows as being in technical preview when you create a new rule. +On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check (https://github.com/elastic/docs-content/issues/1021)[#1021]. ==== // end::known-issue[] From 3b274a8107c88128aa476312c0172916a6a023e3 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 7 Apr 2025 16:16:05 -0400 Subject: [PATCH 48/51] Removes two genai prs --- docs/release-notes/8.18.asciidoc | 2 -- 1 file changed, 2 deletions(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index da88d3ad39..c13a589b71 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
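Review bot: The link in the @@ -29,7 +29,7 @@ hunk is malformed AsciiDoc: `(https://github.com/elastic/docs-content/issues/1021)[#1021]` puts the closing parenthesis between the URL and the link text, so it will not render as the intended link; write it as `(https://github.com/elastic/docs-content/issues/1021[#1021])`. The date is also off: this patch is dated Mon, 7 Apr 2025 but the text says "On April 8, 2025, it was discovered"; use the date the issue was actually filed. Finally, the rewrite dropped the statement from the previous wording that the feature is generally available, which was the useful part; keep it.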
@@ -83,8 +83,6 @@ NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} poli [discrete] [[enhancements-8.18.0]] ==== Enhancements -* Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]). -* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]). * Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). * Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). * Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). From 9425de0672c209d2a030ced0bfe4e144a11bc77a Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 7 Apr 2025 18:36:42 -0400 Subject: [PATCH 49/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index c13a589b71..d74219ea84 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
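Review bot: The @@ -83,8 +83,6 @@ hunk removes both inference connector bullets without anything taking their place; if the inference connector is not shipping or not supported for Automatic Import, AI Assistant and Attack Discovery in 8.18, that is worth one line so readers who saw it in a prerelease do not go looking for it, and if it is shipping, the bullets should stay. In the context lines, "Attack discovery" and "Attack Discovery" are both used; pick one.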
@@ -89,7 +89,7 @@ NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} poli * Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). * Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]). * Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). -* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). +* Updates the entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). * Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). * Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). * Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). From a963815bb27e2b518edb1e70daca7170987eb9e4 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 7 Apr 2025 18:36:57 -0400 Subject: [PATCH 50/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index d74219ea84..13d808b6ac 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
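Review bot: The verb fix in the @@ -89,7 +89,7 @@ hunk is fine; the context line above it, "Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138])", has a stray period before the PR link and describes groundwork with no user-visible change, so either drop it from Enhancements or say what a user can do with it. "Allows you to include closed alerts in risk score calculations" should state the default (included or excluded), since the choice changes the scores a reader will see.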
@@ -113,7 +113,7 @@ NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} poli * Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). * Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). * Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). -* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). +* Ensures that the field mapping for Automatic Import contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). * Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). * Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). * Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). From 07cfdb223761c20f0422fafa969790dd8ec3806d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 7 Apr 2025 18:37:09 -0400 Subject: [PATCH 51/51] Update docs/release-notes/8.18.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes/8.18.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc index 13d808b6ac..5fa67b9404 100644 --- a/docs/release-notes/8.18.asciidoc +++ b/docs/release-notes/8.18.asciidoc 
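Review bot: The rewording in the @@ -113,7 +113,7 @@ hunk matches the verb-first style; the context line "Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers" is unclear. "Accesses" presumably means the generated Painless field-access expressions in the integration's ingest pipeline (bracket notation for names containing characters that are not valid identifiers); say that, so the reader understands where Painless enters Automatic Import and which field names were affected.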
@@ -135,7 +135,7 @@ NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} poli * Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). * Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). * Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). -* Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). +* Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). * Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). * Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). * Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]).
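Review bot: The quote fix in the @@ -135,7 +135,7 @@ hunk is fine, but the three context lines that follow each need a fix in the same pass: "critical risk({kibana-pull}" is missing a space before the parenthesis, "Fixes bugs that prevents cell action in the Alerts table" should be "Fixes bugs that prevented cell actions in the Alerts table", and "concealed the the isolate host panel" has a doubled "the".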