From 246fe3487e79cd52fa9d3f37ce14692e5323080e Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
Date: Thu, 31 Jul 2025 15:49:26 +0100
Subject: [PATCH 1/2] Replace placeholder URLs (#6990)

(cherry picked from commit 16334698c81dba33d1d3f90988852adf08fa3594)

# Conflicts:
# docs/AI-for-security/connect-to-byo.asciidoc
# docs/cloud-native-security/cspm-get-started-aws.asciidoc
# docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc
# docs/release-notes/8.16.asciidoc
# docs/release-notes/8.8.asciidoc
# docs/release-notes/8.9.asciidoc
---
 docs/AI-for-security/connect-to-byo.asciidoc | 199 ++++
 .../cspm-get-started-aws.asciidoc | 305 ++++++
 .../get-started-with-kspm.asciidoc | 2 +-
 ...ltiple-vault-web-credentials-read.asciidoc | 10 +
 docs/release-notes/8.16.asciidoc | 893 ++++++++++++++++++
 docs/release-notes/8.8.asciidoc | 508 ++++++++++
 docs/release-notes/8.9.asciidoc | 187 ++++
 7 files changed, 2103 insertions(+), 1 deletion(-)
 create mode 100644 docs/AI-for-security/connect-to-byo.asciidoc
 create mode 100644 docs/cloud-native-security/cspm-get-started-aws.asciidoc
 create mode 100644 docs/release-notes/8.16.asciidoc
 create mode 100644 docs/release-notes/8.8.asciidoc
 create mode 100644 docs/release-notes/8.9.asciidoc

diff --git a/docs/AI-for-security/connect-to-byo.asciidoc b/docs/AI-for-security/connect-to-byo.asciidoc
new file mode 100644
index 0000000000..36e1cb1603
--- /dev/null
+++ b/docs/AI-for-security/connect-to-byo.asciidoc
@@ -0,0 +1,199 @@ +[[connect-to-byo-llm]] += Connect to your own local LLM + +:frontmatter-description: Set up a connector to LM Studio so you can use a local model with AI Assistant. +:frontmatter-tags-products: [security] +:frontmatter-tags-content-type: [guide] +:frontmatter-tags-user-goals: [get-started] + +This page provides instructions for setting up a connector to a large language model (LLM) of your choice using LM Studio. This allows you to use your chosen model within {elastic-sec}. You'll first need to set up a reverse proxy to communicate with {elastic-sec}, then set up LM Studio on a server, and finally configure the connector in your Elastic deployment. https://www.elastic.co/blog/ai-assistant-locally-hosted-models[Learn more about the benefits of using a local LLM]. + +This example uses a single server hosted in GCP to run the following components: + +* LM Studio with the https://huggingface.co/mistralai/Mistral-Nemo-Instruct-2407[Mistral-Nemo-Instruct-2407] model +* A reverse proxy using Nginx to authenticate to Elastic Cloud + +image::images/lms-studio-arch-diagram.png[Architecture diagram for this guide] + +NOTE: For testing, you can use alternatives to Nginx such as https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview[Azure Dev Tunnels] or https://ngrok.com/[Ngrok], but using Nginx makes it easy to collect additional telemetry and monitor its status by using Elastic's native Nginx integration. While this example uses cloud infrastructure, it could also be replicated locally without an internet connection. + +NOTE: For information about the performance of open-source models on tasks within {elastic-sec}, refer to the <>. + +[discrete] +== Configure your reverse proxy + +NOTE: If your Elastic instance is on the same host as LM Studio, you can skip this step. 
Also, check out our https://www.elastic.co/blog/herding-llama-3-1-with-elastic-and-lm-studio[blog post] that walks through the whole process of setting up a single-host implementation. + +You need to set up a reverse proxy to enable communication between LM Studio and Elastic. For more complete instructions, refer to a guide such as https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-on-ubuntu-22-04[this one]. + +The following is an example Nginx configuration file: + +[source,txt] +-------------------------------------------------- +server { + listen 80; + listen [::]:80; + server_name ; + server_tokens off; + add_header x-xss-protection "1; mode=block" always; + add_header x-frame-options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + return 301 ; +} + +server { + + listen 443 ssl http2; + listen [::]:443 ssl http2; + server_name ; + server_tokens off; + ssl_certificate /etc/letsencrypt/live//fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live//privkey.pem; + ssl_session_timeout 1d; + ssl_session_cache shared:SSL:50m; + ssl_session_tickets on; + ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'; + ssl_protocols TLSv1.3 TLSv1.2; + ssl_prefer_server_ciphers on; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + add_header x-xss-protection "1; mode=block" always; + add_header x-frame-options "SAMEORIGIN" always; + add_header X-Content-Type-Options "nosniff" always; + add_header Referrer-Policy "strict-origin-when-cross-origin" always; + ssl_stapling on; + ssl_stapling_verify on; + ssl_trusted_certificate /etc/letsencrypt/live//fullchain.pem; + resolver 1.1.1.1; + location / { + + if ($http_authorization != "Bearer ") { + return 401; +} + + proxy_pass :1234/; + } + +} 
+-------------------------------------------------- + +[IMPORTANT] +==== +If using the example configuration file above, you must replace several values: + +* Replace `` with your actual token, and keep it safe since you'll need it to set up the {elastic-sec} connector. +* Replace `` with your actual domain name. +* Update the `proxy_pass` value at the bottom of the configuration if you decide to change the port number in LM Studio to something other than 1234. +==== + +[discrete] +=== (Optional) Set up performance monitoring for your reverse proxy +You can use Elastic's {integrations-docs}/nginx[Nginx integration] to monitor performance and populate monitoring dashboards in the {security-app}. + +[discrete] +== Configure LM Studio and download a model + +First, install https://lmstudio.ai/[LM Studio]. LM Studio supports the OpenAI SDK, which makes it compatible with Elastic's OpenAI connector, allowing you to connect to any model available in the LM Studio marketplace. + +You must launch the application using its GUI before doing so using the CLI. For example, use Chrome RDP with an https://cloud.google.com/architecture/chrome-desktop-remote-on-compute-engine[X Window System]. After you've opened the application the first time using the GUI, you can start it by using `sudo lms server start` in the CLI. + +Once you've launched LM Studio: + +1. Go to LM Studio's Search window. +2. Search for an LLM (for example, `Mistral-Nemo-Instruct-2407`). Your chosen model must include `instruct` in its name in order to work with Elastic. +3. After you find a model, view download options and select a recommended version (green). For best performance, select one with the thumbs-up icon that indicates good performance on your hardware. +4. Download one or more models. + +IMPORTANT: For security reasons, before downloading a model, verify that it is from a trusted source. It can be helpful to review community feedback on the model (for example using a site like Hugging Face). 
+ +image::images/lms-model-select.png[The LM Studio model selection interface] + +In this example we used https://huggingface.co/mistralai/Mistral-Nemo-Instruct-2407[`mistralai/Mistral-Nemo-Instruct-2407`]. It has 12B total parameters, a 128,000 token context window, and uses GGUF https://huggingface.co/docs/transformers/main/en/quantization/overview[quanitization]. For more information about model names and format information, refer to the following table. + +[cols="1,1,1,1", options="header"] +|=== +| Model Name | Parameter Size | Tokens/Context Window | Quantization Format +| Name of model, sometimes with a version number. +| LLMs are often compared by their number of parameters — higher numbers mean more powerful models. +| Tokens are small chunks of input information. Tokens do not necessarily correspond to characters. You can use https://platform.openai.com/tokenizer[Tokenizer] to see how many tokens a given prompt might contain. +| Quantization reduces overall parameters and helps the model to run faster, but reduces accuracy. +| Examples: Llama, Mistral, Phi-3, Falcon. +| The number of parameters is a measure of the size and the complexity of the model. The more parameters a model has, the more data it can process, learn from, generate, and predict. +| The context window defines how much information the model can process at once. If the number of input tokens exceeds this limit, input gets truncated. +| Specific formats for quantization vary, most models now support GPU rather than CPU offloading. +|=== + +[discrete] +== Load a model in LM Studio + +After downloading a model, load it in LM Studio using the GUI or LM Studio's https://lmstudio.ai/blog/lms[CLI tool]. + +[discrete] +=== Option 1: load a model using the CLI (Recommended) + +It is a best practice to download models from the marketplace using the GUI, and then load or unload them using the CLI. 
The GUI allows you to search for models, whereas the CLI allows you to use `lms get` to search for models. The CLI provides a good interface for loading and unloading. + +Once you've downloaded a model, use the following commands in your CLI: + +1. Verify LM Studio is installed: `lms` +2. Check LM Studio's status: `lms status` +3. List all downloaded models: `lms ls` +4. Load a model: `lms load`. + +image::images/lms-cli-welcome.png[The CLI interface during execution of initial LM Studio commands] + +After the model loads, you should see a `Model loaded successfully` message in the CLI. Select a model using the arrow and *Enter* keys. + +image::images/lms-studio-model-loaded-msg.png[The CLI message that appears after a model loads] + +To verify which model is loaded, use the `lms ps` command. + +image::images/lms-ps-command.png[The CLI message that appears after running lms ps] + +If your model uses NVIDIA drivers, you can check the GPU performance with the `sudo nvidia-smi` command. + +[discrete] +=== Option 2: load a model using the GUI + +Refer to the following video to see how to load a model using LM Studio's GUI. You can change the **port** setting, which is referenced in the Nginx configuration file. Note that the **GPU offload** was set to **Max**. + +======= +++++ + + +
+++++ +======= + +[discrete] +== (Optional) Collect logs using Elastic's Custom Logs integration + +You can monitor the performance of the host running LM Studio using Elastic's {integrations-docs}/log[Custom Logs integration]. This can also help with troubleshooting. Note that the default path for LM Studio logs is `/tmp/lmstudio-server-log.txt`, as in the following screenshot: + +image::images/lms-custom-logs-config.png[The configuration window for the custom logs integration] + +[discrete] +== Configure the connector in your Elastic deployment + +Finally, configure the connector: + +1. Log in to your Elastic deployment. +2. Find the **Connectors** page in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Then click **Create Connector**, and select **OpenAI**. The OpenAI connector enables this use case because LM Studio uses the OpenAI SDK. +3. Name your connector to help keep track of the model version you are using. +4. Under **Select an OpenAI provider**, select **Other (OpenAI Compatible Service)**. +5. Under **URL**, enter the domain name specified in your Nginx configuration file, followed by `/v1/chat/completions`. +6. Under **Default model**, enter `local-model`. +7. Under **API key**, enter the secret token specified in your Nginx configuration file. +8. Click **Save**. + +image::images/lms-edit-connector.png[The Edit connector page in the {security-app}, with appropriate values populated] + +Setup is now complete. You can use the model you've loaded in LM Studio to power Elastic's generative AI features. You can test a variety of models as you interact with AI Assistant to see what works best without having to update your connector. + +NOTE: While local models work well for <>, we recommend you use one of <> for interacting with <>. As local models become more performant over time, this is likely to change. 
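Review bot: The token check in `location /` (`if ($http_authorization != "Bearer ") { return 401; }`) is the only access control in front of the LM Studio API that `proxy_pass :1234/;` exposes, yet the IMPORTANT block only says to replace the placeholder "with your actual token"; it should tell readers to generate a long random value (for example `openssl rand -hex 32`) rather than pick one, and to treat it as an API secret, since the same value is later pasted into the connector's **API key** field. `ssl_session_tickets on;` also leaves resumed sessions decryptable by whoever holds the ticket key for as long as that key stays in use (nginx does not rotate it on its own), so the example should use `ssl_session_tickets off;`, as the Mozilla nginx TLS profile does. Placeholders that were in angle brackets (`server_name ;`, `return 301 ;`, `/etc/letsencrypt/live//fullchain.pem`, `refer to the <>`) appear stripped in this rendering, presumably an extraction artifact rather than the committed text. Minor: `quanitization` → `quantization` in the paragraph introducing the model table.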
diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc
new file mode 100644
index 0000000000..2a509e8123
--- /dev/null
+++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc
@@ -0,0 +1,305 @@ +[[cspm-get-started]] += Get started with CSPM for AWS + +[discrete] +[[cspm-overview]] +== Overview + +This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature. + +.Requirements +[sidebar] +-- +* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <>. +* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription]. +* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work. +* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support]. +* The user who gives the CSPM integration AWS permissions must be an AWS account `admin`. +-- + +[discrete] +[[cspm-setup]] +== Set up CSPM for AWS + +You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <> allows you to collect cloud posture data without having to manage the deployment of {agent} in your cloud. <> requires you to deploy and manage {agent} in the cloud account you want to monitor. + +[discrete] +[[cspm-aws-agentless]] +== Agentless deployment + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. 
Select *AWS*, then either *AWS Organization* to onboard multiple accounts, or *Single Account* to onboard an individual account. +. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. +. Click **Advanced options**, then select **Agentless (BETA)**. +. Next, you'll need to authenticate to AWS. Two methods are available: +.. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. ++ +NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. ++ +.. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <>. +. Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. + +IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering]. + +[discrete] +[[cspm-aws-agent-based]] +== Agent-based deployment + +[discrete] +[[cspm-add-and-name-integration]] +=== Add the CSPM integration +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Search for `CSPM`, then click on the result. +. Click *Add Cloud Security Posture Management (CSPM)*. +. Select *AWS*, then either *AWS Organization* to onboard multiple accounts, or *Single Account* to onboard an individual account. +. 
Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`. + + +[discrete] +[[cspm-set-up-cloud-access-section]] +=== Set up cloud account access +The CSPM integration requires access to AWS's built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access. + +For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below. + + +[discrete] +[[cspm-set-up-cloudformation]] +=== CloudFormation (recommended) +. In the *Add Cloud Security Posture Management (CSPM) integration* menu, under *Setup Access*, select *CloudFormation*. +. In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard. +. Return to your {kib} tab. Click *Save and continue* at the bottom of the page. +. Review the information, then click *Launch CloudFormation*. +. A CloudFormation template appears in a new browser tab. +. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. +. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. +. Tick the checkbox under *Capabilities* to authorize the creation of necessary resources. ++ +image::images/cspm-cloudformation-template.png[The Add permissions screen in AWS] ++ +. 
At the bottom of the template, select *Create stack*. + +When you return to {kib}, click *View assets* to review the data being collected by your new integration. + + +[discrete] +[[cspm-setup-organization-manual]] +=== Manual authentication for organization-level onboarding + +NOTE: If you're onboarding a single account instead of an organization, skip this section. + +When using manual authentication to onboard at the organization level, you need to configure the necessary permissions using the AWS console for the organization where you want to deploy: + +* In the organization's management account (root account), create an IAM role called `cloudbeat-root` (the name is important). The role needs several policies: + +** The following inline policy: + +.Click to expand policy +[%collapsible] +==== +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Action": [ + "organizations:List*", + "organizations:Describe*" + ], + "Resource": "*", + "Effect": "Allow" + }, + { + "Action": [ + "sts:AssumeRole" + ], + "Resource": "*", + "Effect": "Allow" + } + ] +} +``` +==== + +** The following trust policy: + +.Click to expand policy +[%collapsible] +==== +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::root" + }, + "Action": "sts:AssumeRole" + }, + { + "Effect": "Allow", + "Principal": { + "Service": "ec2.amazonaws.com" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` +==== + +** The AWS-managed `SecurityAudit` policy. + +IMPORTANT: You must replace `` in the trust policy with your AWS account ID. + +* Next, for each account you want to scan in the organization, create an IAM role named `cloudbeat-securityaudit` with the following policies: +** The AWS-managed `SecurityAudit` policy. 
+** The following trust policy: + +.Click to expand policy +[%collapsible] +==== +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam:::role/cloudbeat-root" + }, + "Action": "sts:AssumeRole" + } + ] +} +``` +==== + +IMPORTANT: You must replace `` in the trust policy with your AWS account ID. + +After creating the necessary roles, authenticate using one of the manual authentication methods. + +IMPORTANT: When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges. + +[discrete] +[[cspm-set-up-manual]] +=== Manual authentication methods + +* <> +* <> +* <> +* <> +* <> + +IMPORTANT: Whichever method you use to authenticate, make sure AWS’s built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] is attached. + +[discrete] +[[cspm-use-instance-role]] +==== Option 1 - Default instance role + +NOTE: If you are deploying to an AWS organization instead of an AWS account, you should already have <>, `cloudbeat-root`. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance. + +Follow AWS's https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html[IAM roles for Amazon EC2] documentation to create an IAM role using the IAM console, which automatically generates an instance profile. + +. Create an IAM role: +.. In AWS, go to your IAM dashboard. Click *Roles*, then *Create role*. +.. On the *Select trusted entity* page, under **Trusted entity type**, select *AWS service*. +.. Under **Use case**, select *EC2*. Click *Next*. ++ +image::images/cspm-aws-auth-1.png[The Select trusted entity screen in AWS] ++ +.. On the *Add permissions* page, search for and select `SecurityAudit`. Click *Next*. 
++ +image::images/cspm-aws-auth-2.png[The Add permissions screen in AWS] ++ +.. On the *Name, review, and create* page, name your role, then click *Create role*. +. Attach your new IAM role to an EC2 instance: +.. In AWS, select an EC2 instance. +.. Select *Actions > Security > Modify IAM role*. ++ +image::images/cspm-aws-auth-3.png[The EC2 page in AWS, showing the Modify IAM role option] ++ +.. On the *Modify IAM role* page, search for and select your new IAM role. +.. Click *Update IAM role*. +.. Return to {kib} and <>. + +IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {kib}, in the **Setup Access* section, select *Assume role**. Leave **Role ARN** empty for agentless deployments. For agent-based deployments, leave it empty unless you want to specify a role the {agent} should assume instead of the default role for your EC2 instance. Click **Save and continue**. + +[discrete] +[[cspm-use-keys-directly]] +==== Option 2 - Direct access keys +Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, <>. + +For more details, refer to https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html[Access Keys and Secret Access Keys]. + +IMPORTANT: You must select *Programmatic access* when creating the IAM user. + +[discrete] +[[cspm-use-temp-credentials]] +==== Option 3 - Temporary security credentials +You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a session token, which is typically found using `GetSessionToken`. + +Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration's configuration to continue collecting cloud posture data. 
Update the credentials before they expire to avoid data loss. + +NOTE: IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling `GetSessionToken`. For more details, refer to AWS's https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[Temporary Security Credentials] documentation. + +You can use the AWS CLI to generate temporary credentials. For example, you could use the following command if you have MFA enabled: + +[source,console] +---------------------------------- +sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email --duration-seconds 129600 --token-code 123456 +---------------------------------- + +The output from this command includes the following fields, which you should provide when configuring the CSPM integration: + +* `Access key ID`: The first part of the access key. +* `Secret Access Key`: The second part of the access key. +* `Session Token`: The required token when using temporary security credentials. + +After you provide credentials, <>. + +[discrete] +[[cspm-use-a-shared-credentials-file]] +==== Option 4 - Shared credentials file +If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html[Shared Credentials Files] documentation. + +Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file: + +* `Credential Profile Name`: The profile name in the shared credentials file. +* `Shared Credential File`: The directory of the shared credentials file. 
+ +If you don't provide values for all configuration fields, the integration will use these defaults: + +- If `Access key ID`, `Secret Access Key`, and `ARN Role` are not provided, then the integration will check for `Credential Profile Name`. +- If there is no `Credential Profile Name`, the default profile will be used. +- If `Shared Credential File` is empty, the default directory will be used. + - For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`. + +After providing credentials, <>. + +[discrete] +[[cspm-use-iam-arn]] +==== Option 5 - IAM role Amazon Resource Name (ARN) +An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role's permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session. + +To use an IAM role ARN, select *Assume role* under *Preferred manual method*, enter the ARN, and continue to Finish manual setup. + +[discrete] +[[cspm-finish-manual]] +=== Finish manual setup +Once you’ve provided AWS credentials, under *Where to add this integration*: + +If you want to monitor an AWS account or organization where you have not yet deployed {agent}: + +* Select *New Hosts*. +* Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-aws-account`. +* Click *Save and continue*, then *Add {agent} to your hosts*. The *Add agent* wizard appears and provides {agent} binaries, which you can download and deploy to your AWS account. + +If you want to monitor an AWS account or organization where you have already deployed {agent}: + +* Select **Existing hosts**. +* Select an agent policy that applies the AWS account you want to monitor. +* Click **Save and continue**. 
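Review bot: The inline policy given for `cloudbeat-root` grants `sts:AssumeRole` on `"Resource": "*"`, so that role may assume any role in any account whose trust policy names it; as far as this page shows it only ever needs to assume `cloudbeat-securityaudit` in member accounts, so the statement can be narrowed to `"Resource": "arn:aws:iam::*:role/cloudbeat-securityaudit"` without losing function. In Option 2 the text describes access keys as long-term credentials for "an IAM user or AWS account root user"; since the page is telling readers which credentials to paste into the integration, it should add that root-user access keys must not be used and that a dedicated IAM user carrying only `SecurityAudit` is the expected choice. Option 4 describes `Shared Credential File` as "the directory of the shared credentials file", but the default the page itself gives (`~/.aws/credentials`) is a file path, so `The path to the shared credentials file.` is the accurate wording. Placeholders that were in angle brackets (`"AWS": "arn:aws:iam:::root"`, `Replace `` in the trust policy`) appear stripped in this rendering, presumably an extraction artifact rather than the committed text.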
diff --git a/docs/cloud-native-security/get-started-with-kspm.asciidoc b/docs/cloud-native-security/get-started-with-kspm.asciidoc index 2a949e177d..b2d3196f5b 100644 --- a/docs/cloud-native-security/get-started-with-kspm.asciidoc +++ b/docs/cloud-native-security/get-started-with-kspm.asciidoc @@ -140,7 +140,7 @@ You can use the AWS CLI to generate temporary credentials. For example, you coul [source,console] ---------------------------------- -`sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@example.com --duration-seconds 129600 --token-code 123456` +`sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email@ --duration-seconds 129600 --token-code 123456` ---------------------------------- The output from this command includes the following fields, which you should provide when configuring the KSPM integration: diff --git a/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc b/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc index 3446d8a4e9..3f24a15672 100644 --- a/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc +++ b/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc @@ -61,6 +61,7 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s [any where event.code : "5382" and (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and +<<<<<<< HEAD not winlog.event_data.SubjectLogonId : "0x3e7" and not winlog.event_data.Resource : "http://localhost/"] 
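Review bot: The new side commits unresolved merge-conflict markers into the rule's query block: `+<<<<<<< HEAD` in this hunk, and `+=======` / `+>>>>>>> 16334698 (Replace placeholder URLs (#6990))` in the next hunk (`@@ -68,6 +69,15 @@`), which matches this file being listed under `# Conflicts:` in the message. As committed, the rendered EQL holds both the HEAD tail and the cherry-picked tail of the sequence, so the second `[any where event.code : "5382" ...]` clause appears twice with the markers in between; resolve by deleting the three marker lines and one of the two sides, keeping the cherry-picked side to carry the backport's intent. Separately, `http://localhost/` in this query is the exclusion value of the actual prebuilt rule rather than a documentation placeholder, so replacing it (the new value renders as `""` on this page, presumably a stripped placeholder) would make the documented query diverge from the rule source; worth confirming against the rule before resolving. The enclosing source block starts before this hunk and ends after the next one.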
@@ -68,6 +69,15 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and not winlog.event_data.SubjectLogonId : "0x3e7" and not winlog.event_data.Resource : "http://localhost/"] +======= + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : ""] + + [any where event.code : "5382" and + (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and + not winlog.event_data.SubjectLogonId : "0x3e7" and + not winlog.event_data.Resource : ""] +>>>>>>> 16334698 (Replace placeholder URLs (#6990)) ---------------------------------- diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc new file mode 100644 index 0000000000..56582ce18c --- /dev/null +++ b/docs/release-notes/8.16.asciidoc 
@@ -0,0 +1,893 @@ +[[release-notes-header-8.16.0]] +== 8.16 + +[discrete] +[[release-notes-8.16.6]] +=== 8.16.6 + +[discrete] +[[known-issue-8.16.6]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Installing an {elastic-defend} integration or a new agent policy upgrades installed prebuilt rules, overwriting user-added actions and exceptions +[%collapsible] +==== +*Details* + +When you install an {elastic-defend} integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions. + +*Workaround* + +To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten. + +*Resolved* + +This issue is fixed in {stack} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.16.6]] +==== Bug fixes +* Fixes a bug that prevented you from changing column widths in Timeline ({kibana-pull}214178[#214178]). +* Fixes a bug that prevented you from being able to save event filters ({kibana-pull}213805[#213805]). +* Allows Automatic Import to handle a variety of structures when parsing system logs ({kibana-pull}212611[#212611]). +* Fixes a bug that prevented the selected data view and **Show only detection alerts** option from being reliably persisted in Timeline ({kibana-pull}211343[#211343]). +* Fixes a rare upgrade failure when {elastic-defend} has tamper protection enabled. +* Fixes a bug in the scan response action that can crash {elastic-defend}. 
+* Fixes a potential {elastic-defend} crash when generating multiple ransomware alerts on Windows. This issue was simultaneously mitigated by a cloud artifact update (manifest version 1.0.1381) on February 24, 2025. Internet-connected instances of {elastic-defend} will automatically receive this update -- no user intervention required. Air-gapped customers hosting their own artifacts should follow <>. We would like to acknowledge https://www.todyl.com[Todyl] for their assistance with this issue. +* Fixes a bug in {elastic-defend} for Linux where tty capture limit defaults were ignored. + +[discrete] +[[release-notes-8.16.5]] +=== 8.16.5 + +[discrete] +[[known-issue-8.16.5]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). 
This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
+ +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.16.5]] +==== Bug fixes +* Fixes an issue with the Event Rendered View in the Alerts table where the table would sometimes have a height of zero and become unusable ({kibana-pull}212130[#212130]). +* Updated the `allocate_shellcode` {elastic-defend} API event behavior to explicitly only apply to unbacked memory. + +[discrete] +[[release-notes-8.16.4]] +=== 8.16.4 + +[discrete] +[[known-issue-8.16.4]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
+==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[features-8.16.4]] +==== New features +* Adds the `advanced.malware.max_file_size_bytes` <>, which allows you to control the maximum file size for malware protection. + +[discrete] +[[enhancements-8.16.4]] +==== Enhancements +* Enhances the performance of {elastic-defend} network events monitoring for better CPU utilization and responsiveness. +* Adds byte counts to Linux {elastic-defend} network disconnect events. + +[discrete] +[[bug-fixes-8.16.4]] +==== Bug fixes +* Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]). 
+* Fixes an AI Assistant bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). +* Adds missing fields to Automatic Import's input manifest templates ({kibana-pull}208768[#208768]). +* Ensures that Automatic Import's structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character ({kibana-pull}209736[#209736]). +* Adds fields that are missing from Automatic Import's `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). +* Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers. +* Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. +* Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. +* Increases the maximum number of ETW buffers that {elastic-defend} can use. +* Fixes a bug in {elastic-defend} where a combination of "descendent of process" event filters and unenriched events would not match other event filters. +* Fixes an issue where {elastic-defend} wasn't correctly populating `event.created` for process events on Windows. +* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event, which was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended. 
+ +[discrete] +[[release-notes-8.16.3]] +=== 8.16.3 + +[discrete] +[[known-issue-8.16.3]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
+ +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.16.3]] +==== Bug fixes + +* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). +* Improves how the rule query field handles whitespace for long pre-formatted texts. 
This fix only applies to Firefox, not Chrome or Safari ({kibana-pull}203993[#203993]). +* Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]). +* Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned ({kibana-pull}203820[#203820]). +* Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]). +* Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases ({kibana-pull}205138[#205138]). +* Lists all policies to ensure that integrations are properly displayed ({kibana-pull}205103[#205103]). +* Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. ++ +Affected users who are unable to upgrade should set one or both of the following in their {elastic-defend} advanced policy, depending on their version: + +** `windows.advanced.events.process.creation_flags: false` (8.13.0 - 8.16.1) +** `windows.advanced.memory_protection.shellcode_trampoline_detection: false` (8.12.0 - 8.16.2) +* Fixes an {elastic-defend} bug that could cause the Windows API event call stack enrichment to fail for processes that started before {elastic-defend} and if another security product was present and hooking system DLLs. +* Fixes an {elastic-defend} bug that caused Windows API events involving `mswsock.dll` to be mislabeled with the `proxy_call` behavior. 
+ +[discrete] +[[release-notes-8.16.2]] +=== 8.16.2 + +[discrete] +[[known-issue-8.16.2]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
+ +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.16.2]] +==== Bug fixes + +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). 
+* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). +* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). +* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). +* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). +* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. +* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in the Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator. + +[discrete] +[[release-notes-8.16.1]] +=== 8.16.1 + +[discrete] +[[known-issue-8.16.1]] +==== Known issues + +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). 
This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. + +For custom rules: + +. From the **Rules** page, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. + +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: ++ +[source,console] +---- +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +---- ++ +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. 
Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + +==== +// end::known-issue[201820] + +// tag::known-issue[] +[discrete] +.Manually running threshold rules may generate duplicate alerts +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems
+[%collapsible]
+====
+*Details*
+
+
+An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
+
+*Workaround*
+
+
+If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>:
+
+* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`.
+* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`.
+
+
+NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features.
+
+*Resolved*
+
+This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1.
+
+
+====
+// end::known-issue[]
+
+[discrete]
+[[bug-fixes-8.16.1]]
+==== Bug fixes
+* Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]).
+* Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]).
+* Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]).
+* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]).
+* Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]).
+* Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]).
+* Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]).
+* Fixes a time skew bug that occurred when Linux virtual machines using eBPF event probes were suspended and then resumed.
+
+[discrete]
+[[release-notes-8.16.0]]
+=== 8.16.0
+
+[discrete]
+[[known-issue-8.16.0]]
+==== Known issues
+
+// tag::known-issue[201820]
+[discrete]
+.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`)
+[%collapsible]
+====
+*Details*
+
+On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]).
+
+*Workaround*
+
+Upgrade to 8.16.2, or follow the workarounds below.
+
+For custom rules:
+
+. From the **Rules** page, <> the rule or rules with the affected exception lists.
+. Modify the `.ndjson` file so `comments` no longer contain newline characters.
+. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option.
+
+For prebuilt rules:
+
+NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page.
+
+. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:
+.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`.
+.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`:
++
+[source,console]
+----
+curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e
+----
++
+.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.
++
+[source,console]
+----
+{
+ "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
+ "exceptions_list": [
+ {
+ "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
+ "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
+ "namespace_type": "single"
+ }
+ ]
+}
+----
++
+. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call:
++
+[source,console]
+----
+curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
+----
++
+.
Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`).
+. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.
+
+*Resolved*
+
+On December 17, 2024, this issue was resolved.
+
+====
+// end::known-issue[201820]
+
+// tag::known-issue[]
+[discrete]
+.Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error
+[%collapsible]
+====
+*Details*
+
+Updating a Knowledge Base entry of type "index" results in an error.
+
+*Workaround*
+
+Instead of updating an "index" entry, delete it and add it again with the desired changes.
+
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Manually running threshold rules may generate duplicate alerts
+[%collapsible]
+====
+*Details*
+
+On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution.
+
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Manually running custom query rules with suppression could suppress more alerts than expected
+[%collapsible]
+====
+*Details*
+
+On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
+
+====
+// end::known-issue[]
+
+// tag::known-issue-53[]
+[discrete]
+.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space
+[%collapsible]
+====
+*Details*
+
+On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space.
+
+*Workaround*
+
+Manually edit your browser's local storage and refresh the **Alerts** page:
+
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using.
+
+. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space.
+. Refresh the **Alerts** page to reload it.
+
+*Resolved*
+
+This issue is fixed in {stack} version 8.16.1.
+
+====
+// end::known-issue-53[]
+
+// tag::known-issue[]
+[discrete]
+.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
+[%collapsible]
+====
+*Details*
+
+
+An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
+
+*Workaround*
+
+
+If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`).
+
+*Resolved*
+
+This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1.
+
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems
+[%collapsible]
+====
+*Details*
+
+
+An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
+
+*Workaround*
+
+
+If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>:
+
+* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`.
+* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`.
+
+
+NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features.
+
+*Resolved*
+
+This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1.
+
+
+====
+// end::known-issue[]
+
+[discrete]
+[[breaking-changes-8.16.0]]
+==== Breaking changes
+
+* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting.
During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body `{ "message": "{kib} is shutting down and not accepting new incoming requests" }`.
+
+[discrete]
+[[features-8.16.0]]
+==== New features
+
+* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]).
+* Enables agentless deployment for Elastic's Cloud Security Posture Management integration and the new Cloud Asset Inventory integration ({kibana-pull}191557[#191557]).
+* Enables data collected by the Wiz and AWS Security Hub integrations to appear on the Findings page and in entity details flyouts (https://github.com/elastic/integrations/pull/10790[#10790], https://github.com/elastic/integrations/pull/11158[#11158]).
+* Enables alerts collected by the Falco integration to appear on the Alerts page (https://github.com/elastic/integrations/pull/9619[#9619], https://github.com/elastic/integrations/pull/11051[#11051]).
+* Adds ability to manually run rules for a specified time period, either for testing purposes or to generate alerts for past events.
+* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]).
+* Adds the ability to attach notes to alerts and events and introduces the Notes page, which allows you to manage all existing notes ({kibana-pull}186787[#186787], {kibana-pull}186807[#186807], {kibana-pull}186931[#186931], {kibana-pull}186946[#186946], {kibana-pull}187214[#187214], {kibana-pull}193373[#193373]).
+* Enables detection rules to automatically execute system actions, such as opening a case ({kibana-pull}183937[#183937]).
+* Adds role-based access control (RBAC) for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]).
+* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]).
+* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <> workflows by default ({kibana-pull}196270[#196270]).
+* Introduces the entity store as a technical preview feature, which allows observed, imported, integrated, or uploaded entities to be stored persistently ({kibana-pull}192806[#192806]).
+* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]).
+* Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]).
+* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
+* Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]).
+* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]).
++
+IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.
+* Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
+* Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default.
To turn it on, configure the `[os].advanced.set_extended_host_information` <>.
+* Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <>.
+* Allows you to reduce CPU usage, I/O, and event sizes by turning off MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`.
+* Allows you to configure your {elastic-defend} integration policy to collect SHA-256 file hashes in file events. Before doing so, consider the following caveats:
+** This can greatly increase {elastic-defend}'s CPU and I/O utilization and impact system responsiveness.
+** This can significantly delay event enrichment and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior.
+** This can cause event processing queues to overflow and lead to dropped events.
+** Many file events won't contain hashes. Hash collection is the best effort and is not guaranteed to be present in every event. Hashes are collected asynchronously and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing].
+* Improves {elastic-defend} by enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the Kafka output.
+* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity.
+
+[discrete]
+[[enhancements-8.16.0]]
+==== Enhancements
+* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]).
+* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]).
+* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]).
+* Adds an **Other** option to the OpenAI connector's **Select an OpenAI provider** dropdown menu. Select this option when <> ({kibana-pull}194831[#194831]).
+* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]).
+* Adds an **Install and enable** button to the **Add Elastic Rules** page, which allows for rules to be immediately enabled after they're installed ({kibana-pull}191529[#191529]).
+* Adds the **Alert Suppression** and **Investigative guide** fields to the rule upgrade workflow ({kibana-pull}195499[#195499]).
+* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]).
+* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]):
+** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page and is stored locally instead of in {es}.
+** Attack Discovery now combines related discoveries that would previously have appeared separately.
+** Attack Discovery now detects and displays an error instead of hallucinated output.
+* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]).
+* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]).
+* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]).
+* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]).
+* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]).
+* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]).
+* Allows Automatic Import to analyze a larger number of sample events when generating a new integration ({kibana-pull}196233[#196233]).
+* Allows Automatic Import to recognize CSV logs and create integrations for CSV data ({kibana-pull}196228[#196228], {kibana-pull}194386[#194386]).
+* Allows you to open the rule details flyout from the Alerts table ({kibana-pull}191764[#191764]).
+* Allows you to resize the alert and event details flyouts and choose how it's displayed in relation to the Alerts table (over or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]).
+* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]).
+* Adds support in all detection rule types for {elastic-defend}'s automated response actions ({kibana-pull}193390[#193390], {kibana-pull}191874[#191874]).
+* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis.
+* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`.
+* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions.
+* Ensures security artifacts are updated when the {elastic-defend} service starts.
+* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy.
+* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context.
+* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output.
+* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables the detection of certain defense evasions. You can turn this feature off in {elastic-defend} <> ({kibana-pull}190553[#190553]).
+* Restores {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0.
+* Improves {elastic-defend}'s caching to reduce memory usage on Windows.
+* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID.
+* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver.
+
+[discrete]
+[[bug-fixes-8.16.0]]
+==== Bug fixes
+
+* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]).
+* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]).
+* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]).
+* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]).
+* Improves the performance of the Alerts table ({kibana-pull}192827[#192827]).
+* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture findings ({kibana-pull}194069[#194069]).
+* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events.
+* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI.
+* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields.
+* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events.
+* Fixes a bug that prevented host name uniformity with {beats} products. If you request {elastic-defend} to use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default.
+* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts.
+* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy.
+* Fixes a race condition that could allow an attacker with administrative rights to disable {elastic-defend} on Windows. We would like to acknowledge Sean Moore (@Fr0g) at https://strafecybersecurity.com[strafecybersecurity.com] for their assistance.
+* Fixes scenarios where Automatic Import could generate invalid processors containing array access ({kibana-pull}196207[#196207]).
+* Improves Timeline's table performance when row renderers are switched on ({kibana-pull}193316[#193316]).
+* Fixes misaligned filter control labels on the Alerts page ({kibana-pull}192094[#192094]).
\ No newline at end of file
diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc
new file mode 100644
index 0000000000..be9c0ebc39
--- /dev/null
+++ b/docs/release-notes/8.8.asciidoc
@@ -0,0 +1,508 @@
+[[release-notes-header-8.8.0]]
+== 8.8
+
+[discrete]
+[[release-notes-8.8.2]]
+=== 8.8.2
+
+[discrete]
+[[known-issue-8.8.2]]
+==== Known issues
+* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
+* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
+* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
+* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
+
+** Open alerts in Timeline.
+** Adjust the Alerts table size. Do one of the following:
+
+*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
+*** Adjust your OS zoom settings and refresh the page.
+
+** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
+* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
++
+NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
+
++
+The workaround for this issue depends on the types of alerts you want to display in the Alerts table.
Choose the case that's most relevant to you:
+
++
+**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
+
++
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
++
+
+. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns.
+. Paste the JSON blob into a text file and edit it as follows:
+.. Remove the `id:file.name` string from the `columns` array.
+.. Remove the `file.name` string from the `visibleColumns` array.
+. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
+. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
++
+NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
+
++
+**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
+
+. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
+. Search for the `file.name` field, de-select it, and click *Close*.
+. Refresh the Alerts page.
+
+[discrete]
+[[breaking-changes-8.8.2]]
+==== Breaking changes
+
+There are no breaking changes in 8.8.2.
+
+[discrete]
+[[enhancements-8.8.2]]
+==== Enhancements
+There are no user-facing changes in 8.8.2.
+
+[discrete]
+[[bug-fixes-8.8.2]]
+==== Bug fixes
+* Fixes a bug that affected links to {kib} results generated by actions on rules from non-default {kib} spaces ({kibana-pull}159966[#159966]).
+* Fixes a bug that prevented users from saving a Timeline after adding a `number` field ({kibana-pull}159723[#159723]).
+* Fixes a bug that caused error messages to wrongfully display if users selected uninstalled {ml} jobs while creating a {ml} rule ({kibana-pull}159316[#159316]).
+* Removes hover actions from tables within the Detection & Response dashboard when the alert count is zero ({kibana-pull}158902[#158902]).
+* Fixes bugs in the Anomalies table that left {ml} jobs greyed out after they were installed ({kibana-pull}158821[#158821]) and that stopped some job counts from appearing ({kibana-pull}158739[#158739]).
+* Fixes a bug that caused the **Add exceptions flyout** to load indefinitely and display an out of memory error when a rule had a large number of unmapped fields in multiple indices ({kibana-pull}159216[#159216]).
+* Fixes a bug that prevented cell actions on fields with multiple values in the Alerts table ({kibana-pull}158060[#158060]).
+* Fixes a bug that caused the Alerts page to query unnecessary indices ({kibana-pull}157286[#157286]).
+* Fixes a bug that broke the mustache syntax for variables in rule actions ({kibana-pull}160446[#160446]).
+* Fixes a bug that caused exception items to be erroneously duplicated if you modified an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specified its `item_id` ({kibana-pull}159223[#159223]).
++
+NOTE: If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.
+
+** **Query for finding exception documents that were duplicated from only specifying the `item_id`:**
++
+[source,kibana]
+----------------------------------
+// Retrieve exception documents grouped by `item_id`.
+// Each bucket contains all duplicates of that document.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "match": {
+ "type": "exception-list"
+ }
+ }
+ ]
+ }
+ },
+ "aggs": {
+ "item_id_duplicates": {
+ "terms": {
+ "field": "exception-list.item_id",
+ "min_doc_count": 2
+ },
+ "aggs": {
+ "ids": {
+ "top_hits": {
+ "size": 100, // Increase this if you may have more duplicates.
+ "_source": false
+ }
+ }
+ }
+ }
+ },
+ "size": 0
+}
+----------------------------------
+
+** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:**
++
+[source,kibana]
+----------------------------------
+// Each item returned lost its `item_id`, which is expected to be present and unique.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "exception-list.list_type": "item"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "exception-list.item_id"
+ }
+ }
+ ]
+ }
+ }
+}
+----------------------------------
+
+
+[discrete]
+[[release-notes-8.8.1]]
+=== 8.8.1
+
+[discrete]
+[[known-issue-8.8.1]]
+==== Known issues
+* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
+* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
+* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
+
+* If you modify an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either:
+
+** <> through the {security-app} UI.
+** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API.
+
++
+If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.
+
+** **Query for finding exception documents that were duplicated from only specifying the `item_id`:**
++
+[source,kibana]
+----------------------------------
+// Retrieve exception documents grouped by `item_id`.
+// Each bucket contains all duplicates of that document.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "match": {
+ "type": "exception-list"
+ }
+ }
+ ]
+ }
+ },
+ "aggs": {
+ "item_id_duplicates": {
+ "terms": {
+ "field": "exception-list.item_id",
+ "min_doc_count": 2
+ },
+ "aggs": {
+ "ids": {
+ "top_hits": {
+ "size": 100, // Increase this if you may have more duplicates.
+ "_source": false
+ }
+ }
+ }
+ }
+ },
+ "size": 0
+}
+----------------------------------
+
+** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:**
++
+[source,kibana]
+----------------------------------
+// Each item returned lost its `item_id`, which is expected to be present and unique.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "exception-list.list_type": "item"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "exception-list.item_id"
+ }
+ }
+ ]
+ }
+ }
+}
+----------------------------------
+
+* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
+
+** Open alerts in Timeline.
+** Adjust the Alerts table size. Do one of the following:
+
+*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
+*** Adjust your OS zoom settings and refresh the page.
+*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
+
+* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
++
+NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
+
++
+The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you:
+
++
+**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
+
++
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
++
+
+. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns.
+. Paste the JSON blob into a text file and edit it as follows:
+.. Remove the `id:file.name` string from the `columns` array.
+.. Remove the `file.name` string from the `visibleColumns` array.
+. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
+. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
++
+NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
+
++
+**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
+
+. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
+. Search for the `file.name` field, de-select it, and click *Close*.
+. Refresh the Alerts page.
+
+[discrete]
+[[breaking-changes-8.8.1]]
+==== Breaking changes
+
+There are no breaking changes in 8.8.1.
+
+[discrete]
+[[features-8.8.1]]
+==== New features
+
+* Introduces the Generative AI connector and <> for {elastic-sec} ({kibana-pull}157228[#157228], {kibana-pull}156933[#156933]).
+
+[discrete]
+[[bug-fixes-8.8.1]]
+==== Bug fixes
+* Fixes a bug that made field types appear as `unknown` within the **Fields** browser and when examining alert or event details ({kibana-pull}158594[#158594]).
+* Fixes a bug that caused all field types in the **Fields** browser to appear as `unknown` ({kibana-pull}158594[#158594]).
+* Fixes a bug that caused the **Add rule exception** flyout to load indefinitely when index fields couldn't be retrieved ({kibana-pull}158371[#158371]).
+* Provides support for using field names with wildcards in rule queries ({kibana-pull}157981[#157981]).
+* Fixes CSS style issues on the rule details page ({kibana-pull}157935[#157935]).
+* Fixes a bug that caused the `A-Z` option to incorrectly display on Alerts table sorting menus ({kibana-pull}157653[#157653]).
+* Allows users to scroll through long error messages on the rule details page ({kibana-pull}157271[#157271]).
+
+[discrete]
+[[release-notes-8.8.0]]
+=== 8.8.0
+
+To view a detailed summary of the latest features and enhancements, check out our {security-guide}/whats-new.html[release highlights].
+
+[discrete]
+[[known-issue-8.8.0]]
+==== Known issues
+* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
+* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
+* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
+* {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1.
+* All field types in the **Fields** browser appear as `unknown`.
+* If you modify an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either:
+
+** <> through the {security-app} UI.
+** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API.
+
++
+If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.
+
+** **Query for finding exception documents that were duplicated from only specifying the `item_id`:**
++
+[source,kibana]
+----------------------------------
+// Retrieve exception documents grouped by `item_id`.
+// Each bucket contains all duplicates of that document.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "match": {
+ "type": "exception-list"
+ }
+ }
+ ]
+ }
+ },
+ "aggs": {
+ "item_id_duplicates": {
+ "terms": {
+ "field": "exception-list.item_id",
+ "min_doc_count": 2
+ },
+ "aggs": {
+ "ids": {
+ "top_hits": {
+ "size": 100, // Increase this if you may have more duplicates.
+ "_source": false
+ }
+ }
+ }
+ }
+ },
+ "size": 0
+}
+----------------------------------
+
+** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:**
++
+[source,kibana]
+----------------------------------
+// Each item returned lost its `item_id`, which is expected to be present and unique.
+GET .kibana*/_search
+{
+ "query": {
+ "bool": {
+ "filter": [
+ {
+ "term": {
+ "exception-list.list_type": "item"
+ }
+ }
+ ],
+ "must_not": [
+ {
+ "exists": {
+ "field": "exception-list.item_id"
+ }
+ }
+ ]
+ }
+ }
+}
+----------------------------------
+
+* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
+
+** Open alerts in Timeline.
+** Adjust the Alerts table size. Do one of the following:
+
+*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
+*** Change your OS zoom settings and refresh the page.
+*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
+
+* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
++
+NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
+
++
+The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you:
+
++
+**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
+
++
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
++
+
+. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns.
+. Paste the JSON blob into a text file and edit it as follows:
+.. Remove the `id:file.name` string from the `columns` array.
+.. Remove the `file.name` string from the `visibleColumns` array.
+. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
+. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
++
+NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
+
++
+**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
+
+. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
+. Search for the `file.name` field, de-select it, and click *Close*.
+. Refresh the Alerts page.
+
+[discrete]
+[[breaking-changes-8.8.0]]
+==== Breaking changes
+
+* The privileges for attaching alerts to cases have changed. Now, you need at least `Read` privileges for Security and `All` privileges for Cases ({kibana-pull}147985[#147985]).
+* Adds conditional actions to the rules API. In {elastic-sec} 8.7 and earlier, action frequencies were set on a rule level by defining the `throttle` field. In 8.8 and later, action frequencies are set at the action level, and the `throttle` field is replaced by the `frequency` and `alert_filters` fields. The following APIs are affected:
+** https://www.elastic.co/guide/en/security/8.8/rules-api-get.html[Get rule]
+** https://www.elastic.co/guide/en/security/8.8/rules-api-find.html[Find rules]
+** https://www.elastic.co/guide/en/security/8.8/rules-api-create.html#optional-actions-fields-rule-create[Create rule]
+** https://www.elastic.co/guide/en/security/8.8/rules-api-update.html#optional-actions-fields-rule-update[Update rule]
+** https://www.elastic.co/guide/en/security/8.8/bulk-actions-rules-api.html#optional-actions-fields-bulk-update[Bulk rule actions]
+
+[discrete]
+[[deprecations-8.8.0]]
+==== Deprecations
+
+* The rule level `throttle` field is deprecated in {elastic-sec} 8.8 and is scheduled for end of life in Q4 of 2024. In {elastic-sec} 8.8 and later, we strongly recommend using the action level `frequency` field to set frequencies for individual rule actions.
+
+[discrete]
+[[features-8.8.0]]
+==== New features
+
+* Introduces <>, which scans your cloud VMs for vulnerabilities, and adds a tab to the Findings page that displays vulnerabilities ({kibana-pull}154388[#154388], {kibana-pull}154873[#154873], {kibana-pull}155045[#155045]).
+* Introduces <>, which allows you to monitor and protect your Kubernetes workloads.
+* Adds a new response action that allows you to execute commands on a selected host ({kibana-pull}150202[#150202]).
+* Adds the `kibana.alert.url` field to alert documents. This field provides a shareable URL for the alert ({kibana-pull}155069[#155069]).
+* Adds the ability to duplicate a shared exception list ({kibana-pull}154991[#154991]).
+* Allows Timeline notes to be deleted ({kibana-pull}154834[#154834]).
+* Allows you to specify conditions for when rule actions should run ({kibana-pull}154680[#154680]).
+* Adds the ability to snooze rule notifications from the Rules table, the rule details page, or the Actions tab when editing a rule ({kibana-pull}153083[#153083], {kibana-pull}155407[#155407], {kibana-pull}155612[#155612]).
+* Adds controls to the Alerts page that allow you to customize which filters appear at the top of the page ({kibana-pull}152450[#152450]).
+
+[discrete]
+[[enhancements-8.8.0]]
+==== Enhancements
+
+* Renames the Notable Anomalies section in the Entity Analytics dashboard to Anomalies ({kibana-pull}155687[#155687]).
+* Displays additional {ml} anomaly jobs on the Entity Analytics dashboard ({kibana-pull}155520[#155520]).
+* Makes alert count links on the Entity Analytics dashboard navigate to the Alerts page instead of opening in Timeline ({kibana-pull}153372[#153372]).
+* Updates the Data Quality dashboard to include a new tree map and storage size metrics for each index ({kibana-pull}155581[#155581]).
+* Adds cloud infrastructure-related fields to the alert details flyout highlighted fields section ({kibana-pull}155247[#155247]).
+* Allows you to specify how to handle alert suppression for alerts with missing fields ({kibana-pull}155055[#155055]).
+* Gives users more control over how they receive alert notifications and lets them define conditions that must be met for a notification to occur ({kibana-pull}154526[#154526]).
+* Adds a warning message to tell you when a rule has reached the maximum number of alerts limit ({kibana-pull}154112[#154112]).
+* Updates how browser field descriptions are provided to {kib} ({kibana-pull}153498[#153498]).
+* Enables multi-level grouping for alerts on the Alerts page, based on various fields ({kibana-pull}152862[#152862]).
+* Adds links to the Detection & Response and Entity Analytics dashboards that jump to the Alerts page with filters enabled ({kibana-pull}152714[#152714]).
+* Updates the visualizations throughout {elastic-sec} to Lens visualizations ({kibana-pull}150531[#150531]).
+* Adds a *Share alert* link to the alert details flyout ({kibana-pull}148800[#148800]).
+* Adds a warning message to the Rules page when a maintenance window is running ({kibana-pull}155386[#155386]).
+* Adds a global search bar to the Detections and Response and Entity Analytics dashboards ({kibana-pull}156832[#156832]).
+* Adds the "Investigate in timeline" inline action to alert counts on the Detections and Response and Entity Analytics dashboards ({kibana-pull}154299[#154299]).
+* Session view: Makes the row representing the session leader remain visible when you scroll past it, and adds a button to this row that allows you to collapse child processes ({kibana-pull}154982[#154982]).
+* Reduces Linux process event volume by about 50% by combining `fork`, `exec`, and `end` events when they occur around the same time (does not affect queries of this data) ({kibana-pull}153213[#153213]).
+* Updates where the technical preview tags appear for host risk score features ({kibana-pull}156659[#156659], {kibana-pull}156514[#156514]).
+* Allows you to use fully qualified domain names (FQDNs) for hosts. To learn how to set a host name format in {fleet}, refer to {fleet-guide}/agent-policy.html[Elastic Agent policies].
+
+[discrete]
+[[bug-fixes-8.8.0]]
+==== Bug fixes
+
+* Fixes a bug that interfered with the default time range when you opened an alert in Timeline ({kibana-pull}156884[#156884]).
+* Fixes a bug that could cause the Alerts page to become unresponsive after entering an invalid query ({kibana-pull}156542[#156542]).
+* Updates the colors used for entity analytic graphs to match those used for alert graphs ({kibana-pull}156383[#156383]).
+* Fixes a bug that caused errors on the Data Quality dashboard when a `basePath` was configured ({kibana-pull}156233[#156233]).
+* Fixes a bug that could cause problems when different users simultaneously edited a Timeline ({kibana-pull}155663[#155663]).
+* Fixes a bug that could cause the wrong number of rules to appear in the modal for duplicating rules ({kibana-pull}155959[#155959]).
+* Fixes a bug that could cause a blank option to appear in the Create rule exception form ({kibana-pull}155221[#155221]).
+* Fixes issues that affected tags in the Add rule exception component of the Shared Exception Lists page ({kibana-pull}155219[#155219]).
+* Fixes a bug that displayed an outdated count of affected rules on the Shared Exception Lists page ({kibana-pull}155108[#155108]).
+* Improves performance for rendering indicator match alerts on the Alerts page ({kibana-pull}154821[#154821]).
+* Fixes a bug that could affect alert prevalence counts on the Alerts page ({kibana-pull}154544[#154544]).
+* Fixes a bug that could prevent you from using breadcrumbs to return to the Rules page ({kibana-pull}150322[#150322]).
+* Fixes a bug that could prevent the *View all open alerts* button on the Detection and Response dashboard from applying the correct filters ({kibana-pull}156893[#156893]).
+* Fixes several bugs related to session view and and Kubernetes dashboard ({kibana-pull}154982[#154982]).
+* Fixes the delete index API so it only removes {elastic-sec} 7.x signals indices (`.siem-signals-`), index templates, and ILMs and doesn't delete 8.x alert indices (`.alerts-security.alerts-`).
diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc
new file mode 100644
index 0000000000..95a9416d8c
--- /dev/null
+++ b/docs/release-notes/8.9.asciidoc
@@ -0,0 +1,187 @@
+[[release-notes-header-8.9.0]]
+== 8.9
+
+[discrete]
+[[release-notes-8.9.2]]
+=== 8.9.2
+
+[discrete]
+[[bug-fixes-8.9.2]]
+==== Bug fixes
+
+* Fixes a bug that prevented inline actions on the Alerts page from completing ({kibana-pull}165099[#165099]).
+* Fixes a bug that prevented blocklist file path entries for Windows and macOS applications from being passed as case insensitive ({kibana-pull}164200[#164200]).
+* Fixes a bug in the confirmation message that appears when duplicating a single rule ({kibana-pull}163908[#163908]).
+* Fixes a bug on the rule details page that showed the **Data view** label twice if you were viewing a rule using a data view ({kibana-pull}164494[#164494]).
+* Fixes a bug that affected Timeline when you investigated an alert created from a rule with exceptions ({kibana-pull}162190[#162190]).
+
+[discrete]
+[[release-notes-8.9.1]]
+=== 8.9.1
+
+[discrete]
+[[known-issue-8.9.1]]
+==== Known issues
+
+* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
+
+** Open alerts in Timeline.
+** Adjust the Alerts table size. Do one of the following:
+
+*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
+*** Adjust your OS zoom settings and refresh the page.
+*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
+
+* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
++
+NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
+
++
+The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you:
+
++
+**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
+
++
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
++
+
+. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns.
+. Paste the JSON blob into a text file and edit it as follows:
+.. Remove the `id:file.name` string from the `columns` array.
+.. Remove the `file.name` string from the `visibleColumns` array.
+. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
+. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
++
+NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
+
++
+**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
+
+. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
+. Search for the `file.name` field, de-select it, and click *Close*.
+. Refresh the Alerts page.
+
+[discrete]
+[[enhancements-8.9.1]]
+==== Enhancements
+* Event correlation queries and rules can now detect {ref}/eql-syntax.html#eql-missing-events[missing events] in EQL sequences.
+
+[discrete]
+[[bug-fixes-8.9.1]]
+==== Bug fixes
+
+* Fixes a copy to clipboard bug that affected non-ECS fields ({kibana-pull}162883[#162883]).
+* Fixes number rounding issues in the *Top alerts by* table on the Alerts page ({kibana-pull}162647[#162647]).
+* Fixes bug that prevented controls from being rendered on {elastic-sec} dashboards ({kibana-pull}162514[#162514]).
+* Fixes a bug that prevented rule changes from being saved if a rule's action frequency was shorter than the rule run interval ({kibana-pull}160798[#160798]).
+
+[discrete]
+[[release-notes-8.9.0]]
+=== 8.9.0
+
+[discrete]
+[[known-issue-8.9.0]]
+==== Known issues
+
+* On the new Detection rule monitoring dashboard, total `Rule executions` will not always equal the sum of `Succeeded`, `Warning`, and `Failed` executions. This is expected because rules can write multiple statuses per execution. One typical example is gap detection: if a rule detects a gap in rule execution it will write an intermediate `Failed` status, then continue to run, and write a final status (such as `Warning`) before finishing its execution.
+* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
+* The `upload` response action does not report the correct amount of available disk space. The correct amount is approximately four.
+* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
+
+** Open alerts in Timeline.
+** Adjust the Alerts table size. Do one of the following:
+
+*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
+*** Adjust your OS zoom settings and refresh the page.
+*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
+
+* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
++
+NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
+
++
+The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you:
+
++
+**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
+
++
+NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
++
+
+. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
+. Go to *Application -> Storage*, then expand *Local Storage*.
+. Click on the name of your Kibana instance, for example, :1234.
+. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns.
+. Paste the JSON blob into a text file and edit it as follows:
+.. Remove the `id:file.name` string from the `columns` array.
+.. Remove the `file.name` string from the `visibleColumns` array.
+. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
+. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
++
+NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
+
++
+**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
+
+. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
+. Search for the `file.name` field, de-select it, and click *Close*.
+. Refresh the Alerts page.
+
+[discrete]
+[[breaking-changes-8.9.0]]
+==== Breaking changes
+
+There are no breaking changes in 8.9.0.
+
+[discrete]
+[[deprecations-8.9.0]]
+==== Deprecations
+* Removes the option to use the legacy navigation menu ({kibana-pull}158094[#158094]).
+* General prebuilt threat indicator match rules were deprecated and replaced with improved indicator-type rules.
+
+[discrete]
+[[features-8.9.0]]
+==== New features
+* Introduces the `top` command for MacOS and Linux, which shows active processes that {elastic-endpoint} is monitoring and recording. Processes are sorted by how much CPU they are causing {elastic-endpoint} to consume. Learn more about the `top` command by referring to the (https://www.github.com/elastic/endpoint/blob/main/EndpointTopCommand.md[readme]).
+* Allows you to install the Cloud Security Posture Management (CSPM) integration via CloudFormation ({kibana-pull}159994[#159994]).
+* Creates a new dashboard, Cloud Native Vulnerability Management, that provides an overview of vulnerabilities on your cloud hosts ({kibana-pull}159699[#159699]).
+* Allows you to group vulnerabilities by resource (host) on the Vulnerabilities Findings page, and creates a Resource flyout that displays detailed vulnerability findings for individual hosts ({kibana-pull}159873[#159873], {kibana-pull}158987[#158987]).
+* Adds a new custom dashboard, "Detection rule monitoring" ({kibana-pull}159875[#159875]).
+* Allows you to anonymize event field values sent to AI Assistant ({kibana-pull}159857[#159857]).
+* Adds a *Chat* button that opens AI Assistant to the alert details flyout ({kibana-pull}159633[#159633]).
+* Updates AI Assistant to let you create and delete custom system prompts and default conversations ({kibana-pull}159365[#159365]).
+* Allows you to add alert tags ({kibana-pull}157786[#157786]).
+* Adds the ability to automatically isolate a host through a rule’s endpoint response action ({kibana-pull}152424[#152424]).
+* Moves response actions to General Availability.
+* Adds a new response action that allows you to upload files to an endpoint that has {elastic-endpoint} installed ({kibana-pull}157208[#157208]).
+* Makes the Lateral Movement Detection advanced analytics package General Availability, and adds the ability to detect malicious activities in Windows RDP events (https://github.com/elastic/integrations/pull/6588[#6588]).
+
+[discrete]
+[[enhancements-8.9.0]]
+==== Enhancements
+* Makes it easier to set up exceptions by auto-populating exception conditions and values with relevant alert data ({kibana-pull}159075[#159075]).
+* Adds a *Last response* dropdown menu to the Rules table that allows you to filter rules by the status of their last execution ("Succeeded", "Warning", or "Failed") ({kibana-pull}159865[#159865]).
+* Creates a Lens dashboard for monitoring the use of tokens by AI Assistant ({kibana-pull}159075[#159075]).
+* Creates a connector for D3 Security ({kibana-pull}158569[#158569]).
+* Improves the interface for installing and upgrading Elastic prebuilt rules ({kibana-pull}158450[#158450]).
+* Shows a rule's actions on its details page ({kibana-pull}158189[#158189]).
+* Allows you to add Lens visualizations to cases from the visualization's *More actions* menu ({kibana-pull}154918[#154918]).
+* Adds a tooltip to snoozed rules that shows exactly when alerting will resume ({kibana-pull}157407[#157407]).
+* Enhances the Data Exfiltration Detection package by adding the ability to detect exfiltration anomalies through USB devices and Airdrop (https://github.com/elastic/integrations/pull/6577[#6577]).
+
+[discrete]
+[[bug-fixes-8.9.0]]
+==== Bug fixes
+* Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({kibana-pull}161331[#161331]).
+* Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu ({kibana-pull}159908[#159908]).
+* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule.
+* Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({kibana-pull}157233[#157233]).
+* Fixes a bug that allowed you to save a rule with an alert filter missing a query ({kibana-pull}159690[#159690]).
+* Fixes unexpected filtering behavior on the Alerts page. Now, when you select a filter that excludes all alerts, an empty table now appears as expected ({kibana-pull}160374[#160374]).
+* Fixes a UI bug where the **Label** field in the Investigation Guide form incorrectly turns red when the entered value is correct ({kibana-pull}160574[#160574], {kibana-pull}160577[#160577]).
+* Fixes a bug that caused rules to snooze longer than specified ({kibana-pull}152873[#152873]).
From c485c4d15835cba22956da5153f19c1d6956ea2b Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic
Date: Fri, 1 Aug 2025 12:43:56 +0100
Subject: [PATCH 2/2] resolve conflict
---
 docs/AI-for-security/connect-to-byo.asciidoc | 199 ----
 .../cspm-get-started-aws.asciidoc | 305 ------
 ...ltiple-vault-web-credentials-read.asciidoc | 12 +-
 docs/release-notes/8.16.asciidoc | 893 ------------------
 docs/release-notes/8.8.asciidoc | 508 ----------
 docs/release-notes/8.9.asciidoc | 187 ----
 6 files changed, 1 insertion(+), 2103 deletions(-)
 delete mode 100644 docs/AI-for-security/connect-to-byo.asciidoc
 delete mode 100644 docs/cloud-native-security/cspm-get-started-aws.asciidoc
 delete mode 100644 docs/release-notes/8.16.asciidoc
 delete mode 100644 docs/release-notes/8.8.asciidoc
 delete mode 100644 docs/release-notes/8.9.asciidoc
diff --git a/docs/AI-for-security/connect-to-byo.asciidoc b/docs/AI-for-security/connect-to-byo.asciidoc
deleted file mode 100644
index 36e1cb1603..0000000000
--- a/docs/AI-for-security/connect-to-byo.asciidoc
+++ /dev/null
@@ -1,199 +0,0 @@
-[[connect-to-byo-llm]]
-= Connect to your own local LLM
-
-:frontmatter-description: Set up a connector to LM Studio so you can use a local model with AI Assistant.
-:frontmatter-tags-products: [security]
-:frontmatter-tags-content-type: [guide]
-:frontmatter-tags-user-goals: [get-started]
-
-This page provides instructions for setting up a connector to a large language model (LLM) of your choice using LM Studio. This allows you to use your chosen model within {elastic-sec}. You'll first need to set up a reverse proxy to communicate with {elastic-sec}, then set up LM Studio on a server, and finally configure the connector in your Elastic deployment. https://www.elastic.co/blog/ai-assistant-locally-hosted-models[Learn more about the benefits of using a local LLM].
-
-This example uses a single server hosted in GCP to run the following components:
-
-* LM Studio with the https://huggingface.co/mistralai/Mistral-Nemo-Instruct-2407[Mistral-Nemo-Instruct-2407] model
-* A reverse proxy using Nginx to authenticate to Elastic Cloud
-
-image::images/lms-studio-arch-diagram.png[Architecture diagram for this guide]
-
-NOTE: For testing, you can use alternatives to Nginx such as https://learn.microsoft.com/en-us/azure/developer/dev-tunnels/overview[Azure Dev Tunnels] or https://ngrok.com/[Ngrok], but using Nginx makes it easy to collect additional telemetry and monitor its status by using Elastic's native Nginx integration. While this example uses cloud infrastructure, it could also be replicated locally without an internet connection.
-
-NOTE: For information about the performance of open-source models on tasks within {elastic-sec}, refer to the <>.
-
-[discrete]
-== Configure your reverse proxy
-
-NOTE: If your Elastic instance is on the same host as LM Studio, you can skip this step.
Also, check out our https://www.elastic.co/blog/herding-llama-3-1-with-elastic-and-lm-studio[blog post] that walks through the whole process of setting up a single-host implementation.
-
-You need to set up a reverse proxy to enable communication between LM Studio and Elastic. For more complete instructions, refer to a guide such as https://www.digitalocean.com/community/tutorials/how-to-configure-nginx-as-a-reverse-proxy-on-ubuntu-22-04[this one].
-
-The following is an example Nginx configuration file:
-
-[source,txt]
---------------------------------------------------
-server {
- listen 80;
- listen [::]:80;
- server_name ;
- server_tokens off;
- add_header x-xss-protection "1; mode=block" always;
- add_header x-frame-options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- return 301 ;
-}
-
-server {
-
- listen 443 ssl http2;
- listen [::]:443 ssl http2;
- server_name ;
- server_tokens off;
- ssl_certificate /etc/letsencrypt/live//fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live//privkey.pem;
- ssl_session_timeout 1d;
- ssl_session_cache shared:SSL:50m;
- ssl_session_tickets on;
- ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
- ssl_protocols TLSv1.3 TLSv1.2;
- ssl_prefer_server_ciphers on;
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
- add_header x-xss-protection "1; mode=block" always;
- add_header x-frame-options "SAMEORIGIN" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header Referrer-Policy "strict-origin-when-cross-origin" always;
- ssl_stapling on;
- ssl_stapling_verify on;
- ssl_trusted_certificate /etc/letsencrypt/live//fullchain.pem;
- resolver 1.1.1.1;
- location / {
-
- if ($http_authorization != "Bearer ") {
- return 401;
-}
-
- proxy_pass :1234/;
- }
-
-}
---------------------------------------------------
-
-[IMPORTANT]
-====
-If using the example configuration file above, you must replace several values:
-
-* Replace `` with your actual token, and keep it safe since you'll need it to set up the {elastic-sec} connector.
-* Replace `` with your actual domain name.
-* Update the `proxy_pass` value at the bottom of the configuration if you decide to change the port number in LM Studio to something other than 1234.
-====
-
-[discrete]
-=== (Optional) Set up performance monitoring for your reverse proxy
-You can use Elastic's {integrations-docs}/nginx[Nginx integration] to monitor performance and populate monitoring dashboards in the {security-app}.
-
-[discrete]
-== Configure LM Studio and download a model
-
-First, install https://lmstudio.ai/[LM Studio]. LM Studio supports the OpenAI SDK, which makes it compatible with Elastic's OpenAI connector, allowing you to connect to any model available in the LM Studio marketplace.
-
-You must launch the application using its GUI before doing so using the CLI. For example, use Chrome RDP with an https://cloud.google.com/architecture/chrome-desktop-remote-on-compute-engine[X Window System]. After you've opened the application the first time using the GUI, you can start it by using `sudo lms server start` in the CLI.
-
-Once you've launched LM Studio:
-
-1. Go to LM Studio's Search window.
-2. Search for an LLM (for example, `Mistral-Nemo-Instruct-2407`). Your chosen model must include `instruct` in its name in order to work with Elastic.
-3. After you find a model, view download options and select a recommended version (green). For best performance, select one with the thumbs-up icon that indicates good performance on your hardware.
-4. Download one or more models.
-
-IMPORTANT: For security reasons, before downloading a model, verify that it is from a trusted source. It can be helpful to review community feedback on the model (for example using a site like Hugging Face).
-
-image::images/lms-model-select.png[The LM Studio model selection interface]
-
-In this example we used https://huggingface.co/mistralai/Mistral-Nemo-Instruct-2407[`mistralai/Mistral-Nemo-Instruct-2407`]. It has 12B total parameters, a 128,000 token context window, and uses GGUF https://huggingface.co/docs/transformers/main/en/quantization/overview[quanitization]. For more information about model names and format information, refer to the following table.
-
-[cols="1,1,1,1", options="header"]
-|===
-| Model Name | Parameter Size | Tokens/Context Window | Quantization Format
-| Name of model, sometimes with a version number.
-| LLMs are often compared by their number of parameters — higher numbers mean more powerful models.
-| Tokens are small chunks of input information. Tokens do not necessarily correspond to characters. You can use https://platform.openai.com/tokenizer[Tokenizer] to see how many tokens a given prompt might contain.
-| Quantization reduces overall parameters and helps the model to run faster, but reduces accuracy.
-| Examples: Llama, Mistral, Phi-3, Falcon.
-| The number of parameters is a measure of the size and the complexity of the model. The more parameters a model has, the more data it can process, learn from, generate, and predict.
-| The context window defines how much information the model can process at once. If the number of input tokens exceeds this limit, input gets truncated.
-| Specific formats for quantization vary, most models now support GPU rather than CPU offloading.
-|===
-
-[discrete]
-== Load a model in LM Studio
-
-After downloading a model, load it in LM Studio using the GUI or LM Studio's https://lmstudio.ai/blog/lms[CLI tool].
-
-[discrete]
-=== Option 1: load a model using the CLI (Recommended)
-
-It is a best practice to download models from the marketplace using the GUI, and then load or unload them using the CLI.
The GUI allows you to search for models, whereas the CLI allows you to use `lms get` to search for models. The CLI provides a good interface for loading and unloading.
-
-Once you've downloaded a model, use the following commands in your CLI:
-
-1. Verify LM Studio is installed: `lms`
-2. Check LM Studio's status: `lms status`
-3. List all downloaded models: `lms ls`
-4. Load a model: `lms load`.
-
-image::images/lms-cli-welcome.png[The CLI interface during execution of initial LM Studio commands]
-
-After the model loads, you should see a `Model loaded successfully` message in the CLI. Select a model using the arrow and *Enter* keys.
-
-image::images/lms-studio-model-loaded-msg.png[The CLI message that appears after a model loads]
-
-To verify which model is loaded, use the `lms ps` command.
-
-image::images/lms-ps-command.png[The CLI message that appears after running lms ps]
-
-If your model uses NVIDIA drivers, you can check the GPU performance with the `sudo nvidia-smi` command.
-
-[discrete]
-=== Option 2: load a model using the GUI
-
-Refer to the following video to see how to load a model using LM Studio's GUI. You can change the **port** setting, which is referenced in the Nginx configuration file. Note that the **GPU offload** was set to **Max**.
-
-=======
-++++
-
-
-
-++++
-=======
-
-[discrete]
-== (Optional) Collect logs using Elastic's Custom Logs integration
-
-You can monitor the performance of the host running LM Studio using Elastic's {integrations-docs}/log[Custom Logs integration]. This can also help with troubleshooting. Note that the default path for LM Studio logs is `/tmp/lmstudio-server-log.txt`, as in the following screenshot:
-
-image::images/lms-custom-logs-config.png[The configuration window for the custom logs integration]
-
-[discrete]
-== Configure the connector in your Elastic deployment
-
-Finally, configure the connector:
-
-1. Log in to your Elastic deployment.
-2. Find the **Connectors** page in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Then click **Create Connector**, and select **OpenAI**. The OpenAI connector enables this use case because LM Studio uses the OpenAI SDK.
-3. Name your connector to help keep track of the model version you are using.
-4. Under **Select an OpenAI provider**, select **Other (OpenAI Compatible Service)**.
-5. Under **URL**, enter the domain name specified in your Nginx configuration file, followed by `/v1/chat/completions`.
-6. Under **Default model**, enter `local-model`.
-7. Under **API key**, enter the secret token specified in your Nginx configuration file.
-8. Click **Save**.
-
-image::images/lms-edit-connector.png[The Edit connector page in the {security-app}, with appropriate values populated]
-
-Setup is now complete. You can use the model you've loaded in LM Studio to power Elastic's generative AI features. You can test a variety of models as you interact with AI Assistant to see what works best without having to update your connector.
-
-NOTE: While local models work well for <>, we recommend you use one of <> for interacting with <>. As local models become more performant over time, this is likely to change.
diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc
deleted file mode 100644
index 2a509e8123..0000000000
--- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc
+++ /dev/null
@@ -1,305 +0,0 @@
-[[cspm-get-started]]
-= Get started with CSPM for AWS
-
-[discrete]
-[[cspm-overview]]
-== Overview
-
-This page explains how to get started monitoring the security posture of your cloud assets using the Cloud Security Posture Management (CSPM) feature.
-
-.Requirements
-[sidebar]
---
-* Minimum privileges vary depending on whether you need to read, write, or manage CSPM data and integrations. Refer to <>.
-* The CSPM integration is available to all {ecloud} users. On-premise deployments require an https://www.elastic.co/pricing[Enterprise subscription].
-* CSPM only works in the `Default` {kib} space. Installing the CSPM integration on a different {kib} space will not work.
-* CSPM is supported only on AWS, GCP, and Azure commercial cloud platforms, and AWS GovCloud. Other government cloud platforms are not supported. https://github.com/elastic/kibana/issues/new/choose[Click here to request support].
-* The user who gives the CSPM integration AWS permissions must be an AWS account `admin`.
---
-
-[discrete]
-[[cspm-setup]]
-== Set up CSPM for AWS
-
-You can set up CSPM for AWS either by enrolling a single cloud account, or by enrolling an organization containing multiple accounts. Either way, first you will add the CSPM integration, then enable cloud account access. Two deployment technologies are available: agentless, and agent-based. <> allows you to collect cloud posture data without having to manage the deployment of {agent} in your cloud. <> requires you to deploy and manage {agent} in the cloud account you want to monitor.
-
-[discrete]
-[[cspm-aws-agentless]]
-== Agentless deployment
-
-. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
-. Search for `CSPM`, then click on the result.
-. Click *Add Cloud Security Posture Management (CSPM)*.
-. 
Select *AWS*, then either *AWS Organization* to onboard multiple accounts, or *Single Account* to onboard an individual account.
-. Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`.
-. Click **Advanced options**, then select **Agentless (BETA)**.
-. Next, you'll need to authenticate to AWS. Two methods are available:
-.. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation.
-+
-NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**.
-+
-.. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <>.
-. Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes.
-
-IMPORTANT: Agentless deployment does not work if you are using {cloud}/ec-traffic-filtering-deployment-configuration.html[Traffic filtering].
-
-[discrete]
-[[cspm-aws-agent-based]]
-== Agent-based deployment
-
-[discrete]
-[[cspm-add-and-name-integration]]
-=== Add the CSPM integration
-. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field].
-. Search for `CSPM`, then click on the result.
-. Click *Add Cloud Security Posture Management (CSPM)*.
-. Select *AWS*, then either *AWS Organization* to onboard multiple accounts, or *Single Account* to onboard an individual account.
-. 
Give your integration a name that matches the purpose or team of the AWS account/organization you want to monitor, for example, `dev-aws-account`.
-
-
-[discrete]
-[[cspm-set-up-cloud-access-section]]
-=== Set up cloud account access
-The CSPM integration requires access to AWS's built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] in order to discover and evaluate resources in your cloud account. There are several ways to provide access.
-
-For most use cases, the simplest option is to use AWS CloudFormation to automatically provision the necessary resources and permissions in your AWS account. This method, as well as several manual options, are described below.
-
-
-[discrete]
-[[cspm-set-up-cloudformation]]
-=== CloudFormation (recommended)
-. In the *Add Cloud Security Posture Management (CSPM) integration* menu, under *Setup Access*, select *CloudFormation*.
-. In a new browser tab or window, log in as an admin to the AWS account or organization you want to onboard.
-. Return to your {kib} tab. Click *Save and continue* at the bottom of the page.
-. Review the information, then click *Launch CloudFormation*.
-. A CloudFormation template appears in a new browser tab.
-. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip.
-. (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner.
-. Tick the checkbox under *Capabilities* to authorize the creation of necessary resources.
-+
-image::images/cspm-cloudformation-template.png[The Add permissions screen in AWS]
-+
-. 
At the bottom of the template, select *Create stack*.
-
-When you return to {kib}, click *View assets* to review the data being collected by your new integration.
-
-
-[discrete]
-[[cspm-setup-organization-manual]]
-=== Manual authentication for organization-level onboarding
-
-NOTE: If you're onboarding a single account instead of an organization, skip this section.
-
-When using manual authentication to onboard at the organization level, you need to configure the necessary permissions using the AWS console for the organization where you want to deploy:
-
-* In the organization's management account (root account), create an IAM role called `cloudbeat-root` (the name is important). The role needs several policies:
-
-** The following inline policy:
-
-.Click to expand policy
-[%collapsible]
-====
-```
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "organizations:List*",
- "organizations:Describe*"
- ],
- "Resource": "*",
- "Effect": "Allow"
- },
- {
- "Action": [
- "sts:AssumeRole"
- ],
- "Resource": "*",
- "Effect": "Allow"
- }
- ]
-}
-```
-====
-
-** The following trust policy:
-
-.Click to expand policy
-[%collapsible]
-====
-```
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam:::root"
- },
- "Action": "sts:AssumeRole"
- },
- {
- "Effect": "Allow",
- "Principal": {
- "Service": "ec2.amazonaws.com"
- },
- "Action": "sts:AssumeRole"
- }
- ]
-}
-```
-====
-
-** The AWS-managed `SecurityAudit` policy.
-
-IMPORTANT: You must replace `` in the trust policy with your AWS account ID.
-
-* Next, for each account you want to scan in the organization, create an IAM role named `cloudbeat-securityaudit` with the following policies:
-** The AWS-managed `SecurityAudit` policy.
-
-** The following trust policy:
-
-.Click to expand policy
-[%collapsible]
-====
-```
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam:::role/cloudbeat-root"
- },
- "Action": "sts:AssumeRole"
- }
- ]
-}
-```
-====
-
-IMPORTANT: You must replace `` in the trust policy with your AWS account ID.
-
-After creating the necessary roles, authenticate using one of the manual authentication methods.
-
-IMPORTANT: When deploying to an organization using any of the authentication methods below, you need to make sure that the credentials you provide grant permission to assume `cloudbeat-root` privileges.
-
-[discrete]
-[[cspm-set-up-manual]]
-=== Manual authentication methods
-
-* <>
-* <>
-* <>
-* <>
-* <>
-
-IMPORTANT: Whichever method you use to authenticate, make sure AWS’s built-in https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions.html#jf_security-auditor[`SecurityAudit` IAM policy] is attached.
-
-[discrete]
-[[cspm-use-instance-role]]
-==== Option 1 - Default instance role
-
-NOTE: If you are deploying to an AWS organization instead of an AWS account, you should already have <>, `cloudbeat-root`. Skip to step 2 "Attach your new IAM role to an EC2 instance", and attach this role. You can use either an existing or new EC2 instance.
-
-Follow AWS's https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html[IAM roles for Amazon EC2] documentation to create an IAM role using the IAM console, which automatically generates an instance profile.
-
-. Create an IAM role:
-.. In AWS, go to your IAM dashboard. Click *Roles*, then *Create role*.
-.. On the *Select trusted entity* page, under **Trusted entity type**, select *AWS service*.
-.. Under **Use case**, select *EC2*. Click *Next*.
-+
-image::images/cspm-aws-auth-1.png[The Select trusted entity screen in AWS]
-+
-.. On the *Add permissions* page, search for and select `SecurityAudit`. Click *Next*.
-
-+
-image::images/cspm-aws-auth-2.png[The Add permissions screen in AWS]
-+
-.. On the *Name, review, and create* page, name your role, then click *Create role*.
-. Attach your new IAM role to an EC2 instance:
-.. In AWS, select an EC2 instance.
-.. Select *Actions > Security > Modify IAM role*.
-+
-image::images/cspm-aws-auth-3.png[The EC2 page in AWS, showing the Modify IAM role option]
-+
-.. On the *Modify IAM role* page, search for and select your new IAM role.
-.. Click *Update IAM role*.
-.. Return to {kib} and <>.
-
-IMPORTANT: Make sure to deploy the CSPM integration to this EC2 instance. When completing setup in {kib}, in the **Setup Access* section, select *Assume role**. Leave **Role ARN** empty for agentless deployments. For agent-based deployments, leave it empty unless you want to specify a role the {agent} should assume instead of the default role for your EC2 instance. Click **Save and continue**.
-
-[discrete]
-[[cspm-use-keys-directly]]
-==== Option 2 - Direct access keys
-Access keys are long-term credentials for an IAM user or AWS account root user. To use access keys as credentials, you must provide the `Access key ID` and the `Secret Access Key`. After you provide credentials, <>.
-
-For more details, refer to https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html[Access Keys and Secret Access Keys].
-
-IMPORTANT: You must select *Programmatic access* when creating the IAM user.
-
-[discrete]
-[[cspm-use-temp-credentials]]
-==== Option 3 - Temporary security credentials
-You can configure temporary security credentials in AWS to last for a specified duration. They consist of an access key ID, a secret access key, and a session token, which is typically found using `GetSessionToken`.
-
-Because temporary security credentials are short term, once they expire, you will need to generate new ones and manually update the integration's configuration to continue collecting cloud posture data.
Update the credentials before they expire to avoid data loss.
-
-NOTE: IAM users with multi-factor authentication (MFA) enabled need to submit an MFA code when calling `GetSessionToken`. For more details, refer to AWS's https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[Temporary Security Credentials] documentation.
-
-You can use the AWS CLI to generate temporary credentials. For example, you could use the following command if you have MFA enabled:
-
-[source,console]
-----------------------------------
-sts get-session-token --serial-number arn:aws:iam::1234:mfa/your-email --duration-seconds 129600 --token-code 123456
-----------------------------------
-
-The output from this command includes the following fields, which you should provide when configuring the CSPM integration:
-
-* `Access key ID`: The first part of the access key.
-* `Secret Access Key`: The second part of the access key.
-* `Session Token`: The required token when using temporary security credentials.
-
-After you provide credentials, <>.
-
-[discrete]
-[[cspm-use-a-shared-credentials-file]]
-==== Option 4 - Shared credentials file
-If you use different AWS credentials for different tools or applications, you can use profiles to define multiple access keys in the same configuration file. For more details, refer to AWS' https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html[Shared Credentials Files] documentation.
-
-Instead of providing the `Access key ID` and `Secret Access Key` to the integration, provide the information required to locate the access keys within the shared credentials file:
-
-* `Credential Profile Name`: The profile name in the shared credentials file.
-* `Shared Credential File`: The directory of the shared credentials file.
-
-If you don't provide values for all configuration fields, the integration will use these defaults:
-
-- If `Access key ID`, `Secret Access Key`, and `ARN Role` are not provided, then the integration will check for `Credential Profile Name`.
-- If there is no `Credential Profile Name`, the default profile will be used.
-- If `Shared Credential File` is empty, the default directory will be used.
- - For Linux or Unix, the shared credentials file is located at `~/.aws/credentials`.
-
-After providing credentials, <>.
-
-[discrete]
-[[cspm-use-iam-arn]]
-==== Option 5 - IAM role Amazon Resource Name (ARN)
-An IAM role Amazon Resource Name (ARN) is an IAM identity that you can create in your AWS account. You define the role's permissions. Roles do not have standard long-term credentials such as passwords or access keys. Instead, when you assume a role, it provides temporary security credentials for your session.
-
-To use an IAM role ARN, select *Assume role* under *Preferred manual method*, enter the ARN, and continue to Finish manual setup.
-
-[discrete]
-[[cspm-finish-manual]]
-=== Finish manual setup
-Once you’ve provided AWS credentials, under *Where to add this integration*:
-
-If you want to monitor an AWS account or organization where you have not yet deployed {agent}:
-
-* Select *New Hosts*.
-* Name the {agent} policy. Use a name that matches the purpose or team of the cloud account or accounts you want to monitor. For example, `dev-aws-account`.
-* Click *Save and continue*, then *Add {agent} to your hosts*. The *Add agent* wizard appears and provides {agent} binaries, which you can download and deploy to your AWS account.
-
-If you want to monitor an AWS account or organization where you have already deployed {agent}:
-
-* Select **Existing hosts**.
-* Select an agent policy that applies the AWS account you want to monitor.
-* Click **Save and continue**.
diff --git a/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc b/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc
index 3f24a15672..72240746ac 100644
--- a/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc
+++ b/docs/detections/prebuilt-rules/rule-details/multiple-vault-web-credentials-read.asciidoc
@@ -61,23 +61,13 @@ sequence by winlog.computer_name, winlog.process.pid with maxspan=1s
 [any where event.code : "5382" and
 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
-<<<<<<< HEAD
 not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-
- [any where event.code : "5382" and
- (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
- not winlog.event_data.Resource : "http://localhost/"]
-=======
- not winlog.event_data.SubjectLogonId : "0x3e7" and
 not winlog.event_data.Resource : ""]
 [any where event.code : "5382" and
 (winlog.event_data.SchemaFriendlyName : "Windows Web Password Credential" and winlog.event_data.Resource : "http*") and
- not winlog.event_data.SubjectLogonId : "0x3e7" and
+ not winlog.event_data.SubjectLogonId : "0x3e7" and
 not winlog.event_data.Resource : ""]
->>>>>>> 16334698 (Replace placeholder URLs (#6990))
 ----------------------------------
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc
deleted file mode 100644
index 56582ce18c..0000000000
--- a/docs/release-notes/8.16.asciidoc
+++ /dev/null
@@ -1,893 +0,0 @@ -[[release-notes-header-8.16.0]] -== 8.16 - -[discrete] -[[release-notes-8.16.6]] -=== 8.16.6 - -[discrete] -[[known-issue-8.16.6]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Installing an {elastic-defend} integration or a new agent policy upgrades installed prebuilt rules, overwriting user-added actions and exceptions -[%collapsible] -==== -*Details* + -When you install an {elastic-defend} integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions. - -*Workaround* + -To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten. - -*Resolved* + -This issue is fixed in {stack} versions 8.17.6, 8.18.1, and 9.0.1. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.6]] -==== Bug fixes -* Fixes a bug that prevented you from changing column widths in Timeline ({kibana-pull}214178[#214178]). -* Fixes a bug that prevented you from being able to save event filters ({kibana-pull}213805[#213805]). -* Allows Automatic Import to handle a variety of structures when parsing system logs ({kibana-pull}212611[#212611]). -* Fixes a bug that prevented the selected data view and **Show only detection alerts** option from being reliably persisted in Timeline ({kibana-pull}211343[#211343]). -* Fixes a rare upgrade failure when {elastic-defend} has tamper protection enabled. -* Fixes a bug in the scan response action that can crash {elastic-defend}. 
-* Fixes a potential {elastic-defend} crash when generating multiple ransomware alerts on Windows. This issue was simultaneously mitigated by a cloud artifact update (manifest version 1.0.1381) on February 24, 2025. Internet-connected instances of {elastic-defend} will automatically receive this update -- no user intervention required. Air-gapped customers hosting their own artifacts should follow <>. We would like to acknowledge https://www.todyl.com[Todyl] for their assistance with this issue. -* Fixes a bug in {elastic-defend} for Linux where tty capture limit defaults were ignored. - -[discrete] -[[release-notes-8.16.5]] -=== 8.16.5 - -[discrete] -[[known-issue-8.16.5]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). 
This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
- -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.5]] -==== Bug fixes -* Fixes an issue with the Event Rendered View in the Alerts table where the table would sometimes have a height of zero and become unusable ({kibana-pull}212130[#212130]). -* Updated the `allocate_shellcode` {elastic-defend} API event behavior to explicitly only apply to unbacked memory. - -[discrete] -[[release-notes-8.16.4]] -=== 8.16.4 - -[discrete] -[[known-issue-8.16.4]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
-==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[features-8.16.4]] -==== New features -* Adds the `advanced.malware.max_file_size_bytes` <>, which allows you to control the maximum file size for malware protection. - -[discrete] -[[enhancements-8.16.4]] -==== Enhancements -* Enhances the performance of {elastic-defend} network events monitoring for better CPU utilization and responsiveness. -* Adds byte counts to Linux {elastic-defend} network disconnect events. - -[discrete] -[[bug-fixes-8.16.4]] -==== Bug fixes -* Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they're passed as a single string ({kibana-pull}209475[#209475]). 
-* Fixes an AI Assistant bug that prevented you from selecting different connector types after initially choosing one ({kibana-pull}208969[#208969]). -* Adds missing fields to Automatic Import's input manifest templates ({kibana-pull}208768[#208768]). -* Ensures that Automatic Import's structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character ({kibana-pull}209736[#209736]). -* Adds fields that are missing from Automatic Import's `aws-s3-manifest.yml` file ({kibana-pull}208080[#208080]). -* Allows {elastic-defend} to detect or prevent malware process or image loads from WebDAV servers. -* Allows {elastic-defend} to bypass network traffic from other computers when promiscuous mode is enabled on Windows. -* Fixes a bug with the `get-file` Endpoint response action. When you used the `get-file` response action to retrieve a Windows Alternate Data Stream, the resulting `.zip` archive would contain a checksum error that made it unusable by most zip tools. -* Increases the maximum number of ETW buffers that {elastic-defend} can use. -* Fixes a bug in {elastic-defend} where a combination of "descendent of process" event filters and unenriched events would not match other event filters. -* Fixes an issue where {elastic-defend} wasn't correctly populating `event.created` for process events on Windows. -* When aggregating events, {elastic-defend} was using the final event's timestamp for the aggregated event, which was a bug. Now, {elastic-defend} will use the first event's timestamp as originally intended. 
- -[discrete] -[[release-notes-8.16.3]] -=== 8.16.3 - -[discrete] -[[known-issue-8.16.3]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
- -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.3]] -==== Bug fixes - -* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). -* Improves how the rule query field handles whitespace for long pre-formatted texts. 
This fix only applies to Firefox, not Chrome or Safari ({kibana-pull}203993[#203993]). -* Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]). -* Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned ({kibana-pull}203820[#203820]). -* Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]). -* Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases ({kibana-pull}205138[#205138]). -* Lists all policies to ensure that integrations are properly displayed ({kibana-pull}205103[#205103]). -* Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. -+ -Affected users who are unable to upgrade should set one or both of the following in their {elastic-defend} advanced policy, depending on their version: - -** `windows.advanced.events.process.creation_flags: false` (8.13.0 - 8.16.1) -** `windows.advanced.memory_protection.shellcode_trampoline_detection: false` (8.12.0 - 8.16.2) -* Fixes an {elastic-defend} bug that could cause the Windows API event call stack enrichment to fail for processes that started before {elastic-defend} and if another security product was present and hooking system DLLs. -* Fixes an {elastic-defend} bug that caused Windows API events involving `mswsock.dll` to be mislabeled with the `proxy_call` behavior. 
- -[discrete] -[[release-notes-8.16.2]] -=== 8.16.2 - -[discrete] -[[known-issue-8.16.2]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. 
- -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.2]] -==== Bug fixes - -* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). 
-* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). -* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). -* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). -* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). -* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). -* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). -* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). -* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). -* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in the Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator. - -[discrete] -[[release-notes-8.16.1]] -=== 8.16.1 - -[discrete] -[[known-issue-8.16.1]] -==== Known issues - -// tag::known-issue[201820] -[discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) -[%collapsible] -==== -*Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). 
This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). - -*Workaround* + -Upgrade to 8.16.2, or follow the workarounds below. - -For custom rules: - -. From the **Rules** page, <> the rule or rules with the affected exception lists. -. Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. - -For prebuilt rules: - -NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. - -. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: -.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. -.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: -+ -[source,console] ----- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ----- -+ -.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. -+ -[source,console] ----- -{ - "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", - "exceptions_list": [ - { - "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", - "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", - "namespace_type": "single" - } - ] -} ----- -+ -. 
Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: -+ -[source,console] ----- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ----- -+ -. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. - -*Resolved* + -On December 17, 2024, this issue was resolved. - -==== -// end::known-issue[201820] - -// tag::known-issue[] -[discrete] -.Manually running threshold rules may generate duplicate alerts -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.16.1]] -==== Bug fixes -* Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]). -* Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]). -* Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]). 
-* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]).
-* Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]).
-* Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]).
-* Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]).
-* Fixes a time skew bug that occurred when Linux virtual machines using eBPF event probes were suspended and then resumed.
-
-[discrete]
-[[release-notes-8.16.0]]
-=== 8.16.0
-
-[discrete]
-[[known-issue-8.16.0]]
-==== Known issues
-
-// tag::known-issue[201820]
-[discrete]
-.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`)
-[%collapsible]
-====
-*Details* +
-On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]).
-
-*Workaround* +
-Upgrade to 8.16.2, or follow the workarounds below.
-
-For custom rules:
-
-. From the **Rules** page, <> the rule or rules with the affected exception lists.
-. Modify the `.ndjson` file so `comments` no longer contain newline characters.
-. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option.
-
-For prebuilt rules:
-
-NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page.
-
-. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:
-.. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`.
-.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`:
-+
-[source,console]
-----
-curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e
-----
-+
-.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.
-+
-[source,console]
-----
-{
- "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
- "exceptions_list": [
- {
- "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
- "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
- "namespace_type": "single"
- }
- ]
-}
-----
-+
-. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call:
-+
-[source,console]
-----
-curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
-----
-+
-. 
Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`).
-. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.
-
-*Resolved* +
-On December 17, 2024, this issue was resolved.
-
-====
-// end::known-issue[201820]
-
-// tag::known-issue[]
-[discrete]
-.Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error
-[%collapsible]
-====
-*Details* +
-Updating a Knowledge Base entry of type "index" results in an error.
-
-*Workaround* +
-Instead of updating an "index" entry, delete it and add it again with the desired changes.
-
-====
-// end::known-issue[]
-
-// tag::known-issue[]
-[discrete]
-.Manually running threshold rules may generate duplicate alerts
-[%collapsible]
-====
-*Details* +
-On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution.
-
-====
-// end::known-issue[]
-
-// tag::known-issue[]
-[discrete]
-.Manually running custom query rules with suppression could suppress more alerts than expected
-[%collapsible]
-====
-*Details* +
-On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
-
-====
-// end::known-issue[]
-
-// tag::known-issue-53[]
-[discrete]
-.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space
-[%collapsible]
-====
-*Details* +
-On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space.
-
-*Workaround* +
-Manually edit your browser's local storage and refresh the **Alerts** page:
-
-NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using.
-
-. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools.
-. Go to *Application -> Storage*, then expand *Local Storage*.
-. Click on the name of your Kibana instance, for example, :1234.
-. Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space.
-. Refresh the **Alerts** page to reload it.
-
-*Resolved* +
-This issue is fixed in {stack} version 8.16.1.
-
-====
-// end::known-issue-53[]
-
-// tag::known-issue[]
-[discrete]
-.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
-[%collapsible]
-====
-*Details* +
-
-An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks\--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
- -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[breaking-changes-8.16.0]] -==== Breaking changes - -* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting. 
During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body `{ "message": "{kib} is shutting down and not accepting new incoming requests" }`.
-
-[discrete]
-[[features-8.16.0]]
-==== New features
-
-* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]).
-* Enables agentless deployment for Elastic's Cloud Security Posture Management integration and the new Cloud Asset Inventory integration ({kibana-pull}191557[#191557]).
-* Enables data collected by the Wiz and AWS Security Hub integrations to appear on the Findings page and in entity details flyouts (https://github.com/elastic/integrations/pull/10790[#10790], https://github.com/elastic/integrations/pull/11158[#11158]).
-* Enables alerts collected by the Falco integration to appear on the Alerts page (https://github.com/elastic/integrations/pull/9619[#9619], https://github.com/elastic/integrations/pull/11051[#11051]).
-* Adds ability to manually run rules for a specified time period, either for testing purposes or to generate alerts for past events.
-* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]).
-* Adds the ability to attach notes to alerts and events and introduces the Notes page, which allows you to manage all existing notes ({kibana-pull}186787[#186787], {kibana-pull}186807[#186807], {kibana-pull}186931[#186931], {kibana-pull}186946[#186946], {kibana-pull}187214[#187214], {kibana-pull}193373[#193373]).
-* Enables detection rules to automatically execute system actions, such as opening a case ({kibana-pull}183937[#183937]).
-* Adds role-based access control (RBAC) for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]).
-* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]).
-* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <> workflows by default ({kibana-pull}196270[#196270]).
-* Introduces the entity store as a technical preview feature, which allows observed, imported, integrated, or uploaded entities to be stored persistently ({kibana-pull}192806[#192806]).
-* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]).
-* Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]).
-* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
-* Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]).
-* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]).
-+
-IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.
-* Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
-* Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default.
To turn it on, configure the `[os].advanced.set_extended_host_information` <>.
-* Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <>.
-* Allows you to reduce CPU usage, I/O, and event sizes by turning off MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`.
-* Allows you to configure your {elastic-defend} integration policy to collect SHA-256 file hashes in file events. Before doing so, consider the following caveats:
-** This can greatly increase {elastic-defend}'s CPU and I/O utilization and impact system responsiveness.
-** This can significantly delay event enrichment and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior.
-** This can cause event processing queues to overflow and lead to dropped events.
-** Many file events won't contain hashes. Hash collection is the best effort and is not guaranteed to be present in every event. Hashes are collected asynchronously and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing].
-* Improves {elastic-defend} by enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the Kafka output.
-* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity.
-
-[discrete]
-[[enhancements-8.16.0]]
-==== Enhancements
-* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]).
-* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]).
-* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]).
-* Adds an **Other** option to the OpenAI connector's **Select an OpenAI provider** dropdown menu. Select this option when <> ({kibana-pull}194831[#194831]).
-* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]).
-* Adds an **Install and enable** button to the **Add Elastic Rules** page, which allows for rules to be immediately enabled after they're installed ({kibana-pull}191529[#191529]).
-* Adds the **Alert Suppression** and **Investigative guide** fields to the rule upgrade workflow ({kibana-pull}195499[#195499]).
-* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]).
-* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]):
-** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page and is stored locally instead of in {es}.
-** Attack Discovery now combines related discoveries that would previously have appeared separately.
-** Attack Discovery now detects and displays an error instead of hallucinated output.
-* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]).
-* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]).
-* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]).
-* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]).
-* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]).
-* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]).
-* Allows Automatic Import to analyze a larger number of sample events when generating a new integration ({kibana-pull}196233[#196233]).
-* Allows Automatic Import to recognize CSV logs and create integrations for CSV data ({kibana-pull}196228[#196228], {kibana-pull}194386[#194386]).
-* Allows you to open the rule details flyout from the Alerts table ({kibana-pull}191764[#191764]).
-* Allows you to resize the alert and event details flyouts and choose how it's displayed in relation to the Alerts table (over or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]).
-* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]).
-* Adds support in all detection rule types for {elastic-defend}'s automated response actions ({kibana-pull}193390[#193390], {kibana-pull}191874[#191874]).
-* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis.
-* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`.
-* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions.
-* Ensures security artifacts are updated when the {elastic-defend} service starts.
-* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy.
-* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context.
-* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output.
-* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables the detection of certain defense evasions. You can turn this feature off in {elastic-defend} <> ({kibana-pull}190553[#190553]).
-* Restores {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0.
-* Improves {elastic-defend}'s caching to reduce memory usage on Windows.
-* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID.
-* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver.
-
-[discrete]
-[[bug-fixes-8.16.0]]
-==== Bug fixes
-
-* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]).
-* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]).
-* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]).
-* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]).
-* Improves the performance of the Alerts table ({kibana-pull}192827[#192827]).
-* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture findings ({kibana-pull}194069[#194069]).
-* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events.
-* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI.
-* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields.
-* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events.
-* Fixes a bug that prevented host name uniformity with {beats} products. If you request {elastic-defend} to use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default.
-* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts.
-* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy.
-* Fixes a race condition that could allow an attacker with administrative rights to disable {elastic-defend} on Windows. We would like to acknowledge Sean Moore (@Fr0g) at https://strafecybersecurity.com[strafecybersecurity.com] for their assistance.
-* Fixes scenarios where Automatic Import could generate invalid processors containing array access ({kibana-pull}196207[#196207]).
-* Improves Timeline's table performance when row renderers are switched on ({kibana-pull}193316[#193316]).
-* Fixes misaligned filter control labels on the Alerts page ({kibana-pull}192094[#192094]).
\ No newline at end of file
diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc
deleted file mode 100644
index be9c0ebc39..0000000000
--- a/docs/release-notes/8.8.asciidoc
+++ /dev/null
@@ -1,508 +0,0 @@
-[[release-notes-header-8.8.0]]
-== 8.8
-
-[discrete]
-[[release-notes-8.8.2]]
-=== 8.8.2
-
-[discrete]
-[[known-issue-8.8.2]]
-==== Known issues
-* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
-* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
-* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
-* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
-
-** Open alerts in Timeline.
-** Adjust the Alerts table size. Do one of the following:
-
-*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
-*** Adjust your OS zoom settings and refresh the page.
-
-** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
-* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
-+
-NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
-
-+
-The workaround for this issue depends on the types of alerts you want to display in the Alerts table.
Choose the case that's most relevant to you:
-
-+
-**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page:
-
-+
-NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using.
-+
-
-. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools.
-. Go to *Application -> Storage*, then expand *Local Storage*.
-. Click on the name of your Kibana instance, for example, :1234.
-. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns.
-. Paste the JSON blob into a text file and edit it as follows:
-.. Remove the `id:file.name` string from the `columns` array.
-.. Remove the `file.name` string from the `visibleColumns` array.
-. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key.
-. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column.
-+
-NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table.
-
-+
-**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:
-
-. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*.
-. Search for the `file.name` field, de-select it, and click *Close*.
-. Refresh the Alerts page.
-
-[discrete]
-[[breaking-changes-8.8.2]]
-==== Breaking changes
-
-There are no breaking changes in 8.8.2.
-
-[discrete]
-[[enhancements-8.8.2]]
-==== Enhancements
-There are no user-facing changes in 8.8.2.
-
-[discrete]
-[[bug-fixes-8.8.2]]
-==== Bug fixes
-* Fixes a bug that affected links to {kib} results generated by actions on rules from non-default {kib} spaces ({kibana-pull}159966[#159966]).
-* Fixes a bug that prevented users from saving a Timeline after adding a `number` field ({kibana-pull}159723[#159723]).
-* Fixes a bug that caused error messages to wrongfully display if users selected uninstalled {ml} jobs while creating a {ml} rule ({kibana-pull}159316[#159316]).
-* Removes hover actions from tables within the Detection & Response dashboard when the alert count is zero ({kibana-pull}158902[#158902]).
-* Fixes bugs in the Anomalies table that left {ml} jobs greyed out after they were installed ({kibana-pull}158821[#158821]) and that stopped some job counts from appearing ({kibana-pull}158739[#158739]).
-* Fixes a bug that caused the **Add exceptions flyout** to load indefinitely and display an out of memory error when a rule had a large number of unmapped fields in multiple indices ({kibana-pull}159216[#159216]).
-* Fixes a bug that prevented cell actions on fields with multiple values in the Alerts table ({kibana-pull}158060[#158060]).
-* Fixes a bug that caused the Alerts page to query unnecessary indices ({kibana-pull}157286[#157286]).
-* Fixes a bug that broke the mustache syntax for variables in rule actions ({kibana-pull}160446[#160446]).
-* Fixes a bug that caused exception items to be erroneously duplicated if you modified an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specified its `item_id` ({kibana-pull}159223[#159223]).
-+
-NOTE: If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.
-
-** **Query for finding exception documents that were duplicated from only specifying the `item_id`:**
-+
-[source,kibana]
----------------------------------
-// Retrieve exception documents grouped by `item_id`.
-// Each bucket contains all duplicates of that document.
-GET .kibana*/_search
-{
- "query": {
- "bool": {
- "filter": [
- {
- "match": {
- "type": "exception-list"
- }
- }
- ]
- }
- },
- "aggs": {
- "item_id_duplicates": {
- "terms": {
- "field": "exception-list.item_id",
- "min_doc_count": 2
- },
- "aggs": {
- "ids": {
- "top_hits": {
- "size": 100, // Increase this if you may have more duplicates.
- "_source": false
- }
- }
- }
- }
- },
- "size": 0
-}
----------------------------------
-
-** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:**
-+
-[source,kibana]
----------------------------------
-// Each item returned lost its `item_id`, which is expected to be present and unique.
-GET .kibana*/_search
-{
- "query": {
- "bool": {
- "filter": [
- {
- "term": {
- "exception-list.list_type": "item"
- }
- }
- ],
- "must_not": [
- {
- "exists": {
- "field": "exception-list.item_id"
- }
- }
- ]
- }
- }
-}
----------------------------------
-
-
-[discrete]
-[[release-notes-8.8.1]]
-=== 8.8.1
-
-[discrete]
-[[known-issue-8.8.1]]
-==== Known issues
-* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
-* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
-* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
- -* If you modify an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API. - -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. 
To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. - -+ -The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, :1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. 
Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.8.1]] -==== Breaking changes - -There are no breaking changes in 8.8.1. - -[discrete] -[[features-8.8.1]] -==== New features - -* Introduces the Generative AI connector and <> for {elastic-sec} ({kibana-pull}157228[#157228], {kibana-pull}156933[#156933]). - -[discrete] -[[bug-fixes-8.8.1]] -==== Bug fixes -* Fixes a bug that made field types appear as `unknown` within the **Fields** browser and when examining alert or event details ({kibana-pull}158594[#158594]). -* Fixes a bug that caused all field types in the **Fields** browser to appear as `unknown` ({kibana-pull}158594[#158594]). -* Fixes a bug that caused the **Add rule exception** flyout to load indefinitely when index fields couldn't be retrieved ({kibana-pull}158371[#158371]). -* Provides support for using field names with wildcards in rule queries ({kibana-pull}157981[#157981]). -* Fixes CSS style issues on the rule details page ({kibana-pull}157935[#157935]). 
-* Fixes a bug that caused the `A-Z` option to incorrectly display on Alerts table sorting menus ({kibana-pull}157653[#157653]). -* Allows users to scroll through long error messages on the rule details page ({kibana-pull}157271[#157271]). - -[discrete] -[[release-notes-8.8.0]] -=== 8.8.0 - -To view a detailed summary of the latest features and enhancements, check out our {security-guide}/whats-new.html[release highlights]. - -[discrete] -[[known-issue-8.8.0]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. -* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. -* {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1. -* All field types in the **Fields** browser appear as `unknown`. -* If you modify an exception item using the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the {api-kibana}/operation/operation-updateexceptionlistitem[Update an exception list item] API. 
- -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Change your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) 
- -* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. - -+ -The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, :1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. 
-+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.8.0]] -==== Breaking changes - -* The privileges for attaching alerts to cases have changed. Now, you need at least `Read` privileges for Security and `All` privileges for Cases ({kibana-pull}147985[#147985]). -* Adds conditional actions to the rules API. In {elastic-sec} 8.7 and earlier, action frequencies were set on a rule level by defining the `throttle` field. In 8.8 and later, action frequencies are set at the action level, and the `throttle` field is replaced by the `frequency` and `alert_filters` fields. The following APIs are affected: -** https://www.elastic.co/guide/en/security/8.8/rules-api-get.html[Get rule] -** https://www.elastic.co/guide/en/security/8.8/rules-api-find.html[Find rules] -** https://www.elastic.co/guide/en/security/8.8/rules-api-create.html#optional-actions-fields-rule-create[Create rule] -** https://www.elastic.co/guide/en/security/8.8/rules-api-update.html#optional-actions-fields-rule-update[Update rule] -** https://www.elastic.co/guide/en/security/8.8/bulk-actions-rules-api.html#optional-actions-fields-bulk-update[Bulk rule actions] - -[discrete] -[[deprecations-8.8.0]] -==== Deprecations - -* The rule level `throttle` field is deprecated in {elastic-sec} 8.8 and is scheduled for end of life in Q4 of 2024. In {elastic-sec} 8.8 and later, we strongly recommend using the action level `frequency` field to set frequencies for individual rule actions. 
- -[discrete] -[[features-8.8.0]] -==== New features - -* Introduces <>, which scans your cloud VMs for vulnerabilities, and adds a tab to the Findings page that displays vulnerabilities ({kibana-pull}154388[#154388], {kibana-pull}154873[#154873], {kibana-pull}155045[#155045]). -* Introduces <>, which allows you to monitor and protect your Kubernetes workloads. -* Adds a new response action that allows you to execute commands on a selected host ({kibana-pull}150202[#150202]). -* Adds the `kibana.alert.url` field to alert documents. This field provides a shareable URL for the alert ({kibana-pull}155069[#155069]). -* Adds the ability to duplicate a shared exception list ({kibana-pull}154991[#154991]). -* Allows Timeline notes to be deleted ({kibana-pull}154834[#154834]). -* Allows you to specify conditions for when rule actions should run ({kibana-pull}154680[#154680]). -* Adds the ability to snooze rule notifications from the Rules table, the rule details page, or the Actions tab when editing a rule ({kibana-pull}153083[#153083], {kibana-pull}155407[#155407], {kibana-pull}155612[#155612]). -* Adds controls to the Alerts page that allow you to customize which filters appear at the top of the page ({kibana-pull}152450[#152450]). - -[discrete] -[[enhancements-8.8.0]] -==== Enhancements - -* Renames the Notable Anomalies section in the Entity Analytics dashboard to Anomalies ({kibana-pull}155687[#155687]). -* Displays additional {ml} anomaly jobs on the Entity Analytics dashboard ({kibana-pull}155520[#155520]). -* Makes alert count links on the Entity Analytics dashboard navigate to the Alerts page instead of opening in Timeline ({kibana-pull}153372[#153372]). -* Updates the Data Quality dashboard to include a new tree map and storage size metrics for each index ({kibana-pull}155581[#155581]). -* Adds cloud infrastructure-related fields to the alert details flyout highlighted fields section ({kibana-pull}155247[#155247]). 
-* Allows you to specify how to handle alert suppression for alerts with missing fields ({kibana-pull}155055[#155055]). -* Gives users more control over how they receive alert notifications and lets them define conditions that must be met for a notification to occur ({kibana-pull}154526[#154526]). -* Adds a warning message to tell you when a rule has reached the maximum number of alerts limit ({kibana-pull}154112[#154112]). -* Updates how browser field descriptions are provided to {kib} ({kibana-pull}153498[#153498]). -* Enables multi-level grouping for alerts on the Alerts page, based on various fields ({kibana-pull}152862[#152862]). -* Adds links to the Detection & Response and Entity Analytics dashboards that jump to the Alerts page with filters enabled ({kibana-pull}152714[#152714]). -* Updates the visualizations throughout {elastic-sec} to Lens visualizations ({kibana-pull}150531[#150531]). -* Adds a *Share alert* link to the alert details flyout ({kibana-pull}148800[#148800]). -* Adds a warning message to the Rules page when a maintenance window is running ({kibana-pull}155386[#155386]). -* Adds a global search bar to the Detections and Response and Entity Analytics dashboards ({kibana-pull}156832[#156832]). -* Adds the "Investigate in timeline" inline action to alert counts on the Detections and Response and Entity Analytics dashboards ({kibana-pull}154299[#154299]). -* Session view: Makes the row representing the session leader remain visible when you scroll past it, and adds a button to this row that allows you to collapse child processes ({kibana-pull}154982[#154982]). -* Reduces Linux process event volume by about 50% by combining `fork`, `exec`, and `end` events when they occur around the same time (does not affect queries of this data) ({kibana-pull}153213[#153213]). -* Updates where the technical preview tags appear for host risk score features ({kibana-pull}156659[#156659], {kibana-pull}156514[#156514]). 
-* Allows you to use fully qualified domain names (FQDNs) for hosts. To learn how to set a host name format in {fleet}, refer to {fleet-guide}/agent-policy.html[Elastic Agent policies]. - -[discrete] -[[bug-fixes-8.8.0]] -==== Bug fixes - -* Fixes a bug that interfered with the default time range when you opened an alert in Timeline ({kibana-pull}156884[#156884]). -* Fixes a bug that could cause the Alerts page to become unresponsive after entering an invalid query ({kibana-pull}156542[#156542]). -* Updates the colors used for entity analytic graphs to match those used for alert graphs ({kibana-pull}156383[#156383]). -* Fixes a bug that caused errors on the Data Quality dashboard when a `basePath` was configured ({kibana-pull}156233[#156233]). -* Fixes a bug that could cause problems when different users simultaneously edited a Timeline ({kibana-pull}155663[#155663]). -* Fixes a bug that could cause the wrong number of rules to appear in the modal for duplicating rules ({kibana-pull}155959[#155959]). -* Fixes a bug that could cause a blank option to appear in the Create rule exception form ({kibana-pull}155221[#155221]). -* Fixes issues that affected tags in the Add rule exception component of the Shared Exception Lists page ({kibana-pull}155219[#155219]). -* Fixes a bug that displayed an outdated count of affected rules on the Shared Exception Lists page ({kibana-pull}155108[#155108]). -* Improves performance for rendering indicator match alerts on the Alerts page ({kibana-pull}154821[#154821]). -* Fixes a bug that could affect alert prevalence counts on the Alerts page ({kibana-pull}154544[#154544]). -* Fixes a bug that could prevent you from using breadcrumbs to return to the Rules page ({kibana-pull}150322[#150322]). -* Fixes a bug that could prevent the *View all open alerts* button on the Detection and Response dashboard from applying the correct filters ({kibana-pull}156893[#156893]). 
-* Fixes several bugs related to session view and and Kubernetes dashboard ({kibana-pull}154982[#154982]). -* Fixes the delete index API so it only removes {elastic-sec} 7.x signals indices (`.siem-signals-`), index templates, and ILMs and doesn't delete 8.x alert indices (`.alerts-security.alerts-`). diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc deleted file mode 100644 index 95a9416d8c..0000000000 --- a/docs/release-notes/8.9.asciidoc +++ /dev/null 
@@ -1,187 +0,0 @@ -[[release-notes-header-8.9.0]] -== 8.9 - -[discrete] -[[release-notes-8.9.2]] -=== 8.9.2 - -[discrete] -[[bug-fixes-8.9.2]] -==== Bug fixes - -* Fixes a bug that prevented inline actions on the Alerts page from completing ({kibana-pull}165099[#165099]). -* Fixes a bug that prevented blocklist file path entries for Windows and macOS applications from being passed as case insensitive ({kibana-pull}164200[#164200]). -* Fixes a bug in the confirmation message that appears when duplicating a single rule ({kibana-pull}163908[#163908]). -* Fixes a bug on the rule details page that showed the **Data view** label twice if you were viewing a rule using a data view ({kibana-pull}164494[#164494]). -* Fixes a bug that affected Timeline when you investigated an alert created from a rule with exceptions ({kibana-pull}162190[#162190]). - -[discrete] -[[release-notes-8.9.1]] -=== 8.9.1 - -[discrete] -[[known-issue-8.9.1]] -==== Known issues - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. 
- -+ -The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, :1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. 
- -[discrete] -[[enhancements-8.9.1]] -==== Enhancements -* Event correlation queries and rules can now detect {ref}/eql-syntax.html#eql-missing-events[missing events] in EQL sequences. - -[discrete] -[[bug-fixes-8.9.1]] -==== Bug fixes - -* Fixes a copy to clipboard bug that affected non-ECS fields ({kibana-pull}162883[#162883]). -* Fixes number rounding issues in the *Top alerts by* table on the Alerts page ({kibana-pull}162647[#162647]). -* Fixes bug that prevented controls from being rendered on {elastic-sec} dashboards ({kibana-pull}162514[#162514]). -* Fixes a bug that prevented rule changes from being saved if a rule's action frequency was shorter than the rule run interval ({kibana-pull}160798[#160798]). - -[discrete] -[[release-notes-8.9.0]] -=== 8.9.0 - -[discrete] -[[known-issue-8.9.0]] -==== Known issues - -* On the new Detection rule monitoring dashboard, total `Rule executions` will not always equal the sum of `Succeeded`, `Warning`, and `Failed` executions. This is expected because rules can write multiple statuses per execution. One typical example is gap detection: if a rule detects a gap in rule execution it will write an intermediate `Failed` status, then continue to run, and write a final status (such as `Warning`) before finishing its execution. -* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. -* The `upload` response action does not report the correct amount of available disk space. The correct amount is approximately four. -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. 
-*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. - -+ -The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, :1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. 
The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.9.0]] -==== Breaking changes - -There are no breaking changes in 8.9.0. - -[discrete] -[[deprecations-8.9.0]] -==== Deprecations -* Removes the option to use the legacy navigation menu ({kibana-pull}158094[#158094]). -* General prebuilt threat indicator match rules were deprecated and replaced with improved indicator-type rules. - -[discrete] -[[features-8.9.0]] -==== New features -* Introduces the `top` command for MacOS and Linux, which shows active processes that {elastic-endpoint} is monitoring and recording. Processes are sorted by how much CPU they are causing {elastic-endpoint} to consume. Learn more about the `top` command by referring to the (https://www.github.com/elastic/endpoint/blob/main/EndpointTopCommand.md[readme]). -* Allows you to install the Cloud Security Posture Management (CSPM) integration via CloudFormation ({kibana-pull}159994[#159994]). -* Creates a new dashboard, Cloud Native Vulnerability Management, that provides an overview of vulnerabilities on your cloud hosts ({kibana-pull}159699[#159699]). -* Allows you to group vulnerabilities by resource (host) on the Vulnerabilities Findings page, and creates a Resource flyout that displays detailed vulnerability findings for individual hosts ({kibana-pull}159873[#159873], {kibana-pull}158987[#158987]). -* Adds a new custom dashboard, "Detection rule monitoring" ({kibana-pull}159875[#159875]). 
-* Allows you to anonymize event field values sent to AI Assistant ({kibana-pull}159857[#159857]). -* Adds a *Chat* button that opens AI Assistant to the alert details flyout ({kibana-pull}159633[#159633]). -* Updates AI Assistant to let you create and delete custom system prompts and default conversations ({kibana-pull}159365[#159365]). -* Allows you to add alert tags ({kibana-pull}157786[#157786]). -* Adds the ability to automatically isolate a host through a rule’s endpoint response action ({kibana-pull}152424[#152424]). -* Moves response actions to General Availability. -* Adds a new response action that allows you to upload files to an endpoint that has {elastic-endpoint} installed ({kibana-pull}157208[#157208]). -* Makes the Lateral Movement Detection advanced analytics package General Availability, and adds the ability to detect malicious activities in Windows RDP events (https://github.com/elastic/integrations/pull/6588[#6588]). - -[discrete] -[[enhancements-8.9.0]] -==== Enhancements -* Makes it easier to set up exceptions by auto-populating exception conditions and values with relevant alert data ({kibana-pull}159075[#159075]). -* Adds a *Last response* dropdown menu to the Rules table that allows you to filter rules by the status of their last execution ("Succeeded", "Warning", or "Failed") ({kibana-pull}159865[#159865]). -* Creates a Lens dashboard for monitoring the use of tokens by AI Assistant ({kibana-pull}159075[#159075]). -* Creates a connector for D3 Security ({kibana-pull}158569[#158569]). -* Improves the interface for installing and upgrading Elastic prebuilt rules ({kibana-pull}158450[#158450]). -* Shows a rule's actions on its details page ({kibana-pull}158189[#158189]). -* Allows you to add Lens visualizations to cases from the visualization's *More actions* menu ({kibana-pull}154918[#154918]). -* Adds a tooltip to snoozed rules that shows exactly when alerting will resume ({kibana-pull}157407[#157407]). 
-* Enhances the Data Exfiltration Detection package by adding the ability to detect exfiltration anomalies through USB devices and Airdrop (https://github.com/elastic/integrations/pull/6577[#6577]). - -[discrete] -[[bug-fixes-8.9.0]] -==== Bug fixes -* Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({kibana-pull}161331[#161331]). -* Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu ({kibana-pull}159908[#159908]). -* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule. -* Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({kibana-pull}157233[#157233]). -* Fixes a bug that allowed you to save a rule with an alert filter missing a query ({kibana-pull}159690[#159690]). -* Fixes unexpected filtering behavior on the Alerts page. Now, when you select a filter that excludes all alerts, an empty table now appears as expected ({kibana-pull}160374[#160374]). -* Fixes a UI bug where the **Label** field in the Investigation Guide form incorrectly turns red when the entered value is correct ({kibana-pull}160574[#160574], {kibana-pull}160577[#160577]). -* Fixes a bug that caused rules to snooze longer than specified ({kibana-pull}152873[#152873]).