IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
8.1
8.1.3
Known issues
- A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
Bug fixes and enhancements
8.1.2
Known issues
- A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
Bug fixes and enhancements
- Ensures Endpoint Security continues to run on all supported Windows versions by changing the primary signer of the elastic-endpoint.exe file from ELASTICSEARCH B.V. to Elasticsearch, Inc. (#15).
8.1.1
Known issues
- A bug significantly impacts UI responsiveness. Therefore, we recommend that you skip upgrading to this version.
- Endpoint Security cannot run on Windows 8.1 or Server 2012 R2 (#15).
- A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
Bug fixes and enhancements
- Fixes an Endpoint Security integration bug that prevented benign Windows files from being deleted under certain circumstances.
- Adds a notification to the Exception lists page that informs users if they are lacking certain role privileges (#126874).
- Turns off the Upload value lists option on the Rules page if users have Read Security privileges only (#126829).
- Removes the option to select rules in the All Rules table if users have Read Security privileges only (#126827).
8.1.0
Known issues
- An Endpoint Security integration bug prevents benign Windows files from being deleted under certain circumstances.
- On macOS versions before 12.4, if Elastic Endpoint is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.
- Indicator match rules cannot use the .items-* system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules (#133457).
- A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
Breaking changes
There are no breaking changes in 8.1.0.
Features
- Adds a Technical preview toggle above the Rules table which, when enabled, allows users to sort on all rule management columns (#119611).
- Introduces a new Host risk classification column in the All hosts table on the Hosts page. In addition, a new Host by risk tab has been added to the Hosts page and host detail pages. From the Host by risk tab, you can access an explanation of how a host’s risk is calculated and scored (#122980, #122586, #122018, #121075, #120487, #119734).
- Introduces the ability to bulk edit rule index patterns and tags (#122635).
- Expands Endpoint per-policy artifact assignment to include endpoint event filters and host isolation IP exceptions (#121879, #121632).
- Adds the rule execution UUID field to alerts. In addition, the kibana.alert.rule.execution.uuid field is now part of the alert data schema and can be found in the field browser in the Alerts table (#113058).
- Introduces case metrics that summarize alert information and response times (#121336).
- Improves copy for the privilege check on the Endpoints page (#124118).
Bug fixes and enhancements
- Improves the performance of indicator match rules (#123882, #123677).
- Changes the default indicator index query of custom and prebuilt indicator match rules to @timestamp >= "now-30d/d" (#123590).
- Improves the exceptions interface by replacing the exceptions modal with a flyout (#123408).
- Alert details flyout enhancements:
- Allows users to aggregate alert data based on a larger selection of ECS fields instead of just 10 preset options (#120610).
- Enriches threshold-related alert data from correct fields (#125376).
- Hides the delete button for disabled exception lists (#122844).
- Fixes various minor UX bugs (#121410).