IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
8.11
8.11.4
Bug fixes
- Stops the ES|QL tab from rendering until you click on it in Timeline (#173484).
- Adds a feature flag (timelineEsqlTabDisabled) to hide the ES|QL tab in Timeline (#174029).
- Removes the default query from the ES|QL tab in Timeline (#174393).
- Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).
8.11.3
Bug fixes
- Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).
8.11.2
Enhancements
- Updates references on the Entity Risk Score management page (#171089).
Bug fixes
- Fixes a bug that caused the Alerts page to crash if you reloaded it while the preview panel in the alert details flyout was open (#172323).
- Fixes the event analyzer panel width (#172026).
- Applies page filters to MITRE ATT&CK® sub-technique cells when displaying rules (#170988).
- Fixes a bug with the Investigate in timeline action for Elastic AI Assistant that caused ES|QL queries to open in the KQL query bar within Timeline (#170542).
8.11.1
Enhancements
- Allows user and host risk score tables to be filtered by time range (#168826).
Bug fixes
8.11.0
Known issues
- MITRE ATT&CK® technique cells show duplicate rules (#167929).
- MITRE ATT&CK® tactic cells show an incorrect rule count (#167930).
- An incorrect MITRE ATT&CK® sub-technique is applied after you save a rule (#170347).
- When using Elastic Defend’s protection updates feature, if you turn off automatic updates and select the current day as your deployed artifacts version, it’s possible that the set of protections has not been released for that day yet. As a result, Elastic Agent could fail to download the artifacts and be set to an Unhealthy state. To avoid this issue, pick a date previous to the current one (#170847).
Breaking changes
- Ends support for the filterQuery field of the getLiveQueryResults and findLiveQuery APIs, and replaces it with the KQL field kuery. Requests to those APIs that used the filterQuery field should replace it with kuery (#161806).
- In 8.11, rule APIs will only support investigation_fields as { field_names: string[] }. If you’ve added this field to your rules in 8.10, you don’t need to do anything when you import your rules.
Deprecations
- Deprecates the doc_root.vulnerability.package and replaces it with the doc_root.package ECS package (#164651).
New features
- Upgrades Elastic Defend to capture a new Windows event type: ETW Threat Intelligence (ETW-TI). Renames the Windows events policy Credential access category to API in the UI (but not in the .yaml, maintaining backwards compatibility). Adds two new advanced options: windows.advanced.events.api_disabled and windows.advanced.events.api_verbose (#167549).
- Adds the Same family category and tab to the Data Quality dashboard. Fields with mappings in the same family have the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics (#167480).
- Updates the exceptions flyout’s match_any operator to accept duplicate values that differ in case (#167208).
- [beta] This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Enables the Elastic AI Assistant to answer questions about Elasticsearch Query Language (ES|QL) by allowing it to query, via ELSER, an ES|QL knowledge base. Refer to Elastic AI Assistant to enable the knowledge base (#167097).
- Enables ES|QL in Timeline (technical preview) (#166764).
- Adds the new ES|QL rule type (technical preview) (#165450).
- Updates the Endpoint policy UI (Manage → Policies) to include a Protection updates tab, a new column called Deployed version, and a banner that highlights outdated policies (#165256, #162719).
- Introduces full support for Elastic Endpoint on macOS Sonoma.
- Updates Elastic Defend to support AlmaLinux 9 and Rocky Linux 9.
- Adds a new optional parameter to Elastic Endpoint’s top command. The --limit parameter specifies how many times to refresh the command’s output before a graceful exit.
- Adds Agent tamper protection for Elastic Defend, which prevents unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint from a host.
Enhancements
- Adds a new Generative AI connector, Amazon Bedrock, for use with Elastic AI Assistant (#166662).
- Renames the Generative AI connector to OpenAI, since Generative AI is now a category of connectors that include OpenAI and Amazon Bedrock (#167677).
- Adds the id, severity, and status fields to the Webhook - Case Management connector (#166295).
- Updates the order of items on Kibana’s left-side navigation menu to match the order in Elastic Security’s left-side navigation menu (#164268).
- Adds tooltips to overview section titles in the alert details flyout (#166737).
- Updates the .lists and .items indices to data streams (#162508).
Bug fixes
- Updates the Entity Risk Score error message to list the necessary permissions (#169216).
- Displays more descriptive errors for Generative AI connectors (#167674).
- Adds metrics to some rule execution warning messages (#167551).
- Fixes a bug that could cause the exceptions flyout to reload unnecessarily in response to rule updates (#166914).
- Fixes a bug that could cause EQL shell alerts to not include certain common fields (#166751).
- Sets the date and time picker to full width in the expanded Prevalence view within the alert details flyout (#166714).
- Fixes a bug that could prevent the Install Cloud Native Vulnerability Management button on the empty state of the Findings page from working (#166335).
- Fixes a bug that could cause an error when you edited a rule’s filter (#165262).
- Fixes a bug that caused the Rules table to auto-refresh when auto-refresh was disabled (#165250).