8.2

edit

8.2.3

edit

Known issues

edit
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

edit
  • Fixes a bug that caused incorrect enrichment data to be attached to alerts (#133591).

8.2.2

edit

Known issues

edit
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

edit
  • Fixes a sorting and tooltip issue in Timeline for non-ECS fields that don’t have nested values (#132570).

8.2.1

edit

Known issues

edit
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

edit
  • Allows preconfigured connectors to be used with cases (#130372).
  • Adds pagination to the Table tab on the Alert details flyout to fix a performance issue on the Timelines page (#131358).
  • Fixes sorting issues that were related to unmapped fields (#132190).
  • Fixes a bug in the Filter In, Filter Out, and Add to timeline investigation inline actions that caused incorrect results to be retrieved (#132251).
  • Enhances performance by improving calculations for the top count function and hover action in data tables (#131363).

8.2.0

edit

Known issues

edit
  • On macOS versions before 12.4, if Elastic Endpoint is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.
  • Indicator match rules cannot use the .items-* system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules (#133457).
  • The matches operator in the Add Rule Exception flyout does not work because wildcard matches are not supported for rule exceptions. Using the matches operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting unsupported exceptions and refreshing the rules (#136340).
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Deprecations

edit

The following endpoints are deprecated (#129448) and will be removed in a future release. They will remain active for at least the next 18 months:

To avoid breakage, we recommend using the bulk rule actions API instead for similar bulk actions. You can also use the create, update, and delete rule APIs to manage rules individually.

Breaking changes

edit

There are no breaking changes in 8.2.0.

Features

edit
  • Enables rule previews for indicator match rules (#126651).
  • Displays the alerts table when previewing a rule (#127986).
  • Introduces a new beta feature, Session View. Session view contextualizes and provides insight into Linux process data (#127828, #126997, #127520, #124575).
  • Creates a Users page under Explore to help you better understand authentication and usage information (#127617, #127953, #126434, #126079, #128375, #130030).
  • Creates a User details flyout (#127019).
  • Creates a Blocklist that enables you to prevent applications from running on hosts (#127098, #127031, #126390).
  • Creates a Policies page, which lists all of the integration policies configured for Endpoint Security. Use the page to quickly view and manage your Endpoint Security integration policies (#123760).
  • Enables you to bulk-apply Timeline templates to rules (#128691).
  • Enables users to filter the rules management table by index pattern or MITRE ATT&CK tactic or technique (name or ID) (#128245).
  • Allows you to run Osquery searches from the Take action button on the Alert details flyout (Alerts and Timelines pages) (#128142).
  • Adds a list of linked cases to the alert details flyout (#128033).
  • Expands the actions you can take on visualizations throughout Elastic Security to Inspect, Open in Lens, Add to new case, and Add to existing case (#126507).
  • Adds rule execution logs to the rule details page to consolidate information about a rule’s execution history (#126215).
  • Enables wildcard entries for file.path.text fields within event filters with the matches operator (#125202).

Bug fixes and enhancements

edit
  • Performance enhancements for indicator match rules:

    • Adds point in time (PIT) search (#128433).
    • Adds events-first (reverse) search (#127428).
    • Includes filters from indicator match rule mappings to reduce the search load when rules run (#127411).
  • Fixes a bug that affected the accuracy of rule preview results (#128003).
  • Adds event log telemetry for detection rules (#128216).
  • Adds support for Osquery pack integration assets (#128109).
  • Fixes minor Osquery issues on alerts (#128676).
  • Allows users to reduce resource usage by collapsing KPIs and table queries running on the Hosts and Network pages (#127930).
  • Adds the Alert prevalence column to the Highlighted fields table (#127599).
  • Introduces a new landing page that provides guidance for adding data (#127324).
  • Redesigns the Fields browser (#126105).
  • Allows runtime fields to be managed from the Fields browser (#127037).
  • Adds the Blocklist enabled toggle to Malware protection settings (#127031).
  • Updates MITRE ATT&CK mappings for detection rules to v10.1 (#126288).
  • Adds an Advanced Settings toggle to turn off read privilege warnings for detection rules using a remote cross-cluster search (CCS) index pattern (#124459).
  • Adds four new Timeline templates that are focused on key event categories to provide relevant alert data and assist with investigation and resolution efforts (#125172).
  • Excludes malware and ransomware alerts from detection rule telemetry (#130233).
  • Fixes alert and external alert filters on the Hosts page and Users page (#129451).
  • Passes threshold alert filters to the Timeline (#129405).
  • Displays a confirmation message when a user creates the first event filter (#128810).
  • Fixes a bug that ignored exceptions when loading the threshold alert count in a Timeline (#128495).
  • Adds a fallback mechanism to EQL rules so that rules fall back to @timestamp if timestamp_override doesn’t exist (#127989).
  • Fixes a bug that stopped EQL rules from using a max_signals value greater than 100 (#127839).
  • Updates EQL rules to use the EQL method of the Elasticsearch client (#127684).