8.3
edit8.3
edit8.3.3
editKnown issues
edit- An Endpoint and Cloud Security bug on macOS and Linux can cause CPU spikes if malware protection is enabled on an Endpoint and Cloud Security integration policy. When this happens, Endpoint and Cloud Security may experience system coverage gaps. To avoid this, we recommend using Elastic Agent version 8.3.2 or earlier. If you are using Elastic Agent version 8.3.3 and have encountered this issue, you can temporarily resolve it by rebooting your computer and disabling malware protection on your Endpoint and Cloud Security integration policy (#22).
-
A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example,
\w
,\s
,\d
).
Bug fixes and enhancements
edit- Fixes a bug that prevented the Create field button from appearing in the Fields browser when you accessed it from a Timeline created using the Alerts page’s Open in timeline button (#135842).
-
Removes the unsupported
matches
operator from the Add Rule Exception flyout (#136340). - Prevents rule execution log events from being wrongly ordered when the maximum number of events are reached and events are filtered by status (#131675).
8.3.2
editKnown issue
edit-
The
matches
operator in the Add Rule Exception flyout does not work because wildcard matches are not supported for rule exceptions. Using thematches
operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting unsupported exceptions and refreshing the rules (#136340). -
A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example,
\w
,\s
,\d
).
Bug fixes and enhancements
editIf you already upgraded to 8.3.0 or 8.3.1 and noticed that rules created or updated in 8.2.x were failing with an error similar to the message below, complete the appropriate steps to restore your rules after you upgrade to 8.3.2. Refer to the known issue section of the 8.3.1 release notes for more information.
<rule-type>:<UUID>: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""
8.3.1
editKnown issue
editDetection rules stop running after upgrade
8.3.1 has a bug where detection rules that were created or edited in 8.2.x will stop running after you upgrade. Because of this, we advise against upgrading from 8.2.x to 8.3.1.
If you already upgraded from 8.2.x to 8.3.1, detection rules affected by the bug will have stopped running with an error that is similar to the following example:
<rule-type>:<UUID>: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""
To restore the affected rules and reset their statuses, complete the following.
To restore custom and prebuilt rules, you need privileges to manage rules.
Restore affected custom and prebuilt rules
- Go to the Rules page (Detect → Rules).
- Click the Rows per page menu under the rules table and select 100 rows.
- In the rules table, click the Rule column to sort by rule name.
-
Identify affected rules. They will have a
Failed
status in the Last response column. - Select the affected rules, then click Bulk actions → Disable.
-
Select the same rules, then click Bulk actions → Enable.
After you’ve re-enabled the affected rules, the rules' Last Response values will change to
Pending
and then update toActive
orOK
. - Go to the next page of results in the rules table and repeat steps 1 through 6.
Restore affected custom rules only (optional)
This is an alternative option for users who have only enabled custom rules and/or duplicated and enabled prebuilt rules.
- Go to the Rules page (Detect → Rules) and click Elastic rules.
- Switch on the Technical preview toggle above the table.
- In the rules table, click Custom rules.
- Sort the rules table by the Last Response column to show the latest rule statuses.
-
Select rules with the
Failed
status, then click Bulk actions → Tags → Add Tags. -
Add a new tag, for example
rules_to_fix
. This will generate new API keys and resolve the bug.On the next scheduled rule execution, the Last Response value for the rule will change to
Pending
, and then toActive
orOK
.
The matches
operator is not supported for rule exceptions
The matches
operator in the Add Rule Exception flyout does not work because wildcard matches are not supported for rule exceptions. Using the matches
operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting the unsupported exceptions and refreshing the rules (#136340).
Lucene 9 validation change might affect event correlation rules
A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w
, \s
, \d
).
Bug fixes and enhancements
edit- Fixes a bug that prevented the Cases widget in the Detection & Response dashboard from updating (#135128).
8.3.0
editKnown issue
editDetection rules stop running after upgrade
8.3.0 has a bug where detection rules that were created or edited in 8.2.x will stop running after you upgrade. Because of this, we advise against upgrading from 8.2.x to 8.3.0.
If you already upgraded from 8.2.x to 8.3.0, detection rules affected by the bug will have stopped running with an error that is similar to the following example:
<rule-type>:<UUID>: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: ""
To restore the affected rules and reset their statuses, complete the following.
To restore custom and prebuilt rules, you need privileges to manage rules.
Restore affected custom and prebuilt rules
- Go to the Rules page (Detect → Rules).
- Click the Rows per page menu under the rules table and select 100 rows.
- In the rules table, click the Rule column to sort by rule name.
-
Identify affected rules. They will have a
Failed
status in the Last response column. - Select the affected rules, then click Bulk actions → Disable.
-
Select the same rules, then click Bulk actions → Enable.
After you’ve re-enabled the affected rules, the rules' Last Response values will change to
Pending
and then update toActive
orOK
. - Go to the next page of results in the rules table and repeat steps 1 through 6.
Restore affected custom rules only (optional)
This is an alternative option for users who have only enabled custom rules and/or duplicated and enabled prebuilt rules.
- Go to the Rules page (Detect → Rules) and click Elastic rules.
- Switch on the Technical preview toggle above the table.
- In the rules table, click Custom rules.
- Sort the rules table by the Last Response column to show the latest rule statuses.
-
Select rules with the
Failed
status, then click Bulk actions → Tags → Add Tags. -
Add a new tag, for example
rules_to_fix
. This will generate new API keys and resolve the bug.
On the next scheduled rule execution, the Last Response value for the rule will change to Pending
, and then to Active
or OK
.
The matches
operator is not supported for rule exceptions
The matches
operator in the Add Rule Exception flyout does not work because wildcard matches are not supported for rule exceptions. Using the matches
operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting the unsupported exceptions and refreshing the rules (#136340).
Lucene 9 validation change might affect event correlation rules
A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w
, \s
, \d
).
Breaking changes
edit-
Updates Elastic prebuilt machine learning detection rules for some Windows and Linux anomalies with new
v3
machine learning jobs. A confirmation modal is displayed when updating rules ifv1
/v2
jobs are installed. If you’re using 8.2 or earlier versions of Beats or Elastic Agent, you may need to duplicate prebuilt rules or create new custom rules before you update the prebuilt rules. Once you update the prebuilt rules, they will only usev3
machine learning jobs. Refer to Troubleshoot missing alerts for machine learning jobs for more information (#128334).
Features
edit- Renames Endpoint Security integration to "Endpoint and Cloud Security" (#132752).
- Adds a new Detection & Response dashboard, which provides focused visibility into the day-to-day operations of your security environment (#130670, #128335, #129021, #128087, #131828, #131029).
- Introduces a new optional design for the main navigation menu (#132210, #131437, #133719).
- Adds a User risk tab to the User details flyout (#130256).
- Adds an Authentications tab to the User details flyout (#129456).
- Adds the ability to investigate Osquery results in Timeline (#128596).
- Allows multiple alerts to be added to a case (#130958).
- Adds the option to delete case comments from a case (#130254).
- Provides an option to select a severity level for a case (#131626).
- Adds the experimental Alerts tab to cases, which allows users to inspect attached alerts (#131883).
- Adds the Average time to close metric to the Cases page (#131909).
-
Adds new fields to prebuilt detection rules' schemas:
related_integrations
,required_fields
, andsetup
(#132409). - Adds the Related integrations, Required fields, and Setup guide sections to the rule details page to help users identify and meet a rule’s prerequisites. Also adds the related integrations badge to the Rules table (#131475). Content for these new sections is delivered in a prebuilt rules update, independent of Elastic Stack release versioning.
Bug fixes and enhancements
edit- Separates array values with commas in the Alerts table (#133297).
-
Exposes the EQL search settings
event_category_field
,tiebreaker_field
, andtimestamp_field
through the rules API and UI for event correlation rules (#132247). - Adds the Session ID field to the Highlighted fields section of the Alert details flyout (#132219).
- Adds Dashboards and Threat Hunting Landing pages (#130905).
- Allows highlighted fields to be investigated in Timeline (#131255).
- Adds the Run Osquery option to the More actions menu (…) in the Alerts table (#131790).
-
Improves the performance of these actions on the bulk rule actions endpoint (#130924).
-
add_tags
-
delete_tags
-
set_tags
-
add_index_patterns
-
delete_index_patterns
-
set_index_patterns
-
set_timeline
-
- Fixes a bug that caused the rule details page to crash when users opened a deleted or non-existent rule (#133867).
- Allows threshold alerts to be investigated in Timeline if filters are not provided (#133733).
- Prevents events from being added to cases from Timeline (#133410).
- Fixes a bug that prevented the Users and Hosts pages from resetting after being sorted (#133111).
- Removes the filter and investigate in Timeline options from the Elastic Agent status in highlighted fields (#132829, #132586).
- Improves the copy of Timeline tooltips (#132756).
- Fixes a validation bug that occurred when users were building a rule exception and changed the exception statement’s operator (#131989).
- Adds a checkmark to the pagination selection on the Exceptions lists page (#131979).
- Re-adds the success message that displays when users export an exceptions list (#131952).
- Updates import toast logic to accurately report the total number of failures (#131873).
-
Ensures an error is not generated when the
agent.version
provided by an alert is in an unexpected format (#131272). - Improves error checks for threshold rules (#131088).
- Expands support for migrating legacy rule actions (#130511).
- Fixes a bug that caused the Add Rule Exception flyout to unexpectedly close when users create the first exception for the rule from an alert (#130187).
- Corrects Rule name sorting so detection rules are ordered alphabetically, regardless of their casing (#130105).
- Improves the Reporter column in the Cases table (#132200).
- Adds the option to create a new case to the Select case pane (#128882).
- Allows preconfigured connectors to be used with cases (#130372).
- Inserts the deprecated icon next to deprecated preconfigured connectors (#132237).
- Updates the Case table so that all tags assigned to the case are displayed when users go to the case and hover over the Tags column (#132023).
- Adds Oauth support to the ServiceNow ITSM, SecOps, and ITOM connectors (#131248).
- Adds a setting to specify a list of allowed email domains, which can be used with the email connector (#129001).