8.9

8.9.2

Bug fixes

  • Fixes a bug that prevented inline actions on the Alerts page from completing (#165099).
  • Fixes a bug that prevented blocklist file path entries for Windows and macOS applications from being passed as case insensitive (#164200).
  • Fixes a bug in the confirmation message that appears when duplicating a single rule (#163908).
  • Fixes a bug on the rule details page that showed the Data view label twice if you were viewing a rule using a data view (#164494).
  • Fixes a bug that affected Timeline when you investigated an alert created from a rule with exceptions (#162190).

8.9.1

Known issues

  • A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:

    • Open alerts in Timeline.
    • Adjust the Alerts table size. Do one of the following:

      • Use the Fields browser to remove fields from the Alerts table until the table’s width is smaller than its container.
      • Adjust your OS zoom settings and refresh the page.
      • Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
  • Alert table rendering issues occur when threat indicator match alerts contain nested file.name values, and the Alerts table displays the file.name column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (#97684).

    When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.

    The workaround for this issue depends on the types of alerts you want to display. Choose the case that’s most relevant to you:

    Case #1: You want to display threat indicator match alerts with nested file.name fields but the Alerts table won’t render. To fix this, manually edit your browser’s local storage and refresh the Alerts page:

    These instructions only apply to the Google Chrome browser. Adjust the steps for the browser you’re using.

    1. Right-click anywhere on the Alerts page, then select Inspect to open Chrome’s Developer Tools.
    2. Go to Application → Storage, then expand Local Storage.
    3. Click on the name of your Kibana instance, for example, http://localhost:1234.
    4. Search for the detection-engine-alert-table-securitySolution-rule-details-gridView key and copy its value. The value you copied is the JSON blob that’s used to persist the Alert table’s state, including the table’s selected columns.
    5. Paste the JSON blob into a text file and edit it as follows:

      1. Remove the id:file.name string from the columns array.
      2. Remove the file.name string from the visibleColumns array.
    6. Go back to Chrome’s Developer Tools, and paste the edited JSON into the value for the detection-engine-alert-table-securitySolution-rule-details-gridView key.
    7. Press the Enter or Return key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the file.name column.

      To avoid further issues, do not re-add the file.name field to the table.

    Case #2: You want to display threat indicator match alerts with nested file.name fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:

    1. Go to the toolbar in the upper-left of the Alerts table, and click Fields.
    2. Search for the file.name field, de-select it, and click Close.
    3. Refresh the Alerts page.

Enhancements

  • Event correlation queries and rules can now detect missing events in EQL sequences.

Bug fixes

  • Fixes a copy to clipboard bug that affected non-ECS fields (#162883).
  • Fixes number rounding issues in the Top alerts by table on the Alerts page (#162647).
  • Fixes a bug that prevented controls from being rendered on Elastic Security dashboards (#162514).
  • Fixes a bug that prevented rule changes from being saved if a rule’s action frequency was shorter than the rule run interval (#160798).

8.9.0

Known issues

  • On the new Detection rule monitoring dashboard, total Rule executions will not always equal the sum of Succeeded, Warning, and Failed executions. This is expected because rules can write multiple statuses per execution. One typical example is gap detection: if a rule detects a gap in rule execution it will write an intermediate Failed status, then continue to run, and write a final status (such as Warning) before finishing its execution.
  • Rule changes can’t be saved and existing rule actions are removed if the action’s frequency is shorter than the rule’s run interval.
  • The upload response action does not report the correct amount of available disk space. The correct amount is approximately four.
  • A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:

    • Open alerts in Timeline.
    • Adjust the Alerts table size. Do one of the following:

      • Use the Fields browser to remove fields from the Alerts table until the table’s width is smaller than its container.
      • Adjust your OS zoom settings and refresh the page.
      • Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
  • Alert table rendering issues occur when threat indicator match alerts contain nested file.name values, and the Alerts table displays the file.name column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (#97684).

    When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.

    The workaround for this issue depends on the types of alerts you want to display. Choose the case that’s most relevant to you:

    Case #1: You want to display threat indicator match alerts with nested file.name fields but the Alerts table won’t render. To fix this, manually edit your browser’s local storage and refresh the Alerts page:

    These instructions only apply to the Google Chrome browser. Adjust the steps for the browser you’re using.

    1. Right-click anywhere on the Alerts page, then select Inspect to open Chrome’s Developer Tools.
    2. Go to Application → Storage, then expand Local Storage.
    3. Click on the name of your Kibana instance, for example, http://localhost:1234.
    4. Search for the detection-engine-alert-table-securitySolution-rule-details-gridView key and copy its value. The value you copied is the JSON blob that’s used to persist the Alert table’s state, including the table’s selected columns.
    5. Paste the JSON blob into a text file and edit it as follows:

      1. Remove the id:file.name string from the columns array.
      2. Remove the file.name string from the visibleColumns array.
    6. Go back to Chrome’s Developer Tools, and paste the edited JSON into the value for the detection-engine-alert-table-securitySolution-rule-details-gridView key.
    7. Press the Enter or Return key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the file.name column.

      To avoid further issues, do not re-add the file.name field to the table.

    Case #2: You want to display threat indicator match alerts with nested file.name fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:

    1. Go to the toolbar in the upper-left of the Alerts table, and click Fields.
    2. Search for the file.name field, de-select it, and click Close.
    3. Refresh the Alerts page.
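
The Case #1 workaround above (listed under both the 8.9.1 and 8.9.0 known issues) removes the file.name column by hand-editing the JSON blob stored under the detection-engine-alert-table-securitySolution-rule-details-gridView local storage key. The following JavaScript is an added example, not code from Elastic or from this page, that performs the same two removals programmatically so the edit cannot leave the blob malformed. The key name is the one given in the notes; the sample blob, its extra keys, and the assumption that entries in the columns array are objects with an id property (the "id:file.name" entry the notes refer to) are constructed for illustration.

```javascript
// Added example (not Elastic's code): remove one column from the persisted
// Alerts-table state instead of editing the JSON by hand in DevTools.
// The key name is taken from the release notes.
const ALERT_TABLE_STATE_KEY =
  "detection-engine-alert-table-securitySolution-rule-details-gridView";

// Constructed sample of the stored value. The real blob carries more keys;
// everything other than the two edited arrays is passed through unchanged.
const SAMPLE_STATE = JSON.stringify({
  columns: [
    { id: "@timestamp", initialWidth: 200 },
    { id: "file.name", initialWidth: 180 }, // the entry the workaround removes
    { id: "host.name", initialWidth: 180 },
  ],
  visibleColumns: ["@timestamp", "file.name", "host.name"],
  sort: [{ "@timestamp": { order: "desc" } }],
});

// Return a new JSON string with `field` dropped from both `columns` and
// `visibleColumns`. Throws on input of an unexpected shape so that nothing
// malformed is written back over the original value.
function removeColumnFromState(stateJson, field) {
  const state = JSON.parse(stateJson);
  if (!Array.isArray(state.columns) || !Array.isArray(state.visibleColumns)) {
    throw new Error("unexpected state shape: columns/visibleColumns missing");
  }
  // Assumed shape: column entries are objects keyed by `id`; a bare string
  // entry is tolerated in case the shape differs between versions.
  state.columns = state.columns.filter(
    (col) => (typeof col === "string" ? col : col && col.id) !== field
  );
  state.visibleColumns = state.visibleColumns.filter((name) => name !== field);
  return JSON.stringify(state);
}

// Apply the edit to a Storage-like object (window.localStorage in the
// browser). Returns the original value so it can be kept for rollback, or
// null when the key is absent. `storage` is passed explicitly so the
// function also loads under Node, where there is no localStorage.
function removeColumnFromStorage(field, storage) {
  if (!storage) return null;
  const original = storage.getItem(ALERT_TABLE_STATE_KEY);
  if (original === null) return null;
  storage.setItem(ALERT_TABLE_STATE_KEY, removeColumnFromState(original, field));
  return original;
}

// Browser console usage on the Alerts page of the affected Kibana instance:
//   const backup = removeColumnFromStorage("file.name", window.localStorage);
// then refresh the page. Keep `backup` to restore the previous state if needed.
```

Run the two lines from the usage comment in the browser console while on the Alerts page, then refresh; the table re-renders without the file.name column, exactly as after the manual steps. As the notes advise, do not re-add the field afterwards.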

Breaking changes

There are no breaking changes in 8.9.0.

Deprecations

  • Removes the option to use the legacy navigation menu (#158094).
  • General prebuilt threat indicator match rules were deprecated and replaced with improved indicator-type rules.

New features

  • Introduces the top command for macOS and Linux, which shows active processes that Elastic Endpoint is monitoring and recording. Processes are sorted by how much CPU they are causing Elastic Endpoint to consume. Learn more about the top command by referring to the readme.
  • Allows you to install the Cloud Security Posture Management (CSPM) integration via CloudFormation (#159994).
  • Creates a new dashboard, Cloud Native Vulnerability Management, that provides an overview of vulnerabilities on your cloud hosts (#159699).
  • Allows you to group vulnerabilities by resource (host) on the Vulnerabilities Findings page, and creates a Resource flyout that displays detailed vulnerability findings for individual hosts (#159873, #158987).
  • Adds a new custom dashboard, "Detection rule monitoring" (#159875).
  • Allows you to anonymize event field values sent to AI Assistant (#159857).
  • Adds a Chat button that opens AI Assistant to the alert details flyout (#159633).
  • Updates AI Assistant to let you create and delete custom system prompts and default conversations (#159365).
  • Allows you to add alert tags (#157786).
  • Adds the ability to automatically isolate a host through a rule’s endpoint response action (#152424).
  • Moves response actions to General Availability.
  • Adds a new response action that allows you to upload files to an endpoint that has Elastic Endpoint installed (#157208).
  • Makes the Lateral Movement Detection advanced analytics package General Availability, and adds the ability to detect malicious activities in Windows RDP events (#6588).

Enhancements

  • Makes it easier to set up exceptions by auto-populating exception conditions and values with relevant alert data (#159075).
  • Adds a Last response dropdown menu to the Rules table that allows you to filter rules by the status of their last execution ("Succeeded", "Warning", or "Failed") (#159865).
  • Creates a Lens dashboard for monitoring the use of tokens by AI Assistant (#159075).
  • Creates a connector for D3 Security (#158569).
  • Improves the interface for installing and upgrading Elastic prebuilt rules (#158450).
  • Shows a rule’s actions on its details page (#158189).
  • Allows you to add Lens visualizations to cases from the visualization’s More actions menu (#154918).
  • Adds a tooltip to snoozed rules that shows exactly when alerting will resume (#157407).
  • Enhances the Data Exfiltration Detection package by adding the ability to detect exfiltration anomalies through USB devices and Airdrop (#6577).

Bug fixes

  • Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them (#161331).
  • Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert’s Take action menu (#159908).
  • Fixes a UI bug that overlaid Default Risk score values as you created a new rule.
  • Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 (#157233).
  • Fixes a bug that allowed you to save a rule with an alert filter missing a query (#159690).
  • Fixes unexpected filtering behavior on the Alerts page. Now, when you select a filter that excludes all alerts, an empty table appears as expected (#160374).
  • Fixes a UI bug where the Label field in the Investigation Guide form incorrectly turns red when the entered value is correct (#160574, #160577).
  • Fixes a bug that caused rules to snooze longer than specified (#152873).