« Release notes 8.16 »
Elastic Docs Elastic Security Solution [8.17] Release notes

8.17

edit

8.17

edit

8.17.0

edit

Known issues

edit
The Exceptions tab won’t properly load if exceptions contain comments with newline characters (\n)

Details
On December 5, 2024, it was discovered that the Exceptions tab won’t load properly if any exceptions contain comments with newline characters (\n). This issue occurs when you upgrade to 8.16.0 or later (#201820).

Workaround

For custom rules:

  1. From the Rules page, export the rule or rules with the affected exception lists.
  2. Modify the .ndjson file so comments no longer contain newline characters.
  3. Return to the Rules page and re-import the rules. Ensure you select the Overwrite existing exception lists with conflicting "list_id" option.

For prebuilt rules:

If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the Shared Exception Lists page.

  1. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:

    1. Find the affected rule’s ID (id). From the Rules page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (167a5f6f-2148-4792-8226-b5e7a58ef46e) is the id.

    2. Specify the id when fetching the rule’s details using the Retrieve a detection rule API. Here is an example request that includes the id:

      curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e

    3. The JSON response contains the id, list_id, and namespace_type values within the exceptions_list key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.

      {
  "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
  "exceptions_list": [
    {
      "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
      "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
      "namespace_type": "single"
    }
  ]
}

  2. Use the export exceptions API to retrieve the affected exception list. Insert the values for the id, list_id, and namespace_type parameters into the following API call:

    curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
  3. Modify the exception list’s .ndjson file to ensure comments[].comment values don’t contain newline characters (\n).
  4. Re-import the modified exception list using Import exception lists option on the Shared Exception Lists page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.
Duplicate alerts can be produced from manually running threshold rules

Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.

Manually running custom query rules with suppression could suppress more alerts than expected

Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.

New features

edit
  • Adds a signature option for trusted applications on macOS (#197821).
  • Allows you to use alert suppression on EQL sequence alerts (#189725).
  • Adds GA support for the case action feature, which lets rules automatically create cases (#196973).

Enhancements

edit
  • Checks user permissions before initializing the entity engine (#198661).
  • Updates LangChain dependencies, adding support for the new Bedrock cross-region inference profiles (#198622).

Bug fixes

edit
  • Clears the error on the second entity engine initialization (#202903).
  • Modifies the empty state message that appears when installing prebuilt rules (#202226).
  • Rejects CEF logs from Automatic Import and instead redirects you to the CEF integration (#201792, #202994).
  • Fixes a bug in Automatic Import where icons did not display after the integration was installed (#201139).
  • Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file (#201622).
  • Turns off the Install All button on the Add Elastic Rules page while rules are being installed (#201731).
  • Turns off the Add note button in the alert details flyout if you don’t have the appropriate permission (#201707).
  • Removes fields with an @ from the script processor (#201548).
  • Fixes an issue that could interfere with Knowledge Base setup (#201175).
  • Fixes an issue with Gemini streaming in the AI Assistant (#201299).
  • Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints (#198622).
  • Fixes a bug with threshold rules that prevented cardinality details from appearing (#201162).
  • Fixes a bug that caused an entity engine to get stuck in the Installing status if the default Security data view didn’t exist. With this fix, engines now correctly report the Error state (#201140).
  • Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you’re on Windows (#199791).
  • Fixes asset criticality index issue when setting up entity engines concurrently (#199486).
  • Fixes a bug where the @timestamp field wouldn’t update upon asset criticality soft delete (#196722).
  • Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes (#198652).
  • Improves the flow for the Insights section in the alert details flyout (#197349).
  • Fixes an issue where users without the Fleet read permission were blocked from interacting with any onboarding card (#202413).
  • Improves Elastic Defend for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled.
  • Improves Elastic Defend by refactoring the kernel driver to work around a CRITICAL_PROCESS_DIED bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon.
  • Fixes an issue in Elastic Defend versions 8.15.2 and 8.15.3 which can result in Windows boot failure 0xC000007B referencing ElasticElam.sys or recovery mode prompt at boot. We have only received reports of this happening when Elastic Defend is installed alongside CrowdStrike Falcon.
  • Fixes an Elastic Defend bug where the Linux system call (setsid) wasn’t properly gathered for RHEL 9/CentOS Stream 9 process events.
  • Fixes an issue where Elastic Defend can enter an infinite loop if an external application opens and retains handles to files within Elastic Defends directory while it is processing a get-file response action. This can result in Elastic Defend flooding Elasticsearch with documents until the handles are closed.
« Release notes 8.16 »