8.4

edit

8.4.3

edit

Bug fixes and enhancements

edit
  • Aligns the delete icon in the Add Rule Exception flyout (#141365).
  • Aligns the warning message title on the Rule details page with the warning icon (#140719).
  • Fixes a bug that sometimes caused Elastic Endpoint to stop running on Windows endpoints (#29).

8.4.2

edit

Known issues

edit
  • A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
  • In some situations, Elastic Endpoint might change to a non-running state on Windows endpoints and fail to restart. Elastic Agent will have an Unhealthy status when this happens (#29).

    To determine whether Elastic Endpoint has stopped running because of this issue, run the following PowerShell command as an administrator:

    PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe"
    
    
       ProviderName: Microsoft-Windows-CodeIntegrity
    
    TimeCreated                      Id LevelDisplayName Message
    -----------                      -- ---------------- -------
    9/22/2022 10:47:35 AM          3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...
    9/19/2022 2:10:14 PM           3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...

    If Elastic Endpoint is not running, there are several workarounds you can take:

    • Manually uninstall, then reinstall Elastic Endpoint on affected hosts: Remove an invalid Elastic Endpoint installation by running the Elastic Endpoint uninstall command on affected hosts. Once the uninstallation process has finished, run the following command to restart Elastic Agent, which automatically reinstalls Elastic Endpoint:

      c:\Program Files\Elastic\Agent\elastic-agent.exe restart
    • Uninstall, then reinstall the Endpoint and Cloud Security integration on affected hosts: Uninstalling and reinstalling the Endpoint and Cloud Security integration on affected hosts will also force the uninstallation and reinstallation of Elastic Endpoint on these hosts.

      Uninstalling the Endpoint and Cloud Security integration may temporarily cause Elastic Agent’s status to be Unhealthy. The status will change to Healthy once the integration is reinstalled.

    • Downgrade Elastic Agent and Elastic Endpoint versions: Downgrading to unaffected Elastic Agent and Elastic Endpoint versions resolves this issue.

Bug fixes and enhancements

edit
  • Removes access to the Notes and Pinned tabs in Timeline templates (#140478).
  • Fixes a bug with the Attach to existing case option in Timeline (#139929).
  • Fixes bugs in the Rules table that affected the selected rule count and bulk select feature (#139461).
  • Fixes a bug that caused the Rules page to incorrectly notify users that a prebuilt rules update was available, even after rules were fully updated (#139287).
  • Fixes a bug that prevented users from accessing alert details if they didn’t have the appropriate privileges to view the internal index .internal.alerts-security.alerts-<Kibana-space>. Now, the Alert details flyout correctly uses the public alias index .alerts-security.alerts-<Kibana-space> (#138331).

8.4.1

edit

Known issues

edit
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
  • In some situations, Elastic Endpoint might change to a non-running state on Windows endpoints and fail to restart. Elastic Agent will have an Unhealthy status when this happens (#29).

    To determine whether Elastic Endpoint has stopped running because of this issue, run the following PowerShell command as an administrator:

    PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe"
    
    
       ProviderName: Microsoft-Windows-CodeIntegrity
    
    TimeCreated                      Id LevelDisplayName Message
    -----------                      -- ---------------- -------
    9/22/2022 10:47:35 AM          3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...
    9/19/2022 2:10:14 PM           3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...

    If Elastic Endpoint is not running, there are several workarounds you can take:

    • Manually uninstall, then reinstall Elastic Endpoint on affected hosts: Remove an invalid Elastic Endpoint installation by running the Elastic Endpoint uninstall command on affected hosts. Once the uninstallation process has finished, run the following command to restart Elastic Agent, which automatically reinstalls Elastic Endpoint:

      c:\Program Files\Elastic\Agent\elastic-agent.exe restart
    • Uninstall, then reinstall the Endpoint and Cloud Security integration on affected hosts: Uninstalling and reinstalling the Endpoint and Cloud Security integration on affected hosts will also force the uninstallation and reinstallation of Elastic Endpoint on these hosts.

      Uninstalling the Endpoint and Cloud Security integration may temporarily cause Elastic Agent’s status to be Unhealthy. The status will change to Healthy once the integration is reinstalled.

    • Downgrade Elastic Agent and Elastic Endpoint versions: Downgrading to unaffected Elastic Agent and Elastic Endpoint versions resolves this issue.

Bug fixes and enhancements

edit
  • Fixes a bug that caused the Rules page to incorrectly notify users that a prebuilt rules update was available, even after rules were fully updated (#139287).

8.4.0

edit

Known issues

edit
  • If additional look-back time is set for the advanced query rule preview, alerts from source documents that are outside the preview time frame may not appear in the preview (#137422).
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).
  • The Rules page incorrectly displays a notification that an update for prebuilt rules is available even if the rules have been fully updated. Currently, there is no way to remove or hide the notification (#139095).
  • In some situations, Elastic Endpoint might change to a non-running state on Windows endpoints and fail to restart. Elastic Agent will appear Unhealthy when this happens (#29).

    To determine whether Elastic Endpoint has stopped running because of this issue, run the following PowerShell command as an administrator:

    PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe"
    
    
       ProviderName: Microsoft-Windows-CodeIntegrity
    
    TimeCreated                      Id LevelDisplayName Message
    -----------                      -- ---------------- -------
    9/22/2022 10:47:35 AM          3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...
    9/19/2022 2:10:14 PM           3004 Error            Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo...

    If Elastic Endpoint is not running, there are several workarounds you can take:

    • Manually uninstall, then reinstall Elastic Endpoint on affected hosts: Remove an invalid Elastic Endpoint installation by running the Elastic Endpoint uninstall command on affected hosts. Once the uninstallation process has finished, run the following command to restart Elastic Agent, which automatically reinstalls Elastic Endpoint:

      c:\Program Files\Elastic\Agent\elastic-agent.exe restart
    • Uninstall, then reinstall the Endpoint and Cloud Security integration on affected hosts: Uninstalling and reinstalling the Endpoint and Cloud Security integration on affected hosts will also force the uninstallation and reinstallation of Elastic Endpoint on these hosts.

      Uninstalling the Endpoint and Cloud Security integration may put Elastic Agent in an Unhealthy state. This is temporary and the state will change to Healthy once the integration is reinstalled.

    • Downgrade Elastic Agent and Elastic Endpoint versions: Downgrading to unaffected Elastic Agent and Elastic Endpoint versions resolves this issue.

Breaking changes

edit

There are no breaking changes in 8.4.0.

Features

edit
  • Creates a new rule type, New Terms, that creates an alert when a value appears for the first time in a particular field (#134526).
  • Adds the Insights section to the Alert details flyout to show related cases and alerts (#136009, #138419)
  • Shows process alerts in the event process analyzer (#135340).
  • Adds support for wildcard exceptions for detection rules. New operators are matches and does not match (#136147).
  • Adds a new search query parameter, dry_run, to the bulk actions API that allows you to simulate a bulk action without permanently updating rules (#134664).
  • Creates the response console, an interface that enables you to take actions on specific hosts (#135360, #134520).
  • Includes integration policy errors and statuses in Fleet and Elastic Security to help troubleshoot when an Elastic Agent has an Unhealthy status (#136241, #136038).
  • Adds Attack surface reduction protections feature to reduce vulnerabilities on Windows endpoints. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory.
  • Adds an endpoint self-healing feature to roll back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features.
  • Adds the ability to run query packs as live queries (#132198).
  • Provides support for process, file, and network events in Kubernetes. You must enable the session view data setting on your Endpoint and Cloud Security integration policy to enrich these events with session data and Kubernetes metadata fields.
  • Adds support for Amazon Elastic Kubernetes Service (EKS) to Kubernetes Security Posture Management (KSPM).
  • Adds new fields to prebuilt detection rules' schemas: related_integrations, required_fields, and setup (#132409).
  • Adds the Related integrations, Required fields, and Setup guide sections to the rule details page to help users identify and meet a rule’s prerequisites. Also adds the related integrations badge to the Rules table (#131475).

Bug fixes and enhancements

edit
  • Updates the Network page’s UI to match the Hosts and Users pages (#137541, #136913).
  • Improves the experience of bulk editing index patterns on rules by warning users early that machine learning rules can’t be edited (#134664).
  • Enhances rule previews with configurable rule intervals and look-back times (#137102).
  • Enhances the status pending badge for endpoint actions with a detailed status when you hover on it (#136966).
  • Turns grouped navigation on by default (#136819).
  • Improves the experience of bulk exporting rules by informing users early which rules can and cannot be exported (#136418).
  • Adds index pattern information to the Inspect panel (#136407).
  • Adds a custom dashboards table to the Dashboards page (#136221, #136671).
  • Fixes a performance issue with creating alerts from source documents that contain a large number of fields (#135956).
  • Updates the rule exceptions UI (#135255).
  • Fixes performance issues with rules management (#135311).
  • Allows you to disable @timestamp as a fallback timestamp field when you’ve defined a timestamp override (#135116).
  • Enhances the host risk score UI (#133708).
  • Updates the lists index template to use new logic (#133067).
  • Adds event filters to event correlation rules (#132507).
  • Allows you to define a data view as the rule’s data source, making runtime fields available for rule configuration (#130929).
  • Creates a single visualization pane on the Alerts page, and adds a treemap visualization that shows the distribution of alerts as nested, proportionally-sized tiles (#126896).
  • Fixes an incorrect counter for exported rules (#138598).
  • Fixes event filters based on OS version (#138517).
  • Fixes a bug that could change the batch size for event search in indicator rules (#138356).
  • Fixes a bug that prevented users from accessing alert details if they didn’t have the appropriate privileges to view the internal index .internal.alerts-security.alerts-<Kibana-space>. Now, the Alert details flyout correctly uses the public alias index .alerts-security.alerts-<Kibana-space> (#138331).
  • Fixes the preview button for machine learning rules (#137878).
  • Fixes a bug that could crash the Endpoints list when a policy ID was missing (#137788).
  • Fixes a bug that could interfere with opening host or user details pages (#137719).
  • Fixes several bugs related to refreshing the Alerts page (#137620).
  • Fixes a bug that prevented threshold rules' Timeline templates from being respected during investigations (#137233).
  • Fixes a permissions bug related to the Save Timeline button (#136724).
  • Fixes a bug with selecting Timeline templates with the same name (#135694).
  • Fixes field aliases to signal-threshold_result.* (#135565).
  • Fixes a bug that lost track of which rules you had selected after refreshing the Rules page (#135533).
  • Fixes a bug that lost track of which rules you had selected after applying a bulk action on the Rules page (#135291).
  • Fixes a bug that prevented the Rules table from pausing auto-refresh while bulk actions were being applied (135208).
  • Fixes a bug that could cause queries with nested fields to fail when opened (#134866).
  • Fixes a bug that slowed down the display of network details (#133539).
  • Various minor bug fixes and enhancements (#133079, #138135, #137588, #137511, #137492, #135907, #135426).
  • Fixes an Endpoint and Cloud Security bug on macOS and Linux that could cause CPU spikes if malware protection is enabled on an Endpoint and Cloud Security integration policy (#22).
  • Fixes a bug that could cause Endpoint and Cloud Security to crash when outputting log data to Logstash.
  • Allows Endpoint and Cloud Security to be added to agents running on Ubuntu 22.04 and Debian 11.