8.15
8.15.5
Bug fixes
edit- Ensures that only the asset criticality index is refreshed after you bulk upload asset criticality data (#200897).
- Fixes Elastic Agent to Elastic Defend communication on endpoints that use a proxy. With this fix, localhost TCP traffic bypasses any configured proxy.
- Fixes a time skew bug that occurs when Linux virtual machines that are using eBPF event probes are suspended and then resumed.
- Fixes an Elastic Defend bug where Windows API events might be dropped if they contain Unicode characters that can’t be converted to ANSI.
- Fixes a bug where Elastic Defend could fail to properly enrich Windows API events for short-lived processes on older operating systems that don’t natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events.
- Ensures that Elastic Defend does not emit an empty memory_region if it can’t enrich a memory region in an API event. With this fix, Elastic Defend removes these fields.
- Enhances Elastic Defend by improving the call_stack_final_user_module attribution where potential proxy_call modules are encountered during Windows call stack analysis.
8.15.4
Enhancements
- Enhances Elastic Defend by improving the call_stack_final_user_module attribution where potential proxy_call modules are encountered during Windows call stack analysis.
Bug fixes
- Fixes a conflict that could result in a Windows boot failure with status 0xC000007B (STATUS_INVALID_IMAGE_FORMAT) for ElasticElam.sys when Elastic Defend 8.15.2 or 8.15.3 was installed alongside CrowdStrike.
- Fixes a bug that caused an Elastic AI Assistant error if you had over 20 conversations and tried to access or update any of them (#197305).
- Makes Automatic Import more forgiving if LLMs return ECS mappings in unexpected formats (#195167).
- Fixes a bug that caused fields from all indices to display when adding a filter to a rule that you were editing. Now, only fields from the rule’s specified indices appear (#194678, #181643).
- Improves Elastic Defend by making the elastic-endpoint status command more reliable. Before this fix, the command occasionally failed with an I/O error.
- Fixes an Elastic Defend process crash that could occur if it was configured to use the Kafka output.
- Fixes a bug where Elastic Defend could fail to properly enrich Windows API events for short-lived processes on older operating systems that didn’t natively include this telemetry, such as Windows Server 2019. This could result in dropped or unattributed API events.
- Ensures that Elastic Defend does not emit an empty memory_region if it can’t enrich a memory region in an API event. After this fix, Elastic Defend removes these fields.
- Fixes an Elastic Defend bug where Windows API events could be dropped if they contained Unicode characters that couldn’t be converted to ANSI.
- Fixes a race condition that could allow an attacker with administrative rights to disable Elastic Defend on Windows. We would like to acknowledge Sean Moore (@Fr0g) at strafecybersecurity.com for their assistance.
8.15.3
Bug fixes
edit- Fixes a bug that could cause Elastic Defend to crash on Linux when scanning paths (or paths with children) which include virtual file systems, such as procfs.
- Fixes a bug that made alerts wrongfully inherit previously-selected tags (#194428).
- Prevents Automatic Import from requesting that LLMs map to reserved ECS fields (#195168).
- Fixes an Automatic Import bug that prevented non-ECS compatible fields from resolving in structured and unstructured system logs (#194727).
- Fixes an Automatic Import bug that occurred when uploading a new version of an existing integration (#194298).
- Fixes an Automatic Import bug that caused integration deployments to fail after you edited the ingest pipeline (#194203).
- Improves Attack discoveries by including the user.target.name field in the default anonymization allow list (#193496).
- Fixes an Attack discovery UI bug where entities repeated in a description were displayed with a UUID instead of a value (#193428).
8.15.2
Known issues
Alerts wrongfully inherit previously-selected tags
Details
When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
Workaround
Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking Apply tags. This removes the old tags from the alert.
Resolved
On October 17, 2024, this issue was resolved.
Enhancements
edit- Adds Ubuntu 24.04 support for Elastic Defend.
- Improves Elastic Defend’s support of call stack module stomp detection in Windows 11 24H2 (#192490).
- Allows you to use the Google Gemini, OpenAI, and Azure OpenAI connectors with Automatic Import (#191577).
- Allows Automatic Import to use unstructured system logs (#192817).
- Displays error messages in Automatic Import when logs sample files don’t successfully upload (#191310).
- Ensures that Automatic Import performs reproducible sampling from a list of log entries instead of truncating them (#191598).
Bug fixes
- Prevents the Google Gemini connector from accepting unknown properties in responses, which resolves an error that occurred when generating Attack discoveries (#192915).
- Fixes the View in AI Assistant button in Attack discovery, which previously did not work (#192416).
- Changes the owner of integrations created by Automatic Import from Elastic to Community (#193002).
- Fixes issues with rendering the package manifest in Automatic Import (#192316).
- Fixes an issue that prevented the http_endpoint input configuration from loading correctly in the Automatic Import workflow (#191964).
- Fixes a bug that prevented the enable field from being respected when you import rules (#192302).
8.15.1
Known issues
Alerts wrongfully inherit previously-selected tags
Details
When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
Workaround
Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking Apply tags. This removes the old tags from the alert.
Resolved
On October 17, 2024, this issue was resolved.
New features
- Introduces a new feature for Elastic Defend where Windows image load events now include the process protection status (Protected Process Light, PPL), making it easier to detect both legitimate and malicious PPL activity.
- Allows you to examine Jamf data in the visual event analyzer (#190965).
Enhancements
- Elastic Defend now supports proxy configuration with the Logstash output.
- Improves Elastic Defend by reducing Malware Protection disk I/O and CPU usage when recently written files are subsequently executed. This update is for Windows endpoints only.
- Makes several improvements to the detection and parsing of log samples uploaded to automatic import (#190588, #191502, #190656, #190046).
- Improves error handling for the Tines connector, and provides an option to use a webhook URL when connecting to the Tines API (#191263).
Bug fixes
- Fixes an Elastic Defend bug that affected CPU usage for Windows process events where the same executable is repeatedly launched, for example, during compilation workloads. With this fix, CPU usage is improved.
- Fixes an Elastic Defend bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory.
- Fixes an Elastic Defend bug that sometimes caused Elastic Endpoint to report an incorrect version if it used an independent Elastic Agent release.
- Fixes an Elastic Defend bug where the process.thread.Ext.call_stack_final_user_module.protection_provenance_path field might be populated with a non-path value. This fix is for Windows endpoints only.
- Fixes an Elastic Defend bug that can lead to Elastic Endpoint reporting STATUS_ACCESS_DENIED when attempting to open files for GENERIC_READ. Elastic Endpoint almost always recovered from this issue, but with this fix, it succeeds on the first try. This fix is for Windows endpoints only.
- Fixes an Elastic Defend regression that was introduced in 8.14.0, where security events did not populate the user.name field. This fix is for Windows endpoints only.
- Fixes an Elastic Defend bug where Elastic Endpoint sometimes missed file and network events on newer kernels that support eBPF. This only occurred if Elastic Endpoint failed to enable eBPF probes and fell back to Kprobes. This fix is for Linux endpoints only.
- Fixes a bug that caused errors if you used Azure OpenAI connector for streaming (#191552).
- Fixes a bug that caused Elastic AI Assistant’s responses to sometimes include tags when using Bedrock Sonnet 3.5.
- Fixes a bug that prevented duplicated prebuilt rules from inheriting Required fields and Related integrations field values (#191065).
- Turns off the option to assign users to an alert if no assignees exist (#190937).
- Fixes a bug that prevented Timeline template settings from being applied to new Timelines that were generated by a rule (#190511).
- Fixes a bug that hid the option to select a connector for Elastic AI Assistant (#189944).
- Removes the option to manually bulk-run multiple rules (#190781).
8.15.0
Known issues
Tags appear in Elastic AI Assistant’s responses
Details
On August 1, 2024, it was discovered that Elastic AI Assistant’s responses when using Bedrock Sonnet 3.5 may include <antThinking> tags, for example <search_quality_reflection> (#189676).
Workaround
Upgrade to 8.15.1.
Resolved
On September 5, 2024, this issue was resolved.
The option to manually run multiple rules is available in the bulk actions menu on the Rules page
Details
On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.
Workaround
Upgrade to 8.15.1.
Resolved
On September 5, 2024, this issue was resolved.
Elastic Endpoint does not properly populate the user.name field in security events
Details
Elastic Endpoint for Windows does not properly populate the user.name field in security events.
Workaround
Upgrade to 8.15.1.
Resolved
On September 5, 2024, this issue was resolved.
CrowdStrike response actions (isolate and release host) not working
Details
A bug prevented third-party response actions with CrowdStrike from working.
Workaround
Upgrade to 8.15.1.
Alerts wrongfully inherit previously-selected tags
Details
When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
Workaround
Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking Apply tags. This removes the old tags from the alert.
Resolved
On October 17, 2024, this issue was resolved.
Breaking changes
- If you previously created any user-defined quick prompts for Elastic AI Assistant, they will no longer appear after you upgrade to 8.15. To resolve this, copy your existing quick prompts prior to upgrading, then add them again after upgrading. Additionally, in 8.15, quick prompts are shared by all users in your deployment, rather than saved at the user level (#187040).
New features
- Introduces Automatic Import, a feature that helps you to quickly parse, ingest, and create ECS mappings for data from sources that don’t yet have prebuilt Elastic integrations (#186304).
- Creates an LLM connector for Google Gemini (#183668).
- Adds an API for Elastic AI Assistant (#184485).
- Adds the scan action to the response console, which allows you to scan a specific file or directory on a host for malware (#184723).
- Adds an Elastic Defend integration policy option in Advanced Settings that allows you to opt out of registry event filtering (#186564).
- Allows you to specify additional file and registry paths to monitor for read access (#181361).
- Allows you to use Elastic Security to isolate and release hosts running a CrowdStrike agent (#186801).
- Allows you to retrieve files from SentinelOne-enrolled hosts (#181162).
- Allows you to create an event filter that excludes the descendant events of a specific process (#184947).
- Recalculates entity risk scores when asset criticality changes on an individual entity (#182234).
- Adds an Asset criticality column to user and host data tables. If asset criticality levels are assigned to your users and hosts, this information appears in the Asset criticality column (#186375, #186456).
- Adds an API that allows you to perform paginated KQL searches through asset criticality records (#186568).
- Adds public APIs for managing asset criticality (#186169).
- Allows you to edit the max_signals, related_integrations, and required_fields fields for custom rules (#179680, #178295, #180682).
- Provides help from AI Assistant when you’re correcting rule query errors (#179091).
- Allows you to bulk update custom highlighted fields for rules (#179312).
- Adds alert suppression for machine learning and ES|QL rules (#181926, #180927).
- Provides previews of hosts, users, and alerts that you’re examining in the alert details flyout (#186850, #186857).
- Enhances Timeline’s data exploration experience by incorporating components from Discover, such as the sidebar and table, which allow you to quickly find fields of interest. Timeline’s overall performance is also improved (#176064).
- Adds an option for toggling row renderers on and off, and moves notes to a new flyout in Timeline (#186948).
- Revamps the Dashboards landing page (#186465).
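The asset criticality APIs above, and the bulk upload whose index refresh is fixed in 8.15.5, both take one record per entity. The script below is an added example, not code from Elastic Security: it validates a criticality CSV, collapses repeated entities so that only one value per entity is sent, and builds the bulk request. It assumes the 8.15 endpoint POST /api/asset_criticality/bulk with a body of the form {"records": [{"id_field", "id_value", "criticality_level"}]}, the CSV layout entity_type,identifier,criticality_level used by the bulk upload page, and the four criticality levels low_impact, medium_impact, high_impact and extreme_impact; the Kibana URL is a placeholder. Check these against the API reference for your version before relying on them.

```python
"""Validate an asset criticality CSV and build the bulk-upload request.

Added example; this is not code from Elastic Security. Endpoint path, body
shape, CSV layout and criticality levels are assumptions (see the lead-in).
"""
import csv
import io
import json
import urllib.request

# Assumed values; confirm against your Kibana version's API reference.
CRITICALITY_LEVELS = ("low_impact", "medium_impact", "high_impact", "extreme_impact")
ID_FIELDS = {"host": "host.name", "user": "user.name"}
BULK_PATH = "/api/asset_criticality/bulk"

# Constructed sample input: two bad rows and one repeated host on purpose.
SAMPLE_CSV = """host,web-01,high_impact
user,svc_backup,extreme_impact
host,lab-vm-7,nonsense
printer,hp-01,low_impact
host,web-01,medium_impact
"""


def parse_criticality_csv(text):
    """Return (records, errors, duplicates).

    records:    API records, one per entity; the last row for a repeated
                entity wins, so the server never sees two values for one host.
    errors:     one human-readable message per rejected line.
    duplicates: identifiers that appeared more than once.
    """
    by_entity, errors, duplicates = {}, [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # blank line
        if len(row) != 3:
            errors.append(f"line {lineno}: expected 3 columns, got {len(row)}")
            continue
        entity_type, identifier, level = (cell.strip() for cell in row)
        if entity_type not in ID_FIELDS:
            errors.append(f"line {lineno}: unknown entity type {entity_type!r}")
            continue
        if not identifier:
            errors.append(f"line {lineno}: empty identifier")
            continue
        if level not in CRITICALITY_LEVELS:
            errors.append(f"line {lineno}: unknown criticality level {level!r}")
            continue
        key = (ID_FIELDS[entity_type], identifier)
        if key in by_entity:
            duplicates.append(identifier)
        by_entity[key] = {
            "id_field": key[0],
            "id_value": key[1],
            "criticality_level": level,
        }
    return list(by_entity.values()), errors, duplicates


def build_bulk_request(records, kibana_url="https://kibana.example.internal:5601", api_key=None):
    """Describe the HTTP request for a bulk upload without sending it.

    kbn-xsrf is required by Kibana on every non-GET API call. kibana_url and
    the ApiKey value are placeholders for your own deployment.
    """
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = f"ApiKey {api_key}"
    return {
        "method": "POST",
        "url": kibana_url.rstrip("/") + BULK_PATH,
        "headers": headers,
        "body": json.dumps({"records": records}),
    }


def send(request_spec):
    """Send a request built by build_bulk_request and return the JSON reply."""
    req = urllib.request.Request(
        request_spec["url"],
        data=request_spec["body"].encode(),
        headers=request_spec["headers"],
        method=request_spec["method"],
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    records, errors, duplicates = parse_criticality_csv(SAMPLE_CSV)
    for ident in duplicates:
        print("repeated entity, last row kept:", ident)
    for problem in errors:
        print("rejected:", problem)
    print(build_bulk_request(records)["body"])
    if errors:
        raise SystemExit("fix the CSV before uploading")  # refuse partial uploads
```

Run it as-is to see the validation output for the constructed sample; to upload, pass the real Kibana URL and an API key to build_bulk_request and hand the result to send. Refusing to upload while any row is rejected keeps the criticality index consistent with the file you reviewed, rather than half-applied.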
Enhancements
- Allows Attack discovery generation to continue when you navigate to another page, and allows you to run Attack discovery with multiple connectors simultaneously (#184949).
- Adds notifications to the connector dropdown menu on the Attack discovery page so you know when other connectors have new discoveries (#186903, #187209).
- Improves AI Assistant’s responses across multiple connectors and in multiple scenarios for streaming and non-streaming use cases (#182041, #187183).
- Enables AI Assistant to remember information you ask it to remember (#184554, #5670).
- Updates the default Gemini version to gemini-1.5-pro-001 and the default Bedrock version to anthropic.claude-3-5-sonnet-20240620-v1:0 (#186671).
- Simplifies how you enable AI Assistant’s knowledge base (#182763).
- Unifies the AI Assistant’s settings view (#184678).
- Introduces a new Elastic Endpoint policy setting that allows you to control whether the kernel reports Windows network events that happened on a local loopback interface (#181753).
- Improves how failure messages for the scan action appear in the response console (#186284).
- Improves the risk engine’s performance. Now, after you turn on the engine, risk data is available sooner (#184797).
- Enhances the risk engine’s normalization accuracy (#184638).
- Updates the copy for bulk assigning asset criticality to multiple entities (#181390).
- Improves visual and logic issues in the Findings table (#184185).
- Enables the expandable alert details flyout by default and replaces the securitySolution:enableExpandableFlyout advanced setting with a feature flag that allows you to revert to the old flyout version (#184169).
- Improves the UI design and copy of various places in the alert details flyout (#187430, #187920).
- Updates the MITRE ATT&CK framework to version 15.1 (#183463).
- Improves the warning message about rule actions being unavailable after a rule ran (#182741).
- Enables the xMatters and Server Log connector rule actions (#172933).
Bug fixes
- Fixes a bug that prevented Timeline from properly retrieving results after upgrading to 8.14.1 (#189031).
- Fixes a bug that showed that Timeline had been changed, even if it hadn’t been (#188106).
- Removes the option to investigate suppressed alerts in Timeline when you’re previewing alert details from a rule preview (#188385).
- Fixes the alignment of the page selector dropdown menu on the Shared Exception Lists page (#187956).
- Fixes a rule execution error that occurred when ES|QL rules queried source documents with non-ECS compliant sub-fields under the event.action field (#187549).
- Fixes a bug that caused the Enable entity risk scoring option to display even when you didn’t have the correct requirements (#183517).
- Prevents maxClauseCount errors from occurring for indicator match rules (#179748).
- Fixes a bug that prevented threat intelligence fields from correctly rendering in the alert details flyout if they had flattened fields (#179395).
- Removes references in the UI that directed users to outdated documentation for the risk scoring feature (#187585).
- Fixes a bug on the Get started page that prevented the correct username from being displayed in the greeting message (#180670).
- Fixes a bug that prevented the pagination menu from appearing in the correct place for the Uncommon processes table (#189201).
- Fixes a bug that affected the panel showing the last command details in the Uncommon processes table (#187848).