8.8

8.8.2

Known issues

  • After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
  • Rule changes can’t be saved and existing rule actions are removed if the action’s frequency is shorter than the rule’s run interval.
  • Setting the max_signals value higher than the xpack.alerting.rules.run.alerts.max value will lead to rule failure.
  • A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:

    • Open alerts in Timeline.
    • Adjust the Alerts table size. Do one of the following:

      • Use the Fields browser to remove fields from the Alerts table until the table’s width is smaller than its container.
      • Adjust your OS zoom settings and refresh the page.
      • Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
  • Alerts table rendering issues occur when threat indicator match alerts contain nested file.name values, and the Alerts table displays the file.name column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (#97684).

    When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.

    The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that’s most relevant to you:

    Case #1: You want to display threat indicator match alerts with nested file.name fields and the Alerts table won’t render. To fix this, manually edit your browser’s local storage and refresh the Alerts page:

    These instructions only apply to the Google Chrome browser. Adjust the steps for the browser you’re using.

    1. Right-click anywhere on the Alerts page, then select Inspect to open Chrome’s Developer Tools.
    2. Go to Application → Storage, then expand Local Storage.
    3. Click on the name of your Kibana instance, for example, http://localhost:1234.
    4. Search for the detection-engine-alert-table-securitySolution-rule-details-gridView key and copy its value. The value you copied is the JSON blob that’s used to persist the Alerts table’s state, including the table’s selected columns.
    5. Paste the JSON blob into a text file and edit it as follows:

      1. Remove the id:file.name string from the columns array.
      2. Remove the file.name string from the visibleColumns array.
    6. Go back to Chrome’s Developer Tools, and paste the edited JSON into the value for the detection-engine-alert-table-securitySolution-rule-details-gridView key.
    7. Press Enter or Return on your keyboard, then refresh the Alerts page. The Alerts table re-renders without the file.name column.

      To avoid further issues, do not re-add the file.name field to the table.

    Case #2: You want to display threat indicator match alerts with nested file.name fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:

    1. Go to the toolbar in the upper-left of the Alerts table, and click Fields.
    2. Search for the file.name field, de-select it, and click Close.
    3. Refresh the Alerts page.

Breaking changes

There are no breaking changes in 8.8.2.

Enhancements

There are no user-facing changes in 8.8.2.

Bug fixes

  • Fixes a bug that affected links to Kibana results generated by actions on rules from non-default Kibana spaces (#159966).
  • Fixes a bug that prevented users from saving a Timeline after adding a number field (#159723).
  • Fixes a bug that caused error messages to wrongfully display if users selected uninstalled machine learning jobs while creating a machine learning rule (#159316).
  • Removes hover actions from tables within the Detection & Response dashboard when the alert count is zero (#158902).
  • Fixes bugs in the Anomalies table that left machine learning jobs greyed out after they were installed (#158821) and that stopped some job counts from appearing (#158739).
  • Fixes a bug that caused the Add exceptions flyout to load indefinitely and display an out of memory error when a rule had a large number of unmapped fields in multiple indices (#159216).
  • Fixes a bug that prevented cell actions on fields with multiple values in the Alerts table (#158060).
  • Fixes a bug that caused the Alerts page to query unnecessary indices (#157286).
  • Fixes a bug that broke the mustache syntax for variables in rule actions (#160446).
  • Fixes a bug that caused exception items to be erroneously duplicated if you modified an exception item using the update exception item API and only specified its item_id (#159223).

    If you’ve already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.

    • Query for finding exception documents that were duplicated from only specifying the item_id:

      // Retrieve exception documents grouped by `item_id`.
      // Each bucket contains all duplicates of that document.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "match": {
                  "type": "exception-list"
                }
              }
            ]
          }
        },
        "aggs": {
          "item_id_duplicates": {
            "terms": {
              "field": "exception-list.item_id",
              "min_doc_count": 2
            },
            "aggs": {
              "ids": {
                "top_hits": {
                  "size": 100, // Increase this if you may have more duplicates.
                  "_source": false
                }
              }
            }
          }
        },
        "size": 0
      }
    • Query for finding exception documents that were duplicated and have lost their item_id because their id was used to update them:

      // Each item returned lost its `item_id`, which is expected to be present and unique.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "term": {
                  "exception-list.list_type": "item"
                }
              }
            ],
            "must_not": [
              {
                "exists": {
                  "field": "exception-list.item_id"
                }
              }
            ]
          }
        }
      }

8.8.1

Known issues

  • After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
  • Rule changes can’t be saved and existing rule actions are removed if the action’s frequency is shorter than the rule’s run interval.
  • Setting the max_signals value higher than the xpack.alerting.rules.run.alerts.max value will lead to rule failure.
  • If you modify an exception item using the update exception item API and only specify its item_id, the exception item is erroneously duplicated. To avoid this issue, you can either:

    If you’ve already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.

    • Query for finding exception documents that were duplicated from only specifying the item_id:

      // Retrieve exception documents grouped by `item_id`.
      // Each bucket contains all duplicates of that document.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "match": {
                  "type": "exception-list"
                }
              }
            ]
          }
        },
        "aggs": {
          "item_id_duplicates": {
            "terms": {
              "field": "exception-list.item_id",
              "min_doc_count": 2
            },
            "aggs": {
              "ids": {
                "top_hits": {
                  "size": 100, // Increase this if you may have more duplicates.
                  "_source": false
                }
              }
            }
          }
        },
        "size": 0
      }
    • Query for finding exception documents that were duplicated and have lost their item_id because their id was used to update them:

      // Each item returned lost its `item_id`, which is expected to be present and unique.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "term": {
                  "exception-list.list_type": "item"
                }
              }
            ],
            "must_not": [
              {
                "exists": {
                  "field": "exception-list.item_id"
                }
              }
            ]
          }
        }
      }
  • A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:

    • Open alerts in Timeline.
    • Adjust the Alerts table size. Do one of the following:

      • Use the Fields browser to remove fields from the Alerts table until the table’s width is smaller than its container.
      • Adjust your OS zoom settings and refresh the page.
      • Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
  • Alerts table rendering issues occur when threat indicator match alerts contain nested file.name values, and the Alerts table displays the file.name column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (#97684).

    When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.

    The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that’s most relevant to you:

    Case #1: You want to display threat indicator match alerts with nested file.name fields and the Alerts table won’t render. To fix this, manually edit your browser’s local storage and refresh the Alerts page:

    These instructions only apply to the Google Chrome browser. Adjust the steps for the browser you’re using.

    1. Right-click anywhere on the Alerts page, then select Inspect to open Chrome’s Developer Tools.
    2. Go to Application → Storage, then expand Local Storage.
    3. Click on the name of your Kibana instance, for example, http://localhost:1234.
    4. Search for the detection-engine-alert-table-securitySolution-rule-details-gridView key and copy its value. The value you copied is the JSON blob that’s used to persist the Alerts table’s state, including the table’s selected columns.
    5. Paste the JSON blob into a text file and edit it as follows:

      1. Remove the id:file.name string from the columns array.
      2. Remove the file.name string from the visibleColumns array.
    6. Go back to Chrome’s Developer Tools, and paste the edited JSON into the value for the detection-engine-alert-table-securitySolution-rule-details-gridView key.
    7. Press Enter or Return on your keyboard, then refresh the Alerts page. The Alerts table re-renders without the file.name column.

      To avoid further issues, do not re-add the file.name field to the table.

    Case #2: You want to display threat indicator match alerts with nested file.name fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:

    1. Go to the toolbar in the upper-left of the Alerts table, and click Fields.
    2. Search for the file.name field, de-select it, and click Close.
    3. Refresh the Alerts page.

Breaking changes

There are no breaking changes in 8.8.1.

New features

Bug fixes

  • Fixes a bug that made field types appear as unknown within the Fields browser and when examining alert or event details (#158594).
  • Fixes a bug that caused the Add rule exception flyout to load indefinitely when index fields couldn’t be retrieved (#158371).
  • Allows actions to be taken on fields with multiple values (#158060).
  • Provides support for using field names with wildcards in rule queries (#157981).
  • Fixes CSS style issues on the rule details page (#157935).
  • Fixes a bug that caused the A-Z option to incorrectly display on Alerts table sorting menus (#157653).
  • Allows users to scroll through long error messages on the rule details page (#157271).

8.8.0

To view a detailed summary of the latest features and enhancements, check out our release highlights.

Known issues

  • After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
  • Rule changes can’t be saved and existing rule actions are removed if the action’s frequency is shorter than the rule’s run interval.
  • Setting the max_signals value higher than the xpack.alerting.rules.run.alerts.max value will lead to rule failure.
  • Elastic Security 8.8 contains a bug that makes field types appear as unknown within the Fields browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1.
  • All field types in the Fields browser appear as unknown.
  • If you modify an exception item using the update exception item API and only specify its item_id, the exception item is erroneously duplicated. To avoid this issue, you can either:

    If you’ve already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below.

    • Query for finding exception documents that were duplicated from only specifying the item_id:

      // Retrieve exception documents grouped by `item_id`.
      // Each bucket contains all duplicates of that document.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "match": {
                  "type": "exception-list"
                }
              }
            ]
          }
        },
        "aggs": {
          "item_id_duplicates": {
            "terms": {
              "field": "exception-list.item_id",
              "min_doc_count": 2
            },
            "aggs": {
              "ids": {
                "top_hits": {
                  "size": 100, // Increase this if you may have more duplicates.
                  "_source": false
                }
              }
            }
          }
        },
        "size": 0
      }
    • Query for finding exception documents that were duplicated and have lost their item_id because their id was used to update them:

      // Each item returned lost its `item_id`, which is expected to be present and unique.
      GET .kibana*/_search
      {
        "query": {
          "bool": {
            "filter": [
              {
                "term": {
                  "exception-list.list_type": "item"
                }
              }
            ],
            "must_not": [
              {
                "exists": {
                  "field": "exception-list.item_id"
                }
              }
            ]
          }
        }
      }
  • A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:

    • Open alerts in Timeline.
    • Adjust the Alerts table size. Do one of the following:

      • Use the Fields browser to remove fields from the Alerts table until the table’s width is smaller than its container.
      • Change your OS zoom settings and refresh the page.
      • Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
  • Alerts table rendering issues occur when threat indicator match alerts contain nested file.name values, and the Alerts table displays the file.name column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (#97684).

    When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.

    The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that’s most relevant to you:

    Case #1: You want to display threat indicator match alerts with nested file.name fields and the Alerts table won’t render. To fix this, manually edit your browser’s local storage and refresh the Alerts page:

    These instructions only apply to the Google Chrome browser. Adjust the steps for the browser you’re using.

    1. Right-click anywhere on the Alerts page, then select Inspect to open Chrome’s Developer Tools.
    2. Go to Application → Storage, then expand Local Storage.
    3. Click on the name of your Kibana instance, for example, http://localhost:1234.
    4. Search for the detection-engine-alert-table-securitySolution-rule-details-gridView key and copy its value. The value you copied is the JSON blob that’s used to persist the Alerts table’s state, including the table’s selected columns.
    5. Paste the JSON blob into a text file and edit it as follows:

      1. Remove the id:file.name string from the columns array.
      2. Remove the file.name string from the visibleColumns array.
    6. Go back to Chrome’s Developer Tools, and paste the edited JSON into the value for the detection-engine-alert-table-securitySolution-rule-details-gridView key.
    7. Press Enter or Return on your keyboard, then refresh the Alerts page. The Alerts table re-renders without the file.name column.

      To avoid further issues, do not re-add the file.name field to the table.

    Case #2: You want to display threat indicator match alerts with nested file.name fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue:

    1. Go to the toolbar in the upper-left of the Alerts table, and click Fields.
    2. Search for the file.name field, de-select it, and click Close.
    3. Refresh the Alerts page.
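The Case #1 workaround above (the same procedure appears in the 8.8.0, 8.8.1, and 8.8.2 known issues) can be done from the browser console instead of hand-editing the stored JSON. The script below is an added example, not part of the Elastic documentation or of Kibana; it assumes, as steps 5a and 5b describe, that the persisted state is a JSON object whose columns array holds column objects with an id property and whose visibleColumns array holds plain field names.

```javascript
// Added example for the Case #1 workaround. Not Kibana code.
// The storage key is the one named in the release notes.
const GRID_VIEW_KEY =
  'detection-engine-alert-table-securitySolution-rule-details-gridView';

// Remove one field from the persisted Alerts table state.
// Takes the stored JSON string and returns the edited JSON string,
// or null when the field was not present (so nothing should be written back).
function stripColumn(stateJson, fieldName) {
  const state = JSON.parse(stateJson); // throws on a corrupt value; do not overwrite it
  let changed = false;

  if (Array.isArray(state.columns)) {
    const before = state.columns.length;
    // Assumed shape: { id: 'file.name', ... }; a bare string entry is handled too.
    state.columns = state.columns.filter(
      (c) => !(c === fieldName || (c && typeof c === 'object' && c.id === fieldName))
    );
    changed = changed || state.columns.length !== before;
  }

  if (Array.isArray(state.visibleColumns)) {
    const before = state.visibleColumns.length;
    state.visibleColumns = state.visibleColumns.filter((name) => name !== fieldName);
    changed = changed || state.visibleColumns.length !== before;
  }

  return changed ? JSON.stringify(state) : null;
}

// Apply the fix against a Storage-like object (window.localStorage in the browser).
// Returns 'no-state' (key absent), 'unchanged' (field not present) or 'fixed'.
function fixAlertsTableState(storage, fieldName = 'file.name', key = GRID_VIEW_KEY) {
  const raw = storage.getItem(key);
  if (raw === null) return 'no-state';
  const edited = stripColumn(raw, fieldName);
  if (edited === null) return 'unchanged';
  storage.setItem(key, edited);
  return 'fixed';
}

// When pasted into the browser console, run immediately against localStorage.
if (typeof window !== 'undefined' && window.localStorage) {
  console.log(fixAlertsTableState(window.localStorage));
}
```

Paste the script into the Console tab of the browser’s developer tools while on the Alerts page, then refresh the page; it logs fixed, unchanged or no-state so you know whether anything was rewritten.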

Breaking changes

  • The privileges for attaching alerts to cases have changed. Now, you need at least Read privileges for Security and All privileges for Cases (#147985).
  • Adds conditional actions to the rules API. In Elastic Security 8.7 and earlier, action frequencies were set on a rule level by defining the throttle field. In 8.8 and later, action frequencies are set at the action level, and the throttle field is replaced by the frequency and alert_filters fields. The following APIs are affected:

Deprecations

  • The rule level throttle field is deprecated in Elastic Security 8.8 and is scheduled for end of life in Q4 of 2024. In Elastic Security 8.8 and later, we strongly recommend using the action level frequency field to set frequencies for individual rule actions.

New features

  • Introduces Cloud native vulnerability management, which scans your cloud VMs for vulnerabilities, and adds a tab to the Findings page that displays vulnerabilities (#154388, #154873, #155045).
  • Introduces container workload protection, which allows you to monitor and protect your Kubernetes workloads.
  • Adds a new response action that allows you to execute commands on a selected host (#150202).
  • Adds the kibana.alert.url field to alert documents. This field provides a shareable URL for the alert (#155069).
  • Adds the ability to duplicate a shared exception list (#154991).
  • Allows Timeline notes to be deleted (#154834).
  • Allows you to specify conditions for when rule actions should run (#154680).
  • Adds the ability to snooze rule notifications from the Rules table, the rule details page, or the Actions tab when editing a rule (#153083, #155407, #155612).
  • Adds controls to the Alerts page that allow you to customize which filters appear at the top of the page (#152450).

Enhancements

  • Renames the Notable Anomalies section in the Entity Analytics dashboard to Anomalies (#155687).
  • Displays additional machine learning anomaly jobs on the Entity Analytics dashboard (#155520).
  • Makes alert count links on the Entity Analytics dashboard navigate to the Alerts page instead of opening in Timeline (#153372).
  • Updates the Data Quality dashboard to include a new tree map and storage size metrics for each index (#155581).
  • Adds cloud infrastructure-related fields to the alert details flyout highlighted fields section (#155247).
  • Allows you to specify how to handle alert suppression for alerts with missing fields (#155055).
  • Gives users more control over how they receive alert notifications and lets them define conditions that must be met for a notification to occur (#154526).
  • Adds a warning message to tell you when a rule has reached the maximum number of alerts limit (#154112).
  • Updates how browser field descriptions are provided to Kibana (#153498).
  • Enables multi-level grouping for alerts on the Alerts page, based on various fields (#152862).
  • Adds links to the Detection & Response and Entity Analytics dashboards that jump to the Alerts page with filters enabled (#152714).
  • Updates the visualizations throughout Elastic Security to Lens visualizations (#150531).
  • Adds a Share alert link to the alert details flyout (#148800).
  • Adds a warning message to the Rules page when a maintenance window is running (#155386).
  • Adds a global search bar to the Detection & Response and Entity Analytics dashboards (#156832).
  • Adds the "Investigate in timeline" inline action to alert counts on the Detection & Response and Entity Analytics dashboards (#154299).
  • Session view: Makes the row representing the session leader remain visible when you scroll past it, and adds a button to this row that allows you to collapse child processes (#154982).
  • Reduces Linux process event volume by about 50% by combining fork, exec, and end events when they occur around the same time (does not affect queries of this data) (#153213).
  • Updates where the technical preview tags appear for host risk score features (#156659, #156514).
  • Allows you to use fully qualified domain names (FQDNs) for hosts. To learn how to set a host name format in Fleet, refer to Elastic Agent policies.

Bug fixes

  • Fixes a bug that interfered with the default time range when you opened an alert in Timeline (#156884).
  • Fixes a bug that could cause the Alerts page to become unresponsive after entering an invalid query (#156542).
  • Updates the colors used for entity analytic graphs to match those used for alert graphs (#156383).
  • Fixes a bug that caused errors on the Data Quality dashboard when a basePath was configured (#156233).
  • Fixes a bug that could cause problems when different users simultaneously edited a Timeline (#155663).
  • Fixes a bug that could cause the wrong number of rules to appear in the modal for duplicating rules (#155959).
  • Fixes a bug that could cause a blank option to appear in the Create rule exception form (#155221).
  • Fixes issues that affected tags in the Add rule exception component of the Shared Exception Lists page (#155219).
  • Fixes a bug that displayed an outdated count of affected rules on the Shared Exception Lists page (#155108).
  • Improves performance for rendering indicator match alerts on the Alerts page (#154821).
  • Fixes a bug that could affect alert prevalence counts on the Alerts page (#154544).
  • Fixes a bug that could prevent you from using breadcrumbs to return to the Rules page (#150322).
  • Fixes a bug that could prevent the View all open alerts button on the Detection & Response dashboard from applying the correct filters (#156893).
  • Fixes several bugs related to Session View and the Kubernetes dashboard (#154982).
  • Fixes the delete index API so it only removes Elastic Security 7.x signals indices (.siem-signals-<space-id>), their index templates, and their ILM policies, and doesn’t delete 8.x alert indices (.alerts-security.alerts-<space-id>).