8.17

8.17.1

Known issues

Duplicate alerts can be produced from manually running threshold rules

Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.

Manually running custom query rules with suppression could suppress more alerts than expected

Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.

Bug fixes

  • Fixes Integration and Datastream name validation (#204943).
  • Improves how the rule query field handles whitespace for long pre-formatted texts. This fix only applies to Firefox, not Chrome or Safari (#203993).
  • Adds role-based access control to the Automatic Import APIs (#203882).
  • Changes the validation for API responses from SentinelOne and CrowdStrike. This fix allows non-JSON responses, such as a stream, to be returned (#203820).
  • Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using AND or OR conditions (#201776).
  • Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases (#205138).
  • Lists all policies to ensure that integrations are properly displayed (#205103).
  • Fixes a bug that prevented the Exceptions tab from properly loading if exceptions contained comments with newline characters (\n) (#202063).
  • Fixes incompatibility issues with Elastic Defend. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a CRITICAL_PROCESS_DIED bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict.

    Affected users who are unable to upgrade should set one or both of the following in their Elastic Defend advanced policy, depending on their version:

    • windows.advanced.events.process.creation_flags: false (8.13.0 - 8.16.1)
    • windows.advanced.memory_protection.shellcode_trampoline_detection: false (8.12.0 - 8.16.2)
  • Fixes an Elastic Defend bug that could cause the Windows API event call stack enrichment to fail for processes that started before Elastic Defend and if another security product was present and hooking system DLLs.
  • Fixes an Elastic Defend bug that caused Windows API events involving mswsock.dll to be mislabeled with the proxy_call behavior.
  • Fixes an Elastic Defend bug that caused the Open Elastic Security button in the Windows Security Center to be non-functional. Now, you’re informed that Elastic Defend is managed by your system administrator.

8.17.0

Known issues

The Exceptions tab won’t properly load if exceptions contain comments with newline characters (\n)

Details
On December 5, 2024, it was discovered that the Exceptions tab won’t load properly if any exceptions contain comments with newline characters (\n). This issue occurs when you upgrade to 8.16.0 or later (#201820).

Workaround

Upgrade to 8.17.1, or follow the workarounds below.

For custom rules:

  1. From the Rules page, export the rule or rules with the affected exception lists.
  2. Modify the .ndjson file so comments no longer contain newline characters.
  3. Return to the Rules page and re-import the rules. Ensure you select the Overwrite existing exception lists with conflicting "list_id" option.

For prebuilt rules:

If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the Shared Exception Lists page.

  1. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:

    1. Find the affected rule’s ID (id). From the Rules page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (167a5f6f-2148-4792-8226-b5e7a58ef46e) is the id.
    2. Specify the id when fetching the rule’s details using the Retrieve a detection rule API. Here is an example request that includes the id:

      curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e
    3. The JSON response contains the id, list_id, and namespace_type values within the exceptions_list key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.

      {
        "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
        "exceptions_list": [
          {
            "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
            "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
            "namespace_type": "single"
          }
        ]
      }
  2. Use the export exceptions API to retrieve the affected exception list. Insert the values for the id, list_id, and namespace_type parameters into the following API call:

    curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
  3. Modify the exception list’s .ndjson file to ensure comments[].comment values don’t contain newline characters (\n).
  4. Re-import the modified exception list using the Import exception lists option on the Shared Exception Lists page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.

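
As an added example (not from the release notes or Elastic's own tooling) for the "modify the .ndjson file" step of both workarounds above: a small Python script that rewrites an exported .ndjson so that no comments[].comment value contains a newline, while leaving every other line byte-for-byte unchanged. It assumes exception items appear as NDJSON lines with a top-level comments array, as in exception list exports (and rule exports that include exception lists); the sample file, its item_id and the comment text are constructed.

```python
import json
import sys
from typing import Iterable, List, Tuple
# Constructed sample export: the list, one item whose first comment contains a
# newline, and the summary line. Only the list_id comes from the release note.
SAMPLE_EXPORT = (
    '{"list_id":"f75aae6f-0229-413f-881d-81cb3abfbe2d","type":"endpoint","namespace_type":"single"}\n'
    '{"list_id":"f75aae6f-0229-413f-881d-81cb3abfbe2d","item_id":"sample-item-1","entries":[],'
    '"comments":[{"comment":"Approved by\\nsecurity team"},{"comment":"single line"}]}\n'
    '{"exported_exception_list_count":1,"exported_exception_list_item_count":1}\n'
)

def sanitize_comment(text: str) -> str:
    """Collapse every line break (\\n, \\r\\n, \\r) in a comment into a single space."""
    return " ".join(part.strip() for part in text.splitlines() if part.strip())

def fix_ndjson_line(line: str) -> Tuple[str, int]:
    """Rewrite comments[].comment on one NDJSON line; return (line, number changed)."""
    stripped = line.strip()
    if not stripped:
        return line, 0
    doc = json.loads(stripped)
    changed = 0
    # Lines with no top-level comments array (the list, rules, the summary) pass through.
    for entry in doc.get("comments") or []:
        if isinstance(entry, dict) and isinstance(entry.get("comment"), str):
            fixed = sanitize_comment(entry["comment"])
            if fixed != entry["comment"]:
                entry["comment"] = fixed
                changed += 1
    if changed == 0:
        return line, 0
    # Re-serialize compactly so the output stays one JSON document per line.
    return json.dumps(doc, ensure_ascii=False, separators=(",", ":")) + "\n", changed

def fix_export(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Fix every line of an export; return (fixed lines, total comments changed)."""
    out, total = [], 0
    for line in lines:
        fixed, count = fix_ndjson_line(line)
        out.append(fixed)
        total += count
    return out, total

if __name__ == "__main__":
    # Usage: python fix_exception_comments.py list.ndjson > fixed.ndjson
    with open(sys.argv[1], encoding="utf-8") as fh:
        fixed_lines, total = fix_export(fh)
    sys.stdout.writelines(fixed_lines)
    print(f"comments rewritten: {total}", file=sys.stderr)
```
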
Duplicate alerts can be produced from manually running threshold rules

Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.

Manually running custom query rules with suppression could suppress more alerts than expected

Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.

New features

  • Adds a signature option for trusted applications on macOS (#197821).
  • Adds GA support for the case action feature, which lets rules automatically create cases (#196973).

Enhancements

  • Checks user permissions before initializing the entity engine (#198661).
  • Updates LangChain dependencies, adding support for the new Bedrock cross-region inference profiles (#198622).

Bug fixes

  • Clears the error on the second entity engine initialization (#202903).
  • Modifies the empty state message that appears when installing prebuilt rules (#202226).
  • Rejects CEF logs from Automatic Import and instead redirects you to the CEF integration (#201792, #202994).
  • Fixes a bug in Automatic Import where icons did not display after the integration was installed (#201139).
  • Removes an erroneous duplicate Preserve Original Event flag, since one was already added from the common settings file (#201622).
  • Turns off the Install All button on the Add Elastic Rules page while rules are being installed (#201731).
  • Turns off the Add note button in the alert details flyout if you don’t have the appropriate permission (#201707).
  • Removes fields with an @ from the script processor (#201548).
  • Fixes an issue that could interfere with Knowledge Base setup (#201175).
  • Fixes an issue with Gemini streaming in the AI Assistant (#201299).
  • Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints (#198622).
  • Fixes a bug with threshold rules that prevented cardinality details from appearing (#201162).
  • Fixes a bug that caused an entity engine to get stuck in the Installing status if the default Security data view didn’t exist. With this fix, engines now correctly report the Error state (#201140).
  • Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you’re on Windows (#199791).
  • Fixes asset criticality index issue when setting up entity engines concurrently (#199486).
  • Fixes a bug where the @timestamp field wouldn’t update upon asset criticality soft delete (#196722).
  • Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes (#198652).
  • Improves the flow for the Insights section in the alert details flyout (#197349).
  • Fixes an issue where users without the Fleet read permission were blocked from interacting with any onboarding card (#202413).
  • Improves Elastic Defend for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled.
  • Improves Elastic Defend by refactoring the kernel driver to work around a CRITICAL_PROCESS_DIED bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon.
  • Fixes an issue in Elastic Defend versions 8.15.2 and 8.15.3 which can result in Windows boot failure 0xC000007B referencing ElasticElam.sys, or a recovery mode prompt at boot. We have only received reports of this happening when Elastic Defend is installed alongside CrowdStrike Falcon.
  • Fixes an Elastic Defend bug where the Linux system call (setsid) wasn’t properly gathered for RHEL 9/CentOS Stream 9 process events.
  • Fixes an issue where Elastic Defend can enter an infinite loop if an external application opens and retains handles to files within Elastic Defend's directory while it is processing a get-file response action. This can result in Elastic Defend flooding Elasticsearch with documents until the handles are closed.