diff --git a/.backportrc.json b/.backportrc.json
index 749602998b..4d732d9144 100644
--- a/.backportrc.json
+++ b/.backportrc.json
@@ -1,5 +1,5 @@
 {
 "upstream": "elastic/security-docs",
- "branches": ["8.x", "8.16", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
+ "branches": ["8.x", "8.17", "8.16", "8.15", "8.14", "8.13", "8.12", "8.11", "8.10", "8.9", "8.8", "8.7", "8.6", "8.5", "8.4", "8.3", "8.2", "8.1", "8.0", "7.17", "7.16", "7.15", "7.14", "7.13", "7.12", "7.11", "7.10", "7.9", "7.8"],
 "labels": ["backport"]
 }
diff --git a/.mergify.yml b/.mergify.yml
index d23f89f7b6..b547826c0d 100644
--- a/.mergify.yml
+++ b/.mergify.yml
@@ -26,6 +26,20 @@ pull_request_rules:
 branches:
 - "main"
 title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+ - name: backport patches to 8.x branch
+ conditions:
+ - merged
+ - base=main
+ - label=v8.18.0
+ actions:
+ backport:
+ assignees:
+ - "{{ author }}"
+ branches:
+ - "8.x"
+ title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
+ labels:
+ - backport
 - name: backport patches to 8.17 branch
 conditions:
 - merged
@@ -36,7 +50,7 @@ pull_request_rules:
 assignees:
 - "{{ author }}"
 branches:
- - "8.x"
+ - "8.17"
 title: "[{{ destination_branch }}] {{ title }} (backport #{{ number }})"
 labels:
 - backport
diff --git a/docs/AI-for-security/knowledge-base.asciidoc b/docs/AI-for-security/knowledge-base.asciidoc
index 2f5414822b..e345df14be 100644
--- a/docs/AI-for-security/knowledge-base.asciidoc
+++ b/docs/AI-for-security/knowledge-base.asciidoc
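Review bot: The condition that selects which merged PRs the "backport patches to 8.17 branch" rule acts on is not part of this change: the second .mergify.yml hunk only re-points its `branches` target from `"8.x"` to `"8.17"`, while that rule's `- label=` condition sits between the two hunks and is untouched in this diff. The new "backport patches to 8.x branch" rule in the first hunk matches `label=v8.18.0`; if the 8.17 rule still carries the label it used while it targeted `8.x`, one label could open backport PRs against both `8.x` and `8.17`, so confirm the 8.17 rule's condition now reads the intended 8.17 release label (constructed example: `- label=v8.17.1`). The 8.17 rule's `name`/`conditions` lines begin outside the second hunk.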
@@ -44,7 +44,7 @@ image::images/knowledge-base-assistant-menu-dropdown.png[AI Assistant's dropdown [discrete] === Option 2: Enable Knowledge Base from the Security AI settings -. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." +. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." . On the **Knowledge Base** tab, click **Setup Knowledge Base**. If the button doesn't appear, Knowledge Base is already enabled. image::images/knowledge-base-assistant-settings-kb-tab.png[AI Assistant's settings menu open to the Knowledge Base tab] @@ -57,7 +57,7 @@ When Knowledge Base is enabled, AI Assistant receives `open` or `acknowledged` a To enable Knowledge Base for alerts: . Ensure that knowledge base is <>. -. Use the slider on the Security AI settings' Knowledge Base tab to select the number of alerts to send to AI Assistant. Click **Save**. +. On the **Security AI settings** page, go to the **Knowledge Base** tab and use the slider to select the number of alerts to send to AI Assistant. Click **Save**. NOTE: Including a large number of alerts may cause your request to exceed the maximum token length of your third-party generative AI provider. If this happens, try selecting a lower number of alerts to send. 
@@ -65,7 +65,7 @@ NOTE: Including a large number of alerts may cause your request to exceed the ma [[knowledge-base-add-knowledge]] == Add knowledge -To view all knowledge base entries, go to the Security AI settings and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant. +To view all knowledge base entries, go to **Security AI settings** and select the **Knowledge Base** tab. You can add individual documents or entire indices containing multiple documents. Each entry in the Knowledge Base (a document or index) has a **Sharing** setting of `private` or `global`. Private entries apply to the current user only and do not affect other users in the {kib} space, whereas global entries affect all users. Each entry can also have a `Required knowledge` setting, which means it will be included as context for every message sent to AI Assistant. NOTE: When you enable Knowledge Base, it comes pre-populated with articles from https://www.elastic.co/security-labs[Elastic Security Labs], current through September 30, 2024, which allows AI Assistant to leverage Elastic's security research during your conversations. This enables it to answer questions such as, “Are there any new tactics used against Windows hosts that I should be aware of when investigating my alerts?” 
@@ -75,7 +75,7 @@ NOTE: When you enable Knowledge Base, it comes pre-populated with articles from Add an individual document to Knowledge Base when you want AI Assistant to remember a specific piece of information. -. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab. +. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab. . Click **New → Document** and give it a name. . Under **Sharing**, select whether this knowledge should be **Global** or **Private**. . Write the knowledge AI Assistant should remember in the **Markdown text** field. @@ -108,7 +108,7 @@ Add an index as a knowledge source when you want new information added to that i IMPORTANT: Indices added to Knowledge Base must have at least one field mapped as {ref}/semantic-text.html[semantic text]. -. To open Security AI settings, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab. +. To open **Security AI settings**, use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field] to find "AI Assistant for Security." Select the **Knowledge Base** tab. . Click **New → Index**. . Name the knowledge source. . Under **Sharing**, select whether this knowledge should be **Global** or **Private**. @@ -136,3 +136,51 @@ Refer to the following video for an example of adding an index to Knowledge Base
++++ ======= + +[discrete] +[[knowledge-base-crawler-or-connector]] +=== Add knowledge with a connector or web crawler + +You can use an {es} connector or web crawler to create an index that contains data you want to add to Knowledge Base. + +This section provides an example of adding a threat intelligence feed to Knowledge Base using a web crawler. For more information on adding data to {es} using a connector, refer to {ref}/es-connectors.html[Ingest data with Elastic connectors]. For more information on web crawlers, refer to {enterprise-search-ref}/crawler.html[Elastic web crawler]. + +[discrete] +==== Use a web crawler to add threat intelligence to Knowledge Base + +First, you'll need to set up a web crawler to add the desired data to an index, then you'll need to add that index to Knowledge Base. + +. From the **Search** section of {kib}, find **Web crawlers** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. +. Click **New web crawler**. +.. Under **Index name**, name the index where the data from your new web crawler will be stored, for example `threat_intelligence_feed_1`. Click **Create index**. +.. Under **Domain URL**, enter the URL where the web crawler should collect data. Click **Validate Domain** to test it, then **Add domain**. +. The previous step opens a page with the details of your new index. Go to its **Mappings** tab, then click **Add field**. ++ +NOTE: Remember, each index added to Knowledge Base must have at least one semantic text field. ++ +.. Under **Field type**, select `Semantic text`. Under **Select an inference endpoint**, select `elastic-security-ai-assistant-elser2`. Click **Add field**, then **Save mapping**. +. Go to the **Scheduling** tab. Enable the **Enable recurring crawls with the following schedule** setting, and define your desired schedule. +. Go to the **Manage Domains** tab. 
Select the domain associated with your new web crawler, then go the its **Crawl rules** tab and click **Add crawl rule**. For more information, refer to {enterprise-search-ref}/crawler-extraction-rules.html[Web crawler content extraction rules]. +.. Click **Add crawl rule** again. Under **Policy**, select `Disallow`. Under **Rule**, select `Regex`. Under **Path pattern**, enter `.*`. Click **Save**. +.. Under **Policy**, select `Allow`. Under **Rule**, select `Contains`. Under **Path pattern**, enter your path pattern, for example `threat-intelligence`. Click **Save**. Make sure this rule appears below the rule created in the previous step on the list. +.. Click **Crawl**, then **Crawl all domains on this index**. A success message appears. The crawl process will take longer for larger data sources. Once it finishes, your new web crawler's index will contain documents provided by the crawler. +. Finally, follow the instructions to <>. Add the index that contains the data from your new web crawler (`threat_intelligence_feed_1` in this example). + +Your new threat intelligence data is now included in Knowledge Base and can inform AI Assistant's responses. + +Refer to the following video for an example of creating a web crawler to ingest threat intelligence data and adding it to Knowledge Base. + +======= +++++ + + +
+++++ +======= \ No newline at end of file diff --git a/docs/cases/cases-manage.asciidoc b/docs/cases/cases-manage.asciidoc index f1f85c6025..218da56fb6 100644 --- a/docs/cases/cases-manage.asciidoc +++ b/docs/cases/cases-manage.asciidoc @@ -5,7 +5,7 @@ :frontmatter-tags-content-type: [how-to] :frontmatter-tags-user-goals: [analyze] -You can create and manage cases using the UI or the <>. +You can create and manage cases using the UI or the {api-kibana}/group/endpoint-cases[cases API]. [float] [[cases-ui-open]] diff --git a/docs/cases/cases-overview.asciidoc b/docs/cases/cases-overview.asciidoc index 757c2fd336..e44968724e 100644 --- a/docs/cases/cases-overview.asciidoc +++ b/docs/cases/cases-overview.asciidoc @@ -5,7 +5,7 @@ :frontmatter-tags-content-type: [overview] :frontmatter-tags-user-goals: [analyze] -Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the <> to perform the same tasks. +Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {api-kibana}/group/endpoint-cases[cases API] to perform the same tasks. You can also send cases to these external systems by <>: diff --git a/docs/cloud-native-security/cloud-native-security-index.asciidoc b/docs/cloud-native-security/cloud-native-security-index.asciidoc index c3dde55d5c..742149aa26 100644 --- a/docs/cloud-native-security/cloud-native-security-index.asciidoc +++ b/docs/cloud-native-security/cloud-native-security-index.asciidoc 
@@ -1,5 +1,5 @@ [[cloud-native-security-overview]] -= Cloud native security += Cloud Security Elastic Security for Cloud helps you improve your cloud security posture by comparing your cloud configuration to best practices, and scanning for vulnerabilities. It also helps you monitor and investigate your cloud workloads inside and outside Kubernetes. This page describes what each solution does and provides links to more information. diff --git a/docs/cloud-native-security/cspm-get-started-aws.asciidoc b/docs/cloud-native-security/cspm-get-started-aws.asciidoc index bf077097cb..9ac8268747 100644 --- a/docs/cloud-native-security/cspm-get-started-aws.asciidoc +++ b/docs/cloud-native-security/cspm-get-started-aws.asciidoc @@ -43,6 +43,9 @@ beta::[] . Click **Advanced options**, then select **Agentless (BETA)**. . Next, you'll need to authenticate to AWS. Two methods are available: .. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method**, select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. ++ +NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. ++ .. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <>. . Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. 
@@ -76,7 +79,7 @@ For most use cases, the simplest option is to use AWS CloudFormation to automati . Return to your {kib} tab. Click *Save and continue* at the bottom of the page. . Review the information, then click *Launch CloudFormation*. . A CloudFormation template appears in a new browser tab. -. For organization-level deployments only, you must enter the ID of the organizational unit where you want to deploy into the `OrganizationalUnitIds` field in the CloudFormation template. You can find it in the AWS console under *AWS Organizations -> AWS Accounts* (it appears under the organization name). +. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. . (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. . Tick the checkbox under *Capabilities* to authorize the creation of necessary resources. + diff --git a/docs/detections/alerts-add-to-cases.asciidoc b/docs/detections/alerts-add-to-cases.asciidoc index 75fcb9932e..989b44afc9 100644 --- a/docs/detections/alerts-add-to-cases.asciidoc +++ b/docs/detections/alerts-add-to-cases.asciidoc @@ -9,7 +9,7 @@ From the Alerts table, you can attach one or more alerts to a <>. +* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API]. * Each case can have a maximum of 1,000 alerts. =============================== 
diff --git a/docs/detections/notes-page-timeline-details.png b/docs/detections/notes-page-timeline-details.png deleted file mode 100644 index 1c83c81df4..0000000000 Binary files a/docs/detections/notes-page-timeline-details.png and /dev/null differ diff --git a/docs/es-overview.asciidoc b/docs/es-overview.asciidoc index eac0ffc78e..d18648c902 100644 --- a/docs/es-overview.asciidoc +++ b/docs/es-overview.asciidoc @@ -18,7 +18,7 @@ * <>: Learn about system requirements, workspaces, configuration, and data ingestion. * <>: Navigate {elastic-sec}'s various tools and interfaces. * <>: Use {elastic-sec}'s detection engine with custom and prebuilt rules. -* <>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs. +* <>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs. * <>: Enable key endpoint protection capabilities like event collection and malicious activity prevention. * https://www.elastic.co/products/stack/machine-learning[{ml-cap}]: Enable built-in {ml} tools to help you identify malicious behavior. * <>: Leverage {elastic-sec}'s detection engine and {ml} capabilities to generate comprehensive risk analytics for hosts and users. diff --git a/docs/getting-started/agentless-troubleshooting.asciidoc b/docs/getting-started/agentless-troubleshooting.asciidoc new file mode 100644 index 0000000000..6629458449 --- /dev/null +++ b/docs/getting-started/agentless-troubleshooting.asciidoc 
@@ -0,0 +1,47 @@ +[[agentless-integration-troubleshooting]] += Agentless integrations FAQ + +Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration. + +[discrete] +== When I make a new integration, when will I see the agent appear on the Integration Policies page? + +After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete. + +[discrete] +== How do I troubleshoot an `Offline` agent? + +For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`. + +To troubleshoot this issue: + +. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab. +. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again. + +NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again. + +[discrete] +== How do I troubleshoot an `Unhealthy` agent? + +On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`. 
To troubleshoot an `Unhealthy` agent: + +* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials: ++ +``` +[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX +``` + +For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting]. + +[discrete] +== How do I delete an agentless integration? + +NOTE: Deleting your integration will remove all associated resources and stop data ingestion. + +When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab. + +. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`. +. Go to the CSPM Integration's **Integration policies** tab. +. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**. +. Confirm by clicking **Delete integration** again. + diff --git a/docs/getting-started/configure-integration-policy.asciidoc b/docs/getting-started/configure-integration-policy.asciidoc index 255dd9b29e..c9c0797a1d 100644 --- a/docs/getting-started/configure-integration-policy.asciidoc +++ b/docs/getting-started/configure-integration-policy.asciidoc 
@@ -207,8 +207,7 @@ image::images/install-endpoint/event-collection.png[Detail of event collection s [[register-as-antivirus]] == Register {elastic-sec} as antivirus (optional) -With {elastic-defend} version 7.10 or later on Windows 7 or later, you can -register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**. +You can register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**. NOTE: Windows Server versions are not supported. Antivirus registration requires Windows Security Center, which is not included in Windows Server operating systems. diff --git a/docs/getting-started/index.asciidoc b/docs/getting-started/index.asciidoc index 1ef9d2bcda..dfd51a88b7 100644 --- a/docs/getting-started/index.asciidoc +++ b/docs/getting-started/index.asciidoc @@ -18,6 +18,7 @@ include::ingest-data.asciidoc[leveloffset=+1] include::threat-intel-integrations.asciidoc[leveloffset=+2] include::automatic-import.asciidoc[leveloffset=+2] include::agentless-integrations.asciidoc[leveloffset=+2] +include::agentless-troubleshooting.asciidoc[leveloffset=+3] include::security-spaces.asciidoc[leveloffset=+1] diff --git a/docs/getting-started/install-endpoint.asciidoc b/docs/getting-started/install-endpoint.asciidoc index 4b64a45007..b01cb6a247 100644 --- a/docs/getting-started/install-endpoint.asciidoc +++ b/docs/getting-started/install-endpoint.asciidoc @@ -20,7 +20,7 @@ Like other Elastic integrations, {elastic-defend} is integrated into the {agent} [[security-before-you-begin]] == Before you begin -If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. +If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information. NOTE: {elastic-defend} does not support deployment within an {agent} DaemonSet in Kubernetes. 
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc index 9a15767810..0f9ae88b36 100644 --- a/docs/management/admin/trusted-apps.asciidoc +++ b/docs/management/admin/trusted-apps.asciidoc @@ -37,7 +37,7 @@ To add a trusted application: * `Field`: Select a field to identify the trusted application: ** `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable. ** `Path`: The full file path of the application's executable. -** `Signature`: (Windows only) The name of the application's digital signer. +** `Signature`: (Windows and macOS only) The name of the application's digital signer. + TIP: To find the signer's name for an application, go to *Kibana* -> *Discover* and query the process name of the application's executable (for example, `process.name : "mctray.exe"` for a McAfee security binary). Then, search the results for the `process.code_signature.subject_name` field, which contains the signer's name (for example, `McAfee, Inc.`). diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index ca01ecb5a8..8e84877110 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc 
@@ -1,86 +1,5 @@ [[release-notes]] +[chapter] = Release notes This section summarizes the changes in each release. - -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> -* <> - -include::release-notes/8.16.asciidoc[] -include::release-notes/8.15.asciidoc[] -include::release-notes/8.14.asciidoc[] -include::release-notes/8.13.asciidoc[] -include::release-notes/8.12.asciidoc[] -include::release-notes/8.11.asciidoc[] -include::release-notes/8.10.asciidoc[] -include::release-notes/8.9.asciidoc[] -include::release-notes/8.8.asciidoc[] -include::release-notes/8.7.asciidoc[] -include::release-notes/8.6.asciidoc[] -include::release-notes/8.5.asciidoc[] -include::release-notes/8.4.asciidoc[] -include::release-notes/8.3.asciidoc[] -include::release-notes/8.2.asciidoc[] -include::release-notes/8.1.asciidoc[] -include::release-notes/8.0.asciidoc[] diff --git a/docs/release-notes/8.0.asciidoc b/docs/release-notes/8.0.asciidoc deleted file mode 100644 index ef1c459e4a..0000000000 --- a/docs/release-notes/8.0.asciidoc +++ /dev/null 
@@ -1,199 +0,0 @@ -[[release-notes-header-8.0.0]] -== 8.0 - -[discrete] -[[release-notes-8.0.1]] -=== 8.0.1 - -[discrete] -[[known-issue-8.0.1]] -==== Known issues -* An {endpoint-sec} integration bug prevents benign Windows files from being deleted under certain circumstances. -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.0.1]] -==== Bug fixes and enhancements -* Fixes a bug that prevented the `kibana.alert.uuid` field from being populated in event correlation sequence shell alerts ({kibana-pull}125890[#125890]). -* Applies updated field aliases to mappings in legacy indices ({kibana-pull}125888[#125888]). -* Updates prebuilt detection rules ({kibana-pull}125316[#125316]). -* Truncates long rule exception descriptions when viewing exception items in rule details ({kibana-pull}125145[#125145]). -* Fixes a bug that caused the import process to fail if an exception list contained an exception item with comments ({kibana-pull}124909[#124909]). -* Fixes a bug that duplicated the navigation button in the *Security news* section on the Overview page ({kibana-pull}124356[#124356]). -* Fixes a bug that caused Timeline to appear if users had access to cases, but not {elastic-sec} ({kibana-pull}123775[#123775]). -* Enforces privilege requirements for displaying the map on the *Network* page and allows users with `Read` or `All` Map feature privileges to expand or hide the map ({kibana-pull}123336[#123336]). - -[discrete] -[[release-notes-8.0.0]] -=== 8.0.0 - -[discrete] -[[upgrade-reqs-8.0.0]] -==== Upgrade requirements -Before you upgrade, review the <> for this release and the <>. 
- -[discrete] -[[known-issues-8.0.0]] -==== Known issues -*Case migration errors might be logged when upgrading* - -You might find the `Failed to migrate user action alerts` error message in your {kib} migration logs when upgrading to {stack} version 8.0.0. This error is incorrectly logged when migrating cases and can be ignored ({kibana-pull}124950[#124950]). - -Here is an example of an error message you might encounter: - -[code block] ----- -[2022-02-07T20:25:58.614+00:00][ERROR][savedobjects-service] Failed to migrate user action alerts with doc id: 7420fe08-c2ed-51d2-b077-46deb4bf76c9 version: 8.0.0 error: Unexpected token in JSON at position 0 ----- - -*Existing or new rules that use the legacy alerts index may temporarily fail after upgrading* - -After you upgrade to {stack} version 8.0.0, existing and new rules might fail to execute if their source index is configured to use a legacy alert index pattern created in {stack} version 7.x (`.siem-signals-`). Rule failures will likely cause detection gaps, which will be proportional in time to the scheduled interval of the rule. Rules will start to successfully execute after legacy alerts are no longer within the scheduled time period queried by the rule. Despite this automatic correction, coverage gaps might still remain ({kibana-pull}124327[#124327]). - -*The Threat Intel Filebeat Module (v8.x) Indicator Match rule query is misconfigured* - -The indicator index query of the prebuilt rule is misconfigured and will prevent the rule from generating alerts ({kibana-pull}121045[#121045], {kibana-pull}1560[#1560]). To resolve this, duplicate the rule and update its settings: - -. Go to the Rules table (*Detect -> Rules*). -. Locate the Threat Intel Filebeat Module (v8.x) Indicator Match prebuilt rule. -+ -TIP: You can search for the rule by entering the rule name in the Rule table's search bar. - -. Click the rule to view the rule details. -. Click the actions menu, then click *Duplicate rule*. -. 
Go to the *Indicator index query* field and update the query by removing `event.dataset:ti_*` and replacing it with `event.module:threatintel`. For reference, the correct query is: - -+ -[code block] ----- -`@timestamp >= "now-30d" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)` ----- - -. Under the *Indicator index query* field, update the query's filters by removing `event.dataset:ti_*` and replacing it with `event.module:threatintel`. -. Save the changes. -. Activate the rule. - -*The import process fails for rules with exception comments* - -Comments on rule exceptions cause the import process to fail because the following system-generated fields cannot be validated for exception comments ({kibana-pull}124742[#124742]): - - * `created_at` - * `created_by` - * `updated_at` - * `updated_by` - * `id` - -To complete the rule import process successfully, edit the exported `.ndjson` file and re-import it: - -. Search the exported `.ndjson` file for exceptions with comments. Exception comments are stored within the `exceptionItem` object in the `comments` field. -. Edit the exception comment's fields: -** To preserve the comment during the import process, only delete the `created_at`, `created_by`, `updated_at`, `updated_by`, and `id` fields. -** If you don't want to preserve the comment, remove the comment entirely. -. Save the file and re-import it. - -*Network connection issues might occur if {elastic-endpoint} is used with network traffic tools* - -On macOS versions before 12.4, if {elastic-endpoint} is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later. 
- -*Lucene 9 validation change may affect event correlation rules* - -A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[breaking-changes-8.0.0]] -==== Breaking Changes - -* Removes the trusted application API. The trusted application interface retains current functionality, but now uses the exception list API ({kibana-pull}120134[#120134]). -* Removes the list endpoint metadata API ({kibana-pull}119401[#119401]). -* Lets you grant privileges for cases separately from {elastic-sec} privileges ({kibana-pull}113573[#113573], {kibana-pull}112980[#112980]). As a result of this change, you must update case privileges for existing roles _before_ upgrading to {stack} 8.0.0. Follow these steps: -. Open the main menu and click *Management -> Stack Management -> Stack -> Upgrade Assistant*. -. From the Upgrade Assistant page, review the Kibana deprecation warnings. A message prompts you to update role privileges because of changes to the {elastic-sec} Cases feature. -. Click the message to open it, then click *Quick resolve*. -. Refresh the page to verify the deprecation was resolved, then return to the guided steps on the Upgrade Assistant page. - -[discrete] -[[deprecations-8.0.0]] -==== Deprecations -* The `output_index` parameter is no longer supported for the APIs that create and update rules. - -[discrete] -[[new-features-8.0.0]] -==== Features -* Shows all historical alerts for a given rule on the rule details page, including those associated with previous versions of the rule ({kibana-pull}120053[#120053]). -* Enhances the UI and functionality for the Rules and Rule Monitoring tables and enables actions on the Rule Monitoring table ({kibana-pull}119644[#119644]). -* The Threat Intelligence view supports {agent}, {filebeat}, and custom integrations ({kibana-pull}116175[#116175]). 
-* Allows exception lists to be exported and imported with detection rules ({kibana-pull}115144[#115144], {kibana-pull}118816[#118816]).
-
-[discrete]
-[[bug-fixes-8.0.0]]
-==== Bug fixes and enhancements
-* Enhances the UI for the Exceptions table; improves how dates are displayed in the Rules and Exceptions tables ({kibana-pull}117643[#117643], {kibana-pull}118940[#118940]).
-* Updates the mappings of the rule registry to ECS version 8.0.0 so that detection rules can process ECS version 8.0.0 data ({kibana-pull}123012[#123012]).
-* Allows you to create and add runtime fields from the Alert and Timeline tables ({kibana-pull}117627[#117627], {kibana-pull}114806[#114806]).
-* Enhances the Data view selection UI and hides the Data view dropdown when no data is present ({kibana-pull}117601[#117601], {kibana-pull}119956[#119956]).
-* Enhances previews and error flagging during rule creation ({kibana-pull}116374[#116374]).
-* Updates rule actions to use `kibana.alert.*` fields instead of `signals.*` fields ({kibana-pull}116491[#116491]).
-* Changes the insufficient permissions message type from an error to a warning ({kibana-pull}123777[#123777]).
-* Fixes typos in the success messages that appear after you close Timelines or Timeline templates ({kibana-pull}123258[#123258]).
-* Updates the Exceptions table header and Export button ({kibana-pull}122870[#122870]).
-* Fixes a bug that could break a rule’s details page after you edited, activated, or deactivated the rule ({kibana-pull}122024[#122024]).
-* Fixes an overlap between the rule query text field and Timeline banner ({kibana-pull}121967[#121967], {kibana-pull}121127[#121127]).
-* Adds support for the `threat.feed.name` field in the alert details flyout and Timeline view ({kibana-pull}120250[#120250]).
-* Adds the default threat indicator path (`threat_indicator_path`) to indicator match rules where it was missing ({kibana-pull}118962[#118962]).
-* Adds a default value for the threat indicator path that indicator match rules use when creating indicator match rules from the {security-app} UI or the create rule API ({kibana-pull}118821[#118821]).
-* Enhances the Endpoint details flyout UI ({kibana-pull}117987[#117987]).
-* Fixes a bug that prevented you from clearing a connector’s `Additional comments` field ({kibana-pull}117901[#117901]).
-* Allows you to modify the default threat indicator path for the Threat Intel Filebeat Module (v7.x) Indicator Match prebuilt rule ({kibana-pull}116583[#116583]).
-
-[discrete]
-[[release-notes-8.0.0-rc2]]
-=== 8.0.0-rc2
-
-[discrete]
-[[known-issues-8.0.0-rc2]]
-==== Known issues
-
-*The Data view option might not display in upgraded environments with legacy alerts*
-
-To make the *Data view* option appear, a user with elevated role privileges must visit the {security-app}, open a page that displays alert data (such as the Overview page), then refresh the page ({kibana-pull}121390[#121390]).
-
-The role must have the following privileges:
-
-* *Cluster privileges*: The `manage` privilege
-* *Index privileges*: The `manage`, `write`,`read`, and `view_index_metadata` index privileges for the following system indices where `` is the {kib} space name:
-
-** `.siem-signals-`
-** `.lists-`
-** `.items-`
-** `.alerts-security.alerts-`
-** `.internal.alerts-security.alerts--*`
-
-* *{kib} space*: `All` privileges for the `Security` feature (visit
-{kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges] for more information)
-
-NOTE: If new alerts are generated in an upgraded environment without legacy alerts, refreshing any page with alert data in {elastic-sec} will make the *Data view* option appear in the {elastic-sec} UI.
-
-*Detection rules may not generate alerts after upgrading to {stack} 8.0.0*
-
-Rules are automatically disabled during the upgrade process and must be manually re-enabled after the process completes.
Failure to do so could cause a gap in rule coverage ({kibana-pull}120906[#120906]).
-
-Before upgrading, use the <> API to retrieve a list of enabled detection rules in your environment. You can reference this list when re-enabling rules after you upgrade.
-
-We recommend using curl or another HTTP tool to securely run {elastic-sec} APIs. Below is an example curl command that retrieves a list of your enabled rules:
-
-[source,console]
--------------------------------------------------
-GET /api/detection_engine/rules/_find?per_page=10000&filter=alert.attributes.enabled:true
--------------------------------------------------
-
-After upgrading, follow these steps to re-enable your rules from the Rules page:
-
-. Go to the All rules table (*Detect -> Rules*).
-. Select the rules that you want to enable.
-. Click *Bulk actions -> Enable* to re-enable the rules.
-
-Alternatively, you can use the <> API to re-enable rules.
-
-*Lucene 9 validation change may affect event correlation rules*
-
-A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`).
diff --git a/docs/release-notes/8.1.asciidoc b/docs/release-notes/8.1.asciidoc
deleted file mode 100644
index 8dbaa66fea..0000000000
--- a/docs/release-notes/8.1.asciidoc
+++ /dev/null
@@ -1,93 +0,0 @@
-[[release-notes-header-8.1.0]]
-== 8.1
-
-[discrete]
-[[release-notes-8.1.3]]
-=== 8.1.3
-
-[discrete]
-[[known-issue-8.1.3]]
-==== Known issues
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`).
-
-[discrete]
-[[bug-fixes-8.1.3]]
-==== Bug fixes and enhancements
-* Improves UI performance in environments with a high number of field mappings ({kibana-pull}129862[#129862], {kibana-pull}128928[#128928], {kibana-pull}128885[#128885], {kibana-pull}128909[#128909], {kibana-pull}128774[#128774]).
-* Fixes a bug on the *Host* and *Network* pages that forced table behavior to persist after users updated the pages’ time range ({kibana-pull}130024[#130024]).
-
-[discrete]
-[[release-notes-8.1.2]]
-=== 8.1.2
-
-[discrete]
-[[known-issue-8.1.2]]
-==== Known issues
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`).
-
-[discrete]
-[[bug-fixes-8.1.2]]
-==== Bug fixes and enhancements
-* Ensures {endpoint-sec} continues to run on all supported Windows versions by changing the primary signer of the `elastic-endpoint.exe` file from `ELASTICSEARCH B.V.` to `Elasticsearch, Inc.` (https://github.com/elastic/endpoint/issues/15[#15]).
-
-[discrete]
-[[release-notes-8.1.1]]
-=== 8.1.1
-
-[discrete]
-[[known-issue-8.1.1]]
-==== Known issues
-* A bug significantly impacts UI responsiveness. Therefore, we recommend to skip upgrading to this version.
-* {endpoint-sec} cannot run on Windows 8.1 or Server 2012 R2 (https://github.com/elastic/endpoint/issues/15[#15]).
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`).
-
-[discrete]
-[[bug-fixes-8.1.1]]
-==== Bug fixes and enhancements
-* Fixes an {endpoint-sec} integration bug that prevented benign Windows files from being deleted under certain circumstances.
-* Adds a notification to the **Exception lists** page that informs users if they are lacking certain role privileges ({kibana-pull}126874[#126874]).
-* Turns off the **Upload value lists** option on the **Rules** page if users have `Read` Security privileges only ({kibana-pull}126829[#126829]).
-* Removes the option to select rules in the All Rules table if users have `Read` Security privileges only ({kibana-pull}126827[#126827]).
-
-[discrete]
-[[release-notes-8.1.0]]
-=== 8.1.0
-
-[discrete]
-[[known-issue-8.1.0]]
-==== Known issues
-* An {endpoint-sec} integration bug prevents benign Windows files from being deleted under certain circumstances.
-* On macOS versions before 12.4, if {elastic-endpoint} is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.
-* Indicator match rules cannot use the `.items-*` system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules ({kibana-pull}133457[#133457]).
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`).
-
-[discrete]
-[[breaking-changes-8.1.0]]
-==== Breaking changes
-
-There are no breaking changes in 8.1.0.
-
-[discrete]
-[[features-8.1.0]]
-==== Features
-* Adds a *Technical preview* toggle above the Rules table which, when enabled, allows users to sort on all rule management columns ({kibana-pull}119611[#119611]).
-* Introduces a new *Host risk classification* column in the All hosts table on the *Hosts* page. In addition, a new *Host by risk* tab has been added to the *Hosts* page and host detail pages. From the *Host by risk* tab, you can access an explanation of how a host’s risk is calculated and scored ({kibana-pull}122980[#122980], {kibana-pull}122586[#122586], {kibana-pull}122018[#122018], {kibana-pull}121075[#121075], {kibana-pull}120487[#120487], {kibana-pull}119734[#119734]).
-* Introduces the ability to bulk edit rule index patterns and tags ({kibana-pull}122635[#122635]).
-* Expands Endpoint per-policy artifact assignment to include endpoint event filters and host isolation IP exceptions ({kibana-pull}121879[#121879], {kibana-pull}121632[#121632]).
-* Adds the rule execution UUID field to alerts. In addition, the `kibana.alert.rule.execution.uuid` field is now part of the alert data schema and can be found in the field browser in the Alerts table.({kibana-pull}113058[#113058]).
-* Introduces case metrics that summarize alert information and response times ({kibana-pull}121336[#121336]).
-* Improves copy for the privilege check on the Endpoints page ({kibana-pull}124118[#124118]).
-
-[discrete]
-[[bug-fixes-8.1.0]]
-==== Bug fixes and enhancements
-* Improves the performance of indicator match rules ({kibana-pull}123882[#123882], {kibana-pull}123677[#123677]).
-* Changes the default indicator index query of custom and prebuilt indicator match rules to `@timestamp >= "now-30d/d"` ({kibana-pull}123590[#123590]).
-* Improves the exceptions interface by replacing the exceptions modal with a flyout ({kibana-pull}123408[#123408]).
-* Alert details flyout enhancements:
-** Shows different highlighted fields in an alert’s details flyout based on its type, category, and code ({kibana-pull}123239[#123239]).
-** Adds overview cards with key data to the alert details flyout ({kibana-pull}120347[#120347]).
-* Allows users to aggregate alert data based on a larger selection of ECS fields instead of just 10 preset options ({kibana-pull}120610[#120610]).
-* Enriches threshold-related alert data from correct fields ({kibana-pull}125376[#125376]).
-* Hides the delete button for disabled exception lists ({kibana-pull}122844[#122844]).
-* Fixes various minor UX bugs ({kibana-pull}121410[#121410]).
diff --git a/docs/release-notes/8.10.asciidoc b/docs/release-notes/8.10.asciidoc
deleted file mode 100644
index dbf02b90d5..0000000000
--- a/docs/release-notes/8.10.asciidoc
+++ /dev/null
@@ -1,123 +0,0 @@
-[[release-notes-header-8.10.0]]
-== 8.10
-
-[discrete]
-[[release-notes-8.10.4]]
-=== 8.10.4
-
-[discrete]
-[[security-update-8.10.4]]
-==== Security updates
-
-* If {elastic-endpoint} (v7.9.0 - v8.10.3) is configured to use a non-default option in which the logging level is explicitly set to `debug`, and {agent} is simultaneously configured to collect and send those logs to {es}, then {agent} API keys can be viewed in {es} in plaintext.
-+
-The issue is resolved in {stack} 8.10.4.
-+
-For more information, refer to our related
-https://discuss.elastic.co/t/endpoint-v8-10-4-security-update/345203[security
-announcement].
-
-[discrete]
-[[bug-fixes-8.10.4]]
-==== Bug fixes
-* Fixes a bug in Timeline that prevented the **Show top _x_** action from showing results ({kibana-pull}168339[#168339]).
-* Fixes a bug that caused outdated or incorrect data to display on the MITRE ATT&CK® Coverage page ({kibana-pull}167917[#167917]).
-
-[discrete]
-[[release-notes-8.10.3]]
-=== 8.10.3
-
-[discrete]
-[[enhancements-8.10.3]]
-==== Enhancements
-* Updates the MITRE ATT&CK® framework to `v13.1` ({kibana-pull}166536[#166536]).
-
-[discrete]
-[[bug-fixes-8.10.3]]
-==== Bug fixes
-* Increases the line height of the session view preview in the alert details flyout ({kibana-pull}166932[#166932]).
-* Adds tooltips to the Correlations table in the alert details flyout ({kibana-pull}166913[#166913]).
-* Fixes a bug that prevented the prevalence query from considering fields with multiple values ({kibana-pull}166891[#166891]).
-* Fixes an alert details flyout bug that affected the way prevalence data was fetched ({kibana-pull}166694[#166694]).
-* Fixes a bug in Timeline that prevented the **Show top _x_** action from using the Timeline query ({kibana-pull}165109[#165109]).
-
-[discrete]
-[[release-notes-8.10.2]]
-=== 8.10.2
-
-[discrete]
-[[known-issue-8.10.2]]
-==== Known issues
-
-* The alert <> feature, which shows whether data from the alert was frequently observed on other hosts and user events, behaves inconsistently and may not produce accurate results.
-
-[discrete]
-[[bug-fixes-8.10.2]]
-==== Bug fixes
-
-There are no user-facing changes in 8.10.2.
-
-[discrete]
-[[release-notes-8.10.1]]
-=== 8.10.1
-
-[discrete]
-[[known-issue-8.10.1]]
-==== Known issues
-
-* The alert <> feature, which shows whether data from the alert was frequently observed on other hosts and user events, behaves inconsistently and may not produce accurate results.
-
-[discrete]
-[[bug-fixes-8.10.1]]
-==== Bug fixes
-
-* Updates the Elastic AI Assistant response schema ({kibana-pull}166300[#166300], {kibana-pull}166495[#166495]).
-
-[discrete]
-[[release-notes-8.10.0]]
-=== 8.10.0
-
-[discrete]
-[[known-issue-8.10.0]]
-==== Known issues
-
-* The alert <> feature, which shows whether data from the alert was frequently observed on other hosts and user events, behaves inconsistently and may not produce accurate results.
-
-[discrete]
-[[breaking-changes-8.10.0]]
-==== Breaking changes
-* {elastic-defend} no longer supports deployment within an {agent} DaemonSet in Kubernetes.
-
-
-[discrete]
-[[features-8.10.0]]
-==== New features
-* Introduces a redesigned alert details flyout that enhances your investigative flows (https://github.com/elastic/security-docs/pull/3816[#3816], https://github.com/elastic/security-docs/pull/3854[#3854]).
-* Adds the MITRE ATT&CK® coverage page, which shows how well your active detection rules protect against adversary tactics and techniques ({kibana-pull}161556[#161556], {kibana-pull}163498[#163498], {kibana-pull}164613[#164613], {kibana-pull}164986[#164986]).
-* Adds a component under the Elastic AI Assistant header that allows you to select a different connector ({kibana-pull}163666[#163666]).
-* Adds role-based access control for the Elastic AI Assistant ({kibana-pull}163031[#163031]).
-* Adds a flyout that allows you to examine rule details when installing or updating a prebuilt rule ({kibana-pull}163304[#163304]).
-* Adds the ability to specify custom highlighted fields for an alert ({kibana-pull}163235[#163235]).
-* Adds the **Reputation service** option to the malicious behavior protection setting on the Elastic Defend integration policy ({kibana-pull}161617[#161617]).
-
-[discrete]
-[[enhancements-8.10.0]]
-==== Enhancements
-* Modifies the {elastic-sec} main menu by adding the Rules main page and landing page, and shifting the order of the Cases and Explore pages ({kibana-pull}165061[#165061], {kibana-pull}163102[#163102], {kibana-pull}161667[#161667]).
-* Adds a `resource.id` column to the "Top 10 vulnerable resources" table on the Cloud Native Vulnerability Management dashboard ({kibana-pull}162668[#162668]).
-* Shows the most relevant tab when you open the Findings page, instead of always showing the Misconfigurations tab ({kibana-pull}162289[#162289]).
-* Adds the **Building block** label to the rule details page for building block rules ({kibana-pull}162233[#162233]).
-* Removes a filter that restricted the fields you could choose from when creating an Endpoint exception or event filter ({kibana-pull}162193[#162193]).
-* Shows a confirmation message on the Rules page and rule details page when you delete rules ({kibana-pull}162477[#162477]).
-
-[discrete]
-[[bug-fixes-8.10.0]]
-==== Bug fixes
-* Fixes a UI bug that caused the rule preview to break when you closed it ({kibana-pull}164973[#164973]).
-* Fixes a bug that stopped pre-configured connectors from working with the Elastic AI Assistant ({kibana-pull}164900[#164900]).
-* Adds the new Elastic AI Assistant logo and global header menu item ({kibana-pull}164763[#164763]).
-* Ensures that users see the appropriate message in the Elastic AI Assistant UI if they don't have the necessary connector and action privileges ({kibana-pull}164382[#164382]).
-* Prevents threshold rule error messages from concealing shard failure messages ({kibana-pull}164231[#164231]).
-* Removes filter in and out inline actions from the Alerts table on the case details page, and fixes issues with the **Top alerts by** inline action ({kibana-pull}161150[#161150]).
-* Uses the {agent} `last_checkin` status for endpoints' `last seen` status ({kibana-pull}160506[#160506]).
-* Hides the **Top alerts by** inline action for nested fields ({kibana-pull}159645[#159645]).
\ No newline at end of file
diff --git a/docs/release-notes/8.11.asciidoc b/docs/release-notes/8.11.asciidoc
deleted file mode 100644
index 41f3fbf86d..0000000000
--- a/docs/release-notes/8.11.asciidoc
+++ /dev/null
@@ -1,119 +0,0 @@
-[[release-notes-header-8.11.0]]
-== 8.11
-
-[discrete]
-[[release-notes-8.11.4]]
-=== 8.11.4
-
-[discrete]
-[[bug-fixes-8.11.4]]
-==== Bug fixes
-* Stops the **{esql}** tab from rendering until you click on it in Timeline ({kibana-pull}173484[#173484]).
-* Adds a feature flag (`timelineEsqlTabDisabled`) to hide the **{esql}** tab in Timeline ({kibana-pull}174029[#174029]).
-* Removes the default query from the **{esql}** tab in Timeline ({kibana-pull}174393[#174393]).
-* Fixes a bug that caused the **Add to Case** action to fail if you didn't add a comment before isolating and releasing a host ({kibana-pull}172912[#172912]).
-
-[discrete]
-[[release-notes-8.11.3]]
-=== 8.11.3
-
-[discrete]
-[[bug-fixes-8.11.3]]
-==== Bug fixes
-* Fixes a bug that caused the **Add to Case** action to fail if you didn't add a comment before isolating and releasing a host ({kibana-pull}172912[#172912]).
-
-[discrete]
-[[release-notes-8.11.2]]
-=== 8.11.2
-
-[discrete]
-[[enhancements-8.11.2]]
-==== Enhancements
-* Updates references on the Entity Risk Score management page ({kibana-pull}171089[#171089]).
-
-[discrete]
-[[bug-fixes-8.11.2]]
-==== Bug fixes
-* Fixes a bug that caused the Alerts page to crash if you reloaded it while the preview panel in the alert details flyout was open ({kibana-pull}172323[#172323]).
-* Fixes the event analyzer panel width ({kibana-pull}172026[#172026]).
-* Applies page filters to MITRE ATT&CK® sub-technique cells when displaying rules ({kibana-pull}170988[#170988]).
-* Fixes a bug with the **Investigate in timeline** action for Elastic AI Assistant that caused {esql} queries to open in the KQL query bar within Timeline ({kibana-pull}170542[#170542]).
-
-[discrete]
-[[release-notes-8.11.1]]
-=== 8.11.1
-
-[discrete]
-[[enhancements-8.11.1]]
-==== Enhancements
-* Allows user and host risk score tables to be filtered by time range ({kibana-pull}168826[#168826]).
-
-[discrete]
-[[bug-fixes-8.11.1]]
-==== Bug fixes
-* Fixes a bug that caused MITRE ATT&CK® technique cells to show duplicate rules ({kibana-pull}169708[#169708]).
-* Fixes a bug that caused the incorrect MITRE ATT&CK® sub-technique to be applied after you saved a rule ({kibana-pull}170465[#170465]).
-* Adds a privilege check for bulk-changing alert statuses ({kibana-pull}170584[#170584]).
-
-[discrete]
-[[release-notes-8.11.0]]
-=== 8.11.0
-
-[discrete]
-[[known-issue-8.11.0]]
-==== Known issues
-* MITRE ATT&CK® technique cells show duplicate rules ({kibana-issue}167929[#167929]).
-* MITRE ATT&CK® tactic cells show an incorrect rule count ({kibana-issue}167930[#167930]).
-* An incorrect MITRE ATT&CK® sub-technique is applied after you save a rule ({kibana-issue}170347[#170347]).
-* When using {elastic-defend}'s protection updates feature, if you turn off automatic updates and select the current day as your deployed artifacts version, it's possible that the set of protections has not been released for that day yet. As a result, {agent} could fail to download the artifacts and be set to an Unhealthy state. To avoid this issue, pick a date previous to the current one ({kibana-issue}170847[#170847]).
-
-[discrete]
-[[breaking-changes-8.11.0]]
-==== Breaking changes
-* Ends support for the `filterQuery` field of the `getLiveQueryResults` and `findLiveQuery` APIs, and replaces it with the KQL field `kuery`. Requests to those APIs that used the `filterQuery` field should replace it with `kuery` ({kibana-pull}161806[#161806]).
-* In 8.11, rule APIs will only support `investigation_fields` as `{ field_names: string[] }`. If you've added this field to your rules in 8.10, you don't need to do anything when you import your rules.
-
-[discrete]
-[[deprecations-8.11.0]]
-==== Deprecations
-* Deprecates the `doc_root.vulnerability.package` and replaces it with the `doc_root.package` ECS package ({kibana-pull}164651[#164651]).
-
-[discrete]
-[[features-8.11.0]]
-==== New features
-* Upgrades {elastic-defend} to capture a new Windows event type: ETW Threat Intelligence (ETW-TI). Renames the Windows events policy `Credential access` category to `API` in the UI (but not in the `.yaml`, maintaining backwards compatibility). Adds two new advanced options: `windows.advanced.events.api_disabled` and
-`windows.advanced.events.api_verbose` ({kibana-pull}167549[#167549]).
-* Adds the `Same family` category and tab to the Data Quality dashboard. Fields with mappings in the same family have the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics ({kibana-pull}167480[#167480]).
-* Updates the exceptions flyout's `match_any` operator to accept duplicate values that differ in case ({kibana-pull}167208[#167208]).
-* beta:[] Enables the Elastic AI Assistant to answer questions about Elasticsearch Query Language (ES|QL) by allowing it to query, via ELSER, an ES|QL knowledge base. Refer to <> to enable the knowledge base ({kibana-pull}167097[#167097]).
-* Enables ES|QL in Timeline (technical preview) ({kibana-pull}166764[#166764]).
-* Adds the new ES|QL rule type (technical preview) ({kibana-pull}165450[#165450]).
-* Updates the Endpoint policy UI (**Manage -> Policies**) to include a `Protection updates` tab, a new column called `Deployed version`, and a banner that highlights outdated policies ({kibana-pull}165256[#165256], {kibana-pull}162719[#162719]).
-* Introduces full support for {elastic-endpoint} on macOS Sonoma.
-* Updates {elastic-defend} to support AlmaLinux 9 and Rocky Linux 9.
-* Adds a new optional parameter to {elastic-endpoint}'s `top` command. The `--limit` parameter specifies how many times to refresh the command's output before a graceful exit.
-* Adds Agent tamper protection for {elastic-defend}, which prevents unauthorized attempts to uninstall {agent} and {elastic-endpoint} from a host.
- -[discrete] -[[enhancements-8.11.0]] -==== Enhancements -* Adds a new Generative AI connector, Amazon Bedrock, for use with Elastic AI Assistant ({kibana-pull}166662[#166662]). -* Renames the Generative AI connector to OpenAI, since Generative AI is now a category of connectors that include OpenAI and Amazon Bedrock ({kibana-pull}167677[#167677]). -* Adds the `id`, `severity`, and `status` fields to the Webhook - Case Management connector ({kibana-pull}166295[#166295]). -* Updates the order of items on {kib}'s left-side navigation menu to match the order in {elastic-sec}'s left-side navigation menu ({kibana-pull}164268[#164268]). -* Adds tooltips to overview section titles in the alert details flyout ({kibana-pull}166737[#166737]). -* Updates the `.lists` and `.items` indices to data streams ({kibana-pull}162508[#162508]). - - -[discrete] -[[bug-fixes-8.11.0]] -==== Bug fixes -* Updates the Entity Risk Score error message to list the necessary permissions ({kibana-pull}169216[#169216]). -* Displays more descriptive errors for Generative AI connectors ({kibana-pull}167674[#167674]). -* Adds metrics to some rule execution warning messages ({kibana-pull}167551[#167551]). -* Fixes a bug that could cause the exceptions flyout to reload unnecessarily in response to rule updates ({kibana-pull}166914[#166914]). -* Fixes a bug that could cause EQL shell alerts to not include certain common fields ({kibana-pull}166751[#166751]). -* Sets the date and time picker to full width in the expanded Prevalence view within the alert details flyout ({kibana-pull}166714[#166714]). -* Fixes a bug that could prevent the **Install Cloud Native Vulnerability Management** button on the empty state of the Findings page from working ({kibana-pull}166335[#166335]). -* Fixes a bug that could cause an error when you edited a rule's filter ({kibana-pull}165262[#165262]). -* Fixes a bug that caused the Rules table to auto-refresh when auto-refresh was disabled ({kibana-pull}165250[#165250]). 
\ No newline at end of file
diff --git a/docs/release-notes/8.12.asciidoc b/docs/release-notes/8.12.asciidoc
deleted file mode 100644
index 0320441d59..0000000000
--- a/docs/release-notes/8.12.asciidoc
+++ /dev/null
@@ -1,192 +0,0 @@
-[[release-notes-header-8.12.0]]
-== 8.12
-
-[discrete]
-[[release-notes-8.12.2]]
-=== 8.12.2
-
-[discrete]
-[[known-issue-8.12.2]]
-==== Known issues
-// tag::known-issue-178207[]
-[discrete]
-.Rule filters can't be adjusted for custom query, indicator match, and new term rules using data views
-[%collapsible]
-====
-*Details* +
-When creating or editing a custom query, indicator match, or new term rule, query filters can't be modified (added, edited, or removed) if the rule queries a data view.
-
-*Workaround* +
-To resolve this issue, upgrade to 8.13 or later.
-====
-// end::known-issue-178207[]
-
-[discrete]
-[[bug-fixes-8.12.2]]
-==== Bug fixes
-* Fixes long-running queries in Timeline and Events tables within Explore pages ({kibana-pull}176838[#176838]).
-* Updates the default {bedrock} connector API URL ({kibana-pull}176090[#176090]).
-* Ensures the risk score query only searches through alerts associated with the current user ({kibana-pull}175903[#175903]).
-* Fixes a bug that prevented scheduled query packs from running if a pack's ID was composed of numbers ({kibana-pull}176507[#176507]).
-* Fixes a bug that affected the rule details page layout if rule filters were extremely long. Also fixes a bug that incorrectly caused rule filters to display instead of their custom labels ({kibana-pull}176590[#176590]).
-* Fixes a bug that prevented rules from being successfully imported if any rules referenced preconfigured connectors ({kibana-pull}176284[#176284]).
-* Fixes a bug that prevented rules from being successfully exported if you exported more than 1000 rules ({kibana-pull}175979[#175979]).
-* Turns off the option to install rules if you don't have the appropriate privileges ({kibana-pull}176598[#176598]).
-* Fixes a bug that caused data to be lost when you upgraded a prebuilt rule to a new version with a different rule type ({kibana-pull}176421[#176421]).
-
-[discrete]
-[[release-notes-8.12.1]]
-=== 8.12.1
-
-[discrete]
-[[known-issue-8.12.1]]
-==== Known issues
-// tag::known-issue-178207[]
-[discrete]
-.Rule filters can't be adjusted for custom query, indicator match, and new term rules using data views
-[%collapsible]
-====
-*Details* +
-When creating or editing a custom query, indicator match, or new term rule, query filters can't be modified (added, edited, or removed) if the rule queries a data view.
-
-*Workaround* +
-To resolve this issue, upgrade to 8.13 or later.
-====
-// end::known-issue-178207[]
-
-[discrete]
-[[enhancements-8.12.1]]
-==== Enhancements
-
-* Provides performance improvements related to image load and registry write events ({kibana-pull}175486[#175486]).
-
-[discrete]
-[[bug-fixes-8.12.1]]
-==== Bug fixes
-* Fixes misaligned elements in the top navigation bar ({kibana-pull}175516[#175516]).
-* Fixes a bug that affected search results when you entered an agent name that included a dash (`-`) ({kibana-pull}175134[#175134]).
-* Fixes a UI bug that hid frequency options for rule actions when you created or edited a rule ({kibana-pull}175050[#175050]).
-* Removes the option to select a data view when modifying a rule's filter ({kibana-pull}174922[#174922]).
-* Hides the technical and runtime fields that shouldn't appear in the JSON diff view when you're upgrading a rule ({kibana-pull}174789[#174789]).
-* Ensures the current user is used when querying threshold rule history ({kibana-pull}174723[#174723]).
-* Updates the document ID used for the visual event analyzer preview and the related by ancestry section of the alert details flyout ({kibana-pull}174651[#174651]).
-* Deletes saved searches that are associated with deleted Timelines, and prevents saved searches from being created twice ({kibana-pull}174562[#174562]).
-* Fixes a bug that prevented the assignee column from appearing in the Alerts table after upgrading to 8.12.0 ({kibana-pull}174370[#174370]).
-
-[discrete]
-[[release-notes-8.12.0]]
-=== 8.12.0
-
-[discrete]
-[[known-issue-8.12.0]]
-==== Known issues
-
-// tag::known-issue-173958[]
-[discrete]
-.Data view option incorrectly displays when editing a filter applied to the KQL query bar
-[%collapsible]
-====
-*Details* +
-When editing the Alerts page KQL query bar filter or editing the KQL query bar filter on the rule edit page, you might encounter a UI bug requiring you to select a data view to proceed.
-
-*Workaround* +
-Select the **Edit the query filter using DSL** option.
-====
-// end::known-issue-173958[]
-
-// tag::known-issue-175043[]
-[discrete]
-.Action frequency settings hidden in the UI when creating and editing a rule
-[%collapsible]
-====
-*Details* +
-Configuration options for rule action frequency are unavailable when creating and editing rules. Rules with action frequencies that are already configured still run correctly.
-
-*Workaround* +
-Use the <> API to change a rule's action frequency settings. Alternatively, export a rule, update its action frequency settings, and then re-import the rule.
-====
-// end::known-issue-175043[]
-
-// tag::known-issue-174844[]
-[discrete]
-.Unrelated property differences in prebuilt rule update comparison
-[%collapsible]
-====
-*Details* +
-The JSON comparison for updated prebuilt detection rules might display some properties used for internal processing, which doesn't accurately indicate how the rule will change if you update it.
-
-For example, if you added automated actions or an exception list to an installed rule, the comparison shows the JSON properties `actions`, `response_actions`, or `exceptions_list` in the **Base version** (your installed version) but not in the **Update** column (Elastic's latest version). When you update the rule, it will still include your actions or exceptions — they will not be removed.
-
-Similarly, the comparison might show a difference in the `enabled` property, but upgrading the rule will not change whether your installed rule is enabled or not. Other properties that might display in the comparison but don't actually indicate rule configuration changes include `execution_summary`, `timestamp_override_fallback_disabled`, `meta`, `filters`, `updated_at`, and `output_index`.
-
-*Workaround* +
-No workaround is needed. You can ignore these unrelated property differences in the JSON comparison.
-====
-// end::known-issue-174844[]
-
-[discrete]
-[[breaking-changes-8.12.0]]
-==== Breaking changes
-
-There are no breaking changes in 8.12.0.
-
-[discrete]
-[[deprecations-8.12.0]]
-==== Deprecations
-
-There are no deprecations in 8.12.0.
-
-[discrete]
-[[features-8.12.0]]
-==== New features
-
-* Introduces the ability to assign alerts to specific users ({kibana-pull}170579[#170579], {kibana-pull}171589[#171589]).
-* Introduces Retrieval Augmented Generation (RAG) for Alerts, allowing you to give Elastic AI Assistant context about more alerts in your environment ({kibana-pull}172542[#172542]).
-* Enables alert suppression for threshold rules ({kibana-pull}171423[#171423]).
-* Adds an *Updates* tab to the prebuilt rules upgrade flyout to show differences between the installed and updated versions ({kibana-pull}172535[#172535], {kibana-pull}173187[#173187]).
-* Adds a setting that lets you exclude cold and frozen tiers from visual event analyzer queries ({kibana-pull}172162[#172162]).
-* Adds a tour to guide users through Timelines UI changes ({kibana-pull}172030[#172030]).
-* Adds a timeout option for Osquery queries, so you can customize the maximum time each query should run before timing out ({kibana-pull}169925[#169925]).
-* Introduces new grouping capabilities for CSPM and KSPM Findings data ({kibana-pull}169884[#169884]).
-* Adds the expandable alert details flyout to the rule preview panel ({kibana-pull}167902[#167902]).
-* Introduces bidirectional response actions to isolate and release SentinelOne-protected hosts (technical preview).
-
-[discrete]
-[[enhancements-8.12.0]]
-==== Enhancements
-
-* Refactors the timeline UI — various minor updates ({kibana-pull}168230[#168230]).
-* Introduces manual saving for Timeline ({kibana-pull}171027[#171027], {kibana-pull}169239[#169239]).
-* Improves forward-compatibility for the rule schema ({kibana-pull}170861[#170861]).
-* Simplifies the format of risk engine API error responses ({kibana-pull}170645[#170645]).
-* Makes various UI improvements to the alert details flyout ({kibana-pull}170279[#170279], {kibana-pull}169035[#169035], {kibana-pull}173399[#173399], {kibana-pull}170078[#170078], {kibana-pull}168297[#168297]).
-* Saves the state of the alert details flyout in the browser. For example, after you use the flyout's *Investigate in timeline* button, you can click your browser's back button to return to the flyout ({kibana-pull}169661[#169661]).
-* Adds a button to rule execution error messages that lets you ask AI Assistant to diagnose errors ({kibana-pull}166778[#166778]).
-* Integrates a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Win32k) to create new event types that can be used by prebuilt endpoint rules to detect keylogging activity.
-* Allows for acting and target memory region buffers within behavior alerts to be scanned against {elastic-sec}'s collection of YARA signatures when collected. Detections are added to alerts.
-* Adds a new ReadProcessMemory (lsass) event that can be used by prebuilt endpoint rules to detect credential dumping.
-* Adds a link to the Amazon Bedrock connector edit UI that opens the token tracking dashboard ({kibana-pull}172115[#172115]).
-* Allows you to use the `matches` and `does not match` operators when defining endpoint exceptions and event filters ({kibana-pull}166002[#166002], {kibana-pull}170495[#170495]).
-* Adds support for Kafka as an output type for Endpoint.
-
-[discrete]
-[[bug-fixes-8.12.0]]
-==== Bug fixes
-
-* Fixes response action bugs by mapping the `unisolate` command to the `release` command and the `running-processes` command to the `processes` command ({kibana-pull}173831[#173831]).
-* Fixes the dark theme for the alert details flyout footer ({kibana-pull}173577[#173577]).
-* Makes the Timeline tour compatible with the Timeline template page ({kibana-pull}173526[#173526]).
-* Stops the **{esql}** tab from rendering until you click on it in Timeline ({kibana-pull}173484[#173484]).
-* Adds a feature flag (`timelineEsqlTabDisabled`) to show or hide the **{esql}** tab in Timeline ({kibana-pull}174029[#174029]).
-* Removes the default query in the **{esql}** tab in Timeline ({kibana-pull}174393[#174393]).
-* Fixes a bug that caused {ml} fetch jobs to fail when the default data view (`securitySolution:defaultIndex`) contained special characters ({kibana-pull}173426[#173426]).
-* Remove the **Assignees** field from the event details flyout ({kibana-pull}173314[#173314]).
-* Fixes a bug that caused the **Add to Case** action to fail if you didn't add a comment before isolating and releasing a host ({kibana-pull}172912[#172912]).
-* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule ({kibana-pull}172677[#172677]).
-* Fixes a bug that cleared configured fields in the exceptions flyout after the flyout reloaded and refocused ({kibana-pull}172666[#172666]).
-* Limits the character length for exception comments to 3000 characters, and makes the error message more descriptive if the limit's exceeded ({kibana-pull}170764[#170764]).
-* Re-adds the missing alerts index filtration to Data views ({kibana-pull}170484[#170484]).
-* Fixes a bug that didn't allow exceptions to be created or edited after an error displayed ({kibana-pull}169801[#169801]).
-* Stops {security-app} pages from crashing when there's a fields error in the **Stack by** component ({kibana-pull}168411[#168411]).
-* Deletes saved searches that are associated with deleted Timelines and prevents saved searches from being created twice ({kibana-pull}174562[#174562]).
-* Fixes a bug with the **Share alert** feature in the alert details flyout ({kibana-pull}174005[#174005]).
\ No newline at end of file
diff --git a/docs/release-notes/8.13.asciidoc b/docs/release-notes/8.13.asciidoc
deleted file mode 100644
index 4db8f0ad4e..0000000000
--- a/docs/release-notes/8.13.asciidoc
+++ /dev/null
@@ -1,95 +0,0 @@
-[[release-notes-header-8.13.0]]
-== 8.13
-
-[discrete]
-[[release-notes-8.13.4]]
-=== 8.13.4
-
-[discrete]
-[[bug-fixes-8.13.4]]
-==== Bug fixes
-
-There are no user-facing changes in 8.13.4.
-
-[discrete]
-[[release-notes-8.13.3]]
-=== 8.13.3
-
-[discrete]
-[[enhancements-8.13.3]]
-==== Enhancements
-
-* Ensures that {elastic-defend} can’t be installed on versions earlier than Windows 10 or Server 2016.
-
-[discrete]
-[[bug-fixes-8.13.3]]
-==== Bug fixes
-* Fixes a bug that caused a warning to display after you added any type of exception to a rule ({kibana-pull}180800[#180800]).
-* Fixes a bug with the `is one of` Timeline filter that generated incorrect Query Domain Specific Language (DSL) queries ({kibana-pull}180455[#180455]).
-* Fixes the loading page layout on the Intelligence page. Also improves the Indicators table loading speed after you set up a threat intelligence integration ({kibana-pull}178701[#178701]).
-* Fixes a bug that stopped indicator filters from working correctly on the Intelligence page ({kibana-pull}179607[#179607]).
-
-[discrete]
-[[release-notes-8.13.2]]
-=== 8.13.2
-
-[discrete]
-[[bug-fixes-8.13.2]]
-==== Bug fixes
-* Fixes a bug that prevented Alert table filters from retrieving the correct values if you used the **Filter In** or **Filter Out** inline actions ({kibana-pull}179911[#179911]).
-* Fixes a bug that automatically checked checkboxes on the Alerts page when you clicked filter labels ({kibana-pull}179610[#179610]).
-
-[discrete]
-[[release-notes-8.13.1]]
-=== 8.13.1
-
-[discrete]
-[[bug-fixes-8.13.1]]
-==== Bug fixes
-* Fixes a bug that automatically checked checkboxes on the Alerts page when you clicked filter labels ({kibana-pull}179610[#179610]).
-* Fixes a bug that prevented the KQL bar on the Intelligence page from providing suggestions and applying filters correctly ({kibana-pull}179153[#179153]).
-
-[discrete]
-[[release-notes-8.13.0]]
-=== 8.13.0
-
-[discrete]
-[[features-8.13.0]]
-==== Features
-
-* Allows you to define an entity's (such as a host's or user's) `Asset criticality`, which can affect risk scores ({kibana-pull}176815[#176815], {kibana-pull}176294[#176294], {kibana-pull}172417[#172417], {kibana-pull}176056[#176056]).
-* Allows information on the Data Quality dashboard to now persist in {elastic-sec} rather than disappearing after each session ({kibana-pull}175673[#175673], {kibana-pull}173185[#173185]).
-* Adds field-by-field diffs to the rules upgrade flyout so you can see what's changed between versions ({kibana-pull}174564[#174564]).
-* Adds alert suppression to the Indicator Match rule type ({kibana-pull}174241[#174241]).
-* You can add Elastic Defend’s `kill-process` or `suspend-process` response actions to detection rules to automatically terminate or suspend a process on an affected host ({kibana-pull}161645[#161645]).
-* Allows you to isolate and release a SentinelOne-protected host from detection alerts and the response console, and view third-party actions in the response actions history log ({kibana-pull}173927[#173927], {kibana-pull}175810[#175810]).
-* Allows you to enable and disable cloud security Benchmark rules ({kibana-pull}174575[#174575]).
-
-[discrete]
-[[enhancements-8.13.0]]
-==== Enhancements
-
-* Enables advanced sorting and customization options for the Findings page's **Vulnerabilities** table ({kibana-pull}174413[#174413]).
-* Adds the ability to analyze an event within a specific time range and data view ({kibana-pull}176364[#176364]).
-* Enables the newly expanded host and user details flyouts, which allow you to view host or user details, risk data and inputs, and asset criticality ({kibana-pull}175899[#175899]).
-* Improves the header layout in the alert details flyout so basic alert details are better organized ({kibana-pull}175075[#175075]).
-* Adds inline actions and a search bar to the left panel in the event analyzer UI and improves formatting issues ({kibana-pull}172397[#172397]).
-
-[discrete]
-[[bug-fixes-8.13.0]]
-==== Bug fixes
-
-* Fixes a bug that prevented the event analyzer preview from loading properly for {esql} rules ({kibana-pull}178389[#178389]).
-* Fixes a bug that prevented you from editing, adding, or removing query filters when creating or editing a custom query, indicator match, or new terms rule ({kibana-pull}178207[#178207]).
-* Fixes a bug that caused unnecessary error messages to appear in {kib} server logs when using the MITRE ATT&CK® Coverage page ({kibana-pull}178126[#178126]).
-* Prevents an infinite loading state on the Add Rules page for users with limited permissions ({kibana-pull}178005[#178005]).
-* Fixes a bug that prevented the **Reset Fields** action on the Alerts table from resetting the table's columns ({kibana-pull}177986[#177986]).
-* Fixes a bug that interfered with the rule filtering interface when you opened it from specific parts of {elastic-sec} ({kibana-pull}177946[#177946]).
-* Ensures that text within the risk score preview table translates correctly ({kibana-pull}177680[#177680]).
-* Fixes a bug that could prevent the correct `kibana.alert.threshold_result.terms.value` field value from appearing in the alert details flyout ({kibana-pull}177472[#177472]).
-* Fixes multiple bugs affecting the rule filters on the rule details page ({kibana-pull}177081[#177081]).
-* Updates the alert assignment UI to make its data model and intended usage clearer ({kibana-pull}176442[#176442]).
-* Fixes rule overwrite behavior when importing new rules. Now, when a new rule overwrites an existing rule, the new rule completely replaces all the fields of the old one, and the old rule's fields are never included in the new rule ({kibana-pull}176166[#176166]).
-* Fixes a bug that allowed you to add a Timeline as a favorite before it was saved ({kibana-pull}175161[#175161]).
-* Fixes a bug that could result in an unnecessary negative sign in the risk score table within the expandable user and host flyouts ({kibana-pull}177015[#177015]).
-* Adds file and size constraints to value lists ({kibana-pull}176074[#176074]).
\ No newline at end of file
diff --git a/docs/release-notes/8.14.asciidoc b/docs/release-notes/8.14.asciidoc
deleted file mode 100644
index c4eceace3b..0000000000
--- a/docs/release-notes/8.14.asciidoc
+++ /dev/null
@@ -1,260 +0,0 @@
-[[release-notes-header-8.14.0]]
-== 8.14
-
-[discrete]
-[[release-notes-8.14.3]]
-=== 8.14.3
-
-[discrete]
-[[known-issue-8.14.3]]
-==== Known issues
-
-// tag::known-issue-14686[]
-[discrete]
-.{elastic-endpoint} does not properly populate the `user.name` field in security events
-[%collapsible]
-====
-*Details* +
-{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-14686[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[bug-fixes-8.14.3]]
-==== Bug fixes
-
-* Fixes a bug that prevented widgets on the Alerts page from updating after the status of alerts grouped by `rule.name` was changed with a bulk action ({kibana-pull}183674[#183674]).
-
-[discrete]
-[[release-notes-8.14.2]]
-=== 8.14.2
-
-[discrete]
-[[known-issue-8.14.2]]
-==== Known issues
-
-// tag::known-issue-14686[]
-[discrete]
-.{elastic-endpoint} does not properly populate the `user.name` field in security events
-[%collapsible]
-====
-*Details* +
-{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-14686[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[bug-fixes-8.14.2]]
-==== Bug fixes
-
-There are no user-facing changes in 8.14.2.
-
-[discrete]
-[[release-notes-8.14.1]]
-=== 8.14.1
-
-[discrete]
-[[known-issue-8.14.1]]
-==== Known issues
-
-// tag::known-issue-14686[]
-[discrete]
-.{elastic-endpoint} does not properly populate the `user.name` field in security events
-[%collapsible]
-====
-*Details* +
-{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-14686[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[bug-fixes-8.14.1]]
-==== Bug fixes
-
-* Fixes a bug that caused the Osquery flyout to appear behind Timeline ({kibana-pull}184951[#184951]).
-* Fixes a bug that prevented dates from being displayed properly in Timeline if the {kib} space used a custom date and time format ({kibana-pull}184799[#184799]).
-* Fixes a bug that didn't allow you to use leading wildcards in queries when filtering data in the Summary and Treemap charts on the Alerts page ({kibana-pull}182875[#182875]).
-* Fixes a text formatting issue in the visual analyzer's left panel, where you can find event details ({kibana-pull}xc[#183453]).
-* Fixes a bug that that incorrectly led you to Timeline's **Query** tab if you opened the detailed visual analyzer view from the alert details flyout. Now, you're correctly navigated to Timeline's **Analyzer** tab ({kibana-pull}182749[#182749]).
-
-[discrete]
-[[release-notes-8.14.0]]
-=== 8.14.0
-
-[discrete]
-[[known-issue-8.14.0]]
-==== Known issues
-
-// tag::known-issue-14686[]
-[discrete]
-.{elastic-endpoint} does not properly populate the `user.name` field in security events
-[%collapsible]
-====
-*Details* +
-{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-14686[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[features-8.14.0]]
-==== New features
-* Introduces Attack discovery, a new feature that uses AI to identify potential attacks and help you quickly triage multiple alerts ({kibana-pull}181818[#181818]).
-* Creates the **Asset criticality** page within the **Manage** menu, which lets you bulk assign asset criticality levels to your assets ({kibana-pull}179891[#179891]).
-* Adds alert suppression for New Terms rules ({kibana-pull}178294[#178294]).
-* Adds alert suppression for EQL rules with non-sequence queries ({kibana-pull}176422[#176422]).
-* Allows you to edit value lists from the UI, anywhere you use them ({kibana-pull}179339[#179339]).
-* Adds a **Setup guide** markdown field to custom rules ({kibana-pull}178131[#178131]).
-
-[discrete]
-[[enhancements-8.14.0]]
-==== Enhancements
-* Removes the "Technical preview" tag for {esql} and makes it generally available ({kibana-pull}180838[#180838]).
-* Allows you to add calculated values to an {esql} rule's highlighted fields ({kibana-pull}177746[#177746]).
-* Connects {esql} functionality in {elastic-sec} to the `general:enableESQL` advanced setting ({kibana-pull}181616[#181616]).
-* Removes the "Technical preview" tag for custom query rule alert suppression and makes it generally available ({kibana-pull}181279[#181279]).
-* Makes conversations with Elastic AI Assistant persist across sessions ({kibana-pull}173487[#173487]).
-* Adds conversation streaming for Elastic AI Assistant ({kibana-pull}180095[#180095]).
-* Adds support for Anthropic Claude 3 to the Amazon Bedrock connector and makes it the default model ({kibana-pull}179304[#179304]).
-* Adds an **AI Assistant** settings section to the **Management** menu ({kibana-pull}176656[#176656]).
-* Updates the **AI Assistant** design from modal to flyout ({kibana-pull}176657[#176657]).
-* Adds the `_source` field to the alert details flyout's JSON view ({kibana-pull}180477[#180477]).
-* Improves the UI for row renderers in Timeline ({kibana-pull}180669[#180669]).
-* Allows data collected by Auditbeat to appear in Session View ({kibana-pull}179985[#179985]).
-* Improves the visual appearance of the asset criticality alert column ({kibana-pull}180868[#180868]).
-* Adds an advanced setting that allows you to turn off alert enrichment from memory scanning for malicious behavior alerts ({kibana-pull}180636[#180636]).
-* Adds an advanced setting that lets you turn off a performance optimization that makes malware on-write and file event processing asynchronous ({kibana-pull}179179[#179179]).
-* Makes some of the flyout's state persist for alert and event details ({kibana-pull}178746[#178746], {kibana-pull}179511[#179511]).
-* Limits the alerts that can affect an entity's risk score to the 10,000 riskiest ({kibana-pull}178324[#178324]).
-* Adds a tooltip to the **Asset Criticality** section of the entity details flyout ({kibana-pull}176927[#176927]).
-* Updates MITRE ATT&CK framework to version 14.1 ({kibana-pull}174120[#174120]).
-* Allows you to choose whether {elastic-defend} scans files when they're modified or executed ({kibana-pull}179176[#179176]).
-* Allows you to automatically register {elastic-defend} as the antivirus software for Windows endpoints when {elastic-defend}'s malware protection has prevention enabled ({kibana-pull}180484[#180484]).
-* Enables the expandable event flyout by default ({kibana-pull}182178[#182178]).
-* Enables the expandable Timeline flyout by default ({kibana-pull}182179[#182179]).
-
-
-
-[discrete]
-[[bug-fixes-8.14.0]]
-==== Bug fixes
-* Fixes a bug that prevented the **{esql}** Timeline tab from being turned off after you removed the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag from the {kib} user settings ({kibana-pull}182816[#182816]).
-* Fixes a bug that removed pinned events and comments in unsaved Timelines ({kibana-pull}178212[#178212]).
-* Fixes a bug in Timeline that prevented the **Show top _x_** action from showing accurate results ({kibana-pull}177213[#177213]).
-* Fixes a bug with the `is one of` Timeline filter that generated incorrect Query Domain Specific Language (DSL) queries ({kibana-pull}180455[#180455]).
-* Ensures the `securitySolution:enableAssetCriticality` advanced setting is enabled before the asset criticality levels to your entities are updated ({kibana-pull}181780[#181780]).
-* Corrects the color theme for the entity risk score UI to ensure it works in dark mode ({kibana-pull}181431[#181431]).
-* Improves the Entity Analytics dashboard load time ({kibana-pull}179510[#179510]).
-* Fixes a bug that didn't allow you to save Timelines if your {kib} account name was an email address ({kibana-pull}181709[#181709]).
-* Moves the `observer.serial_number` field to the Highlighted Fields section for alerts generated by SentinelOne and removes the {agent} status field ({kibana-pull}181038[#181038]).
-* Fixes an issue that caused {kib} Task Manager to become overloaded when rules were bulk enabled ({kibana-pull}180796[#180796]).
-* Ensures you can preview {ml} rules while creating a new rule ({kibana-pull}180792[#180792]).
-* Fixes a UI bug on the rule details page for EQL and {esql} rules that caused the **Custom query** label to incorrectly display in the rule type field ({kibana-pull}178821[#178821]).
-* Deactivates the **Create new list** option if you attempt to import another exception list for the Endpoint Security rule ({kibana-pull}178674[#178674]).
-* Fixes a bug that stopped indicator filters from working correctly on the Intelligence page ({kibana-pull}179607[#179607]).
-* Fixes the loading page layout on the Intelligence page, and improves the Indicators table loading speed after you set up a threat intelligence integration ({kibana-pull}178701[#178701]).
-* Fixes a bug that caused the wrong {security-app} page name to display in your browser tab ({kibana-pull}181056[#181056]).
-
diff --git a/docs/release-notes/8.15.asciidoc b/docs/release-notes/8.15.asciidoc
deleted file mode 100644
index 0393936ee9..0000000000
--- a/docs/release-notes/8.15.asciidoc
+++ /dev/null
@@ -1,366 +0,0 @@
-[[release-notes-header-8.15.0]]
-== 8.15
-
-[discrete]
-[[release-notes-8.15.4]]
-=== 8.15.4
-
-[discrete]
-[[known-issue-8.15.4]]
-==== Known issues
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-====
-// end::known-issue-189676[]
-
-[discrete]
-[[enhancements-8.15.4]]
-==== Enhancements
-* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis.
-
-[discrete]
-[[bug-fixes-8.15.4]]
-==== Bug fixes
-* Fixes a conflict that could result in a Windows boot failure `0xC000007B` for `ElasticElam.sys` when {elastic-defend} 8.15.2 or 8.15.3 was installed alongside CrowdStrike.
-* Fixes a bug that caused an Elastic AI Assistant error if you had over 20 conversations and tried to access or update any of them ({kibana-pull}197305[#197305]).
-* Makes Automatic Import more forgiving if LLMs return ECS mappings in unexpected formats ({kibana-pull}195167[#195167]).
-* Fixes a bug that caused fields from all indices to display when adding a filter to a rule that you were editing. Now, only fields from the rule's specified indices appear ({kibana-pull}194678[#194678], {kibana-issue}181643[#181643]).
-* Improves {elastic-defend} by making the `elastic-endpoint status` command more reliable. Before this fix, the command occasionally failed with an I/O error.
-* Fixes an {elastic-defend} process crash that could occur if it was configured to use the Kafka output.
-* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that didn't natively include this telemetry, such as Windows Server 2019. This could result in dropped or unattributed API events.
-* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. After this fix, {elastic-defend} removes these fields.
-* Fixes an {elastic-defend} bug where Windows API events could be dropped if they contained Unicode characters that couldn't be converted to ANSI.
-
-[discrete]
-[[release-notes-8.15.3]]
-=== 8.15.3
-
-[discrete]
-[[known-issue-8.15.3]]
-==== Known issues
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-====
-// end::known-issue-189676[]
-
-[discrete]
-[[bug-fixes-8.15.3]]
-==== Bug fixes
-* Fixes a bug that could cause {elastic-defend} to crash on Linux when scanning paths (or paths with children) which include virtual file systems, such as procfs.
-* Fixes a bug that made alerts wrongfully inherit previously-selected tags ({kibana-pull}194428[#194428]).
-* Prevents Automatic Import from requesting that LLMs map to reserved ECS fields ({kibana-pull}195168[#195168]).
-* Fixes an Automatic Import bug that prevented non-ECS compatible fields from resolving in structured and unstructured system logs ({kibana-pull}194727[#194727]).
-* Fixes an Automatic Import bug that occurred when uploading a new version of an existing integration ({kibana-pull}194298[#194298]).
-* Fixes an Automatic Import bug that caused integration deployments to fail after you edited the ingest pipeline ({kibana-pull}194203[#194203]).
-* Improves Attack discoveries by including the `user.target.name` field in the default anonymization allow list ({kibana-pull}193496[#193496]).
-* Fixes an Attack discovery UI bug where entities repeated in a description were displayed with a UUID instead of a value ({kibana-pull}193428[#193428]).
-
-[discrete]
-[[release-notes-8.15.2]]
-=== 8.15.2
-
-[discrete]
-[[known-issue-8.15.2]]
-==== Known issues
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-====
-// end::known-issue-189676[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[features-8.15.2]]
-==== New features
-* Allows Automatic Import to use sample input logs to identify log format types ({kibana-pull}190407[#190407]).
-* Allows Automatic Import to use system logs with structured message bodies ({kibana-pull}191749[#191749]).
-
-[discrete]
-[[enhancements-8.15.2]]
-==== Enhancements
-* Adds Ubuntu 24.04 support for {elastic-defend}.
-* Improves {elastic-defend}'s support of call stack module stomp detection in Windows 11 24H2 ({kibana-pull}192490[#192490]).
-* Allows you to use the Google Gemini, OpenAI, and Azure OpenAI connectors with Automatic Import ({kibana-pull}191577[#191577]).
-* Allows Automatic Import to use unstructured system logs ({kibana-pull}192817[#192817]).
-* Displays error messages in Automatic Import when logs sample files don't successfully upload ({kibana-pull}191310[#191310]).
-* Ensures that Automatic Import performs reproducible sampling from a list of log entries instead of truncating them ({kibana-pull}191598[#191598]).
-
-[discrete]
-[[bug-fixes-8.15.2]]
-==== Bug fixes
-* Prevents the Google Gemini connector from accepting unknown properties in responses, which resolves an error that occurred when generating Attack discoveries ({kibana-pull}192915[#192915]).
-* Fixes the **View in AI Assistant** button in Attack discovery, which previously did not work ({kibana-pull}192416[#192416]).
-* Changes the owner of integrations created by Automatic Import from `Elastic` to `Community` ({kibana-pull}193002[#193002]).
-* Fixes issues with rendering the package manifest in Automatic Import ({kibana-pull}192316[#192316]).
-* Fixes an issue that prevented the `http_endpoint` input configuration from loading correctly in the Automatic Import workflow ({kibana-pull}191964[#191964]).
-* Fixes a bug that prevented the `enable` field from being respected when you import rules ({kibana-pull}192302[#192302]).
-
-[discrete]
-[[release-notes-8.15.1]]
-=== 8.15.1
-
-[discrete]
-[[known-issue-8.15.1]]
-==== Known issues
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-
-====
-// end::known-issue-189676[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[features-8.15.1]]
-==== New features
-
-* Introduces a new feature for {elastic-defend} where Windows Image load events now include process protection status, making it easier to detect both legitimate and malicious PPL activity.
-* Allows you to examine Jamf data in the visual event analyzer ({kibana-pull}190965[#190965]).
-
-[discrete]
-[[enhancements-8.15.1]]
-==== Enhancements
-
-* {elastic-defend} now supports proxy configuration with {ls} output.
-* Improves {elastic-defend} by reducing Malware Protection disk I/O and CPU usage when recently written files are subsequently executed. This update is for Windows endpoints only.
-* Makes several improvements to the detection and parsing of log samples uploaded to automatic import ({kibana-pull}190588[#190588], {kibana-pull}191502[#191502], {kibana-pull}190656[#190656], {kibana-pull}190046[#190046]).
-* Improves error handling for the Tines connector, and provides an option to use a webhook URL when connecting to the Tines API ({kibana-pull}191263[#191263]).
-
-[discrete]
-[[bug-fixes-8.15.1]]
-==== Bug fixes
-
-* Fixes an {elastic-defend} bug that affected CPU usage for Windows process events where the same executable is repeatedly launched, for example, during compilation workloads. With this fix, CPU usage is improved.
-* Fixes an {elastic-defend} bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory.
-* Fixes an {elastic-defend} bug that sometimes caused {elastic-endpoint} to report an incorrect version if it used an independent {agent} release.
-* Fixes an {elastic-defend} bug where the `process.thread.Ext.call_stack_final_user_module.protection_provenance_path` field might be populated with a non-path value. This fix is for Windows endpoints only.
-* Fixes an {elastic-defend} bug that can lead to {elastic-endpoint} reporting `STATUS_ACCESS_DENIED` when attempting to open files for `GENERIC_READ`. {elastic-endpoint} almost always recovered from this issue, but with this fix, it succeeds on the first try. This fix is for Windows endpoints only.
-* Fixes an {elastic-defend} regression that was introduced in 8.14.0, where security events did not populate the `user.name` field. This fix is for Windows endpoints only.
-* Fixes an {elastic-defend} bug where {elastic-endpoint} sometimes missed file and network events on newer kernels that support eBPF. This only occurred if {elastic-endpoint} failed to enable eBPF probes and fell back to Kprobes. This fix is for Linux endpoints only.
-* Fixes a bug that caused errors if you used Azure OpenAI connector for streaming ({kibana-pull}191552[#191552]).
-* Fixes a bug that prevented duplicated prebuilt rules from inheriting **Required fields** and **Related integrations** field values ({kibana-pull}191065[#191065]).
-* Turns off the option to assign users to an alert if no assignees exist ({kibana-pull}190937[#190937]).
-* Fixes a bug that prevented Timeline template settings from being applied to new Timelines that were generated by a rule ({kibana-pull}190511[#190511]).
-* Fixes a bug that hid the option to select a connector for Elastic AI Assistant ({kibana-pull}189944[#189944]).
-* Removes the option to manually bulk-run multiple rules ({kibana-pull}190781[#190781]).
-
-[discrete]
-[[release-notes-8.15.0]]
-=== 8.15.0
-
-[discrete]
-[[known-issue-8.15.0]]
-==== Known issues
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-
-====
-// end::known-issue-189676[]
-
-// tag::known-issue-5713[]
-[discrete]
-.The option to manually run multiple rules is available in the bulk actions menu on the Rules page
-[%collapsible]
-====
-*Details* +
-On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-5713[]
-
-// tag::known-issue-14686[]
-[discrete]
-.{elastic-endpoint} does not properly populate the `user.name` field in security events
-[%collapsible]
-====
-*Details* +
-{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
-
-*Workaround* +
-Upgrade to 8.15.1.
-
-*Resolved* +
-On September 5, 2024, this issue was resolved.
-
-====
-// end::known-issue-14686[]
-
-// tag::known-issue-crowdstrike-response-actions[]
-[discrete]
-.CrowdStrike response actions (isolate and release host) not working
-[%collapsible]
-====
-*Details* +
-A bug prevented third-party response actions with CrowdStrike from working.
-
-*Workaround* +
-Upgrade to 8.15.1 or later.
-
-====
-// end::known-issue-crowdstrike-response-actions[]
-
-// tag::known-issue-192084[]
-[discrete]
-.Alerts wrongfully inherit previously-selected tags
-[%collapsible]
-====
-*Details* +
-
-When you add tags to alerts from the Alerts table, the previously-selected tags are incorrectly applied in addition to the new ones that you select.
-
-*Workaround* +
-
-Upgrade to 8.15.3. Alternatively, when adding tags to an alert, click the previously-applied tags to re-apply them, then click them again to remove them. Save your changes by clicking *Apply tags*. This removes the old tags from the alert.
-
-*Resolved* +
-On October 17, 2024, this issue was resolved.
-
-====
-// end::known-issue-192084[]
-
-[discrete]
-[[breaking-changes-8.15.0]]
-==== Breaking changes
-
-* If you previously created any user-defined quick prompts for Elastic AI Assistant, they will no longer appear after you upgrade to 8.15. To resolve this, copy your existing quick prompts prior to upgrading, then add them again after upgrading. Additionally, in 8.15, quick prompts are shared by all users in your deployment, rather than saved at the user level ({kibana-pull}187040[#187040]).
-
-[discrete]
-[[features-8.15.0]]
-==== New features
-
-* Introduces Automatic Import, a feature that helps you to quickly parse, ingest, and create ECS mappings for data from sources that don't yet have prebuilt Elastic integrations ({kibana-pull}186304[#186304]).
-* Creates an LLM connector for Google Gemini ({kibana-pull}183668[#183668]).
-* Adds an API for Elastic AI Assistant ({kibana-pull}184485[#184485]).
-* Adds the `scan` action to the response console, which allows you to scan a specific file or directory on a host for malware ({kibana-pull}184723[#184723]).
-* Adds an {elastic-defend} integration policy option in Advanced Settings that allows you to opt out of registry event filtering ({kibana-pull}186564[#186564]).
-* Allows you to specify additional file and registry paths to monitor for read access ({kibana-pull}181361[#181361]).
-* Allows you to use {elastic-sec} to isolate and release hosts running a CrowdStrike agent ({kibana-pull}186801[#186801]).
-* Allows you to retrieve files from SentinelOne-enrolled hosts ({kibana-pull}181162[#181162]).
-* Allows you to create an event filter that excludes the descendant events of a specific process ({kibana-pull}184947[#184947]).
-* Recalculates entity risk scores when asset criticality changes on an individual entity ({kibana-pull}182234[#182234]).
-* Adds an **Asset criticality** column to user and host data tables. If asset criticality levels are assigned to your users and hosts, this information appears in the **Asset criticality** column ({kibana-pull}186375[#186375], {kibana-pull}186456[#186456]).
-* Adds an API that allows you to perform paginated KQL searches through asset criticality records ({kibana-pull}186568[#186568]).
-* Adds public APIs for managing asset criticality ({kibana-pull}186169[#186169]).
-* Allows you to edit the `max_signals`, `related_integrations`, and `required_fields` fields for custom rules ({kibana-pull}179680[#179680], {kibana-pull}178295[#178295], {kibana-pull}180682[#180682]).
-* Provides help from AI Assistant when you're correcting rule query errors ({kibana-pull}179091[#179091]).
-* Allows you to bulk update custom highlighted fields for rules ({kibana-pull}179312[#179312]).
-* Adds alert suppression for {ml} and {esql} rules ({kibana-pull}181926[#181926], {kibana-pull}180927[#180927]).
-* Provides previews of hosts, users, and alerts that you're examining in the alert details flyout ({kibana-pull}186850[#186850], {kibana-pull}186857[#186857]).
-* Enhances Timeline’s data exploration experience by incorporating components from Discover, such as the sidebar and table, which allow you to quickly find fields of interest. Timeline’s overall performance is also improved ({kibana-pull}176064[#176064]).
-* Adds an option for toggling row renderers on and off, and moves notes to a new flyout in Timeline ({kibana-pull}186948[#186948]).
-* Revamps the Dashboards landing page ({kibana-pull}186465[#186465]).
-
-[discrete]
-[[enhancements-8.15.0]]
-==== Enhancements
-
-* Allows Attack discovery generation to continue when you navigate to another page, and allows you to run Attack discovery with multiple connectors simultaneously. ({kibana-pull}184949[#184949]).
-* Adds notifications to the connector dropdown menu on the Attack discovery page so you know when other connectors have new discoveries ({kibana-pull}186903[#186903], {kibana-pull}187209[#187209]).
-* Improves AI Assistant's responses across multiple connectors and in multiple scenarios for streaming and non-streaming use cases ({kibana-pull}182041[#182041], {kibana-pull}187183[#187183]).
-* Enables AI Assistant to remember information you ask it to remember ({kibana-pull}184554[#184554], https://github.com/elastic/security-docs/issues/5670[#5670]).
-* Updates the default Gemini version to `gemini-1.5-pro-001` and the default Bedrock version to `anthropic.claude-3-5-sonnet-20240620-v1:0` ({kibana-pull}186671[#186671]).
-* Simplifies how you enable AI Assistant's knowledge base ({kibana-pull}182763[#182763]).
-* Unifies the AI Assistant's settings view ({kibana-pull}184678[#184678]).
-* Introduces a new {elastic-endpoint} policy setting that allows you to control whether the kernel reports Windows network events that happened on a local loopback interface ({kibana-pull}181753[#181753]).
-* Improves how failure messages for the `scan` action appear in the response console ({kibana-pull}186284[#186284]).
-* Improves the risk engine's performance. Now, after you turn on the engine, risk data is available sooner ({kibana-pull}184797[#184797]).
-* Enhances the risk engine's normalization accuracy ({kibana-pull}184638[#184638]).
-* Updates the copy for bulk assigning asset criticality to multiple entities ({kibana-pull}181390[#181390]).
-* Improves visual and logic issues in the Findings table ({kibana-pull}184185[#184185]).
-* Enables the expandable alert details flyout by default and replaces the `securitySolution:enableExpandableFlyout` advanced setting with a feature flag that allows you to revert to the old flyout version ({kibana-pull}184169[#184169]).
-* Improves the UI design and copy of various places in the alert details flyout ({kibana-pull}187430[#187430], {kibana-pull}187920[#187920]).
-* Updates the MITRE ATT&CK framework to version 15.1 ({kibana-pull}183463[#183463]).
-* Improves the warning message about rule actions being unavailable after a rule ran ({kibana-pull}182741[#182741]).
-* Enables the `xMatters` and `Server Log connectors` rule actions ({kibana-pull}172933[#172933]).
-
-[discrete]
-[[bug-fixes-8.15.0]]
-==== Bug fixes
-
-* Fixes a bug that prevented Timeline from properly retrieving results after upgrading to 8.14.1 ({kibana-pull}189031[#189031]).
-* Fixes a bug that showed that Timeline had been changed, even if it hadn't been ({kibana-pull}188106[#188106]).
-* Removes the option to investigate suppressed alerts in Timeline when you're previewing alert details from a rule preview ({kibana-pull}188385[#188385]).
-* Fixes the alignment of the page selector dropdown menu on the Shared Exception Lists page ({kibana-pull}187956[#187956]).
-* Fixes a rule execution error that occurred when {esql} rules queried source documents with non-ECS compliant sub-fields under the `event.action` field ({kibana-pull}187549[#187549]).
-* Fixes a bug that caused the `Enable entity risk scoring` option to display even when you didn't have the correct requirements ({kibana-pull}183517[#183517]).
-* Prevents `maxClauseCount` errors from occurring for indicator match rules ({kibana-pull}179748[#179748]).
-* Fixes a bug that prevented threat intelligence fields from correctly rendering in the alert details flyout if they had flattened fields ({kibana-pull}179395[#179395]).
-* Removes references in the UI that directed users to outdated documentation for the risk scoring feature ({kibana-pull}187585[#187585]).
-* Fixes a bug on the Get started page that prevented the correct username from being displayed in the greeting message ({kibana-pull}180670[#180670]).
-* Fixes a bug that caused the pagination menu from appearing in the correct place for the Uncommon processes table ({kibana-pull}189201[#189201]).
-* Fixes a bug that affected the panel showing the last command details in the Uncommon processes table ({kibana-pull}187848[#187848]).
\ No newline at end of file
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc
deleted file mode 100644
index 6f647d96e4..0000000000
--- a/docs/release-notes/8.16.asciidoc
+++ /dev/null
@@ -1,181 +0,0 @@
-[[release-notes-header-8.16.0]]
-== 8.16
-
-[discrete]
-[[release-notes-8.16.0]]
-=== 8.16.0
-
-[discrete]
-[[known-issue-8.16.0]]
-==== Known issues
-
-// tag::known-issue[]
-[discrete]
-.Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error
-[%collapsible]
-====
-*Details* +
-Updating a Knowledge Base entry of type "index" results in an error.
-
-*Workaround* +
-Instead of updating an "index" entry, delete it and add it again with the desired changes.
-
-====
-// end::known-issue[]
-
-// tag::known-issue-189676[]
-[discrete]
-.Tags appear in Elastic AI Assistant's responses
-[%collapsible]
-====
-*Details* +
-On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `` tags, for example `` ({kibana-issue}189676[#189676]).
-
-====
-// end::known-issue-189676[]
-
-// tag::known-issue[]
-[discrete]
-.Duplicate alerts can be produced from manually running threshold rules
-[%collapsible]
-====
-*Details* +
-On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
-
-====
-// end::known-issue[]
-
-// tag::known-issue[]
-[discrete]
-.Manually running custom query rules with suppression could suppress more alerts than expected
-[%collapsible]
-====
-*Details* +
-On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
-
-====
-// end::known-issue[]
-
-// tag::known-issue-53[]
-[discrete]
-.Alerts page crashes if you upgrade to 8.16 and access it in a non-default {kib} space
-[%collapsible]
-====
-*Details* +
-On November 14, 2024, it was discovered that the **Alerts** page would crash and display an `Unable to load` error if you upgraded to 8.16 and accessed the page in a non-default {kib} space.
-
-*Workaround* +
-Manually edit your browser's local storage and refresh the **Alerts** page:
-
-NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on the browser you're using.
-
-. Right-click anywhere on the **Alerts** page, then select *Inspect* to open Chrome's Developer Tools.
-. Go to *Application -> Storage*, then expand *Local Storage*.
-. Click on the name of your Kibana instance, for example, http://localhost:1234.
-. Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space.
-. Refresh the **Alerts** page to reload it.
-
-====
-// end::known-issue-53[]
-
-[discrete]
-[[breaking-changes-8.16.0]]
-==== Breaking changes
-
-* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body `{ "message": "{kib} is shutting down and not accepting new incoming requests" }`.
-
-[discrete]
-[[features-8.16.0]]
-==== New features
-
-* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]).
-* Enables agentless deployment for Elastic's Cloud Security Posture Management integration and the new Cloud Asset Inventory integration ({kibana-pull}191557[#191557]).
-* Enables data collected by the Wiz and AWS Security Hub integrations to appear on the Findings page and in entity details flyouts (https://github.com/elastic/integrations/pull/10790[#10790], https://github.com/elastic/integrations/pull/11158[#11158]).
-* Enables alerts collected by the Falco integration to appear on the Alerts page (https://github.com/elastic/integrations/pull/9619[#9619], https://github.com/elastic/integrations/pull/11051[#11051]).
-* Adds ability to manually run rules for a specified time period, either for testing purposes or to generate alerts for past events.
-* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]).
-* Adds the ability to attach notes to alerts and events and introduces the Notes page, which allows you to manage all existing notes ({kibana-pull}186787[#186787], {kibana-pull}186807[#186807], {kibana-pull}186931[#186931], {kibana-pull}186946[#186946], {kibana-pull}187214[#187214], {kibana-pull}193373[#193373]).
-* Enables detection rules to automatically execute system actions, such as opening a case ({kibana-pull}183937[#183937]).
-* Adds role-based access control (RBAC) for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]).
-* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]).
-* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <> workflows by default ({kibana-pull}196270[#196270]).
-* Introduces the entity store as a technical preview feature, which allows observed, imported, integrated, or uploaded entities to be stored persistently ({kibana-pull}192806[#192806]).
-* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]).
-* Allows you to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]).
-* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
-* Introduces a new advanced setting, `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531], {kibana-pull}192643[#192643]).
-* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule executions ({kibana-pull}186908[#186908]).
-+
-IMPORTANT: Even when the `excludedDataTiersForRuleExecution` advanced setting is enabled, indicator match, event correlation, and {esql} rules may still fail if a frozen or cold shard that matches the rule's specified index pattern is unavailable during rule executions. If failures occur, we recommend modifying the rule's index patterns to only match indices containing hot tier data.
-* Enhances the Insights section of the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
-* Turns off the host field size reduction setting on {elastic-defend}'s integration policy by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <>.
-* Allows you to reduce CPU usage, I/O, and event sizes by turning on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <>.
-* Allows you to reduce CPU usage, I/O, and event sizes by turning off MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`.
-* Allows you to configure your {elastic-defend} integration policy to collect SHA-256 file hashes in file events. Before doing so, consider the following caveats:
-** This can greatly increase {elastic-defend}'s CPU and I/O utilization and impact system responsiveness.
-** This can significantly delay event enrichment and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior.
-** This can cause event processing queues to overflow and lead to dropped events.
-** Many file events won't contain hashes. Hash collection is the best effort and is not guaranteed to be present in every event. Hashes are collected asynchronously and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing].
-* Improves {elastic-defend} by enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the Kafka output.
-* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity.
-
-[discrete]
-[[enhancements-8.16.0]]
-==== Enhancements
-* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]).
-* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]).
-* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]).
-* Adds an **Other** option to the OpenAI connector's **Select an OpenAI provider** dropdown menu. Select this option when <> ({kibana-pull}194831[#194831]).
-* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]).
-* Adds an **Install and enable** button to the **Add Elastic Rules** page, which allows for rules to be immediately enabled after they're installed ({kibana-pull}191529[#191529]).
-* Adds the **Alert Suppression** and **Investigative guide** fields to the rule upgrade workflow ({kibana-pull}195499[#195499]).
-* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]).
-* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]):
-** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page and is stored locally instead of in {es}.
-** Attack Discovery now combines related discoveries that would previously have appeared separately.
-** Attack Discovery now detects and displays an error instead of hallucinated output.
-* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]).
-* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]).
-* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]).
-* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]).
-* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]).
-* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]).
-* Allows Automatic Import to analyze a larger number of sample events when generating a new integration ({kibana-pull}196233[#196233]).
-* Allows Automatic Import to recognize CSV logs and create integrations for CSV data ({kibana-pull}196228[#196228], {kibana-pull}194386[#194386]).
-* Allows you to open the rule details flyout from the Alerts table ({kibana-pull}191764[#191764]).
-* Allows you to resize the alert and event details flyouts and choose how it's displayed in relation to the Alerts table (over or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]).
-* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]).
-* Adds support in all detection rule types for {elastic-defend}'s automated response actions ({kibana-pull}193390[#193390], {kibana-pull}191874[#191874]).
-* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis.
-* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`.
-* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions.
-* Ensures security artifacts are updated when the {elastic-defend} service starts.
-* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy.
-* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context.
-* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output.
-* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables the detection of certain defense evasions. You can turn this feature off in {elastic-defend} <> ({kibana-pull}190553[#190553]).
-* Restores {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0.
-* Improves {elastic-defend}'s caching to reduce memory usage on Windows.
-* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID.
-* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver.
-
-[discrete]
-[[bug-fixes-8.16.0]]
-==== Bug fixes
-
-* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]).
-* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]).
-* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]).
-* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]).
-* Improves the performance of the Alerts table ({kibana-pull}192827[#192827]).
-* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture findings ({kibana-pull}194069[#194069]).
-* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events.
-* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI.
-* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields.
-* Fixes a bug where {elastic-defend} could fail to properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events. -* Fixes a bug that prevented host name uniformity with {beats} products. If you request {elastic-defend} to use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default. -* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts. -* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy. -* Fixes scenarios where Automatic Import could generate invalid processors containing array access ({kibana-pull}196207[#196207]). -* Improves Timeline's table performance when row renderers are switched on ({kibana-pull}193316[#193316]). -* Fixes misaligned filter control labels on the Alerts page ({kibana-pull}192094[#192094]). \ No newline at end of file diff --git a/docs/release-notes/8.2.asciidoc b/docs/release-notes/8.2.asciidoc deleted file mode 100644 index 303d004aea..0000000000 --- a/docs/release-notes/8.2.asciidoc +++ /dev/null 
@@ -1,124 +0,0 @@ -[[release-notes-header-8.2.0]] -== 8.2 - -[discrete] -[[release-notes-8.2.3]] -=== 8.2.3 - -[discrete] -[[known-issue-8.2.3]] -==== Known issues -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.2.3]] -==== Bug fixes and enhancements -* Fixes a bug that caused incorrect enrichment data to be attached to alerts ({kibana-pull}133591[#133591]). - -[discrete] -[[release-notes-8.2.2]] -=== 8.2.2 - -[discrete] -[[known-issue-8.2.2]] -==== Known issues -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.2.2]] -==== Bug fixes and enhancements -* Fixes a sorting and tooltip issue in Timeline for non-ECS fields that don’t have nested values ({kibana-pull}132570[#132570]). - -[discrete] -[[release-notes-8.2.1]] -=== 8.2.1 - -[discrete] -[[known-issue-8.2.1]] -==== Known issues -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.2.1]] -==== Bug fixes and enhancements -* Allows {kibana-ref}/pre-configured-connectors.html[preconfigured connectors] to be used with cases ({kibana-pull}130372[#130372]). -* Adds pagination to the *Table* tab on the Alert details flyout to fix a performance issue on the Timelines page ({kibana-pull}131358[#131358]). -* Fixes sorting issues that were related to unmapped fields ({kibana-pull}132190[#132190]). 
-* Fixes a bug in the *Filter In*, *Filter Out*, and *Add to timeline investigation* inline actions that caused incorrect results to be retrieved ({kibana-pull}132251[#132251]). -* Enhances performance by improving calculations for the top count function and hover action in data tables ({kibana-pull}131363[#131363]). - -[discrete] -[[release-notes-8.2.0]] -=== 8.2.0 - -[discrete] -[[known-issue-8.2.0]] -==== Known issues -* On macOS versions before 12.4, if {elastic-endpoint} is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later. -* Indicator match rules cannot use the `.items-*` system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules ({kibana-pull}133457[#133457]). -* The `matches` operator in the *Add Rule Exception* flyout does not work because wildcard matches are not supported for rule exceptions. Using the `matches` operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting unsupported exceptions and refreshing the rules ({kibana-issue}136340[#136340]). -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[deprecations-8.2.0]] -==== Deprecations -The following endpoints are deprecated ({kibana-pull}129448[#129448]) and will be removed in a future release. They will remain active for at least the next 18 months: - -* <> -* <> -* <> - -To avoid breakage, we recommend using the <> API instead for similar bulk actions. You can also use the <>, <>, and <> rule APIs to manage rules individually. 
- -[discrete] -[[breaking-changes-8.2.0]] -==== Breaking changes - -There are no breaking changes in 8.2.0. - -[discrete] -[[features-8.2.0]] -==== Features -* Enables rule previews for indicator match rules ({kibana-pull}126651[#126651]). -* Displays the alerts table when previewing a rule ({kibana-pull}127986[#127986]). -* Introduces a new beta feature, <>. Session view contextualizes and provides insight into Linux process data ({kibana-pull}127828[#127828], {kibana-pull}126997[#126997], {kibana-pull}127520[#127520], {kibana-pull}124575[#124575]). -* Creates a <> page under *Explore* to help you better understand authentication and usage information ({kibana-pull}127617[#127617], {kibana-pull}127953[#127953], {kibana-pull}126434[#126434], {kibana-pull}126079[#126079], {kibana-pull}128375[#128375], {kibana-pull}130030[#130030]). -* Creates a User details flyout ({kibana-pull}127019[#127019]). -* Creates a <> that enables you to prevent applications from running on hosts ({kibana-pull}127098[#127098], {kibana-pull}127031[#127031], {kibana-pull}126390[#126390]). -* Creates a *Policies* page, which lists all of the integration policies configured for {endpoint-sec}. Use the page to quickly view and manage your {endpoint-sec} integration policies ({kibana-pull}123760[#123760]). -* Enables you to bulk-apply Timeline templates to rules ({kibana-pull}128691[#128691]). -* Enables users to filter the rules management table by index pattern or MITRE ATT&CK tactic or technique (name or ID) ({kibana-pull}128245[#128245]). -* Allows you to run Osquery searches from the **Take action** button on the Alert details flyout (**Alerts** and **Timelines** pages) ({kibana-pull}128142[#128142]). -* Adds a list of linked cases to the alert details flyout ({kibana-pull}128033[#128033]). -* Expands the actions you can take on visualizations throughout {elastic-sec} to *Inspect*, *Open in Lens*, *Add to new case*, and *Add to existing case* ({kibana-pull}126507[#126507]). 
-* Adds rule execution logs to the rule details page to consolidate information about a rule's execution history ({kibana-pull}126215[#126215]). -* Enables wildcard entries for `file.path.text` fields within event filters with the *matches* operator ({kibana-pull}125202[#125202]). - -[discrete] -[[bug-fixes-8.2.0]] -==== Bug fixes and enhancements -* Performance enhancements for indicator match rules: -** Adds point in time (PIT) search ({kibana-pull}128433[#128433]). -** Adds events-first (reverse) search ({kibana-pull}127428[#127428]). -** Includes filters from indicator match rule mappings to reduce the search load when rules run ({kibana-pull}127411[#127411]). -* Fixes a bug that affected the accuracy of rule preview results ({kibana-pull}128003[#128003]). -* Adds event log telemetry for detection rules ({kibana-pull}128216[#128216]). -* Adds support for Osquery pack integration assets ({kibana-pull}128109[#128109]). -* Fixes minor Osquery issues on alerts ({kibana-pull}128676[#128676]). -* Allows users to reduce resource usage by collapsing KPIs and table queries running on the *Hosts* and *Network* pages ({kibana-pull}127930[#127930]). -* Adds the *Alert prevalence* column to the Highlighted fields table ({kibana-pull}127599[#127599]). -* Introduces a new landing page that provides guidance for adding data ({kibana-pull}127324[#127324]). -* Redesigns the *Fields* browser ({kibana-pull}126105[#126105]). -* Allows runtime fields to be managed from the *Fields* browser ({kibana-pull}127037[#127037]). -* Adds the *Blocklist enabled* toggle to Malware protection settings ({kibana-pull}127031[#127031]). -* Updates MITRE ATT&CK mappings for detection rules to v10.1 ({kibana-pull}126288[#126288]). -* Adds an Advanced Settings toggle to turn off `read` privilege warnings for detection rules using a remote cross-cluster search (CCS) index pattern ({kibana-pull}124459[#124459]). 
-* Adds four new Timeline templates that are focused on key event categories to provide relevant alert data and assist with investigation and resolution efforts ({kibana-pull}125172[#125172]). -* Excludes malware and ransomware alerts from detection rule telemetry ({kibana-pull}130233[#130233]). -* Fixes alert and external alert filters on the *Hosts* page and *Users* page ({kibana-pull}129451[#129451]). -* Passes threshold alert filters to the Timeline ({kibana-pull}129405[#129405]). -* Displays a confirmation message when a user creates the first event filter ({kibana-pull}128810[#128810]). -* Fixes a bug that ignored exceptions when loading the threshold alert count in a Timeline ({kibana-pull}128495[#128495]). -* Adds a fallback mechanism to EQL rules so that rules fall back to `@timestamp` if `timestamp_override` doesn't exist ({kibana-pull}127989[#127989]). -* Fixes a bug that stopped EQL rules from using a `max_signals` value greater than 100 ({kibana-pull}127839[#127839]). -* Updates EQL rules to use the EQL method of the {es} client ({kibana-pull}127684[#127684]). diff --git a/docs/release-notes/8.3.asciidoc b/docs/release-notes/8.3.asciidoc deleted file mode 100644 index 8b3cd82d9d..0000000000 --- a/docs/release-notes/8.3.asciidoc +++ /dev/null 
@@ -1,231 +0,0 @@ -[[release-notes-header-8.3.0]] -== 8.3 - -[discrete] -[[release-notes-8.3.3]] -=== 8.3.3 - -[discrete] -[[known-issue-8.3.3]] -==== Known issues -* An {endpoint-cloud-sec} bug on macOS and Linux can cause CPU spikes if malware protection is enabled on an {endpoint-cloud-sec} integration policy. When this happens, {endpoint-cloud-sec} may experience system coverage gaps. To avoid this, we recommend using {agent} version 8.3.2 or earlier. If you are using {agent} version 8.3.3 and have encountered this issue, you can temporarily resolve it by rebooting your computer and disabling <> on your {endpoint-cloud-sec} integration policy (https://github.com/elastic/endpoint/issues/22[#22]). -* A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.3.3]] -==== Bug fixes and enhancements -* Fixes a bug that prevented the *Create field* button from appearing in the Fields browser when you accessed it from a Timeline created using the Alerts page's *Open in timeline* button ({kibana-pull}135842[#135842]). -* Removes the unsupported `matches` operator from the *Add Rule Exception* flyout ({kibana-pull}136340[#136340]). -* Prevents rule execution log events from being wrongly ordered when the maximum number of events are reached and events are filtered by status ({kibana-pull}131675[#131675]). - -[discrete] -[[release-notes-8.3.2]] -=== 8.3.2 - -[discrete] -[[known-issue-8.3.2]] -==== Known issue -* The `matches` operator in the *Add Rule Exception* flyout does not work because wildcard matches are not supported for rule exceptions. Using the `matches` operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting unsupported exceptions and refreshing the rules ({kibana-issue}136340[#136340]). 
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.3.2]] -==== Bug fixes and enhancements -* Allows indices created from value lists to be used with indicator match rules ({kibana-pull}135128[#135128]). -* Fixes an issue where detection rules that were created or edited in 8.2.x failed to execute after you upgraded to {stack} 8.3.0 or 8.3.1 ({kibana-pull}135663[#135663]). - -==== - -[IMPORTANT] - -If you already upgraded to 8.3.0 or 8.3.1 and noticed that rules created or updated in 8.2.x were failing with an error similar to the message below, complete the appropriate steps to restore your rules after you upgrade to 8.3.2. Refer to the <> of the 8.3.1 release notes for more information. - -[source,text] ----- -:: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: "" ----- - -==== - -[discrete] -[[release-notes-8.3.1]] -=== 8.3.1 - -[discrete] -[[known-issue-8.3.1]] -==== Known issue - -*Detection rules stop running after upgrade* - -8.3.1 has a bug where detection rules that were created or edited in 8.2.x will stop running after you upgrade. Because of this, we advise against upgrading from 8.2.x to 8.3.1. - -If you already upgraded from 8.2.x to 8.3.1, detection rules affected by the bug will have stopped running with an error that is similar to the following example: - -[source,text] ----- -:: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: "" ----- - -To restore the affected rules and reset their statuses, complete the following. - -IMPORTANT: To restore custom and prebuilt rules, you need privileges to <>. 
- - -*Restore affected custom and prebuilt rules* - -. Go to the Rules page (*Detect -> Rules*). -. Click the *Rows per page* menu under the rules table and select *100 rows*. -. In the rules table, click the *Rule* column to sort by rule name. -. Identify affected rules. They will have a `Failed` status in the *Last response* column. -. Select the affected rules, then click *Bulk actions -> Disable*. -. Select the same rules, then click *Bulk actions -> Enable*. -+ -NOTE: After you've re-enabled the affected rules, the rules' *Last Response* values will change to `Pending` and then update to `Active` or `OK`. -+ -. Go to the next page of results in the rules table and repeat steps 1 through 6. - -*Restore affected custom rules only (optional)* - -NOTE: This is an alternative option for users who have only enabled custom rules and/or duplicated and enabled prebuilt rules. - -. Go to the *Rules* page (*Detect -> Rules*) and click *Elastic rules*. -. Switch on the *Technical preview* toggle above the table. -. In the rules table, click *Custom rules*. -. Sort the rules table by the *Last Response* column to show the latest rule statuses. -. Select rules with the `Failed` status, then click *Bulk actions -> Tags -> Add Tags*. -. Add a new tag, for example `rules_to_fix`. This will generate new API keys and resolve the bug. -+ -On the next scheduled rule execution, the *Last Response* value for the rule will change to `Pending`, and then to `Active` or `OK`. - -*The `matches` operator is not supported for rule exceptions* - -The `matches` operator in the *Add Rule Exception* flyout does not work because wildcard matches are not supported for rule exceptions. Using the `matches` operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting the unsupported exceptions and refreshing the rules ({kibana-issue}136340[#136340]). 
- -*Lucene 9 validation change might affect event correlation rules* - -A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[bug-fixes-8.3.1]] -==== Bug fixes and enhancements -* Fixes a bug that prevented the Cases widget in the Detection & Response dashboard from updating ({kibana-pull}135128[#135128]). - -[discrete] -[[release-notes-8.3.0]] -=== 8.3.0 - -[discrete] -[[known-issue-8.3.0]] -==== Known issue - -*Detection rules stop running after upgrade* - -8.3.0 has a bug where detection rules that were created or edited in 8.2.x will stop running after you upgrade. Because of this, we advise against upgrading from 8.2.x to 8.3.0. - -If you already upgraded from 8.2.x to 8.3.0, detection rules affected by the bug will have stopped running with an error that is similar to the following example: - -[source,text] ----- -:: execution failed - security_exception: [security_exception] Reason: missing authentication credentials for REST request [/_security/user/_has_privileges], caused by: "" ----- - -To restore the affected rules and reset their statuses, complete the following. - -IMPORTANT: To restore custom and prebuilt rules, you need privileges to <>. - -*Restore affected custom and prebuilt rules* - -. Go to the Rules page (*Detect -> Rules*). -. Click the *Rows per page* menu under the rules table and select *100 rows*. -. In the rules table, click the *Rule* column to sort by rule name. -. Identify affected rules. They will have a `Failed` status in the *Last response* column. -. Select the affected rules, then click *Bulk actions -> Disable*. -. Select the same rules, then click *Bulk actions -> Enable*. -+ -NOTE: After you've re-enabled the affected rules, the rules' *Last Response* values will change to `Pending` and then update to `Active` or `OK`. - -. 
Go to the next page of results in the rules table and repeat steps 1 through 6. - -*Restore affected custom rules only (optional)* - -NOTE: This is an alternative option for users who have only enabled custom rules and/or duplicated and enabled prebuilt rules. - -. Go to the *Rules* page (*Detect -> Rules*) and click *Elastic rules*. -. Switch on the *Technical preview* toggle above the table. -. In the rules table, click *Custom rules*. -. Sort the rules table by the *Last Response* column to show the latest rule statuses. -. Select rules with the `Failed` status, then click *Bulk actions -> Tags -> Add Tags*. -. Add a new tag, for example `rules_to_fix`. This will generate new API keys and resolve the bug. - -On the next scheduled rule execution, the *Last Response* value for the rule will change to `Pending`, and then to `Active` or `OK`. - -*The `matches` operator is not supported for rule exceptions* - -The `matches` operator in the *Add Rule Exception* flyout does not work because wildcard matches are not supported for rule exceptions. Using the `matches` operator will cause rule exceptions and their associated rules to fail. You can restore failed rules by deleting the unsupported exceptions and refreshing the rules ({kibana-issue}136340[#136340]). - -*Lucene 9 validation change might affect event correlation rules* - -A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). - -[discrete] -[[breaking-changes-8.3.0]] -==== Breaking changes - -* Updates Elastic prebuilt {ml} detection rules for some Windows and Linux anomalies with new `v3` {ml} jobs. A confirmation modal is displayed when updating rules if `v1`/`v2` jobs are installed. 
If you're using 8.2 or earlier versions of {beats} or {agent}, you may need to duplicate prebuilt rules or create new custom rules _before_ you update the prebuilt rules. Once you update the prebuilt rules, they will only use `v3` {ml} jobs. Refer to {security-guide}/alerts-ui-monitor.html#ml-job-compatibility[Troubleshoot missing alerts for machine learning jobs] for more information ({kibana-pull}128334[#128334]).
-
-[discrete]
-[[features-8.3.0]]
-==== Features
-* Renames Endpoint Security integration to "{endpoint-cloud-sec}" ({kibana-pull}132752[#132752]).
-* Adds a new {security-guide}/detection-response-dashboard.html[Detection & Response dashboard], which provides focused visibility into the day-to-day operations of your security environment ({kibana-pull}130670[#130670], {kibana-pull}128335[#128335], {kibana-pull}129021[#129021], {kibana-pull}128087[#128087], {kibana-pull}131828[#131828], {kibana-pull}131029[#131029]).
-* Introduces a new optional design for the main navigation menu ({kibana-pull}132210[#132210], {kibana-pull}131437[#131437], {kibana-pull}133719[#133719]).
-* Adds a *User risk* tab to the User details flyout ({kibana-pull}130256[#130256]).
-* Adds an *Authentications* tab to the User details flyout ({kibana-pull}129456[#129456]).
-* Adds the ability to investigate Osquery results in Timeline ({kibana-pull}128596[#128596]).
-* Allows multiple alerts to be added to a case ({kibana-pull}130958[#130958]).
-* Adds the option to delete case comments from a case ({kibana-pull}130254[#130254]).
-* Provides an option to select a severity level for a case ({kibana-pull}131626[#131626]).
-* Adds the experimental *Alerts* tab to cases, which allows users to inspect attached alerts ({kibana-pull}131883[#131883]).
-* Adds the *Average time to close* metric to the Cases page ({kibana-pull}131909[#131909]).
-* Adds new fields to prebuilt detection rules' schemas: `related_integrations`, `required_fields`, and `setup` ({kibana-pull}132409[#132409]).
-* Adds the *Related integrations*, *Required fields*, and *Setup guide* sections to the rule details page to help users identify and meet a rule's prerequisites. Also adds the related integrations badge to the Rules table ({kibana-pull}131475[#131475]). Content for these new sections is delivered in a prebuilt rules update, independent of {stack} release versioning.
-
-[discrete]
-[[bug-fixes-8.3.0]]
-==== Bug fixes and enhancements
-* Separates array values with commas in the Alerts table ({kibana-pull}133297[#133297]).
-* Exposes the EQL search settings `event_category_field`, `tiebreaker_field`, and `timestamp_field` through the rules API and UI for event correlation rules ({kibana-pull}132247[#132247]).
-* Adds the *Session ID* field to the *Highlighted fields* section of the Alert details flyout ({kibana-pull}132219[#132219]).
-* Adds Dashboards and Threat Hunting Landing pages ({kibana-pull}130905[#130905]).
-* Allows highlighted fields to be investigated in Timeline ({kibana-pull}131255[#131255]).
-* Adds the *Run Osquery* option to the *More actions* menu (*...*) in the Alerts table ({kibana-pull}131790[#131790]).
-* Improves the performance of these actions on the bulk rule actions endpoint ({kibana-pull}130924[#130924]).
-** `add_tags`
-** `delete_tags`
-** `set_tags`
-** `add_index_patterns`
-** `delete_index_patterns`
-** `set_index_patterns`
-** `set_timeline`
-* Fixes a bug that caused the rule details page to crash when users opened a deleted or non-existent rule ({kibana-pull}133867[#133867]).
-* Allows threshold alerts to be investigated in Timeline if filters are not provided ({kibana-pull}133733[#133733]).
-* Prevents events from being added to cases from Timeline ({kibana-pull}133410[#133410]).
-* Fixes a bug that prevented the Users and Hosts pages from resetting after being sorted ({kibana-pull}133111[#133111]).
-* Removes the filter and investigate in Timeline options from the {agent} status in highlighted fields ({kibana-pull}132829[#132829], {kibana-pull}132586[#132586]).
-* Improves the copy of Timeline tooltips ({kibana-pull}132756[#132756]).
-* Fixes a validation bug that occurred when users were building a rule exception and changed the exception statement’s operator ({kibana-pull}131989[#131989]).
-* Adds a checkmark to the pagination selection on the *Exceptions lists* page ({kibana-pull}131979[#131979]).
-* Re-adds the success message that displays when users export an exceptions list ({kibana-pull}131952[#131952]).
-* Updates import toast logic to accurately report the total number of failures ({kibana-pull}131873[#131873]).
-* Ensures an error is not generated when the `agent.version` provided by an alert is in an unexpected format ({kibana-pull}131272[#131272]).
-* Improves error checks for threshold rules ({kibana-pull}131088[#131088]).
-* Expands support for migrating legacy rule actions ({kibana-pull}130511[#130511]).
-* Fixes a bug that caused the *Add Rule Exception* flyout to unexpectedly close when users create the first exception for the rule from an alert ({kibana-pull}130187[#130187]).
-* Corrects Rule name sorting so detection rules are ordered alphabetically, regardless of their casing ({kibana-pull}130105[#130105]).
-* Improves the *Reporter* column in the Cases table ({kibana-pull}132200[#132200]).
-* Adds the option to create a new case to the Select case pane ({kibana-pull}128882[#128882]).
-* Allows {kibana-ref}/pre-configured-connectors.html[preconfigured connectors] to be used with cases ({kibana-pull}130372[#130372]).
-* Inserts the deprecated icon next to deprecated preconfigured connectors ({kibana-pull}132237[#132237]).
-* Updates the Case table so that all tags assigned to the case are displayed when users go to the case and hover over the *Tags* column ({kibana-pull}132023[#132023]).
-* Adds Oauth support to the {sn} ITSM, SecOps, and ITOM connectors ({kibana-pull}131248[#131248]).
-* Adds a setting to specify a list of allowed email domains, which can be used with the email connector ({kibana-pull}129001[#129001]).
diff --git a/docs/release-notes/8.4.asciidoc b/docs/release-notes/8.4.asciidoc
deleted file mode 100644
index 7228c4d1c6..0000000000
--- a/docs/release-notes/8.4.asciidoc
+++ /dev/null
@@ -1,224 +0,0 @@ -[[release-notes-header-8.4.0]] -== 8.4 - -[discrete] -[[release-notes-8.4.3]] -=== 8.4.3 - -[discrete] -[[bug-fixes-8.4.3]] -==== Bug fixes and enhancements -* Aligns the delete icon in the Add Rule Exception flyout ({kibana-pull}141365[#141365]). -* Aligns the warning message title on the Rule details page with the warning icon ({kibana-pull}140719[#140719]). -* Fixes a bug that sometimes caused {elastic-endpoint} to stop running on Windows endpoints (https://github.com/elastic/endpoint/issues/29[#29]). - -[discrete] -[[release-notes-8.4.2]] -=== 8.4.2 - -[discrete] -[[known-issue-8.4.2]] -==== Known issues -* A new Lucene 9 validation change may cause event correlation rule (EQL) errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). -* In some situations, {elastic-endpoint} might change to a non-running state on Windows endpoints and fail to restart. {agent} will have an `Unhealthy` status when this happens (https://github.com/elastic/endpoint/issues/29[#29]). -+ -To determine whether {elastic-endpoint} has stopped running because of this issue, run the following PowerShell command as an administrator: - -+ -[source,console] --------------------------------------------------- -PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe" - - - ProviderName: Microsoft-Windows-CodeIntegrity - -TimeCreated Id LevelDisplayName Message ------------ -- ---------------- ------- -9/22/2022 10:47:35 AM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... -9/19/2022 2:10:14 PM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... 
---------------------------------------------------
-
-+
-
-If {elastic-endpoint} is not running, there are several workarounds you can take:
-
-** **Manually uninstall, then reinstall {elastic-endpoint} on affected hosts**: Remove an invalid {elastic-endpoint} installation by running the {elastic-endpoint} <> on affected hosts. Once the uninstallation process has finished, run the following command to restart {agent}, which automatically reinstalls {elastic-endpoint}:
-+
-[source,console]
---------------------------------------------------
-c:\Program Files\Elastic\Agent\elastic-agent.exe restart
---------------------------------------------------
-
-** **Uninstall, then reinstall the {endpoint-cloud-sec} integration on affected hosts**: Uninstalling and reinstalling the {endpoint-cloud-sec} integration on affected hosts will also force the uninstallation and reinstallation of {elastic-endpoint} on these hosts.
-+
-NOTE: Uninstalling the {endpoint-cloud-sec} integration may temporarily cause {agent}'s status to be `Unhealthy`. The status will change to `Healthy` once the integration is reinstalled.
-
-** **Downgrade {agent} and {elastic-endpoint} versions**: Downgrading to unaffected {agent} and {elastic-endpoint} versions resolves this issue.
-
-[discrete]
-[[bug-fixes-8.4.2]]
-==== Bug fixes and enhancements
-* Removes access to the **Notes** and **Pinned** tabs in Timeline templates ({kibana-pull}140478[#140478]).
-* Fixes a bug with the **Attach to existing case** option in Timeline ({kibana-pull}139929[#139929]).
-* Fixes bugs in the Rules table that affected the selected rule count and bulk select feature ({kibana-pull}139461[#139461]).
-* Fixes a bug that caused the Rules page to incorrectly notify users that a prebuilt rules update was available, even after rules were fully updated ({kibana-pull}139287[#139287]).
-* Fixes a bug that prevented users from accessing alert details if they didn't have the appropriate privileges to view the internal index `.internal.alerts-security.alerts-`. Now, the Alert details flyout correctly uses the public alias index `.alerts-security.alerts-` ({kibana-pull}138331[#138331]). - -[discrete] -[[release-notes-8.4.1]] -=== 8.4.1 - -[discrete] -[[known-issue-8.4.1]] -==== Known issues -* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). -* In some situations, {elastic-endpoint} might change to a non-running state on Windows endpoints and fail to restart. {agent} will have an `Unhealthy` status when this happens (https://github.com/elastic/endpoint/issues/29[#29]). -+ -To determine whether {elastic-endpoint} has stopped running because of this issue, run the following PowerShell command as an administrator: - -+ -[source,console] --------------------------------------------------- -PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe" - - - ProviderName: Microsoft-Windows-CodeIntegrity - -TimeCreated Id LevelDisplayName Message ------------ -- ---------------- ------- -9/22/2022 10:47:35 AM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... -9/19/2022 2:10:14 PM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... 
---------------------------------------------------
-
-+
-
-If {elastic-endpoint} is not running, there are several workarounds you can take:
-
-** **Manually uninstall, then reinstall {elastic-endpoint} on affected hosts**: Remove an invalid {elastic-endpoint} installation by running the {elastic-endpoint} <> on affected hosts. Once the uninstallation process has finished, run the following command to restart {agent}, which automatically reinstalls {elastic-endpoint}:
-+
-[source,console]
---------------------------------------------------
-c:\Program Files\Elastic\Agent\elastic-agent.exe restart
---------------------------------------------------
-
-** **Uninstall, then reinstall the {endpoint-cloud-sec} integration on affected hosts**: Uninstalling and reinstalling the {endpoint-cloud-sec} integration on affected hosts will also force the uninstallation and reinstallation of {elastic-endpoint} on these hosts.
-+
-NOTE: Uninstalling the {endpoint-cloud-sec} integration may temporarily cause {agent}'s status to be `Unhealthy`. The status will change to `Healthy` once the integration is reinstalled.
-
-** **Downgrade {agent} and {elastic-endpoint} versions**: Downgrading to unaffected {agent} and {elastic-endpoint} versions resolves this issue.
-
-[discrete]
-[[bug-fixes-8.4.1]]
-==== Bug fixes and enhancements
-* Fixes a bug that caused the Rules page to incorrectly notify users that a prebuilt rules update was available, even after rules were fully updated ({kibana-pull}139287[#139287]).
-
-[discrete]
-[[release-notes-8.4.0]]
-=== 8.4.0
-
-[discrete]
-[[known-issue-8.4.0]]
-==== Known issues
-* If additional look-back time is set for the advanced query rule preview, alerts from source documents that are outside the preview time frame may not appear in the preview ({kibana-pull}137422[#137422]).
-* A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`). -* The Rules page incorrectly displays a notification that an update for prebuilt rules is available even if the rules have been fully updated. Currently, there is no way to remove or hide the notification ({kibana-pull}139095[#139095]). -* In some situations, {elastic-endpoint} might change to a non-running state on Windows endpoints and fail to restart. {agent} will appear `Unhealthy` when this happens (https://github.com/elastic/endpoint/issues/29[#29]). -+ -To determine whether {elastic-endpoint} has stopped running because of this issue, run the following PowerShell command as an administrator: - -+ -[source,console] --------------------------------------------------- -PS C:\Users\user> Get-WinEvent Microsoft-Windows-CodeIntegrity/Operational | where Id -eq 3004 | where Message -match "elastic-endpoint.exe" - - - ProviderName: Microsoft-Windows-CodeIntegrity - -TimeCreated Id LevelDisplayName Message ------------ -- ---------------- ------- -9/22/2022 10:47:35 AM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... -9/19/2022 2:10:14 PM 3004 Error Windows is unable to verify the image integrity of the file \Device\HarddiskVolume3\Program Files\Elastic\Endpoint\elastic-endpo... --------------------------------------------------- - -+ - -If {elastic-endpoint} is not running, there are several workarounds you can take: - -** **Manually uninstall, then reinstall {elastic-endpoint} on affected hosts**: Remove an invalid {elastic-endpoint} installation by running the {elastic-endpoint} <> on affected hosts. 
Once the uninstallation process has finished, run the following command to restart {agent}, which automatically reinstalls {elastic-endpoint}:
-+
-[source,console]
---------------------------------------------------
-c:\Program Files\Elastic\Agent\elastic-agent.exe restart
---------------------------------------------------
-
-** **Uninstall, then reinstall the {endpoint-cloud-sec} integration on affected hosts**: Uninstalling and reinstalling the {endpoint-cloud-sec} integration on affected hosts will also force the uninstallation and reinstallation of {elastic-endpoint} on these hosts.
-+
-NOTE: Uninstalling the {endpoint-cloud-sec} integration may put {agent} in an `Unhealthy` state. This is temporary and the state will change to `Healthy` once the integration is reinstalled.
-
-** **Downgrade {agent} and {elastic-endpoint} versions**: Downgrading to unaffected {agent} and {elastic-endpoint} versions resolves this issue.
-
-[discrete]
-[[breaking-changes-8.4.0]]
-==== Breaking changes
-
-There are no breaking changes in 8.4.0.
-
-[discrete]
-[[features-8.4.0]]
-==== Features
-* Creates a new rule type, New Terms, that creates an alert when a value appears for the first time in a particular field ({kibana-pull}134526[#134526]).
-* Adds the Insights section to the Alert details flyout to show related cases and alerts ({kibana-pull}136009[#136009], {kibana-pull}138419[#138419])
-* Shows process alerts in the event process analyzer ({kibana-pull}135340[#135340]).
-* Adds support for wildcard exceptions for detection rules. New operators are `matches` and `does not match` ({kibana-pull}136147[#136147]).
-* Adds a new search query parameter, `dry_run`, to the bulk actions API that allows you to simulate a bulk action without permanently updating rules ({kibana-pull}134664[#134664]).
-* Creates the response console, an interface that enables you to take actions on specific hosts ({kibana-pull}135360[#135360], {kibana-pull}134520[#134520]).
-* Includes integration policy errors and statuses in {fleet} and {elastic-sec} to help troubleshoot when an {agent} has an `Unhealthy` status ({kibana-pull}136241[#136241], {kibana-pull}136038[#136038]).
-* Adds Attack surface reduction protections feature to reduce vulnerabilities on Windows endpoints. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory.
-* Adds an endpoint self-healing feature to roll back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features.
-* Adds the ability to run query packs as live queries ({kibana-pull}132198[#132198]).
-* Provides support for process, file, and network events in Kubernetes. You must enable the session view data setting on your {endpoint-cloud-sec} integration policy to enrich these events with session data and Kubernetes metadata fields.
-* Adds support for Amazon Elastic Kubernetes Service (EKS) to Kubernetes Security Posture Management (KSPM).
-* Adds new fields to prebuilt detection rules' schemas: `related_integrations`, `required_fields`, and `setup` ({kibana-pull}132409[#132409]).
-* Adds the *Related integrations*, *Required fields*, and *Setup guide* sections to the rule details page to help users identify and meet a rule's prerequisites. Also adds the related integrations badge to the Rules table ({kibana-pull}131475[#131475]).
-
-[discrete]
-[[bug-fixes-8.4.0]]
-==== Bug fixes and enhancements
-* Updates the Network page's UI to match the Hosts and Users pages ({kibana-pull}137541[#137541], {kibana-pull}136913[#136913]).
-* Improves the experience of bulk editing index patterns on rules by warning users early that machine learning rules can’t be edited ({kibana-pull}134664[#134664]).
-* Enhances rule previews with configurable rule intervals and look-back times ({kibana-pull}137102[#137102]).
-* Enhances the `status pending` badge for endpoint actions with a detailed status when you hover on it ({kibana-pull}136966[#136966]).
-* Turns grouped navigation on by default ({kibana-pull}136819[#136819]).
-* Improves the experience of bulk exporting rules by informing users early which rules can and cannot be exported ({kibana-pull}136418[#136418]).
-* Adds index pattern information to the Inspect panel ({kibana-pull}136407[#136407]).
-* Adds a custom dashboards table to the Dashboards page ({kibana-pull}136221[#136221], {kibana-pull}136671[#136671]).
-* Fixes a performance issue with creating alerts from source documents that contain a large number of fields ({kibana-pull}135956[#135956]).
-* Updates the rule exceptions UI ({kibana-pull}135255[#135255]).
-* Fixes performance issues with rules management ({kibana-pull}135311[#135311]).
-* Allows you to disable `@timestamp` as a fallback timestamp field when you've defined a timestamp override ({kibana-pull}135116[#135116]).
-* Enhances the host risk score UI ({kibana-pull}133708[#133708]).
-* Updates the lists index template to use new logic ({kibana-pull}133067[#133067]).
-* Adds event filters to event correlation rules ({kibana-pull}132507[#132507]).
-* Allows you to define a data view as the rule's data source, making runtime fields available for rule configuration ({kibana-pull}130929[#130929]).
-* Creates a single visualization pane on the Alerts page, and adds a treemap visualization that shows the distribution of alerts as nested, proportionally-sized tiles ({kibana-pull}126896[#126896]).
-* Fixes an incorrect counter for exported rules ({kibana-pull}138598[#138598]).
-* Fixes event filters based on OS version ({kibana-pull}138517[#138517]).
-* Fixes a bug that could change the batch size for event search in indicator rules ({kibana-pull}138356[#138356]).
-* Fixes a bug that prevented users from accessing alert details if they didn't have the appropriate privileges to view the internal index `.internal.alerts-security.alerts-`. Now, the Alert details flyout correctly uses the public alias index `.alerts-security.alerts-` ({kibana-pull}138331[#138331]).
-* Fixes the preview button for {ml} rules ({kibana-pull}137878[#137878]).
-* Fixes a bug that could crash the Endpoints list when a policy ID was missing ({kibana-pull}137788[#137788]).
-* Fixes a bug that could interfere with opening host or user details pages ({kibana-pull}137719[#137719]).
-* Fixes several bugs related to refreshing the Alerts page ({kibana-pull}137620[#137620]).
-* Fixes a bug that prevented threshold rules' Timeline templates from being respected during investigations ({kibana-pull}137233[#137233]).
-* Fixes a permissions bug related to the **Save Timeline** button ({kibana-pull}136724[#136724]).
-* Fixes a bug with selecting Timeline templates with the same name ({kibana-pull}135694[#135694]).
-* Fixes field aliases to `signal-threshold_result.*` ({kibana-pull}135565[#135565]).
-* Fixes a bug that lost track of which rules you had selected after refreshing the Rules page ({kibana-pull}135533[#135533]).
-* Fixes a bug that lost track of which rules you had selected after applying a bulk action on the Rules page ({kibana-pull}135291[#135291]).
-* Fixes a bug that prevented the Rules table from pausing auto-refresh while bulk actions were being applied ({kibana-pull}135208[135208]).
-* Fixes a bug that could cause queries with nested fields to fail when opened ({kibana-pull}134866[#134866]).
-* Fixes a bug that slowed down the display of network details ({kibana-pull}133539[#133539]).
-* Various minor bug fixes and enhancements ({kibana-pull}133079[#133079], {kibana-pull}138135[#138135], {kibana-pull}137588[#137588], {kibana-pull}137511[#137511], {kibana-pull}137492[#137492], {kibana-pull}135907[#135907], {kibana-pull}135426[#135426]).
-* Fixes an {endpoint-cloud-sec} bug on macOS and Linux that could cause CPU spikes if malware protection is enabled on an {endpoint-cloud-sec} integration policy (https://github.com/elastic/endpoint/issues/22[#22]).
-* Fixes a bug that could cause {endpoint-cloud-sec} to crash when outputting log data to {ls}.
-* Allows {endpoint-cloud-sec} to be added to agents running on Ubuntu 22.04 and Debian 11.
diff --git a/docs/release-notes/8.5.asciidoc b/docs/release-notes/8.5.asciidoc
deleted file mode 100644
index a33ffc41a2..0000000000
--- a/docs/release-notes/8.5.asciidoc
+++ /dev/null
@@ -1,148 +0,0 @@
-[[release-notes-header-8.5.0]]
-== 8.5
-
-[discrete]
-[[release-notes-8.5.3]]
-=== 8.5.3
-
-[discrete]
-[[known-issue-8.5.3]]
-==== Known issues
-* The rule details page and **Edit rule settings** page load indefinitely if you edit a rule that has the `saved_id` property configured. All rule types, except for the custom query rule, are affected.
-+
-Upgrading to 8.6 or higher resolves this issue. If you’d prefer to stay on 8.5, use the <> to remove the `saved_id` field from the non-functioning `query`, `eql`, `machine_learning`, `threat_match`, `threshold`, or `new_terms` rule.
-
-[discrete]
-[[bug-fixes-8.5.3]]
-==== Bug fixes and enhancements
-* Fixes a bug that caused {elastic-endpoint} to crash when running on busy Linux systems, and when network event collection or malicious behavior protection was enabled.
-* Fixes a bug that prevented Osquery packs from being ran outside of the default {kib} space ({kibana-pull}146410[#146410]).
-* Improves the "permissions required" message that appears on Cloud Posture pages for users without necessary permissions ({kibana-pull}145794[#145794]).
-
-[discrete]
-[[release-notes-8.5.2]]
-=== 8.5.2
-
-[discrete]
-[[known-issue-8.5.2]]
-==== Known issues
-* The rule details page and **Edit rule settings** page load indefinitely if you edit a rule that has the `saved_id` property configured. All rule types, except for the custom query rule, are affected.
-+
-Upgrading to 8.6 or higher resolves this issue. If you’d prefer to stay on 8.5, use the <> to remove the `saved_id` field from the non-functioning `query`, `eql`, `machine_learning`, `threat_match`, `threshold`, or `new_terms` rule.
-
-[discrete]
-[[bug-fixes-8.5.2]]
-==== Bug fixes and enhancements
-There are no user-facing changes in 8.5.2.
-
-[discrete]
-[[release-notes-8.5.1]]
-=== 8.5.1
-
-[discrete]
-[[known-issue-8.5.1]]
-==== Known issues
-* The rule details page and **Edit rule settings** page load indefinitely if you edit a rule that has the `saved_id` property configured. All rule types, except for the custom query rule, are affected.
-+
-Upgrading to 8.6 or higher resolves this issue. If you’d prefer to stay on 8.5, use the <> to remove the `saved_id` field from the non-functioning `query`, `eql`, `machine_learning`, `threat_match`, `threshold`, or `new_terms` rule.
-
-[discrete]
-[[bug-fixes-8.5.1]]
-==== Bug fixes and enhancements
-* Fixes a bug that caused {elastic-endpoint}s running on Linux systems with many CPUs to sometimes become unhealthy (https://github.com/elastic/endpoint/issues/34[#34]).
-* Fixes a bug that caused incorrect alerts to display in Timeline when investigating alerts from the Detection & Response dashboard ({kibana-pull}144319[#144319]).
-* Updates the User authentication area chart so it can be opened in Lens ({kibana-pull}144011[#144011]).
-* Fixes the {jira} connector icon for users with a Basic license ({kibana-pull}143916[#143916]).
-* Updates the link in the machine learning rule type card to direct users towards the Elastic licensing page ({kibana-pull}143836[#143836]).
-* Turns off the option to edit machine learning rules if users don’t have the Machine Learning privilege in Kibana set to `All` ({kibana-pull}143260[#143260]).
-* Removes the ability to enable and disable machine learning rules from the UI for users without the Machine Learning privilege in Kibana set to `All` ({kibana-pull}143252[#143252]).
-* Fixes bug that caused the Indicators page to crash ({kibana-pull}144348[#144348], {kibana-pull}144651[#144651]).
-
-[discrete]
-[[release-notes-8.5.0]]
-=== 8.5.0
-
-[discrete]
-[[known-issue-8.5.0]]
-==== Known issues
-* Users might experience slightly longer installation and upgrade times for the user and host risk score features ({kibana-pull}142434[#142434]).
-* Version 8.5.0 {elastic-endpoint}s running on Linux systems with many CPUs may become unhealthy. For a workaround refer to https://github.com/elastic/endpoint/issues/34[issue #34].
-* The rule details page and **Edit rule settings** page load indefinitely if you edit a rule that has the `saved_id` property configured. All rule types, except for the custom query rule, are affected.
-+
-Upgrading to 8.6 or higher resolves this issue. If you’d prefer to stay on 8.5, use the <> to remove the `saved_id` field from the non-functioning `query`, `eql`, `machine_learning`, `threat_match`, `threshold`, or `new_terms` rule.
-
-[discrete]
-[[breaking-changes-8.5.0]]
-==== Breaking changes
-
-* Host and user risk score features that were installed in 8.4 or earlier are not ECS-compatible and, therefore, cannot generate new risk scores in 8.5. Before upgrading, users can archive their existing risk indices if they want to keep their old host and user risk scores. Otherwise, new risk indices will be generated once users upgrade host and user risk score features ({kibana-pull}140377[#140377]).
-
-[discrete]
-[[deprecations-8.5.0]]
-==== Deprecations
-* Deprecates the risk score index and displays the **Upgrade** button in host and user risk score cards on the Entity Analytics dashboard ({kibana-pull}140143[#140143]).
-
-[discrete]
-[[features-8.5.0]]
-==== Features
-* Endpoint response actions history can be filtered and searched ({kibana-pull}134520[#134520], {kibana-pull}140259[#140259], {kibana-pull}138982[#138982], {kibana-pull}140975[#140975]).
-* Endpoint response actions history has a standalone page for all endpoints ({kibana-pull}140306[#140306]).
-* Introduces the Entity Analytics dashboard, which showcases host and user risk scores and anomalies. Also adds host and user risk data to the user and host detail pages. These features require a Platinum license or higher. ({kibana-pull}137688[#137688], {kibana-pull}140270[#140270], {kibana-pull}139462[#139462]).
-* Updates the *Anomalies* tab to display the same quantity of anomalies when navigating from the Entity Analytics dashboard ({kibana-pull}139910[#139910]).
-* Enriches alerts with host and user risk scores ({kibana-pull}139478[#139478]).
-* Enables the Indicators page by default if users have an https://www.elastic.co/pricing[Enterprise subscription] and makes the functionality generally available ({kibana-pull}141117[#141117]).
-* Allows indicator data to be investigated in Timeline by including the *Add to Timeline* button throughout the Indicators table ({kibana-pull}138836[#138836], {kibana-pull}140496[#140496]).
-* Removes the Host risk score card from the Overview dashboard ({kibana-pull}140177[#140177]).
-* Adds the option to bulk edit rule schedules to the bulk actions menu in the Rules table ({kibana-pull}140166[#140166]).
-* Adds the option to bulk edit rule actions to the bulk actions menu in the Rules table ({kibana-pull}138900[#138900]).
-* Adds an alert count card to the User, Host, and Network detail pages. The card shows alerts per rule and can be filtered by alert status ({kibana-pull}140150[#140150]).
-* Allows users to examine alerts associated with events and enables the Alerts related by process ancestry section by default if they have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({kibana-pull}140006[#140006]).
-* Enables the Alerts related by session ID section by default. It appears in the Alert details flyout if users have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({kibana-pull}140006[#140006]).
-* Renames the Elastic Endpoint and Cloud Security integration to the Elastic Defend integration ({kibana-pull}139517[#139517]).
-* Adds preconfigured use cases to the setup wizard for the {elastic-defend} integration (formerly known as Endpoint and Cloud Security), each with different default settings ({kibana-pull}139230[#139230]).
-* Updates the UI for the rule details page's *Exceptions* tab ({kibana-pull}138770[#138770]).
-* Enables the Osquery Response Action on custom query detection rules, and adds an *Osquery Results* tab to the Alert details flyout. Users can use the Osquery Response Action to immediately query hosts that generate alerts ({kibana-pull}133279[#133279]).
-* Enables rule exceptions to reference value lists, regardless of rule type. One caveat is that text type value lists still do not work for EQL and threshold rules ({kibana-pull}133254[#133254]).
-* Introduces the new alert renderer, which concisely displays a detailed summary of the `kibana.alert.reason` field. It appears in Timeline, throughout the Alerts page, and on the Alert details flyout ({kibana-pull}140825[#140825]).
-* Introduces the <> (KSPM) integration as GA. You can now use it to monitor the security posture of your self-managed and Amazon EKS clusters, in addition to unmanaged clusters.
-* Adds a status filter to the Endpoints Response actions page ({kibana-pull}139982[#139982]).
-* Shows host names on the Endpoints Response actions page ({kibana-pull}139379[#139379]).
-
-[discrete]
-[[bug-fixes-8.5.0]]
-==== Bug fixes and enhancements
-* Endpoint response actions console UI indicates if response action commands aren't supported by the installed version of {agent} ({kibana-pull}138662[#138662]).
-* Fixes a bug that sometimes caused event correlation rule (EQL) errors whenever rule queries contained regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`) (https://github.com/elastic/elasticsearch/pull/90064[#90064]).
-* Adds the `has_guide` tag to all prebuilt rules with investigation guides. Users can filter the Rules table by this tag to quickly find prebuilt rules with investigation guides (https://github.com/elastic/detection-rules/pull/2297[#2297]).
-* Informs users when the event analyzer's current time range is too narrow to include event data ({kibana-pull}140831[#140831]).
-* Lets users inspect bar charts and data grids, as with other data visualizations ({kibana-pull}140810[#140810]).
-* Makes the Indicators table sortable by any column ({kibana-pull}140582[#140582]).
-* Provides the ability to add fields to Indicators table ({kibana-pull}138882[#138882]).
-* Updates the rule preview UI to be available at any step of creating or editing a detection rule. Rule previews are also now available for Elastic prebuilt rules, and include exceptions and field overrides ({kibana-pull}140221[#140221]).
-* Adds an overview tab to the Indicator details flyout ({kibana-pull}140073[#140073]).
-* Improves the UI for saved rule queries ({kibana-pull}140064[#140064]).
-* Computes `threat.indicator.name` on the {es} server instead of on the client ({kibana-pull}139814[#139814]).
-* Makes the state of tables throughout {elastic-sec} persist; for example, when users toggle between table view and grid view ({kibana-pull}139696[#139696]).
-* Lets users enable multiple filters using various plus `+` and minus `-` buttons. Previously, adding a new filter in this way could remove the existing filters ({kibana-pull}139616[#139616]).
-* Updates rule details page URLs to specify which tab to focus ({kibana-pull}139592[#139592]).
-* Simplifies the process of adding a rule exception ({kibana-pull}138169[#138169]).
-* Hides the process ancestry insights interface when data is unavailable ({kibana-pull}141751[#141751]).
-* Formats the Rules table's `Last Gap` column in a human readable way ({kibana-pull}141363[#141363]).
-* Introduces fuzzy search for user names in the Actions Log ({kibana-pull}141239[#141239]).
-* Improves the layout for the *Add Field* menu ({kibana-pull}141084[#141084]).
-* Restores users' ability to create exceptions with leading or trailing white space ({kibana-pull}139617[#139617]).
-* Fixes two minor bugs with the *Overwrite existing rules* option for rule import ({kibana-pull}138758[#138758], {kibana-pull}139470[#139470]).
-* Fixes a bug that made the `binary` field type appear usable in Exception entries despite not being supported ({kibana-pull}139370[#139370]).
-* Fixes a bug that prevented a toast message from appearing after users export a rule from the rule details page ({kibana-pull}139209[#139209]).
-* Fixes sorting and pagination bugs on the *Import value lists* menu ({kibana-pull}138381[#138381]).
-* Mimics native link behavior for single-page application links ({kibana-pull}142304[#142304]).
-* Fixes validation issues within the rule Actions tab ({kibana-pull}141811[#141811]).
-* Fixes a bug with visualization types on the Hosts, Network, Users page ({kibana-pull}141235[#141235]).
-* Updates the documentation link on the Trusted applications page ({kibana-pull}142467[#142467]).
-* Provides the ability to run Osquery from a rule's investigation guide ({kibana-pull}95149[#95149]).
-* Improves Timeline’s performance when users investigate alerts related by process ancestry ({kibana-pull}142805[#142805]).
-* Fixes a rule import bug that removed references to exception lists ({kibana-pull}143882[#143882]).
-* Fixes a bug that prevented the authentication area chart on the Users page to be opened in Lens ({kibana-pull}144011[#144011]).
-* Shows the Host isolation exceptions page if users have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({kibana-pull}143362[#143362]).
-* Fixes displayed commands in the Endpoint response actions log ({kibana-pull}140378[#140378]).
-* Updates the pagination header color in the Endpoint response actions history table ({kibana-pull}141847[#141847]).
diff --git a/docs/release-notes/8.6.asciidoc b/docs/release-notes/8.6.asciidoc
deleted file mode 100644
index 1ea7b898f0..0000000000
--- a/docs/release-notes/8.6.asciidoc
+++ /dev/null
@@ -1,128 +0,0 @@ -[[release-notes-header-8.6.0]] -== 8.6 - -[discrete] -[[release-notes-8.6.2]] -=== 8.6.2 - -[discrete] -[[known-issue-8.6.2]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. - -[discrete] -[[bug-fixes-8.6.2]] -==== Bug fixes and enhancements -* Fixes a bug that prevented related alerts from closing when the *Close all alerts that match this exception* option was selected on an exception ({kibana-pull}150765[#150765]). -* Ensures {elastic-endpoint} sends intermediate certificates to the server for SSL validation. - -[discrete] -[[release-notes-8.6.1]] -=== 8.6.1 - -[discrete] -[[known-issue-8.6.1]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. - -[discrete] -[[bug-fixes-8.6.1]] -==== Bug fixes and enhancements -* Fixes a bug that prevented Osquery results from being viewed in {kib} when using the Osquery Manager integration with {agent}. Upgrade to {stack} version 8.6.1 and {agent} 8.6.1 to apply this fix to your deployment (https://github.com/elastic/beats/issues/34250[#34250]). -* Fixes a bug that impacted the way Osquery results were displayed in Lens and Discover ({kibana-pull}148260[#148260]). -* Adds an advanced setting to the {elastic-defend} policy that allows users to enable or disable host isolation on Linux endpoints ({kibana-pull}149177[#149177]). - -[discrete] -[[release-notes-8.6.0]] -=== 8.6.0 - -[discrete] -[[known-issue-8.6.0]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. 
To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* When using the Osquery Manager integration with {agent}, Osquery results aren't properly written to {es} and, therefore, cannot be viewed in Kibana (https://github.com/elastic/beats/issues/34250)[#34250]). We recommend that Osquery users skip {stack} version 8.6.0 and upgrade to {stack} version 8.6.1 or later when available. -* Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as `\"`). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (https://github.com/elastic/detection-rules/pull/2447[#2447]). - -[discrete] -[[breaking-changes-8.6.0]] -==== Breaking changes - -There are no breaking changes in 8.6.0. - -[discrete] -[[deprecations-8.6.0]] -==== Deprecations -There are no deprecations in 8.6.0. - - -[discrete] -[[features-8.6.0]] -==== Features -* Allows you to add indicators to new or existing cases ({kibana-pull}145121[#145121]). -* Adds the `is one of` operator to the *Add field* menu in Timeline ({kibana-pull}144988[#144988]). -* Adds an "Add to timeline investigation" button to the User Risk Scores and Host Risk Scores cards on the Entity Analytics dashboard ({kibana-pull}144819[#144819]). -* Provides the option to duplicate rules and their exceptions or rules only ({kibana-pull}144782[#144782]). -* Improves the Shared Exception Lists page and allows you to export read-only exception lists ({kibana-pull}144383[#144383]). -* Enables you to build runtime queries using alert data or hard-coded literal values. (Technical preview only). ({kibana-pull}145240[#145240]). -* Creates a new connector for Tines ({kibana-pull}143505[#143505]). -* Updates the UI for adding and editing exceptions ({kibana-pull}143127[#143127]). 
-* Creates a Shared Exception Lists page for creating, viewing, and modifying shared exception lists ({kibana-pull}143041[#143041]). -* Enables you to bulk-add up to 4000 events to Timeline ({kibana-pull}142737[#142737]). -* Enables alert suppression per rule execution for custom query rules ({kibana-pull}142686[#142686]). -* Improves role-based access controls for {kib} users performing response actions ({kibana-pull}142825[#142825]). - -[discrete] -[[bug-fixes-8.6.0]] -==== Bug fixes and enhancements -* Adds the *View indicators* button to the Threat Intelligence card ({kibana-pull}145125[#145125]). -* Improves the interface for creating rule exceptions and shared exception lists ({kibana-pull}144575[#144575]). -* Adds cases metadata in the Cases panel on the alert details page ({kibana-pull}144430[#144430]). -* Improves the UX for managing {ml} jobs while managing {ml} rules ({kibana-pull}144080[#144080]). -* Enables you to run {ml} jobs from the Notable Anomalies table ({kibana-pull}142861[#142861]). -* Updates the take action UI for charts on the Hosts, Users, and Network pages ({kibana-pull}138369[#138369]). -* Adds a *Respond* button to the Host Details page for hosts with an {agent} installed ({kibana-pull}143988[#143988]). -* Allows you to add up to three new terms to New Terms rule queries, enabling you to create alerts when multiple new terms appear in the same event ({kibana-pull}143943[#143943]). -* Allows you to launch Timeline from the Entity Analytics dashboard by clicking alert counts ({kibana-pull}143841[#143841]). -* Adds missing TLP Marking badges to the Indicators table and Indicator details flyout ({kibana-pull}143431[#143431]). -* Ensures the empty state of the Indicators page does not appear when threat intelligence integrations are installed ({kibana-pull}143328[#143328]). -* Turns the anomalies count on the Entity Analytics dashboard into a link that goes to the Anomalies table ({kibana-pull}143085[#143085]). 
-* Pre-selects the `threat` category when you open the Fields browser ({kibana-pull}142698[#142698]). -* Adds a `copy to clipboard` action for indicators in the Indicators table ({kibana-pull}142675[#142675]). -* Adds a `User risk classification` column to the Users table ({kibana-pull}142610[#142610]). -* Adds a label to the Indicators page that states when it was last updated ({kibana-pull}142560[#142560]). -* Specifies that links from the Threat Intelligence page to the Integrations page should open the Threat Intelligence integrations category ({kibana-pull}142538[#142538]). -* Enables full-screen mode on the Indicators table ({kibana-pull}142519[#142519]). -* Implements the standard search bar and date picker on the Threat Intelligence page ({kibana-pull}142336[#142336]). -* Updates the design of the Shared Exception Lists page ({kibana-pull}142289[#142289]). -* Displays comments for expanded items in the Action history page ({kibana-pull}141938[#141938]). -* Adds HTTP 409 conflict response status codes to error messages for several API requests ({kibana-pull}146389[#146389]). -* Adds the new Data Exfiltration Detection (DED) integration package (https://github.com/elastic/integrations/pull/4486[#4486]). -* Renames the sorting toggle on the Rules page from *Technical preview* to *Advanced sorting* (https://github.com/elastic/kibana/pull/144733[#144733]). -// Items below this line were labeled as "bugfixes" rather than "enhancements" -* Replaces the *Run job* button with a *Stop job* button when the job is running ({kibana-pull}146407[#146407]). -* Fixes a bug that prevented you from editing an exception while adding a comment to it from the Rules details flyout ({kibana-pull}145575[#145575]). -* Fixes a bug that could cause rule previews for New Terms rules to fail ({kibana-pull}145707[#145707]). -* Fixes a bug that could cause a "Page not found" error when you navigated to a shared exception list ({kibana-pull}145833[#145833]). 
-* Fixes a bug with the loading indicator that appears when bulk actions are pending ({kibana-pull}145905[#145905]). -* Fixes a bug with the linked rules count for shared exception lists ({kibana-pull}145976[#145976]). -* Fixes a bug that prevented you from editing policies created before {stack} version 8.3.0 if you had a basic license ({kibana-pull}146050[#146050]). -* Fixes a bug that sometimes prevented the Rules table from updating as expected ({kibana-pull}146271[#146271]). -* Fixes a bug that sometimes prevented the display of rule preview graphs for custom rules ({kibana-pull}142120[#142120]). -* Removes the `Optional` label from the `Additional look-back time` rule setting ({kibana-pull}142375[#142375]). -* Fixes a bug that could result in duplicate entries in the Host's page's Events table query ({kibana-pull}143239[#143239]). -* Fixes a bug that could interfere with Platinum users' access to the Host Isolation page ({kibana-pull}143366[#143366]). -* Fixes a bug that prevented the event analyzer's state from persisting when you switched tabs on the Alerts page ({kibana-pull}144291[#144291]). -* Fixes a bug that sometimes caused a page crash when you searched for an indicator ID on the Intelligence page ({kibana-pull}144344[#144344]). -* Fixes a bug that prevented newly imported rules from appearing on the Rules page before the page was refreshed ({kibana-pull}144359[#144359]). -* Fixes a bug with the toast message for successful bulk editing of rules ({kibana-pull}144497[#144497]). -* Fixes a bug that prevented the Event Analyzer from opening in Timeline when the *Show only detection alerts* option is enabled ({kibana-pull}144705[#144705]). -* Fixes bugs that affected the display and persistence of event action menus ({kibana-pull}145025[#145025]). -* Fixes a bug that limited the display of breadcrumbs on the Shared Exception Lists page ({kibana-pull}145605[#145605]). 
-* Fixes various minor UI bugs on the Shared Exception Lists page ({kibana-pull}145334[#145334]). -* Improves the "permissions required" message that appears on Cloud Posture pages for users without necessary permissions ({kibana-pull}145794[#145794]). -* Fixes a bug that could cause a "Page not found" error when navigating to an exception list without a description ({kibana-pull}145833[#145833]). -* Fixes a visual bug with the fullscreen view of rule preview results ({kibana-pull}146687[#146687]). -* Fixes a visual bug with the fullscreen view of Osquery results ({kibana-pull}147076[#147076]). -* Fixes a bug with the refresh indicator on the Rule details page ({kibana-pull}147806[#147806]). -* Reenables ransomware canary files. -* Fixes a bug that caused the rule details page and the **Edit rule settings** page to load indefinitely if you edited a rule that had the `saved_id` property configured. \ No newline at end of file diff --git a/docs/release-notes/8.7.asciidoc b/docs/release-notes/8.7.asciidoc deleted file mode 100644 index f3b61e7aee..0000000000 --- a/docs/release-notes/8.7.asciidoc +++ /dev/null 
@@ -1,304 +0,0 @@ -[[release-notes-header-8.7.0]] -== 8.7 - -[discrete] -[[release-notes-8.7.1]] -=== 8.7.1 - -[discrete] -[[known-issue-8.7.1]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view. -* The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <> to manage exceptions. -* If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the <> API. - -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. 
- "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -[discrete] -[[enhancements-8.7.1]] -==== Enhancements -There are no user-facing changes in 8.7.1. - -[discrete] -[[bug-fixes-8.7.1]] -==== Bug fixes -* Fixes a bug that caused the {agent} upgrade from 8.6.2 to 8.7.0 to fail for {agents} running the Osquery Manager integration (https://github.com/elastic/elastic-agent/pull/2448[#2448]). - -+ - -[NOTE] - -===== -To prevent upgrade issues while upgrading {agent} from 8.6.2 or 8.7.0, delete the Osquery Manager integration from your {agents} before upgrading them, then re-add it after upgrading. - - -If you already upgraded your {agents} and they're stuck in the `Updating` state, you'll need to upgrade them using the API instead of {fleet}. First, remove the Osquery integration from the {agents}, then use the https://petstore.swagger.io/?url=https://raw.githubusercontent.com/elastic/kibana/8.7/x-pack/plugins/fleet/common/openapi/bundled.json#/default/upgrade-agent[Agent upgrade API] to start the upgrade. After the upgrade completes, add the Osquery Manager integration to the {agents} again. - -===== - - -* Fixes a UI bug that affected the rule details page when rules had long queries ({kibana-pull}153338[#153338]). -* Fixes exception operator logic for mapping field conflicts ({kibana-pull}155071[#155071]). 
-* Fixes a bug that stopped {elastic-defend} from working when malware protection was enabled on Linux hosts. -* Fixes a bug that prevented policy artifacts from being properly updated after being added to the `.fleet-artifacts` index ({kibana-pull}154810[#154810]). -+ - -[NOTE] - -===== -If the error message `Failed to download or validate user artifacts` appears in the Policy Response section of your Elastic Defend integration policy, you can resolve the error by adding the affected endpoint policy artifacts as <>, <>, <>, <>, or <>. - - -To find the affected endpoint policy artifacts: - -. Go to *Fleet -> Agent policies*. -. Open the impacted {agent} policy. -. Select *Actions -> View policy*. -. Search for `compression_algorithm: none` in the policy details. This field-value pair will appear under the affected endpoint policy artifacts. - -===== - -[discrete] -[[release-notes-8.7.0]] -=== 8.7.0 - -[discrete] -[[known-issue-8.7.0]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* After alerts are generated for the first time, you may have to refresh your browser before your alert data appears on pages that use data views (for example, Timeline). Navigating between pages will not work (https://github.com/elastic/security-docs/issues/3046[#3046]). - - -* The {agent} upgrade from 8.6.2 to 8.7.0 might fail for {agents} running the Osquery Manager integration (https://github.com/elastic/elastic-agent/issues/2433[#2433]). To prevent this, delete the Osquery Manager integration from your {agents} before upgrading them to 8.7.0, then re-add it after upgrading. - -+ -If you already upgraded your {agents}, and they're are stuck in the `Updating` state, you'll need to upgrade them using the API instead of {fleet}. 
First, remove the Osquery integration from the {agents}, then use the https://petstore.swagger.io/?url=https://raw.githubusercontent.com/elastic/kibana/8.7/x-pack/plugins/fleet/common/openapi/bundled.json#/default/upgrade-agent[Agent upgrade API] to start the upgrade. After the upgrade completes, add the Osquery Manager integration to the {agents} again. -+ - -NOTE: This problem can occur when upgrading {agents} from 8.6.2 or 8.7.0 to any other version. Keep this in mind when upgrading {agents} running 8.6.2 or 8.7.0 to newer versions. - -* Enabling malware protection on Linux hosts might cause {elastic-defend} to enter a failed state when mount points are unmounted, which will stop the integration from working. To fix this, turn off <> on the {elastic-defend} integration policy. - -* Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view. -* The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <> to manage exceptions. -* If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the <> API. - -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. 
-GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -[discrete] -[[breaking-changes-8.7.0]] -==== Breaking changes - -There are no breaking changes in 8.7.0. - -[discrete] -[[deprecations-8.7.0]] -==== Deprecations -There are no deprecations in 8.7.0. - - -[discrete] -[[features-8.7.0]] -==== New features - -* Creates a new dashboard, Data Quality, which highlights any issues in your ECS field mappings ({kibana-pull}150063[#150063]). -* Introduces a new event type (`Credential access`) to represent credential dumping attempts on Windows using tools like Mimikatz or fgdump. -* Creates a Torq connector that can trigger Torq workflows. You must have at least a https://www.elastic.co/pricing[Platinum subscription] to use this connector ({kibana-pull}149405[#149405]). -* Adds more key performance indicator charts to the Alerts page ({kibana-pull}150242[#150242], {kibana-pull}149173[#149173], and {kibana-pull}146938[#146938]). 
-* Allows you to set expiration dates for rule exceptions and choose whether to include expired exceptions when you export shared exception lists ({kibana-pull}145180[#145180]). -* Adds two more inline actions (*Copy to clipboard* and *Add to timeline investigation*) to chart legends and tables ({kibana-pull}146779[#146779]). -* Allows you to include connectors when exporting and importing rules ({kibana-pull}148703[#148703]). -* Adds "Group by" functionality to the Alerts table (technical preview only)({kibana-pull}149145[#149145]). -* Improves the UI for building an Investigation Guide query ({kibana-pull}150363[#150363]). -* Adds the ability to create a rule from a Timeline ({kibana-pull}143020[#143020]). -* Adds the option to suppress custom query rule alerts during a specific time window. Duplicate alerts within that time window will be grouped ({kibana-pull}148868[#148868]). -* Introduces the <>, which detects misconfigured cloud resources in AWS accounts. - -[discrete] -[[enhancements-8.7.0]] -==== Enhancements - -* Improves the formatting and readability of machine learning job names ({kibana-pull}148974[#148974], {kibana-pull}148780[#148780]). -* Improves sorting of the Rules table: allows you to sort it by any column, removes the *Advanced sorting* toggle, and removes the `Version` column ({kibana-pull}149840[#149840]). -* Adds a *Clear table filters* button to the Rules page so you can clear all filters in one click ({kibana-pull}150059[#150059]). -* Warns you about type conflicts and unmapped indices when creating rule exceptions ({kibana-pull}149149[#149149]). -* Adds buttons to the Rules page that allow you to view only enabled or disabled rules ({kibana-pull}150153[#150153]). -* The *Related alerts by process ancestry* section of the alert details flyout is now generally available (GA) ({kibana-pull}152011[#152011]). -* Adds the option to suppress custom query rule alerts during a specific time window. 
Duplicate alerts within that time window will be grouped ({kibana-pull}148868[#148868]). -* Reduces alert creation errors by stopping the detection engine from writing non-ECS-compliant fields to alerts from source events ({kibana-pull}147628[#147628]). -* Simplifies the interface for navigating from a rule's details page back to the Rules page ({kibana-pull}147357[#147357]). -* Allows you to resize the Rule preview panel ({kibana-pull}147351[#147351]). -* Improves the Bulk Edit API by adding a `skipped` property to rules that weren't updated, and updates the toast message to show which were skipped ({kibana-pull}147345[#147345]). -* Allows placeholder fields in Osquery queries ({kibana-pull}146598[#146598]). -* Allows the Rules table state to persist even after you refresh or navigate to another page ({kibana-pull}145111[#145111]). -* Improves data fetch performance throughout {elastic-sec}, especially for deployments with large indices and multiple integrations ({kibana-pull}142904[#142904]). -* Introduces cross-cluster search support for Indicator Match rules by improving rule performance ({kibana-pull}149113[#149113]). -* Improves the toast message that appears when you export an exception list ({kibana-pull}152301[#152301]). - -[discrete] -[[bug-fixes-8.7.0]] -==== Bug fixes -* Various bug fixes and UX enhancements for the Alerts page ({kibana-pull}152402[#152402]). -* Fixes a bug that could cause your cursor to jump to the end of the text field when editing a rule action message ({kibana-pull}150823[#150823]). -* Fixes a bug that could result in incorrect links to machine learning jobs from search results ({kibana-pull}150881[#150881]). -* Fixes a bug that caused a fade in and out effect on rule descriptions ({kibana-pull}150998[#150998]). -* Fixes a bug that caused the Alerts page to default to the wrong chart type ({kibana-pull}151073[#151073]). 
-* Fixes a bug that could hide some shared exception lists when you changed the number of rows in the exceptions lists view ({kibana-pull}151393[#151393]). -* Removes a blank option from the *Field* browser in the Add rule exception flyout ({kibana-pull}151398[#151398]). -* Fixes a UI text bug that conflated Endpoint exceptions with regular rule exceptions ({kibana-pull}151532[#151532]). -* Fixes a bug that could cause an unnecessary warning to display in the Add rule exception flyout ({kibana-pull}151570[#151570]). -* Fixes a bug with the empty state that appears when your exception lists search yields no results ({kibana-pull}151530[#151530]). -* Fixes a bug that sometimes prevented a Timeline from saving when it was created using the *Investigate in timeline* action on an alert ({kibana-pull}151616[#151616]). -* Fixes a bug that could cause unnecessary validation errors in text entry fields in the Add rule exception flyout ({kibana-pull}151654[#151654]). -* Fixes a bug that caused some module names to be partially hidden on the Overview dashboard ({kibana-pull}151843[#151843]). -* Fixes a visual bug that affected empty rule previews ({kibana-pull}151869[#151869]). -* Fixes a bug that could cause a rule's related integrations to incorrectly appear as not installed on the Rules table and the rule details page ({kibana-pull}152055[#152055], {kibana-pull}149646[#149646]). -* Changes the *Import list* button name to *Import value list* ({kibana-pull}152281[#152281]). -* Fixes a bug that broke the visual analyzer for sysmon data ingested via {agent} ({kibana-pull}152418[#152418]). -* Fixes a bug that incorrectly allowed you to use custom fields in the Add Endpoint Exception flyout ({kibana-pull}152619[#152619]). -* Fixes a bug where the two breadcrumbs on shared exception lists pages did not use the same text ({kibana-pull}152629[#152629]). 
-* Fixes an issue in the Update exception item API that incorrectly merged existing objects with updated objects ({kibana-pull}151952[#151952]). -* Fixes a bug that affected the rule status refresh loading indicator ({kibana-pull}147806[#147806]). \ No newline at end of file diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc deleted file mode 100644 index a5337b2696..0000000000 --- a/docs/release-notes/8.8.asciidoc +++ /dev/null 
@@ -1,508 +0,0 @@
-[[release-notes-header-8.8.0]]
-== 8.8
-
-[discrete]
-[[release-notes-8.8.2]]
-=== 8.8.2
-
-[discrete]
-[[known-issue-8.8.2]]
-==== Known issues
-* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
-* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
-* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
-* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
-
-** Open alerts in Timeline.
-** Adjust the Alerts table size. Do one of the following:
-
-*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container.
-*** Adjust your OS zoom settings and refresh the page.
-
-** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.)
-* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]).
-+
-NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents.
-
-+
-The workaround for this issue depends on the types of alerts you want to display in the Alerts table.
Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.8.2]] -==== Breaking changes - -There are no breaking changes in 8.8.2. 
- -[discrete] -[[enhancements-8.8.2]] -==== Enhancements -There are no user-facing changes in 8.8.2. - -[discrete] -[[bug-fixes-8.8.2]] -==== Bug fixes -* Fixes a bug that affected links to {kib} results generated by actions on rules from non-default {kib} spaces ({kibana-pull}159966[#159966]). -* Fixes a bug that prevented users from saving a Timeline after adding a `number` field ({kibana-pull}159723[#159723]). -* Fixes a bug that caused error messages to wrongfully display if users selected uninstalled {ml} jobs while creating a {ml} rule ({kibana-pull}159316[#159316]). -* Removes hover actions from tables within the Detection & Response dashboard when the alert count is zero ({kibana-pull}158902[#158902]). -* Fixes bugs in the Anomalies table that left {ml} jobs greyed out after they were installed ({kibana-pull}158821[#158821]) and that stopped some job counts from appearing ({kibana-pull}158739[#158739]). -* Fixes a bug that caused the **Add exceptions flyout** to load indefinitely and display an out of memory error when a rule had a large number of unmapped fields in multiple indices ({kibana-pull}159216[#159216]). -* Fixes a bug that prevented cell actions on fields with multiple values in the Alerts table ({kibana-pull}158060[#158060]). -* Fixes a bug that caused the Alerts page to query unnecessary indices ({kibana-pull}157286[#157286]). -* Fixes a bug that broke the mustache syntax for variables in rule actions ({kibana-pull}160446[#160446]). -* Fixes a bug that caused exception items to be erroneously duplicated if you modified an exception item using the <> API and _only_ specified its `item_id` ({kibana-pull}159223[#159223]). -+ -NOTE: If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. 
- -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - - -[discrete] -[[release-notes-8.8.1]] -=== 8.8.1 - -[discrete] -[[known-issue-8.8.1]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. -* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. 
- -* If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the <> API. - -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. 
Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. - -+ -The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. 
Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.8.1]] -==== Breaking changes - -There are no breaking changes in 8.8.1. - -[discrete] -[[features-8.8.1]] -==== New features - -* Introduces the Generative AI connector and <> for {elastic-sec} ({kibana-pull}157228[#157228], {kibana-pull}156933[#156933]). - -[discrete] -[[bug-fixes-8.8.1]] -==== Bug fixes -* Fixes a bug that made field types appear as `unknown` within the **Fields** browser and when examining alert or event details ({kibana-pull}158594[#158594]). -* Fixes a bug that caused all field types in the **Fields** browser to appear as `unknown` ({kibana-pull}158594[#158594]). -* Fixes a bug that caused the **Add rule exception** flyout to load indefinitely when index fields couldn't be retrieved ({kibana-pull}158371[#158371]). -* Provides support for using field names with wildcards in rule queries ({kibana-pull}157981[#157981]). -* Fixes CSS style issues on the rule details page ({kibana-pull}157935[#157935]). -* Fixes a bug that caused the `A-Z` option to incorrectly display on Alerts table sorting menus ({kibana-pull}157653[#157653]). -* Allows users to scroll through long error messages on the rule details page ({kibana-pull}157271[#157271]). 
- -[discrete] -[[release-notes-8.8.0]] -=== 8.8.0 - -To view a detailed summary of the latest features and enhancements, check out our {security-guide}/whats-new.html[release highlights]. - -[discrete] -[[known-issue-8.8.0]] -==== Known issues -* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. -* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. -* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. -* {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1. -* All field types in the **Fields** browser appear as `unknown`. -* If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: - -** <> through the {security-app} UI. -** Specify an exception item's `item_id` _and_ its `id` when modifying an exception through the <> API. - -+ -If you've already encountered this issue and want to find erroneously duplicated exceptions, use the queries provided below. - -** **Query for finding exception documents that were duplicated from only specifying the `item_id`:** -+ -[source,kibana] ----------------------------------- -// Retrieve exception documents grouped by `item_id`. -// Each bucket contains all duplicates of that document. 
-GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "match": { - "type": "exception-list" - } - } - ] - } - }, - "aggs": { - "item_id_duplicates": { - "terms": { - "field": "exception-list.item_id", - "min_doc_count": 2 - }, - "aggs": { - "ids": { - "top_hits": { - "size": 100, // Increase this if you may have more duplicates. - "_source": false - } - } - } - } - }, - "size": 0 -} ----------------------------------- - -** **Query for finding exception documents that were duplicated and have lost their `item_id` because their `id` was used to update them:** -+ -[source,kibana] ----------------------------------- -// Each item returned lost its `item_id`, which is expected to be present and unique. -GET .kibana*/_search -{ - "query": { - "bool": { - "filter": [ - { - "term": { - "exception-list.list_type": "item" - } - } - ], - "must_not": [ - { - "exists": { - "field": "exception-list.item_id" - } - } - ] - } - } -} ----------------------------------- - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Change your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alerts table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. 
- -+ -The workaround for this issue depends on the types of alerts you want to display in the Alerts table. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields and the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alerts table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. 
- -[discrete] -[[breaking-changes-8.8.0]] -==== Breaking changes - -* The privileges for attaching alerts to cases have changed. Now, you need at least `Read` privileges for Security and `All` privileges for Cases ({kibana-pull}147985[#147985]). -* Adds conditional actions to the rules API. In {elastic-sec} 8.7 and earlier, action frequencies were set on a rule level by defining the `throttle` field. In 8.8 and later, action frequencies are set at the action level, and the `throttle` field is replaced by the `frequency` and `alert_filters` fields. The following APIs are affected: -** https://www.elastic.co/guide/en/security/8.8/rules-api-get.html[Get rule] -** https://www.elastic.co/guide/en/security/8.8/rules-api-find.html[Find rules] -** https://www.elastic.co/guide/en/security/8.8/rules-api-create.html#optional-actions-fields-rule-create[Create rule] -** https://www.elastic.co/guide/en/security/8.8/rules-api-update.html#optional-actions-fields-rule-update[Update rule] -** https://www.elastic.co/guide/en/security/8.8/bulk-actions-rules-api.html#optional-actions-fields-bulk-update[Bulk rule actions] - -[discrete] -[[deprecations-8.8.0]] -==== Deprecations - -* The rule level `throttle` field is deprecated in {elastic-sec} 8.8 and is scheduled for end of life in Q4 of 2024. In {elastic-sec} 8.8 and later, we strongly recommend using the action level `frequency` field to set frequencies for individual rule actions. - -[discrete] -[[features-8.8.0]] -==== New features - -* Introduces <>, which scans your cloud VMs for vulnerabilities, and adds a tab to the Findings page that displays vulnerabilities ({kibana-pull}154388[#154388], {kibana-pull}154873[#154873], {kibana-pull}155045[#155045]). -* Introduces <>, which allows you to monitor and protect your Kubernetes workloads. -* Adds a new response action that allows you to execute commands on a selected host ({kibana-pull}150202[#150202]). -* Adds the `kibana.alert.url` field to alert documents. 
This field provides a shareable URL for the alert ({kibana-pull}155069[#155069]). -* Adds the ability to duplicate a shared exception list ({kibana-pull}154991[#154991]). -* Allows Timeline notes to be deleted ({kibana-pull}154834[#154834]). -* Allows you to specify conditions for when rule actions should run ({kibana-pull}154680[#154680]). -* Adds the ability to snooze rule notifications from the Rules table, the rule details page, or the Actions tab when editing a rule ({kibana-pull}153083[#153083], {kibana-pull}155407[#155407], {kibana-pull}155612[#155612]). -* Adds controls to the Alerts page that allow you to customize which filters appear at the top of the page ({kibana-pull}152450[#152450]). - -[discrete] -[[enhancements-8.8.0]] -==== Enhancements - -* Renames the Notable Anomalies section in the Entity Analytics dashboard to Anomalies ({kibana-pull}155687[#155687]). -* Displays additional {ml} anomaly jobs on the Entity Analytics dashboard ({kibana-pull}155520[#155520]). -* Makes alert count links on the Entity Analytics dashboard navigate to the Alerts page instead of opening in Timeline ({kibana-pull}153372[#153372]). -* Updates the Data Quality dashboard to include a new tree map and storage size metrics for each index ({kibana-pull}155581[#155581]). -* Adds cloud infrastructure-related fields to the alert details flyout highlighted fields section ({kibana-pull}155247[#155247]). -* Allows you to specify how to handle alert suppression for alerts with missing fields ({kibana-pull}155055[#155055]). -* Gives users more control over how they receive alert notifications and lets them define conditions that must be met for a notification to occur ({kibana-pull}154526[#154526]). -* Adds a warning message to tell you when a rule has reached the maximum number of alerts limit ({kibana-pull}154112[#154112]). -* Updates how browser field descriptions are provided to {kib} ({kibana-pull}153498[#153498]). 
-* Enables multi-level grouping for alerts on the Alerts page, based on various fields ({kibana-pull}152862[#152862]). -* Adds links to the Detection & Response and Entity Analytics dashboards that jump to the Alerts page with filters enabled ({kibana-pull}152714[#152714]). -* Updates the visualizations throughout {elastic-sec} to Lens visualizations ({kibana-pull}150531[#150531]). -* Adds a *Share alert* link to the alert details flyout ({kibana-pull}148800[#148800]). -* Adds a warning message to the Rules page when a maintenance window is running ({kibana-pull}155386[#155386]). -* Adds a global search bar to the Detections and Response and Entity Analytics dashboards ({kibana-pull}156832[#156832]). -* Adds the "Investigate in timeline" inline action to alert counts on the Detections and Response and Entity Analytics dashboards ({kibana-pull}154299[#154299]). -* Session view: Makes the row representing the session leader remain visible when you scroll past it, and adds a button to this row that allows you to collapse child processes ({kibana-pull}154982[#154982]). -* Reduces Linux process event volume by about 50% by combining `fork`, `exec`, and `end` events when they occur around the same time (does not affect queries of this data) ({kibana-pull}153213[#153213]). -* Updates where the technical preview tags appear for host risk score features ({kibana-pull}156659[#156659], {kibana-pull}156514[#156514]). -* Allows you to use fully qualified domain names (FQDNs) for hosts. To learn how to set a host name format in {fleet}, refer to {fleet-guide}/agent-policy.html[Elastic Agent policies]. - -[discrete] -[[bug-fixes-8.8.0]] -==== Bug fixes - -* Fixes a bug that interfered with the default time range when you opened an alert in Timeline ({kibana-pull}156884[#156884]). -* Fixes a bug that could cause the Alerts page to become unresponsive after entering an invalid query ({kibana-pull}156542[#156542]). 
-* Updates the colors used for entity analytic graphs to match those used for alert graphs ({kibana-pull}156383[#156383]). -* Fixes a bug that caused errors on the Data Quality dashboard when a `basePath` was configured ({kibana-pull}156233[#156233]). -* Fixes a bug that could cause problems when different users simultaneously edited a Timeline ({kibana-pull}155663[#155663]). -* Fixes a bug that could cause the wrong number of rules to appear in the modal for duplicating rules ({kibana-pull}155959[#155959]). -* Fixes a bug that could cause a blank option to appear in the Create rule exception form ({kibana-pull}155221[#155221]). -* Fixes issues that affected tags in the Add rule exception component of the Shared Exception Lists page ({kibana-pull}155219[#155219]). -* Fixes a bug that displayed an outdated count of affected rules on the Shared Exception Lists page ({kibana-pull}155108[#155108]). -* Improves performance for rendering indicator match alerts on the Alerts page ({kibana-pull}154821[#154821]). -* Fixes a bug that could affect alert prevalence counts on the Alerts page ({kibana-pull}154544[#154544]). -* Fixes a bug that could prevent you from using breadcrumbs to return to the Rules page ({kibana-pull}150322[#150322]). -* Fixes a bug that could prevent the *View all open alerts* button on the Detection and Response dashboard from applying the correct filters ({kibana-pull}156893[#156893]). -* Fixes several bugs related to session view and and Kubernetes dashboard ({kibana-pull}154982[#154982]). -* Fixes the delete index API so it only removes {elastic-sec} 7.x signals indices (`.siem-signals-`), index templates, and ILMs and doesn't delete 8.x alert indices (`.alerts-security.alerts-`). diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc deleted file mode 100644 index 21f0e521e2..0000000000 --- a/docs/release-notes/8.9.asciidoc +++ /dev/null 
@@ -1,187 +0,0 @@ -[[release-notes-header-8.9.0]] -== 8.9 - -[discrete] -[[release-notes-8.9.2]] -=== 8.9.2 - -[discrete] -[[bug-fixes-8.9.2]] -==== Bug fixes - -* Fixes a bug that prevented inline actions on the Alerts page from completing ({kibana-pull}165099[#165099]). -* Fixes a bug that prevented blocklist file path entries for Windows and macOS applications from being passed as case insensitive ({kibana-pull}164200[#164200]). -* Fixes a bug in the confirmation message that appears when duplicating a single rule ({kibana-pull}163908[#163908]). -* Fixes a bug on the rule details page that showed the **Data view** label twice if you were viewing a rule using a data view ({kibana-pull}164494[#164494]). -* Fixes a bug that affected Timeline when you investigated an alert created from a rule with exceptions ({kibana-pull}162190[#162190]). - -[discrete] -[[release-notes-8.9.1]] -=== 8.9.1 - -[discrete] -[[known-issue-8.9.1]] -==== Known issues - -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. -*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. 
- -+ -The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. 
- -[discrete] -[[enhancements-8.9.1]] -==== Enhancements -* Event correlation queries and rules can now detect {ref}/eql-syntax.html#eql-missing-events[missing events] in EQL sequences. - -[discrete] -[[bug-fixes-8.9.1]] -==== Bug fixes - -* Fixes a copy to clipboard bug that affected non-ECS fields ({kibana-pull}162883[#162883]). -* Fixes number rounding issues in the *Top alerts by* table on the Alerts page ({kibana-pull}162647[#162647]). -* Fixes bug that prevented controls from being rendered on {elastic-sec} dashboards ({kibana-pull}162514[#162514]). -* Fixes a bug that prevented rule changes from being saved if a rule's action frequency was shorter than the rule run interval ({kibana-pull}160798[#160798]). - -[discrete] -[[release-notes-8.9.0]] -=== 8.9.0 - -[discrete] -[[known-issue-8.9.0]] -==== Known issues - -* On the new Detection rule monitoring dashboard, total `Rule executions` will not always equal the sum of `Succeeded`, `Warning`, and `Failed` executions. This is expected because rules can write multiple statuses per execution. One typical example is gap detection: if a rule detects a gap in rule execution it will write an intermediate `Failed` status, then continue to run, and write a final status (such as `Warning`) before finishing its execution. -* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. -* The `upload` response action does not report the correct amount of available disk space. The correct amount is approximately four. -* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: - -** Open alerts in Timeline. -** Adjust the Alerts table size. Do one of the following: - -*** Use the **Fields** browser to remove fields from the Alerts table until the table's width is smaller than its container. -*** Adjust your OS zoom settings and refresh the page. 
-*** Zoom your browser in and out, then refresh the page. (Row height issues can occur at some zoom levels.) - -* Alert table rendering issues occur when threat indicator match alerts contain nested `file.name` values, and the Alerts table displays the `file.name` column. The rendering issues stem from a known bug that occurs when the Alerts table sends a request to the Elasticsearch Fields API (https://github.com/elastic/elasticsearch/issues/97684[#97684]). -+ -NOTE: When customizing the Alerts table, avoid adding or displaying fields that also exist as nested properties within any alert documents. - -+ -The workaround for this issue depends on the types of alerts you want to display. Choose the case that's most relevant to you: - -+ -**Case #1:** You want to display threat indicator match alerts with nested `file.name` fields but the Alerts table won't render. To fix this, manually edit your browser's local storage and refresh the Alerts page: - -+ -NOTE: These instructions only apply to the Google Chrome browser. Modify the steps based on of browser you're using. -+ - -. Right-click anywhere on the Alerts page, then select *Inspect* to open Chrome's Developer Tools. -. Go to *Application -> Storage*, then expand *Local Storage*. -. Click on the name of your Kibana instance, for example, http://localhost:1234. -. Search for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key and copy its value. The value you copied is the JSON blob that's used to persist the Alert table's state, including the table's selected columns. -. Paste the JSON blob into a text file and edit it as follows: -.. Remove the `id:file.name` string from the `columns` array. -.. Remove the `file.name` string from the `visibleColumns` array. -. Go back to Chrome's Developer Tools, and paste the edited JSON into the value for the `detection-engine-alert-table-securitySolution-rule-details-gridView` key. -. 
Click the *Enter* or *Return* key on your keyboard, and refresh the Alerts page. The Alerts table re-renders without the `file.name` column. -+ -NOTE: To avoid further issues, _do not_ re-add the `file.name` field to the table. - -+ -**Case #2:** You want to display threat indicator match alerts with nested `file.name` fields and other types of alerts, but the Alerts table is rendering with empty rows. To resolve this issue: - -. Go to the toolbar in the upper-left of the Alerts table, and click *Fields*. -. Search for the `file.name` field, de-select it, and click *Close*. -. Refresh the Alerts page. - -[discrete] -[[breaking-changes-8.9.0]] -==== Breaking changes - -There are no breaking changes in 8.9.0. - -[discrete] -[[deprecations-8.9.0]] -==== Deprecations -* Removes the option to use the legacy navigation menu ({kibana-pull}158094[#158094]). -* General prebuilt threat indicator match rules were deprecated and replaced with improved indicator-type rules. - -[discrete] -[[features-8.9.0]] -==== New features -* Introduces the `top` command for MacOS and Linux, which shows active processes that {elastic-endpoint} is monitoring and recording. Processes are sorted by how much CPU they are causing {elastic-endpoint} to consume. Learn more about the `top` command by referring to the (https://www.github.com/elastic/endpoint/blob/main/EndpointTopCommand.md[readme]). -* Allows you to install the Cloud Security Posture Management (CSPM) integration via CloudFormation ({kibana-pull}159994[#159994]). -* Creates a new dashboard, Cloud Native Vulnerability Management, that provides an overview of vulnerabilities on your cloud hosts ({kibana-pull}159699[#159699]). -* Allows you to group vulnerabilities by resource (host) on the Vulnerabilities Findings page, and creates a Resource flyout that displays detailed vulnerability findings for individual hosts ({kibana-pull}159873[#159873], {kibana-pull}158987[#158987]). 
-* Adds a new custom dashboard, "Detection rule monitoring" ({kibana-pull}159875[#159875]). -* Allows you to anonymize event field values sent to AI Assistant ({kibana-pull}159857[#159857]). -* Adds a *Chat* button that opens AI Assistant to the alert details flyout ({kibana-pull}159633[#159633]). -* Updates AI Assistant to let you create and delete custom system prompts and default conversations ({kibana-pull}159365[#159365]). -* Allows you to add alert tags ({kibana-pull}157786[#157786]). -* Adds the ability to automatically isolate a host through a rule’s endpoint response action ({kibana-pull}152424[#152424]). -* Moves response actions to General Availability. -* Adds a new response action that allows you to upload files to an endpoint that has {elastic-endpoint} installed ({kibana-pull}157208[#157208]). -* Makes the Lateral Movement Detection advanced analytics package General Availability, and adds the ability to detect malicious activities in Windows RDP events (https://github.com/elastic/integrations/pull/6588[#6588]). - -[discrete] -[[enhancements-8.9.0]] -==== Enhancements -* Makes it easier to set up exceptions by auto-populating exception conditions and values with relevant alert data ({kibana-pull}159075[#159075]). -* Adds a *Last response* dropdown menu to the Rules table that allows you to filter rules by the status of their last execution ("Succeeded", "Warning", or "Failed") ({kibana-pull}159865[#159865]). -* Creates a Lens dashboard for monitoring the use of tokens by AI Assistant ({kibana-pull}159075[#159075]). -* Creates a connector for D3 Security ({kibana-pull}158569[#158569]). -* Improves the interface for installing and upgrading Elastic prebuilt rules ({kibana-pull}158450[#158450]). -* Shows a rule's actions on its details page ({kibana-pull}158189[#158189]). -* Allows you to add Lens visualizations to cases from the visualization's *More actions* menu ({kibana-pull}154918[#154918]). 
-* Adds a tooltip to snoozed rules that shows exactly when alerting will resume ({kibana-pull}157407[#157407]). -* Enhances the Data Exfiltration Detection package by adding the ability to detect exfiltration anomalies through USB devices and Airdrop (https://github.com/elastic/integrations/pull/6577[#6577]). - -[discrete] -[[bug-fixes-8.9.0]] -==== Bug fixes -* Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({kibana-pull}161331[#161331]). -* Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu ({kibana-pull}159908[#159908]). -* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule. -* Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({kibana-pull}157233[#157233]). -* Fixes a bug that allowed you to save a rule with an alert filter missing a query ({kibana-pull}159690[#159690]). -* Fixes unexpected filtering behavior on the Alerts page. Now, when you select a filter that excludes all alerts, an empty table now appears as expected ({kibana-pull}160374[#160374]). -* Fixes a UI bug where the **Label** field in the Investigation Guide form incorrectly turns red when the entered value is correct ({kibana-pull}160574[#160574], {kibana-pull}160577[#160577]). -* Fixes a bug that caused rules to snooze longer than specified ({kibana-pull}152873[#152873]). diff --git a/docs/serverless/AI-for-security/ai-assistant.asciidoc b/docs/serverless/AI-for-security/ai-assistant.asciidoc index ff86a5d84a..f570b80604 100644 --- a/docs/serverless/AI-for-security/ai-assistant.asciidoc +++ b/docs/serverless/AI-for-security/ai-assistant.asciidoc 
@@ -4,7 +4,6 @@ // :description: Elastic AI Assistant is a generative AI open-code chat assistant. // :keywords: security, overview, get-started -preview:[] The Elastic AI Assistant utilizes generative AI to bolster your cybersecurity operations team. It allows users to interact with {elastic-sec} for tasks such as alert investigation, incident response, and query generation or conversion using natural language and much more. diff --git a/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.asciidoc b/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.asciidoc index 7e62b9f5a6..c7d7b93323 100644 --- a/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.asciidoc +++ b/docs/serverless/advanced-entity-analytics/advanced-behavioral-detections.asciidoc @@ -4,7 +4,6 @@ // :description: Learn about advanced behavioral detections and its capabilities. // :keywords: serverless, security, overview, analyze -preview:[] Elastic's {ml} capabilities and advanced correlation, scoring, and visualization techniques can help you identify potential behavioral threats that may be associated with security incidents. diff --git a/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc b/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc index 209e706cea..0b6b3d9a7b 100644 --- a/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc +++ b/docs/serverless/advanced-entity-analytics/advanced-entity-analytics-overview.asciidoc 
@@ -4,8 +4,6 @@ // :description: Learn about Advanced Entity Analytics and its capabilities. // :keywords: serverless, security, overview, analyze -preview:[] - Advanced Entity Analytics generates a set of threat detection and risk analytics that allows you to expedite alert triage and hunt for new threats from within an entity's environment. This feature combines the power of the SIEM detection engine and Elastic's {ml} capabilities to identify unusual user behaviors and generate comprehensive risk analytics for hosts and users. Advanced Entity Analytics provides two key capabilities: diff --git a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc index ed2b5e9c5e..040cc16723 100644 --- a/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc +++ b/docs/serverless/advanced-entity-analytics/analyze-risk-score-data.asciidoc @@ -8,8 +8,6 @@ View risk score data ++++ -preview:[] - The {security-app} provides several options to monitor the change in the risk posture of hosts and users from your environment. Use the following places in the {security-app} to view and analyze risk score data: * <> diff --git a/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc b/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc index 5a8ff35b53..21ef9565a6 100644 --- a/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/serverless/advanced-entity-analytics/asset-criticality.asciidoc @@ -4,8 +4,6 @@ // :description: Learn how to use asset criticality to improve your security operations. // :keywords: serverless, security, overview, analyze -preview:[] - .Requirements [NOTE] ==== diff --git a/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc b/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc index b7c9553f6f..53b6fb3ca2 100644 
--- a/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc +++ b/docs/serverless/advanced-entity-analytics/behavioral-detection-use-cases.asciidoc @@ -4,7 +4,6 @@ // :description: Detect internal and external threats using behavioral detection integrations. // :keywords: serverless, security, overview, analyze -preview:[] Behavioral detection identifies potential internal and external threats based on user and host activity. It uses a threat-centric approach to flag suspicious activity by analyzing patterns, anomalies, and context enrichment. diff --git a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc index a31a175358..7c17c3dee1 100644 --- a/docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc +++ b/docs/serverless/advanced-entity-analytics/entity-risk-scoring.asciidoc @@ -4,7 +4,6 @@ // :description: Learn about the risk scoring engine and its features. // :keywords: serverless, security, overview, analyze -preview:[] Entity risk scoring is an advanced {elastic-sec} analytics feature that helps security analysts detect changes in an entity's risk posture, hunt for new threats, and prioritize incident response. diff --git a/docs/serverless/advanced-entity-analytics/machine-learning.asciidoc b/docs/serverless/advanced-entity-analytics/machine-learning.asciidoc index fe353bd8d7..6564db5923 100644 --- a/docs/serverless/advanced-entity-analytics/machine-learning.asciidoc +++ b/docs/serverless/advanced-entity-analytics/machine-learning.asciidoc @@ -4,7 +4,6 @@ // :description: Use the power of machine learning to detect outliers and suspicious events. // :keywords: serverless, security, overview, manage -preview:[] {ml-docs}/ml-ad-overview.html[{ml-cap}] functionality is available when you have the appropriate role. Refer to <> for more information. 
diff --git a/docs/serverless/advanced-entity-analytics/ml-requirements.asciidoc b/docs/serverless/advanced-entity-analytics/ml-requirements.asciidoc index c1a282209f..6273602a07 100644 --- a/docs/serverless/advanced-entity-analytics/ml-requirements.asciidoc +++ b/docs/serverless/advanced-entity-analytics/ml-requirements.asciidoc @@ -4,7 +4,6 @@ // :description: Requirements for using {ml} jobs and rules. // :keywords: serverless, security, reference, manage -preview:[] To run and create {ml} jobs and rules, you need the appropriate <>. diff --git a/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.asciidoc b/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.asciidoc index c7aa5e24a0..65c36e006a 100644 --- a/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.asciidoc +++ b/docs/serverless/advanced-entity-analytics/prebuilt-ml-jobs.asciidoc @@ -3,6 +3,5 @@ // :keywords: serverless, security, reference -preview:[] Refer to {security-guide}/prebuilt-ml-jobs.html[Prebuilt job reference] for information on available prebuilt {ml} jobs. diff --git a/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.asciidoc b/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.asciidoc index f6825215a4..dc40bb9166 100644 --- a/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.asciidoc +++ b/docs/serverless/advanced-entity-analytics/tuning-anomaly-results.asciidoc @@ -4,7 +4,6 @@ // :description: Learn how to fine-tune and filter anomaly results. // :keywords: serverless, security, how-to -preview:[] To gain clearer insights into real threats, you can tune the anomaly results. The following procedures help to reduce the number of false positives: diff --git a/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc b/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc index 48eeafe71d..2462493115 100644 --- a/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc 
+++ b/docs/serverless/advanced-entity-analytics/turn-on-risk-engine.asciidoc @@ -8,7 +8,6 @@ Turn on risk scoring ++++ -preview:[] .Requirements [NOTE] @@ -24,7 +23,7 @@ You can preview risky entities before installing the risk engine. The preview sh [NOTE] ==== -The preview is limited to two risk scores per {serverless-short} {elastic-sec} project. +The preview is limited to two risk scores per serverless project. ==== To preview risky entities, go to **Project settings** → **Management** → **Entity Risk Score**: diff --git a/docs/serverless/alerts/alert-schema.asciidoc b/docs/serverless/alerts/alert-schema.asciidoc index 6f84f68b85..0bfbd63ee6 100644 --- a/docs/serverless/alerts/alert-schema.asciidoc +++ b/docs/serverless/alerts/alert-schema.asciidoc @@ -4,7 +4,6 @@ // :description: The alert schema describes all the fields present in alert events. // :keywords: serverless, security, alerting, reference, manage -preview:[] {elastic-sec} stores alerts that have been generated by detection rules in hidden {es} indices. The index pattern is `.alerts-security.alerts-`. diff --git a/docs/serverless/alerts/alert-suppression.asciidoc b/docs/serverless/alerts/alert-suppression.asciidoc index 0b413a6636..9f54d69312 100644 --- a/docs/serverless/alerts/alert-suppression.asciidoc +++ b/docs/serverless/alerts/alert-suppression.asciidoc @@ -8,7 +8,6 @@ Suppress alerts ++++ -preview:[] .Requirements and notice [IMPORTANT] diff --git a/docs/serverless/alerts/alerts-ui-manage.asciidoc b/docs/serverless/alerts/alerts-ui-manage.asciidoc index b51443485c..c5b5f47ca1 100644 --- a/docs/serverless/alerts/alerts-ui-manage.asciidoc +++ b/docs/serverless/alerts/alerts-ui-manage.asciidoc @@ -8,7 +8,6 @@ Alerts ++++ -preview:[] The Alerts page displays all detection alerts. diff --git a/docs/serverless/alerts/query-alert-indices.asciidoc b/docs/serverless/alerts/query-alert-indices.asciidoc index cf167fe27c..4eecfdf8f9 100644 --- a/docs/serverless/alerts/query-alert-indices.asciidoc 
+++ b/docs/serverless/alerts/query-alert-indices.asciidoc @@ -4,7 +4,6 @@ // :description: Index patterns for querying alert data. // :keywords: serverless, security, how-to -preview:[] This page explains how you should query alert indices, for example, when building rule queries, custom dashboards, or visualizations. For more information about alert event field definitions, review the <>. diff --git a/docs/serverless/alerts/reduce-notifications-alerts.asciidoc b/docs/serverless/alerts/reduce-notifications-alerts.asciidoc index f9f0f278bc..fecb120735 100644 --- a/docs/serverless/alerts/reduce-notifications-alerts.asciidoc +++ b/docs/serverless/alerts/reduce-notifications-alerts.asciidoc @@ -4,7 +4,6 @@ // :description: A comparison of alert-reduction features. // :keywords: serverless, security, how-to -preview:[] {elastic-sec} offers several features to help reduce the number of notifications and alerts generated by your detection rules. This table provides a general comparison of these features, with links for more details: diff --git a/docs/serverless/alerts/signals-to-cases.asciidoc b/docs/serverless/alerts/signals-to-cases.asciidoc index 17de0c71d7..4c4961c59b 100644 --- a/docs/serverless/alerts/signals-to-cases.asciidoc +++ b/docs/serverless/alerts/signals-to-cases.asciidoc @@ -8,13 +8,12 @@ Add alerts to cases ++++ -preview:[] From the Alerts table, you can attach one or more alerts to a <> or <>. Alerts from any rule type can be added to a case. [NOTE] ==== -* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {security-guide}/cases-api-overview.html[{elastic-sec} Cases API]. +* After you add an alert to a case, you can remove it from the case activity under the alert summary or by using the {api-kibana}/group/endpoint-cases[cases API]. * Each case can have a maximum of 1,000 alerts. // Link to classic docs until serverless API docs are available. 
diff --git a/docs/serverless/alerts/view-alert-details.asciidoc b/docs/serverless/alerts/view-alert-details.asciidoc index 62e141319e..5565ee7917 100644 --- a/docs/serverless/alerts/view-alert-details.asciidoc +++ b/docs/serverless/alerts/view-alert-details.asciidoc @@ -8,7 +8,6 @@ View alert details ++++ -preview:[] To learn more about an alert, click the **View details** button from the Alerts table. This opens the alert details flyout, which helps you understand and manage the alert. diff --git a/docs/serverless/alerts/visual-event-analyzer.asciidoc b/docs/serverless/alerts/visual-event-analyzer.asciidoc index 3e4ca14a21..631a2eefb4 100644 --- a/docs/serverless/alerts/visual-event-analyzer.asciidoc +++ b/docs/serverless/alerts/visual-event-analyzer.asciidoc @@ -4,7 +4,6 @@ // :description: Examine events and processes in a graphical timeline. // :keywords: serverless, security, how-to -preview:[] {elastic-sec} allows any event detected by {elastic-endpoint} to be analyzed using a process-based visual analyzer, which shows a graphical timeline of processes that led up to the alert and the events that occurred immediately after. Examining events in the visual event analyzer is useful to determine the origin of potentially malicious activity and other areas in your environment that may be compromised. It also enables security analysts to drill down into all related hosts, processes, and other events to aid in their investigations. diff --git a/docs/serverless/alerts/visualize-alerts.asciidoc b/docs/serverless/alerts/visualize-alerts.asciidoc index 28b5762bde..9a1ac6a33e 100644 --- a/docs/serverless/alerts/visualize-alerts.asciidoc +++ b/docs/serverless/alerts/visualize-alerts.asciidoc @@ -8,7 +8,6 @@ Visualize alerts ++++ -preview:[] Visualize and group detection alerts by specific parameters in the visualization section of the Alerts page. 
diff --git a/docs/serverless/assets/asset-management.asciidoc b/docs/serverless/assets/asset-management.asciidoc index 3544f3c00e..b561644b9b 100644 --- a/docs/serverless/assets/asset-management.asciidoc +++ b/docs/serverless/assets/asset-management.asciidoc @@ -3,7 +3,6 @@ // :keywords: serverless, security, overview, manage -preview:[] The **Assets** page allows you to manage the following features: diff --git a/docs/serverless/billing.asciidoc b/docs/serverless/billing.asciidoc index 6bb731696c..5ebe05c4a9 100644 --- a/docs/serverless/billing.asciidoc +++ b/docs/serverless/billing.asciidoc @@ -4,8 +4,6 @@ // :description: Learn about how Security usage affects pricing. // :keywords: serverless, security, overview -preview:[] - {elastic-sec} serverless projects provide you with all the capabilities of {elastic-sec} to perform SIEM, security analytics, endpoint security, and cloud security workflows. Projects are provided using a Software as a Service (SaaS) model, and pricing is entirely consumption based. Security Analytics/SIEM is available in two tiers of carefully selected features to enable common security operations: * **Security Analytics Essentials** — Includes everything you need to operationalize traditional SIEM in most organizations. 
@@ -16,13 +14,13 @@ Your monthly bill is based on the capabilities you use. When you use Security An * **Ingest** — Measured by the number of GB of log/event/info data that you send to your Security project over the course of a month. * **Retention** — Measured by the total amount of ingested data stored in your Security project. -Data volumes for both ingest and retention are based on the uncompressed data size at the point of ingest, before {es} compression is performed, and will be higher than the volumes traditionally reported by {es} index size. In addition, these volumes might be larger than the volumes reported by cloud provider proxy logs for data going into {es}. +Data volumes for ingest and retention are based on the fully enriched normalized data size at the end of the ingest pipeline, before {es} compression is performed, and will be higher than the volumes traditionally reported by {es} index size. In addition, these volumes might be larger than those reported by cloud provider proxy logs for data going into Elasticsearch. This allows you to have flexibility in choosing your preferred ingest architecture for enrichment, whether it's through {agent}, {ls}, OpenTelemetry, or collectors — with no impact on the cost. [discrete] [[security-billing-endpoint-protection]] == Endpoint Protection -Endpoint Protection is an _optional_ add-on to Security Analytics that provides on-endpoint protection and prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations: +Endpoint Protection is an _optional_ add-on to Security Analytics that provides endpoint protection and threat prevention. Endpoint Protection is available in two tiers of selected features to enable common endpoint security operations: * **Endpoint Protection Essentials** — Includes robust protection against malware, ransomware, and other malicious behaviors. 
* **Endpoint Protection Complete** — Adds endpoint response actions and advanced policy management. @@ -36,7 +34,7 @@ You pay based on the number of protected endpoints you configure with the {elast Cloud Protection is an _optional_ add-on to Security Analytics that provides value-added protection capabilities for cloud assets. Cloud Protection is available in two tiers of carefully selected features to enable common cloud security operations: * **Cloud Protection Essentials** — Protects your cloud workloads, continuously tracks posture of your cloud assets, and helps you manage risks by detecting configuration issues per CIS benchmarks. -* **Cloud Protection Complete** — Adds response capabilities and configuration drift prevention for Cloud Workloads. +* **Cloud Protection Complete** — Adds response capabilities. Your total cost depends on the number of protected cloud workloads and other billable cloud assets you configure for use with Elastic Cloud Security. @@ -62,8 +60,6 @@ For <>, billing is based on how many Kubernetes nodes (`agen For <>, billing is based on how many cloud assets (`cloud.instance.id` s) you monitor. -For <>, billing is based on how many agents (`agent.id` s) you use. - Logs, events, alerts, and configuration data ingested into your security project are billed using the **Ingest** and **Retention** pricing described above. For more details about {elastic-sec} serverless project rates and billable assets, refer to Cloud Protection in the https://cloud.elastic.co/cloud-pricing-table?productType=serverless&project=security[Elastic Cloud pricing table]. diff --git a/docs/serverless/cloud-native-security/benchmark-rules.asciidoc b/docs/serverless/cloud-native-security/benchmark-rules.asciidoc index d9fcc2eb7b..296f051376 100644 --- a/docs/serverless/cloud-native-security/benchmark-rules.asciidoc +++ b/docs/serverless/cloud-native-security/benchmark-rules.asciidoc 
@@ -8,7 +8,6 @@ // tag::content[] -preview:[] The Benchmarks page lets you view the cloud security posture (CSP) benchmarks for the <> (CSPM) and <> (KSPM) integrations. diff --git a/docs/serverless/cloud-native-security/cloud-native-security-overview.asciidoc b/docs/serverless/cloud-native-security/cloud-native-security-overview.asciidoc index 0b4b4523e7..46c1c11bd8 100644 --- a/docs/serverless/cloud-native-security/cloud-native-security-overview.asciidoc +++ b/docs/serverless/cloud-native-security/cloud-native-security-overview.asciidoc @@ -1,10 +1,9 @@ [[security-cloud-native-security-overview]] -= Secure cloud native resources += Cloud Security // :description: Helps you improve your cloud security posture. // :keywords: serverless, security, overview, cloud security -preview:[] Elastic Security for Cloud helps you improve your cloud security posture by comparing your cloud configuration to best practices, and scanning for vulnerabilities. It also helps you monitor and investigate your cloud workloads inside and outside Kubernetes. @@ -35,14 +34,6 @@ Scans your cloud workloads for known vulnerabilities. When it finds a vulnerabil <>. -[discrete] -[[security-cloud-native-security-overview-cloud-workload-protection-for-kubernetes]] -== Cloud Workload Protection for Kubernetes - -Provides cloud-native runtime protections for containerized environments by identifying and (optionally) blocking unexpected system behavior in Kubernetes containers. These capabilities are sometimes referred to as container drift detection and prevention. The solution also captures detailed process and file telemetry from monitored containers, allowing you to set up custom alerts and protection rules. - -<>. - [discrete] [[security-cloud-native-security-overview-cloud-workload-protection-for-vms]] == Cloud Workload Protection for VMs 
diff --git a/docs/serverless/cloud-native-security/cloud-workload-protection.asciidoc b/docs/serverless/cloud-native-security/cloud-workload-protection.asciidoc index 1d62e8d285..dd9ab8b743 100644 --- a/docs/serverless/cloud-native-security/cloud-workload-protection.asciidoc +++ b/docs/serverless/cloud-native-security/cloud-workload-protection.asciidoc @@ -4,7 +4,6 @@ // :description: Use cloud workload protection to monitor and protect your Linux VMs. // :keywords: serverless, security, overview, cloud security -preview:[] Cloud workload protection helps you monitor and protect your Linux VMs. It uses the <> integration to capture cloud workload telemetry containing process, file, and network activity. @@ -22,5 +21,4 @@ To continue setting up your cloud workload protection, learn more about: * <>: configure {elastic-defend} to protect your hosts. Be sure to select one of the "Cloud workloads" presets if you want to collect session data by default, including process, file, and network telemetry. * <>: examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution. Use it to monitor and investigate session activity, and to understand user and service behavior on your Linux infrastructure. -* <>: Explore an overview of your protected Kubernetes clusters, and drill down into individual sessions within your Kubernetes infrastructure. * <>: Capture the environment variables associated with process events, such as `PATH`, `LD_PRELOAD`, or `USER`. diff --git a/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc b/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc index 05facdc6d0..77b4089c70 100644 --- a/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-findings-page.asciidoc 
@@ -8,7 +8,6 @@ // tag::content[] -preview:[] The **Misconfigurations** tab on the **Findings** page displays the configuration risks identified by the <> and <> integrations, as well as data from <>. diff --git a/docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc b/docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc index 01c42f26e1..b04d071412 100644 --- a/docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-get-started-azure.asciidoc @@ -4,7 +4,6 @@ // :description: Start monitoring the security posture of your Azure cloud assets. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[cspm-overview-azure]] diff --git a/docs/serverless/cloud-native-security/cspm-get-started-gcp.asciidoc b/docs/serverless/cloud-native-security/cspm-get-started-gcp.asciidoc index 4eea50b7bf..2f72852609 100644 --- a/docs/serverless/cloud-native-security/cspm-get-started-gcp.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-get-started-gcp.asciidoc @@ -4,7 +4,6 @@ // :description: Start monitoring the security posture of your GCP cloud assets. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[cspm-overview-gcp]] diff --git a/docs/serverless/cloud-native-security/cspm-get-started.asciidoc b/docs/serverless/cloud-native-security/cspm-get-started.asciidoc index 5883b97b99..aad18b1033 100644 --- a/docs/serverless/cloud-native-security/cspm-get-started.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-get-started.asciidoc @@ -4,7 +4,6 @@ // :description: Start monitoring the security posture of your AWS cloud assets. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[cspm-overview]] 
@@ -45,6 +44,9 @@ beta:[] . Click **Advanced options**, then select **Agentless (BETA)**. . Next, you'll need to authenticate to AWS. Two methods are available: .. Option 1: Direct access keys/CloudFormation (Recommended). Under **Preferred method** select **Direct access keys**. Expand the **Steps to Generate AWS Account Credentials** section, then follow the displayed instructions to automatically create the necessary credentials using CloudFormation. ++ +NOTE: If you don't want to monitor every account in your organization, specify which to monitor using the `OrganizationalUnitIDs` field that appears after you click **Launch CloudFormation**. ++ .. Option 2: Temporary keys. To authenticate using temporary keys, refer to the instructions for <>. . Once you've selected an authentication method and provided all necessary credentials, click **Save and continue** to finish deployment. Your data should start to appear within a few minutes. 
@@ -79,7 +81,7 @@ For most use cases, the simplest option is to use AWS CloudFormation to automati . Return to your {kib} tab. Click **Save and continue** at the bottom of the page. . Review the information, then click **Launch CloudFormation**. . A CloudFormation template appears in a new browser tab. -. For organization-level deployments only, you must enter the ID of the organizational unit where you want to deploy into the `OrganizationalUnitIds` field in the CloudFormation template. You can find it in the AWS console under **AWS Organizations → AWS Accounts** (it appears under the organization name). +. For organization-level deployments only, you must enter the ID of the organizational units where you want to deploy into the CloudFormation template's `OrganizationalUnitIds` field. You can find organizational unit IDs in the AWS console under *AWS Organizations -> AWS Accounts* (under each organization's name). You can also use this field to specify which accounts in your organization to monitor, and which to skip. . (Optional) Switch to the AWS region where you want to deploy using the controls in the upper right corner. . Tick the checkbox under **Capabilities** to authorize the creation of necessary resources. + diff --git a/docs/serverless/cloud-native-security/cspm-security-posture-faq.asciidoc b/docs/serverless/cloud-native-security/cspm-security-posture-faq.asciidoc index ea2bff56bd..c5618d94d9 100644 --- a/docs/serverless/cloud-native-security/cspm-security-posture-faq.asciidoc +++ b/docs/serverless/cloud-native-security/cspm-security-posture-faq.asciidoc @@ -4,7 +4,6 @@ // :description: Frequently asked questions about the CSPM and KSPM integrations. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[cspm-security-posture-faq]] diff --git a/docs/serverless/cloud-native-security/cspm.asciidoc b/docs/serverless/cloud-native-security/cspm.asciidoc index 85112cddde..677abfdab0 100644 
--- a/docs/serverless/cloud-native-security/cspm.asciidoc +++ b/docs/serverless/cloud-native-security/cspm.asciidoc @@ -4,7 +4,6 @@ // :description: Identify misconfigured cloud resources. // :keywords: serverless, security, overview -preview:[] The Cloud Security Posture Management (CSPM) feature discovers and evaluates the services in your cloud environment — like storage, compute, IAM, and more — against configuration security guidelines defined by the https://www.cisecurity.org/[Center for Internet Security] (CIS) to help you identify and remediate risks that could undermine the confidentiality, integrity, and availability of your cloud data. diff --git a/docs/serverless/cloud-native-security/d4c-get-started.asciidoc b/docs/serverless/cloud-native-security/d4c-get-started.asciidoc deleted file mode 100644 index e23b27fc8d..0000000000 --- a/docs/serverless/cloud-native-security/d4c-get-started.asciidoc +++ /dev/null 
@@ -1,92 +0,0 @@ -[[security-d4c-get-started]] -= Get started with CWP - -// :description: Secure your containerized workloads and start detecting threats and vulnerabilities. -// :keywords: security, how-to, get-started, cloud security - -preview:[] - -beta:[] - -This page describes how to set up Cloud Workload Protection (CWP) for Kubernetes. - -.Requirements -[NOTE] -==== -* Kubernetes node operating systems must have Linux kernels 5.10.16 or higher. -==== - -[discrete] -[[security-d4c-get-started-initial-setup]] -== Initial setup - -First, you'll need to deploy Elastic's Defend for Containers integration to the Kubernetes clusters you wish to monitor. - -. Find **Container Workload Security** in the navigation menu or use the global search field. Click **Add D4C Integration**. -. Name the integration. The default name, which you can change, is `cloud_defend-1`. -. Optional — make any desired changes to the integration's policy by adjusting the **Selectors** and **Responses** sections. (For more information, refer to the <>). You can also change these later. -. Under **Where to add this integration**, select an existing or new agent policy. -. Click **Save & Continue**, then **Add {agent} to your hosts**. -. On the {agent} policy page, click **Add agent** to open the Add agent flyout. -. In the flyout, go to step 3 (**Install {agent} on your host**) and select the **Kubernetes** tab. -. Download or copy the manifest (`elastic-agent-managed-kubernetes.yml`). -. Open the manifest using your favorite editor, and uncomment the `#capabilities` section: -+ -[source,console] ----- -#capabilities: -# add: -# - BPF # (since Linux 5.8) allows loading of BPF programs, create most map types, load BTF, iterate programs and maps. -# - PERFMON # (since Linux 5.8) allows attaching of BPF programs used for performance metrics and observability operations. -# - SYS_RESOURCE # Allow use of special resources or raising of resource limits. 
Used by 'Defend for Containers' to modify 'rlimit_memlock' ----- -. From the directory where you saved the manifest, run the command `kubectl apply -f elastic-agent-managed-kubernetes.yml`. -. Wait for the **Confirm agent enrollment** dialogue to show that data has started flowing from your newly-installed agent, then click **Close**. - -[discrete] -[[d4c-get-started-threat]] -== Get started with threat detection - -One of the <> sends process telemetry events (`fork` and `exec`) to {es}. - -In order to detect threats using this data, you'll need active <>. Elastic has prebuilt detection rules designed for this data. (You can also create your own <>.) - -To install and enable the prebuilt rules: - -. Find **Detection rules (SIEM)** in the navigation menu or use the global search field, then click **Add Elastic rules**. -. Click the **Tags** filter next to the search bar, and search for the `Data Source: Elastic Defend for Containers` tag. -. Select all the displayed rules, then click **Install _x_ selected rule(s)**. -. Return to the **Rules** page. Click the **Tags** filter next to the search bar, and search for the `Data Source: Elastic Defend for Containers` tag. -. Select all the rules with the tag, and then click **Bulk actions → Enable**. - -[discrete] -[[d4c-get-started-drift]] -== Get started with drift detection and prevention - -{elastic-sec} defines container drift as the creation or modification of an executable within a container. Blocking drift restricts the number of attack vectors available to bad actors by prohibiting them from using external tools. - -To enable drift detection, you can use the default D4C policy: - -. Make sure the <> is active. -. Make sure you enabled at least the "Container Workload Protection" rule, by following the steps to install prebuilt rules, above. - -To enable drift prevention, create a new policy: - -. 
Find **Container Workload Security** in the navigation menu or use the global search field, then select your integration. -. Under **Selectors**, click **Add selector → File Selector**. By default, it selects the operations `createExecutable` and `modifyExecutable`. -. Name the selector, for example: `blockDrift`. -. Scroll down to the **Responses** section and click **Add response → File Response**. -. Under **Match selectors**, add the name of your new selector, for example: `blockDrift`. -. Select the **Alert** and **Block** actions. -. Click **Save integration**. - -[IMPORTANT] -==== -Before you enable blocking, we strongly recommend you observe a production workload that's using the default D4C policy to ensure that the workload does not create or modify executables as part of its normal operation. -==== - -[discrete] -[[d4c-get-started-validation]] -== Policy validation - -To ensure the stability of your production workloads, you should test policy changes before implementing them in production workloads. We also recommend you test policy changes on a simulated environment with workloads similar to production. This approach allows you to test that policy changes prevent undesirable behavior without disrupting your production workloads. diff --git a/docs/serverless/cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc b/docs/serverless/cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc deleted file mode 100644 index f883ec0c21..0000000000 --- a/docs/serverless/cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc +++ /dev/null @@ -1,8 +0,0 @@ -:append: -d4c - -[id="security-kubernetes-dashboard-dash{append}"] -= Kubernetes dashboard - -include::../dashboards/kubernetes-dashboard-dash.asciidoc[tag=content] - -:append!: diff --git a/docs/serverless/cloud-native-security/d4c-overview.asciidoc b/docs/serverless/cloud-native-security/d4c-overview.asciidoc deleted file mode 100644 index 5871762204..0000000000 
--- a/docs/serverless/cloud-native-security/d4c-overview.asciidoc +++ /dev/null 
@@ -1,88 +0,0 @@ -[[security-d4c-overview]] -= Container workload protection - -// :description: Identify and block unexpected system behavior in Kubernetes containers. -// :keywords: security, cloud, reference, manage - -preview:[] - -beta:[] - -Elastic Cloud Workload Protection (CWP) for Kubernetes provides cloud-native runtime protections for containerized environments by identifying and optionally blocking unexpected system behavior in Kubernetes containers. - -[discrete] -[[d4c-use-cases]] -== Use cases - -[discrete] -[[security-d4c-overview-threat-detection-and-threat-hunting]] -=== Threat detection & threat hunting - -CWP for Kubernetes sends system events from your containers to {es}. {elastic-sec}'s prebuilt security rules include many designed to detect malicious behavior in container runtimes. These can help you detect events that should never occur in containers, such as reverse shell executions, privilege escalation, container escape attempts, and more. - -[discrete] -[[security-d4c-overview-drift-detection-and-prevention]] -=== Drift detection & prevention - -Cloud-native containers should be immutable, meaning that their file systems should not change during normal operations. By leveraging this principle, security teams can detect unusual system behavior with a high degree of accuracy — without relying on more resource-intensive techniques like memory scanning or attack signature detection. Elastic’s Drift Detection mechanism has a low rate of false positives, so you can deploy it in most environments without worrying about creating excessive alerts. - -[discrete] -[[security-d4c-overview-workload-protection-policies]] -=== Workload protection policies - -CWP for Kubernetes uses a flexible policy language to restrict container workloads to a set of allowlisted capabilities chosen by you. When employed with Drift and Threat Detection, this can provide multiple layers of defense. 
- -[discrete] -[[security-d4c-overview-support-matrix]] -== Support matrix: - -|=== -| | EKS 1.24-1.27 (AL2022)| GKE 1.24-1.27 (COS) - -| Process event exports -| ✓ -| ✓ - -| Network event exports -| ✓ -| ✓ - -| File event exports -| ✓ -| ✓ - -| File blocking -| ✓ -| ✓ - -| Process blocking -| ✓ -| ✓ - -| Network blocking -| ✗ -| ✗ - -| Drift prevention -| ✓ -| ✓ - -| Mount point awareness -| ✓ -| ✓ -|=== - -[discrete] -[[security-d4c-overview-how-cwp-for-kubernetes-works]] -== How CWP for Kubernetes works - -CWP for Kubernetes uses a lightweight integration, Defend for Containers (D4C). When you set up the D4C integration, it gets deployed by {agent}. Specifically, the {agent} is installed as a DaemonSet on your Kubernetes clusters, where it enables D4C to use eBPF Linux Security Modules (https://docs.kernel.org/bpf/prog_lsm.html[LSM]) and tracepoint probes to record system events. Events are evaluated against LSM hook points, enabling {agent} to evaluate system activity against your policy before allowing it to proceed. - -Your D4C integration policy determines which system behaviors (for example, process execution or file creation or deletion) will result in which actions. _Selectors_ and _responses_ define each policy. Selectors define the conditions which cause the associated responses to run. Responses are associated with one or more selectors, and specify one or more actions (such as `log`, `alert`, or `block`) that will occur when the conditions defined in an associated selector are met. - -The default D4C policy sends data about all running processes to your {es} cluster. This data is used by {elastic-sec}'s prebuilt detection rules to detect malicious behavior in container workloads. - -[IMPORTANT] -==== -To learn more about D4C policies, including how to create your own, refer to the <>. -==== 
diff --git a/docs/serverless/cloud-native-security/d4c-policy-guide.asciidoc b/docs/serverless/cloud-native-security/d4c-policy-guide.asciidoc deleted file mode 100644 index 5fc4091077..0000000000 --- a/docs/serverless/cloud-native-security/d4c-policy-guide.asciidoc +++ /dev/null 
@@ -1,163 +0,0 @@ -[[security-d4c-policy-guide]] -= Container workload protection policies - -// :description: Learn to build policies for cloud workload protection for Kubernetes. -// :keywords: security, cloud, reference, manage, cloud security - -preview:[] - -To unlock the full functionality of the Defend for Containers (D4C) integration, you'll need to understand its policy syntax. This will enable you to construct policies that precisely allow expected container behaviors and prevent unexpected behaviors — thereby hardening your container workloads' security posture. - -D4C integration policies consist of _selectors_ and _responses_. Each policy must contain at least one selector and one response. Currently, the system supports two types of selectors and responses: `file` and `process`. -Selectors define which system operations to match and can include multiple conditions (grouped using a logical `AND`) to precisely select events. Responses define which actions to take when a system operation matches the conditions specified in an associated selector. - -The default policy described on this page provides an example that's useful for understanding D4C policies in general. Following the description, you'll find a comprehensive glossary of selector conditions, response fields, and actions. - -[discrete] -[[d4c-default-policies]] -== Default policies: - -The default D4C integration policy includes two selector-response pairs. It is designed to implement core container workload protection capabilities: - -* **Threat Detection:** The first selector-response pair is designed to stream process telemetry data to your {es} cluster so {elastic-sec} can evaluate it to detect threats. Both the selector and response are named `allProcesses`. The selector selects all fork and exec events. The associated response specifies that selected events should be logged. 
-* **Drift Detection & Prevention:** The second selector-response pair is designed to create alerts when container drift is detected. Both the selector and response are named `executableChanges`. The selector selects all `createExecutable` and `modifyExecutable` events. The associated response specifies that the selected events should create alerts, which will be sent to your {es} cluster. You can modify the response to block drift operations by setting it to block. - -[role="screenshot"] -image::images/d4c-policy-guide/-cloud-native-security-d4c-policy-editor.png[The defend for containers policy editor with the default policies] - -[discrete] -[[d4c-selectors-glossary]] -== Selectors - -A selector requires a name and at least one operation. It will select all events of the specified operation types, unless you also include _conditions_ to narrow down the selection. Some conditions are available for both `file` and `process` selectors, while others only available for one type of selector. - -[discrete] -[[security-d4c-policy-guide-common-conditions]] -=== Common conditions - -These conditions are available for both `file` and `process` selectors. - -// [cols="1,1", options="header"] - -|=== -| Name| Description - -| containerImageFullName -| A list of full container image names to match on. For example: `docker.io/nginx`. - -| containerImageName -| A list of container image names to match on. For example: `nginx`. - -| containerImageTag -| A list of container image tags to match on. For example: `latest`. - -| kubernetesClusterId -| A list of Kubernetes cluster IDs to match on. For consistency with KSPM, the `kube-system` namespace's UID is used as a cluster ID. - -| kubernetesClusterName -| A list of Kubernetes cluster names to match on. - -| kubernetesNamespace -| A list of Kubernetes namespaces to match on. - -| kubernetesPodName -| A list of Kubernetes pod names to match on. Trailing wildcards supported. - -| kubernetesPodLabel -| A list of resource labels. 
Trailing wildcards supported (value only), for example: `key1:val*`. -|=== - -[discrete] -[[security-d4c-policy-guide-file-selector-conditions]] -=== File-selector conditions - -These conditions are available only for `file` selectors. - -// [cols="1,1", options="header"] - -|=== -| Name| Description - -| operation -| The list of system operations to match on. Options include `createExecutable`, `modifyExecutable`, `createFile`, `modifyFile`, `deleteFile`. - -| ignoreVolumeMounts -| If set, ignores file operations on _all_ volume mounts. - -| ignoreVolumeFiles -| If set, ignores operations on file mounts only. For example: mounted files, `configMaps`, and secrets. - -| targetFilePath -| A list of file paths to include. Paths are absolute and wildcards are supported. The `*` wildcard matches any sequence of characters within a single directory, while the `**` wildcard matches any sequence of characters across multiple directories and subdirectories. -|=== - -[NOTE] -==== -In order to ensure precise targeting of file integrity monitoring operations, a `TargetFilePath` is required whenever the `deleteFile`, `modifyFile`, or `createFile` operations are used within a selector. -==== - -[discrete] -[[security-d4c-policy-guide-process-selector-conditions]] -=== Process-selector conditions - -These conditions are available only for `process` selectors. - -// [cols="1,1", options="header"] - -|=== -| Name| Description - -| operation -| The list of system operations to match on. Options include `fork` and `exec`. - -| processExecutable -| A list of executables (full path included) to match on. For example: `/usr/bin/cat`. Wildcard support is same as targetFilePath above. - -| processName -| A list of process names (executable basename) to match on. For example: `bash`, `vi`, `cat`. - -| sessionLeaderInteractive -| If set to `true`, will only match on interactive sessions (defined as sessions with a controlling TTY). 
-|=== - -[discrete] -[[security-d4c-policy-guide-response-fields]] -=== Response fields - -A policy can include one or more responses. Each response is comprised of the following fields: - -// [cols="1,1", options="header"] - -|=== -| Field| Description - -| match -| An array of one or more selectors of the same type (`file` or `process`). - -| exclude -| Optional. An array of one or more selectors to use as exclusions to everything in `match`. - -| actions -| An array of actions to perform when at least one `match` selector matches and none of the `exclude` selectors match. Options include `log`, `alert`, and `block`. -|=== - -[discrete] -[[security-d4c-policy-guide-response-actions]] -=== Response actions - -D4C responses can include the following actions: - -|=== -| Action | Description - -| log -| Sends events to the `logs-cloud_defend.file-*` data stream for file responses, and the `logs-cloud_defend.process-*` data stream for process responses. - -| alert -| Writes events (file or process) to the `logs-cloud_defend.alerts-*` data stream. - -| block -a| Prevents the system operation from proceeding. This blocking action happens prior to the execution of the event. It is required that the alert action be set if block is enabled. - -**Note:** Currently, block is only supported on file operations. -|=== diff --git a/docs/serverless/cloud-native-security/environment-variable-capture.asciidoc b/docs/serverless/cloud-native-security/environment-variable-capture.asciidoc index 311796c7a3..2e6e78ab6f 100644 --- a/docs/serverless/cloud-native-security/environment-variable-capture.asciidoc +++ b/docs/serverless/cloud-native-security/environment-variable-capture.asciidoc @@ -4,7 +4,6 @@ // :description: Capture environment variables from monitored Linux sessions. // :keywords: serverless, security, overview, cloud security -preview:[] You can configure an {agent} policy to capture up to five environment variables (`env vars`). 
diff --git a/docs/serverless/cloud-native-security/get-started-with-kspm.asciidoc b/docs/serverless/cloud-native-security/get-started-with-kspm.asciidoc index 2380fb9fef..3208a1f9ae 100644 --- a/docs/serverless/cloud-native-security/get-started-with-kspm.asciidoc +++ b/docs/serverless/cloud-native-security/get-started-with-kspm.asciidoc @@ -3,7 +3,6 @@ // :keywords: serverless, security, overview, cloud security -preview:[] This page explains how to configure the Kubernetes Security Posture Management (KSPM) integration. diff --git a/docs/serverless/cloud-native-security/kspm.asciidoc b/docs/serverless/cloud-native-security/kspm.asciidoc index a5a9e8b200..a58f66aba8 100644 --- a/docs/serverless/cloud-native-security/kspm.asciidoc +++ b/docs/serverless/cloud-native-security/kspm.asciidoc @@ -4,7 +4,6 @@ // :description: Identify configuration risks in your Kubernetes clusters. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[kspm-overview]] diff --git a/docs/serverless/cloud-native-security/security-posture-faq.asciidoc b/docs/serverless/cloud-native-security/security-posture-faq.asciidoc index e130505bd0..0293f456ce 100644 --- a/docs/serverless/cloud-native-security/security-posture-faq.asciidoc +++ b/docs/serverless/cloud-native-security/security-posture-faq.asciidoc @@ -4,7 +4,6 @@ // :description: Frequently asked questions about the CSPM integration. // :keywords: serverless, security, overview, cloud security -preview:[] [discrete] [[cspm-faq]] diff --git a/docs/serverless/cloud-native-security/security-posture-management.asciidoc b/docs/serverless/cloud-native-security/security-posture-management.asciidoc index 0975975752..4a536ba2ef 100644 --- a/docs/serverless/cloud-native-security/security-posture-management.asciidoc +++ b/docs/serverless/cloud-native-security/security-posture-management.asciidoc 
@@ -4,7 +4,6 @@
 // :description: Discovers and evaluates your cloud services and resources against security best practices.
 // :keywords: serverless, security, overview, cloud security
-preview:[]
 [discrete]
 == Overview
diff --git a/docs/serverless/cloud-native-security/session-view.asciidoc b/docs/serverless/cloud-native-security/session-view.asciidoc
index 42092ec300..b8c4514f1f 100644
--- a/docs/serverless/cloud-native-security/session-view.asciidoc
+++ b/docs/serverless/cloud-native-security/session-view.asciidoc
@@ -4,7 +4,6 @@
 // :description: Examine Linux process data in context with Session View.
 // :keywords: serverless, security, overview, how to, cloud security
-preview:[]
 Session View is an investigation tool that allows you to examine Linux process data organized in a tree-like structure according to the Linux logical event model, with processes organized by parentage and time of execution.
@@ -20,11 +19,6 @@ Session View has the following features:
 * **Alerts:** Process, file, and network alerts in the context of the events which caused them.
 * **Terminal output:** Terminal output associated with each process in the session.
-[NOTE]
-====
-To view Linux session data from your Kubernetes infrastructure, you'll need to set up the <>.
-====
-
 [discrete]
 [[enable-session-view]]
 == Enable Session View data
diff --git a/docs/serverless/cloud-native-security/vuln-management-dashboard-dash.asciidoc b/docs/serverless/cloud-native-security/vuln-management-dashboard-dash.asciidoc
index e0934f04ff..cdc9e7ce02 100644
--- a/docs/serverless/cloud-native-security/vuln-management-dashboard-dash.asciidoc
+++ b/docs/serverless/cloud-native-security/vuln-management-dashboard-dash.asciidoc
@@ -1,8 +1,4 @@
-:append: -2
-
-[id="security-kubernetes-dashboard-dash{append}"]
-= Kubernetes dashboard
+= Cloud Native Vulnerability Management dashboard
 include::../dashboards/vuln-management-dashboard-dash.asciidoc[tag=content]
-:append!:
diff --git a/docs/serverless/cloud-native-security/vuln-management-faq.asciidoc b/docs/serverless/cloud-native-security/vuln-management-faq.asciidoc
index fd3ed19567..a87a6af768 100644
--- a/docs/serverless/cloud-native-security/vuln-management-faq.asciidoc
+++ b/docs/serverless/cloud-native-security/vuln-management-faq.asciidoc
@@ -4,7 +4,6 @@
 // :description: Frequently asked questions about the CNVM integration.
 // :keywords: security, cloud, reference, manage
-preview:[]
 Frequently asked questions about the Cloud Native Vulnerability Management (CNVM) integration and features.
diff --git a/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc b/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc
index 1bd4e6a319..c191049b0b 100644
--- a/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc
+++ b/docs/serverless/cloud-native-security/vuln-management-findings.asciidoc
@@ -4,7 +4,6 @@
 // :description: The Findings page displays information about cloud vulnerabilities found in your environment.
 // :keywords: serverless, security, overview, cloud security
-preview:[]
 The **Vulnerabilities** tab on the Findings page displays the vulnerabilities detected by the <>, as well as those detected by <>.
diff --git a/docs/serverless/cloud-native-security/vuln-management-get-started.asciidoc b/docs/serverless/cloud-native-security/vuln-management-get-started.asciidoc
index b2a2157621..0ecc4d5971 100644
--- a/docs/serverless/cloud-native-security/vuln-management-get-started.asciidoc
+++ b/docs/serverless/cloud-native-security/vuln-management-get-started.asciidoc
@@ -4,7 +4,6 @@
 // :description: Set up cloud native vulnerability management.
 // :keywords: serverless, security, overview, cloud security
-preview:[]
 This page explains how to set up Cloud Native Vulnerability Management (CNVM).
diff --git a/docs/serverless/cloud-native-security/vuln-management-overview.asciidoc b/docs/serverless/cloud-native-security/vuln-management-overview.asciidoc
index 2d65262441..fde9a21689 100644
--- a/docs/serverless/cloud-native-security/vuln-management-overview.asciidoc
+++ b/docs/serverless/cloud-native-security/vuln-management-overview.asciidoc
@@ -4,7 +4,6 @@
 // :description: Find and track vulnerabilities in your cloud.
 // :keywords: serverless, security, overview, cloud security
-preview:[]
 Elastic's Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads.
diff --git a/docs/serverless/dashboards/cloud-posture-dashboard-dash.asciidoc b/docs/serverless/dashboards/cloud-posture-dashboard-dash.asciidoc
index f4a6f4eb91..8347befbeb 100644
--- a/docs/serverless/dashboards/cloud-posture-dashboard-dash.asciidoc
+++ b/docs/serverless/dashboards/cloud-posture-dashboard-dash.asciidoc
@@ -12,7 +12,6 @@
 Cloud Security Posture
 ++++
-preview:[]
 The Cloud Security Posture dashboard summarizes your cloud infrastructure's overall performance against <> defined by the Center for Internet Security (CIS). To start collecting this data, refer to <> or <>.
diff --git a/docs/serverless/dashboards/dashboards-overview.asciidoc b/docs/serverless/dashboards/dashboards-overview.asciidoc
index fdb72bdd3b..8c77a3ad78 100644
--- a/docs/serverless/dashboards/dashboards-overview.asciidoc
+++ b/docs/serverless/dashboards/dashboards-overview.asciidoc
@@ -4,7 +4,6 @@
 // :description: Dashboards give you insight into your security environment.
 // :keywords: security, overview, visualize, monitor, analyze
-preview:[]
 The {security-app}'s default dashboards provide useful visualizations of your security environment. To view them in {elastic-sec}, select **Dashboards** from the navigation menu. From the Dashboards page, you can access the default dashboards, as well as create and access custom dashboards.
diff --git a/docs/serverless/dashboards/data-quality-dash.asciidoc b/docs/serverless/dashboards/data-quality-dash.asciidoc
index 1fe09e0392..c19a92cb60 100644
--- a/docs/serverless/dashboards/data-quality-dash.asciidoc
+++ b/docs/serverless/dashboards/data-quality-dash.asciidoc
@@ -8,7 +8,6 @@
 Data Quality
 ++++
-preview:[]
 The Data Quality dashboard shows you whether your data is correctly mapped to the https://www.elastic.co/guide/en/ecs/current/ecs-reference.html[Elastic Common Schema] (ECS). Successful {ref}/mapping.html[mapping] enables you to search, visualize, and interact with your data throughout {elastic-sec}.
diff --git a/docs/serverless/dashboards/detection-entity-dashboard.asciidoc b/docs/serverless/dashboards/detection-entity-dashboard.asciidoc
index 402a86a193..26fc3aaabc 100644
--- a/docs/serverless/dashboards/detection-entity-dashboard.asciidoc
+++ b/docs/serverless/dashboards/detection-entity-dashboard.asciidoc
@@ -8,7 +8,6 @@
 Entity Analytics
 ++++
-preview:[]
 The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and anomalies from within your network. Use it to triage, investigate, and respond to these emerging threats.
diff --git a/docs/serverless/dashboards/detection-response-dashboard.asciidoc b/docs/serverless/dashboards/detection-response-dashboard.asciidoc
index ed14e7a5d4..c4a3f63161 100644
--- a/docs/serverless/dashboards/detection-response-dashboard.asciidoc
+++ b/docs/serverless/dashboards/detection-response-dashboard.asciidoc
@@ -8,7 +8,6 @@
 Detection & Response
 ++++
-preview:[]
 The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts.
diff --git a/docs/serverless/dashboards/kubernetes-dashboard-dash.asciidoc b/docs/serverless/dashboards/kubernetes-dashboard-dash.asciidoc
deleted file mode 100644
index 5f8668b950..0000000000
--- a/docs/serverless/dashboards/kubernetes-dashboard-dash.asciidoc
+++ /dev/null
@@ -1,111 +0,0 @@
-[[security-kubernetes-dashboard-dash]]
-= Kubernetes dashboard
-
-// :description: The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters.
-// :keywords: serverless, security, overview, cloud security
-
-:append:
-
-// tag::content[]
-
-++++
-Kubernetes
-++++
-
-preview:[]
-
-The Kubernetes dashboard provides insight into Linux process data from your Kubernetes clusters. It shows sessions in detail and in the context of your monitored infrastructure.
-
-[role="screenshot"]
-image::images/kubernetes-dashboard/-dashboards-kubernetes-dashboard.png[The Kubernetes dashboard, with numbered labels 1 through 3 for major sections]
-The numbered sections are described below:
-
-. The charts at the top of the dashboard provide an overview of your monitored Kubernetes infrastructure. You can hide them by clicking **Hide charts**.
-. The tree navigation menu allows you to navigate through your deployments and select the scope of the sessions table to the right. You can select any item in the menu to show its sessions. In Logical view, the menu is organized by Cluster, Namespace, Pod, and Container image. In Infrastructure view, it is organized by Cluster, Node, Pod, and Container image.
-. The sessions table displays sessions collected from the selected element of your Kubernetes infrastructure. You can view it in fullscreen by selecting the button in the table's upper right corner. You can sort the table by any of its fields.
-
-You can filter the data using the KQL search bar and date picker at the top of the page.
-
-From the sessions table's Actions column, you can take the following investigative actions:
-
-* View details
-* <>
-* <>
-* <>
-* <>
-
-Session View displays Kubernetes metadata under the **Metadata** tab of the Detail panel:
-
-[role="screenshot"]
-image::images/kubernetes-dashboard/-dashboards-metadata-tab.png[The Detail panel's metadata tab]
-
-The **Metadata** tab is organized into these expandable sections:
-
-* **Metadata:** `hostname`, `id`, `ip`, `mac`, `name`, Host OS information
-* **Cloud:** `instance.name`, `provider`, `region`, `account.id`, `project.id`
-* **Container:** `id`, `name`, `image.name`, `image.tag`, `image.hash.all`
-* **Orchestrator:** `resource.ip`, `resource.name`, `resource.type`, `namespace`, `cluster.id`, `cluster.name`, `parent.type`
-
-[discrete]
-[id="k8s-dash-setup{append}"]
-== Setup
-
-To get data for this dashboard, set up <> for the clusters you want to display on the dashboard.
-
-.Requirements
-[NOTE]
-====
-* Kubernetes node operating systems must have Linux kernels 5.10.16 or higher.
-====
-
-**Support matrix**:
-This feature is currently available on GKE and EKS using Linux hosts and Kubernetes versions that match the following specifications:
-
-|===
-| | |
-
-|
-| EKS 1.24-1.26 (AL2022)
-| GKE 1.24-1.26 (COS)
-
-| Process event exports
-| ✓
-| ✓
-
-| Network event exports
-| ✗
-| ✗
-
-| File event exports
-| ✓
-| ✓
-
-| File blocking
-| ✓
-| ✓
-
-| Process blocking
-| ✓
-| ✓
-
-| Network blocking
-| ✗
-| ✗
-
-| Drift prevention
-| ✓
-| ✓
-
-| Mount point awareness
-| ✓
-| ✓
-|===
-
-[IMPORTANT]
-====
-This dashboard uses data from the `logs-*` index pattern, which is included by default in the <>. To collect data from multiple {es} clusters (as in a cross-cluster deployment), update `logs-*` to `*:logs-*`.
-====
-
-// end::content[]
-
-:append!:
diff --git a/docs/serverless/dashboards/overview-dashboard.asciidoc b/docs/serverless/dashboards/overview-dashboard.asciidoc
index b07348d836..257988cdab 100644
--- a/docs/serverless/dashboards/overview-dashboard.asciidoc
+++ b/docs/serverless/dashboards/overview-dashboard.asciidoc
@@ -8,7 +8,6 @@
 Overview
 ++++
-preview:[]
 The Overview dashboard provides a high-level snapshot of alerts and events. It helps you assess overall system health and find anomalies that may require further investigation.
diff --git a/docs/serverless/dashboards/rule-monitoring-dashboard.asciidoc b/docs/serverless/dashboards/rule-monitoring-dashboard.asciidoc
index 40d6ec377b..005135052a 100644
--- a/docs/serverless/dashboards/rule-monitoring-dashboard.asciidoc
+++ b/docs/serverless/dashboards/rule-monitoring-dashboard.asciidoc
@@ -8,7 +8,6 @@
 Detection rule monitoring
 ++++
-preview:[]
 The Detection rule monitoring dashboard provides visualizations to help you monitor the overall health and performance of {elastic-sec}'s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they're taking to run, search data, and create alerts.
diff --git a/docs/serverless/dashboards/vuln-management-dashboard-dash.asciidoc b/docs/serverless/dashboards/vuln-management-dashboard-dash.asciidoc
index 4bd37ad17c..548c48ea80 100644
--- a/docs/serverless/dashboards/vuln-management-dashboard-dash.asciidoc
+++ b/docs/serverless/dashboards/vuln-management-dashboard-dash.asciidoc
@@ -9,10 +9,9 @@
 // tag::content[]
 ++++
-Cloud Native Vulnerability Management
+Cloud Native Vulnerability Management dashboard
 ++++
-preview:[]
 The Cloud Native Vulnerability Management (CNVM) dashboard gives you an overview of vulnerabilities detected in your cloud infrastructure.
diff --git a/docs/serverless/edr-install-config/agent-tamper-protection.asciidoc b/docs/serverless/edr-install-config/agent-tamper-protection.asciidoc
index f5ec1bf419..56a1342d1e 100644
--- a/docs/serverless/edr-install-config/agent-tamper-protection.asciidoc
+++ b/docs/serverless/edr-install-config/agent-tamper-protection.asciidoc
@@ -4,7 +4,6 @@
 // :description: Block unauthorized attempts to uninstall {agent} on hosts.
 // :keywords: serverless, security, how-to
-preview:[]
 For hosts enrolled in {elastic-defend}, you can prevent unauthorized attempts to uninstall {agent} and {elastic-endpoint} by enabling **Agent tamper protection** on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {elastic-defend}'s endpoint protections.
diff --git a/docs/serverless/edr-install-config/artifact-control.asciidoc b/docs/serverless/edr-install-config/artifact-control.asciidoc
index a98916511d..b2ea1694c4 100644
--- a/docs/serverless/edr-install-config/artifact-control.asciidoc
+++ b/docs/serverless/edr-install-config/artifact-control.asciidoc
@@ -8,7 +8,6 @@
 Configure protection updates
 ++++
-preview:[]
 On the **Protection updates** tab of the {elastic-defend} integration policy, you can configure how {elastic-defend} receives updates from Elastic with the latest threat detections, global exceptions, malware models, rule packages, and other protection artifacts. By default, these artifacts are automatically updated regularly, ensuring your environment is up to date with the latest protections.
diff --git a/docs/serverless/edr-install-config/configure-endpoint-integration-policy.asciidoc b/docs/serverless/edr-install-config/configure-endpoint-integration-policy.asciidoc
index def6970348..f1c6d7cec0 100644
--- a/docs/serverless/edr-install-config/configure-endpoint-integration-policy.asciidoc
+++ b/docs/serverless/edr-install-config/configure-endpoint-integration-policy.asciidoc
@@ -4,7 +4,6 @@
 // :description: Configure settings on an {elastic-defend} integration policy.
 // :keywords: serverless, security, how-to
-preview:[]
 After the {agent} is installed with the {elastic-defend} integration, several protections features — including preventions against malware, ransomware, memory threats, and malicious behavior — are automatically enabled
@@ -246,8 +245,7 @@ image::images/configure-endpoint-integration-policy/-getting-started-install-end
 [[register-as-antivirus]]
 == Register {elastic-sec} as antivirus (optional)
-With {elastic-defend} version 7.10 or later on Windows 7 or later, you can
-register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.
+You can register {elastic-sec} as your hosts' antivirus software by enabling **Register as antivirus**.
 [NOTE]
 ====
diff --git a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc
index 353ca6997f..1f58efdc85 100644
--- a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc
+++ b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc
@@ -4,7 +4,6 @@
 // :description: Manage user roles and privileges to grant access to {elastic-defend} features.
 // :keywords: security, defend, reference, manage
-preview:[]
 You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features.
diff --git a/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc b/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc
index 7173b63bda..fdfe8c6df5 100644
--- a/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc
+++ b/docs/serverless/edr-install-config/deploy-endpoint-macos-cat-mont.asciidoc
@@ -4,7 +4,6 @@
 // :description: Configure access for deploying {elastic-defend} on macOS Monterey.
 // :keywords: security, how-to, secure
-preview:[]
 To properly install and configure {elastic-defend} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {elastic-endpoint}—the installed component that performs {elastic-defend}'s threat monitoring and prevention—is fully functional:
@@ -47,17 +46,17 @@ After successfully loading the {elastic-endpoint} system extension, an addition
 [role="screenshot"]
 image::images/deploy-elastic-endpoint/-getting-started-install-endpoint-filter-network-content.png[]
-* Click **Allow** to enable content filtering for the {elastic-endpoint} system extension. Without this approval, {elastic-endpoint} cannot receive network events and, therefore, cannot enable network-related features such as <>.
+Click **Allow** to enable content filtering for the {elastic-endpoint} system extension. Without this approval, {elastic-endpoint} cannot receive network events and, therefore, cannot enable network-related features such as <>.
 [discrete]
 [[enable-fda-endpoint]]
 == Enable Full Disk Access for {elastic-endpoint}
-{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {elastic-endpoint}.
+{elastic-endpoint} requires Full Disk Access to subscribe to system events using the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. To enable Full Disk Access on endpoints running macOS Catalina (10.15) and later, you must manually approve {elastic-endpoint}.
 [NOTE]
 ====
-The following instructions apply only to {elastic-endpoint} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame's documentation.
+The following instructions apply only to {elastic-endpoint} version 8.0.0 and later. Versions 7.17.0 and earlier are not supported. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame's documentation.
 ====
 // Might need to revisit this note and the section. Keep an eye on https://github.com/elastic/staging-serverless-security-docs/issues/124
@@ -78,15 +77,3 @@ image::images/deploy-elastic-endpoint/-getting-started-fda-select-fda.png[Select
 [role="screenshot"]
 image::images/deploy-elastic-endpoint/-getting-started-fda-select-endpoint-ext.png[]
-If the endpoint is running {elastic-endpoint} version 7.17.0 or earlier:
-
-// Might need to revisit this note and the section. Keep an eye on https://github.com/elastic/staging-serverless-security-docs/issues/124
-
-. In the lower-left corner of the pane, click the **Lock button**, then enter your credentials to authenticate.
-. Click the **+** button to view **Finder**.
-. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file.
-. Click **Open**.
-. In the **Privacy** tab, confirm that `elastic-endpoint` AND `co.elastic.systemextension` are selected to properly enable Full Disk Access.
-+
-[role="screenshot"]
-image::images/deploy-elastic-endpoint/-getting-started-fda-fda-7-16.png[]
diff --git a/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.asciidoc b/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.asciidoc
index f908d5e522..3f98025fe0 100644
--- a/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.asciidoc
+++ b/docs/serverless/edr-install-config/deploy-endpoint-macos-ven.asciidoc
@@ -4,7 +4,6 @@
 // :description: Configure access for deploying {elastic-defend} on macOS Ventura and higher.
 // :keywords: security, how-to, secure
-preview:[]
 To properly install and configure {elastic-defend} manually without a Mobile Device Management (MDM) profile, there are additional permissions that must be enabled on the host before {elastic-endpoint}—the installed component that performs {elastic-defend}'s threat monitoring and prevention—is fully functional:
@@ -57,7 +56,7 @@ Click **Allow** to enable content filtering for the ElasticEndpoint system exten
 [[enable-fda-endpoint-ven]]
 == Enable Full Disk Access for {elastic-endpoint}
-{elastic-endpoint} requires Full Disk Access to subscribe to system events via the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data.
+{elastic-endpoint} requires Full Disk Access to subscribe to system events using the {elastic-defend} framework and to protect your network from malware and other cybersecurity threats. Full Disk Access permissions is a privacy feature introduced in macOS Mojave (10.14) that prevents some applications from accessing your data.
 If you have not granted Full Disk Access, the following notification prompt will appear.
@@ -68,7 +67,7 @@ To enable Full Disk Access, you must manually approve {elastic-endpoint}.
 [NOTE]
 ====
-The following instructions apply only to {elastic-endpoint} version 8.0.0 and later. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame's documentation.
+The following instructions apply only to {elastic-endpoint} version 8.0.0 and later. Versions 7.17.0 and earlier are not supported. To see Full Disk Access requirements for the Endgame sensor, refer to Endgame's documentation.
 ====
 . Open the **System Settings** application.
@@ -85,16 +84,3 @@ image::images/deploy-elastic-endpoint-ven/-getting-started-install-endpoint-ven-
 [role="screenshot"]
 image::images/deploy-elastic-endpoint-ven/-getting-started-install-endpoint-ven-allow_fda_ven.png[]
-If the endpoint is running {elastic-endpoint} version 7.17.0 or earlier:
-
-. Click the **+** button to view **Finder**.
-. The system may prompt you to enter your username and password if you haven't already.
-+
-[role="screenshot"]
-image::images/deploy-elastic-endpoint-ven/-getting-started-install-endpoint-ven-enter_login_details_to_confirm_ven.png[]
-. Navigate to `/Library/Elastic/Endpoint`, then select the `elastic-endpoint` file.
-. Click **Open**.
-. In the **Privacy** tab, confirm that `ElasticEndpoint` and `co.elastic.systemextension` are selected to properly enable Full Disk Access.
-
-[role="screenshot"]
-image::images/deploy-elastic-endpoint-ven/-getting-started-install-endpoint-ven-verify_fed_granted_ven.png[Select Full Disk Access]
diff --git a/docs/serverless/edr-install-config/deploy-endpoint-reqs.asciidoc b/docs/serverless/edr-install-config/deploy-endpoint-reqs.asciidoc
index 8da996e354..0b469f9d2c 100644
--- a/docs/serverless/edr-install-config/deploy-endpoint-reqs.asciidoc
+++ b/docs/serverless/edr-install-config/deploy-endpoint-reqs.asciidoc
@@ -4,7 +4,6 @@
 // :description: System requirements for {elastic-defend}.
 // :keywords: security, other, secure
-preview:[]
 To properly deploy {elastic-defend} without a Mobile Device Management (MDM) profile, you must manually enable additional permissions on the host before {elastic-endpoint}—the installed component that performs {elastic-defend}'s threat monitoring and prevention—is fully functional. For more information, refer to the instructions for your macOS version:
diff --git a/docs/serverless/edr-install-config/deploy-with-mdm.asciidoc b/docs/serverless/edr-install-config/deploy-with-mdm.asciidoc
index 8dd36182f8..64d08766aa 100644
--- a/docs/serverless/edr-install-config/deploy-with-mdm.asciidoc
+++ b/docs/serverless/edr-install-config/deploy-with-mdm.asciidoc
@@ -8,7 +8,6 @@
 Deploy on macOS with MDM
 ++++
-preview:[]
 To silently install and deploy {elastic-defend} without the need for user interaction, you need to configure a mobile device management (MDM) profile for {elastic-endpoint}—the installed component that performs {elastic-defend}'s threat monitoring and prevention. This allows you to pre-approve the {elastic-endpoint} system extension and grant Full Disk Access to all the necessary components.
diff --git a/docs/serverless/edr-install-config/endpoint-diagnostic-data.asciidoc b/docs/serverless/edr-install-config/endpoint-diagnostic-data.asciidoc
index 730f22ca69..8c242c5248 100644
--- a/docs/serverless/edr-install-config/endpoint-diagnostic-data.asciidoc
+++ b/docs/serverless/edr-install-config/endpoint-diagnostic-data.asciidoc
@@ -4,7 +4,6 @@
 // :description: Stop producing diagnostic data for Elastic defend by configuring your integration policy.
 // :keywords: serverless, security, how-to
-preview:[]
 By default, {elastic-defend} streams diagnostic data to your cluster, which Elastic uses to tune protection features. You can stop producing this diagnostic data by configuring the advanced settings in the {elastic-defend} integration policy.
diff --git a/docs/serverless/edr-install-config/endpoint-protection-intro.asciidoc b/docs/serverless/edr-install-config/endpoint-protection-intro.asciidoc
index 565439d52b..208e419774 100644
--- a/docs/serverless/edr-install-config/endpoint-protection-intro.asciidoc
+++ b/docs/serverless/edr-install-config/endpoint-protection-intro.asciidoc
@@ -4,6 +4,5 @@
 // :description: Start protecting your endpoints with {elastic-defend}.
 // :keywords: serverless, security, overview
-preview:[]
 This section contains information on installing and configuring {elastic-defend} for endpoint protection.
diff --git a/docs/serverless/edr-install-config/install-elastic-defend.asciidoc b/docs/serverless/edr-install-config/install-elastic-defend.asciidoc
index 46908d1128..b590f19acd 100644
--- a/docs/serverless/edr-install-config/install-elastic-defend.asciidoc
+++ b/docs/serverless/edr-install-config/install-elastic-defend.asciidoc
@@ -8,7 +8,6 @@
 Install Elastic Defend
 ++++
-preview:[]
 Like other Elastic integrations, {elastic-defend} is integrated into the {agent} using {fleet-guide}/fleet-overview.html[{fleet}]. Upon configuration, the integration allows the {agent} to monitor events on your host and send data to the {security-app}.
@@ -28,7 +27,7 @@ Like other Elastic integrations, {elastic-defend} is integrated into the {agent}
 [[security-before-you-begin]]
 == Before you begin
-If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information.
+If you're using macOS, some versions may require you to grant Full Disk Access to different kernels, system extensions, or files. Refer to <> for more information.
 [NOTE]
 ====
diff --git a/docs/serverless/edr-install-config/linux-file-monitoring.asciidoc b/docs/serverless/edr-install-config/linux-file-monitoring.asciidoc
index cd65c719c8..f8c94a4d29 100644
--- a/docs/serverless/edr-install-config/linux-file-monitoring.asciidoc
+++ b/docs/serverless/edr-install-config/linux-file-monitoring.asciidoc
@@ -8,7 +8,6 @@
 File system monitoring (Linux)
 ++++
-preview:[]
 By default, {elastic-defend} monitors specific Linux file system types that Elastic has tested for compatibility. If your network includes nonstandard, proprietary, or otherwise unrecognized Linux file systems, you can configure the integration policy to extend monitoring and protections to those additional file systems. You can also have {elastic-defend} ignore unrecognized file system types if they don't require monitoring or cause unexpected problems.
diff --git a/docs/serverless/edr-install-config/self-healing-rollback.asciidoc b/docs/serverless/edr-install-config/self-healing-rollback.asciidoc
index fac21460db..3425309f84 100644
--- a/docs/serverless/edr-install-config/self-healing-rollback.asciidoc
+++ b/docs/serverless/edr-install-config/self-healing-rollback.asciidoc
@@ -8,7 +8,6 @@
 Self-healing rollback (Windows)
 ++++
-preview:[]
 {elastic-defend}'s self-healing feature rolls back file changes on Windows endpoints when a prevention alert is generated by enabled protection features. File changes that occurred on the host within five minutes before the prevention alert will revert to their previous state (which may be up to two hours before the alert).
diff --git a/docs/serverless/edr-install-config/uninstall-agent.asciidoc b/docs/serverless/edr-install-config/uninstall-agent.asciidoc
index 6f8813a040..f07443259d 100644
--- a/docs/serverless/edr-install-config/uninstall-agent.asciidoc
+++ b/docs/serverless/edr-install-config/uninstall-agent.asciidoc
@@ -4,7 +4,6 @@
 // :description: Remove {agent} from a host.
 // :keywords: serverless, security, how-to
-preview:[]
 To uninstall {agent} from a host, run the `uninstall` command from the directory where it's running. Refer to the {fleet-guide}/uninstall-elastic-agent.html[{fleet} and {agent} documentation] for more information.
diff --git a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.asciidoc b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.asciidoc
index 76d3f219da..1cba130a7d 100644
--- a/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.asciidoc
+++ b/docs/serverless/edr-manage/allowlist-endpoint-3rd-party-av.asciidoc
@@ -4,7 +4,6 @@
 // :description: Add {elastic-endpoint} as a trusted application in third-party antivirus (AV) software.
 // :keywords: serverless, security, overview
-preview:[]
 [NOTE]
 ====
diff --git a/docs/serverless/edr-manage/blocklist.asciidoc b/docs/serverless/edr-manage/blocklist.asciidoc
index 668cf8b9ba..73571e8be3 100644
--- a/docs/serverless/edr-manage/blocklist.asciidoc
+++ b/docs/serverless/edr-manage/blocklist.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, how-to
-preview:[]
 The blocklist allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. This helps ensure that known malicious processes aren't accidentally executed by end users.
diff --git a/docs/serverless/edr-manage/endpoint-command-ref.asciidoc b/docs/serverless/edr-manage/endpoint-command-ref.asciidoc
index d1bf4ef839..1f79488745 100644
--- a/docs/serverless/edr-manage/endpoint-command-ref.asciidoc
+++ b/docs/serverless/edr-manage/endpoint-command-ref.asciidoc
@@ -4,7 +4,6 @@
 // :description: Manage and troubleshoot {elastic-endpoint} using CLI commands.
 // :keywords: security, reference, manage
-preview:[]
 This page lists the commands for management and troubleshooting of {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention.
diff --git a/docs/serverless/edr-manage/endpoint-event-capture.asciidoc b/docs/serverless/edr-manage/endpoint-event-capture.asciidoc
index 87a24eb111..b35fcd7184 100644
--- a/docs/serverless/edr-manage/endpoint-event-capture.asciidoc
+++ b/docs/serverless/edr-manage/endpoint-event-capture.asciidoc
@@ -4,7 +4,6 @@
 // :description: Learn more about how {elastic-defend} collects event data.
 // :keywords: serverless, security, reference
-preview:[]
 {elastic-defend} collects select data on system activity in order to detect and prevent as many threats as possible, while balancing storage and performance overhead. To that end, {elastic-defend} isn't designed to capture all system events. Some event data that {elastic-defend} generates gets aggregated, truncated, or deduplicated as needed to optimize threat detection and prevention.
diff --git a/docs/serverless/edr-manage/endpoint-self-protection.asciidoc b/docs/serverless/edr-manage/endpoint-self-protection.asciidoc
index 74522e1a82..58418b4575 100644
--- a/docs/serverless/edr-manage/endpoint-self-protection.asciidoc
+++ b/docs/serverless/edr-manage/endpoint-self-protection.asciidoc
@@ -4,7 +4,6 @@
 // :description: Learn how {elastic-endpoint} guards itself from tampering and attacks.
 // :keywords: serverless, security, overview
-preview:[]
 {elastic-endpoint}, the installed component that performs {elastic-defend}'s threat monitoring and prevention, protects itself against users and attackers that may try to interfere with its functionality. Protection features are consistently enhanced to prevent attackers who may attempt to use newer, more sophisticated tactics to interfere with the {elastic-endpoint}. Self-protection is enabled by default when {elastic-endpoint} installs on supported platforms, listed below.
diff --git a/docs/serverless/edr-manage/endpoints-page.asciidoc b/docs/serverless/edr-manage/endpoints-page.asciidoc
index a03e1f6e46..fb8396f152 100644
--- a/docs/serverless/edr-manage/endpoints-page.asciidoc
+++ b/docs/serverless/edr-manage/endpoints-page.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, overview
-preview:[]
 The **Endpoints** page (**Assets** → **Endpoints**) allows administrators to view and manage endpoints that are running the <>.
diff --git a/docs/serverless/edr-manage/event-filters.asciidoc b/docs/serverless/edr-manage/event-filters.asciidoc
index 587411f867..950cf27b84 100644
--- a/docs/serverless/edr-manage/event-filters.asciidoc
+++ b/docs/serverless/edr-manage/event-filters.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, how-to
-preview:[]
 Event filters allow you to filter out endpoint events that you don't want stored in {es} — for example, high-volume events. By creating event filters, you can optimize your storage in {es}.
diff --git a/docs/serverless/edr-manage/host-isolation-exceptions.asciidoc b/docs/serverless/edr-manage/host-isolation-exceptions.asciidoc
index 1a4a274c37..aa53e95e8b 100644
--- a/docs/serverless/edr-manage/host-isolation-exceptions.asciidoc
+++ b/docs/serverless/edr-manage/host-isolation-exceptions.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, how-to
-preview:[]
 You can configure host isolation exceptions for specific IP addresses that <> are still allowed to communicate with, even when blocked from the rest of your network. Isolated hosts can still send data to {elastic-sec}, so you don't need to set up host isolation exceptions for them.
diff --git a/docs/serverless/edr-manage/manage-endpoint-protection.asciidoc b/docs/serverless/edr-manage/manage-endpoint-protection.asciidoc
index b0a4487cdf..8ab979cb2c 100644
--- a/docs/serverless/edr-manage/manage-endpoint-protection.asciidoc
+++ b/docs/serverless/edr-manage/manage-endpoint-protection.asciidoc
@@ -4,6 +4,5 @@
 // :description: Manage endpoint protection artifacts for {elastic-defend}.
 // :keywords: serverless, security, overview
-preview:[]
 This section provides an overview of the management tools on the **Assets** page that administrators can use to manage endpoints, integration policies, trusted applications, event filters, host isolation exceptions, and blocked applications.
diff --git a/docs/serverless/edr-manage/optimize-edr.asciidoc b/docs/serverless/edr-manage/optimize-edr.asciidoc
index 1ef4375f5b..b732ee12a2 100644
--- a/docs/serverless/edr-manage/optimize-edr.asciidoc
+++ b/docs/serverless/edr-manage/optimize-edr.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, how-to
-preview:[]
 If you encounter problems like incompatibilities with other antivirus software, too many false positive alerts, or excessive storage or CPU usage, you can optimize {elastic-defend} to mitigate these issues.
diff --git a/docs/serverless/edr-manage/policies-page-ov.asciidoc b/docs/serverless/edr-manage/policies-page-ov.asciidoc
index 10afde8cda..caa1b6aa50 100644
--- a/docs/serverless/edr-manage/policies-page-ov.asciidoc
+++ b/docs/serverless/edr-manage/policies-page-ov.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, reference
-preview:[]
 The **Policies** page (**Assets** → **Policies**) lists all of the integration policies configured for {elastic-defend}.
diff --git a/docs/serverless/edr-manage/trusted-apps-ov.asciidoc b/docs/serverless/edr-manage/trusted-apps-ov.asciidoc
index 3fd5307aff..5c55b6f1f6 100644
--- a/docs/serverless/edr-manage/trusted-apps-ov.asciidoc
+++ b/docs/serverless/edr-manage/trusted-apps-ov.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, how-to
-preview:[]
 [NOTE]
 ====
@@ -43,7 +42,7 @@ To add a trusted application:
 +
 *** `Hash`: The MD5, SHA-1, or SHA-256 hash value of the application's executable.
 *** `Path`: The full file path of the application's executable.
-*** `Signature`: (Windows only) The name of the application's digital signer.
+*** `Signature`: (Windows and macOS only) The name of the application's digital signer.
 +
 [TIP]
 ====
diff --git a/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc b/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc
index c3085b9344..ce4ddff3e9 100644
--- a/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/automated-response-actions.asciidoc
@@ -4,7 +4,6 @@
 // :description: Automatically respond to events with endpoint response actions triggered by detection rules.
 // :keywords: serverless, security, defend, how-to, manage
-preview:[]
 Add {elastic-defend}'s <> to detection rules to automatically perform actions on an affected host when an event meets the rule's criteria. Use these actions to support your response to detected threats and suspicious events.
diff --git a/docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc b/docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc
index 151182625a..73de009985 100644
--- a/docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc
+++ b/docs/serverless/endpoint-response-actions/host-isolation-ov.asciidoc
@@ -4,7 +4,6 @@
 // :description: Host isolation allows you to cut off a host's network access until you release it.
 // :keywords: serverless, security, defend, how-to, manage
-preview:[]
 Host isolation allows you to isolate hosts from your network, blocking communication with other hosts on your network until you release the host. Isolating a host is useful for responding to malicious activity or preventing potential attacks, as it prevents lateral movement across other hosts.
diff --git a/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc b/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
index bd521a744c..8d870d646d 100644
--- a/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions-config.asciidoc
@@ -4,7 +4,6 @@
 // :description: Configure {elastic-sec} to perform response actions on hosts protected by third-party systems.
 // :keywords: serverless, security, how-to, configure
-preview:[]
 preview::[]
diff --git a/docs/serverless/endpoint-response-actions/response-actions-history.asciidoc b/docs/serverless/endpoint-response-actions/response-actions-history.asciidoc
index 6966293814..6feccc0111 100644
--- a/docs/serverless/endpoint-response-actions/response-actions-history.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions-history.asciidoc
@@ -4,7 +4,6 @@
 // :description: The response actions history log keeps a record of actions taken on endpoints.
 // :keywords: serverless, security, defend, reference, manage
-preview:[]
 {elastic-sec} keeps a log of the <> performed on endpoints, such as isolating a host or terminating a process. The log displays when each command was performed, the host on which the action was performed, the user who requested the action, any comments added to the action, and the action's current status.
diff --git a/docs/serverless/endpoint-response-actions/response-actions.asciidoc b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
index eb00192900..82012f892a 100644
--- a/docs/serverless/endpoint-response-actions/response-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/response-actions.asciidoc
@@ -4,7 +4,6 @@
 // :description: Perform response actions on endpoints using a terminal-like interface.
 // :keywords: serverless, security, defend, reference, manage
-preview:[]
 The response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also recorded in the endpoint's <> for reference.
diff --git a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
index c0d38cb0e1..9963946888 100644
--- a/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
+++ b/docs/serverless/endpoint-response-actions/third-party-actions.asciidoc
@@ -4,7 +4,6 @@
 // :description: Respond to threats on hosts enrolled in third-party security systems.
 // :keywords: serverless, security, defend, reference, manage
-preview:[]
 preview::[]
diff --git a/docs/serverless/explore/conf-map-ui.asciidoc b/docs/serverless/explore/conf-map-ui.asciidoc
index 7b4ae3e0c6..c81ec62f0d 100644
--- a/docs/serverless/explore/conf-map-ui.asciidoc
+++ b/docs/serverless/explore/conf-map-ui.asciidoc
@@ -4,7 +4,6 @@
 // :description: Requirements for setting up and using the Network page.
 // :keywords: serverless, security, how-to, manage
-preview:[]
 Depending on your setup, to display and interact with data on the **Network** page's map you might need to:
diff --git a/docs/serverless/explore/data-views-in-sec.asciidoc b/docs/serverless/explore/data-views-in-sec.asciidoc
index dfaeb02f04..a1b54d1180 100644
--- a/docs/serverless/explore/data-views-in-sec.asciidoc
+++ b/docs/serverless/explore/data-views-in-sec.asciidoc
@@ -4,7 +4,6 @@
 // :description: Use data views to control what data displays on {elastic-sec} pages with event or alert data.
 // :keywords: serverless, security, reference, manage
-preview:[]
 {data-sources-cap} determine what data displays on {elastic-sec} pages with event or alert data. {data-sources-cap} are defined by the index patterns they include.
diff --git a/docs/serverless/explore/explore-your-data.asciidoc b/docs/serverless/explore/explore-your-data.asciidoc
index 02f53a9f34..3f5ea175d9 100644
--- a/docs/serverless/explore/explore-your-data.asciidoc
+++ b/docs/serverless/explore/explore-your-data.asciidoc
@@ -3,7 +3,6 @@
 // :keywords: serverless, security, overview
-preview:[]
 This section contains the following pages:
diff --git a/docs/serverless/explore/hosts-overview.asciidoc b/docs/serverless/explore/hosts-overview.asciidoc
index 2e00548bdf..06e904f705 100644
--- a/docs/serverless/explore/hosts-overview.asciidoc
+++ b/docs/serverless/explore/hosts-overview.asciidoc
@@ -4,7 +4,6 @@
 // :description: Explore the Hosts page to analyze hosts and related security events.
 // :keywords: serverless, security, how-to, analyze
-preview:[]
 The Hosts page provides a comprehensive overview of all hosts and host-related security events. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data, drill down for deeper insights, and interact with Timeline for further investigation.
diff --git a/docs/serverless/explore/network-page-overview.asciidoc b/docs/serverless/explore/network-page-overview.asciidoc
index 434175ba2a..45dba9cece 100644
--- a/docs/serverless/explore/network-page-overview.asciidoc
+++ b/docs/serverless/explore/network-page-overview.asciidoc
@@ -4,7 +4,6 @@
 // :description: Analyze key network activity metrics on an interactive map, and use network event tables for deeper insights.
 // :keywords: serverless, security, how-to, analyze
-preview:[]
 The Network page provides key network activity metrics in an interactive map, and network event tables that enable interaction with Timeline. You can drag and drop items of interest from the Network view to Timeline for further investigation.
diff --git a/docs/serverless/explore/runtime-fields.asciidoc b/docs/serverless/explore/runtime-fields.asciidoc
index a2aa1bc986..d603729924 100644
--- a/docs/serverless/explore/runtime-fields.asciidoc
+++ b/docs/serverless/explore/runtime-fields.asciidoc
@@ -8,7 +8,6 @@
 Create runtime fields
 ++++
-preview:[]
 Runtime fields are fields that you can add to documents after you've ingested your data. For example, you could combine two fields and treat them as one, or perform calculations on existing data and use the result as a separate field. Runtime fields are evaluated when a query is run.
diff --git a/docs/serverless/explore/siem-field-reference.asciidoc b/docs/serverless/explore/siem-field-reference.asciidoc
index 89e054ca88..ce815a77db 100644
--- a/docs/serverless/explore/siem-field-reference.asciidoc
+++ b/docs/serverless/explore/siem-field-reference.asciidoc
@@ -4,7 +4,6 @@
 // :description: Learn which ECS fields are used by {elastic-sec} to display various data.
 // :keywords: serverless, security, reference, manage
-preview:[]
 This section lists {ecs-ref}[Elastic Common Schema] (ECS) fields used by {elastic-sec} to provide an optimal SIEM and security analytics experience to users. These fields are used to display data, provide rule previews, enable detection by prebuilt detection rules, provide context during rule triage and investigation, escalate to cases, and more.
diff --git a/docs/serverless/explore/users-page.asciidoc b/docs/serverless/explore/users-page.asciidoc
index e71450de5b..9f6a095ae2 100644
--- a/docs/serverless/explore/users-page.asciidoc
+++ b/docs/serverless/explore/users-page.asciidoc
@@ -4,7 +4,6 @@
 // :description: Analyze authentication and user behavior within your environment.
 // :keywords: serverless, security, how-to, analyze
-preview:[]
 The Users page provides a comprehensive overview of user data to help you understand authentication and user behavior within your environment. Key performance indicator (KPI) charts, data tables, and interactive widgets let you view specific data and drill down for deeper insights.
diff --git a/docs/serverless/index.asciidoc b/docs/serverless/index.asciidoc
index db363424b1..45ee882f50 100644
--- a/docs/serverless/index.asciidoc
+++ b/docs/serverless/index.asciidoc
@@ -4,7 +4,7 @@ include::{asciidoc-dir}/../../shared/versions/stack/master.asciidoc[]
 include::{asciidoc-dir}/../../shared/attributes.asciidoc[]
 [[what-is-security-serverless]]
-== Elastic Security serverless
+== {sec-serverless}
 ++++
 Elastic Security
@@ -43,6 +43,7 @@ include::./ingest/ingest-data.asciidoc[leveloffset=+2]
 include::./ingest/threat-intelligence.asciidoc[leveloffset=+3]
 include::./ingest/auto-import.asciidoc[leveloffset=+3]
 include::./ingest/agentless-integrations.asciidoc[leveloffset=+3]
+include::./ingest/agentless-troubleshooting.asciidoc[leveloffset=+4]
 include::./edr-install-config/endpoint-protection-intro.asciidoc[leveloffset=+2]
 include::./edr-install-config/deploy-endpoint-reqs.asciidoc[leveloffset=+3]
@@ -103,10 +104,6 @@ include::./cloud-native-security/vuln-management-get-started.asciidoc[leveloffse
 include::./cloud-native-security/vuln-management-findings.asciidoc[leveloffset=+4]
 include::./cloud-native-security/vuln-management-dashboard-dash.asciidoc[leveloffset=+4]
 include::./cloud-native-security/vuln-management-faq.asciidoc[leveloffset=+4]
-include::./cloud-native-security/d4c-overview.asciidoc[leveloffset=+3]
-include::./cloud-native-security/d4c-get-started.asciidoc[leveloffset=+4]
-include::./cloud-native-security/d4c-policy-guide.asciidoc[leveloffset=+4]
-include::./cloud-native-security/d4c-kubernetes-dashboard-dash.asciidoc[leveloffset=+4]
 include::./cloud-native-security/cloud-workload-protection.asciidoc[leveloffset=+3]
 include::./cloud-native-security/environment-variable-capture.asciidoc[leveloffset=+4]
 include::./cloud-native-security/ingest-cncf-data.asciidoc[leveloffset=+3]
@@ -126,7 +123,6 @@ include::./explore/siem-field-reference.asciidoc[leveloffset=+3]
 include::./dashboards/dashboards-overview.asciidoc[leveloffset=+2]
 include::./dashboards/overview-dashboard.asciidoc[leveloffset=+3]
 include::./dashboards/detection-response-dashboard.asciidoc[leveloffset=+3]
-include::./dashboards/kubernetes-dashboard-dash.asciidoc[leveloffset=+3]
 include::./dashboards/cloud-posture-dashboard-dash.asciidoc[leveloffset=+3]
 include::./dashboards/detection-entity-dashboard.asciidoc[leveloffset=+3]
 include::./dashboards/data-quality-dash.asciidoc[leveloffset=+3]
@@ -135,6 +131,7 @@ include::./dashboards/rule-monitoring-dashboard.asciidoc[leveloffset=+3]
 include::./rules/detection-engine-overview.asciidoc[leveloffset=+2]
 include::./rules/detections-permissions-section.asciidoc[leveloffset=+3]
+include::./rules/detections-logsdb-impact.asciidoc[leveloffset=+3]
 include::./rules/about-rules.asciidoc[leveloffset=+2]
 include::./rules/rules-ui-create.asciidoc[leveloffset=+3]
@@ -200,6 +197,4 @@ include::./settings/advanced-settings.asciidoc[leveloffset=+3]
 include::./troubleshooting/troubleshooting-intro.asciidoc[leveloffset=+2]
 include::./troubleshooting/ts-detection-rules.asciidoc[leveloffset=+3]
-include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3]
-
-include::./technical-preview-limitations.asciidoc[leveloffset=+2]
+include::./troubleshooting/troubleshoot-endpoints.asciidoc[leveloffset=+3]
\ No newline at end of file
diff --git a/docs/serverless/ingest/agentless-troubleshooting.asciidoc b/docs/serverless/ingest/agentless-troubleshooting.asciidoc
new file mode 100644
index 0000000000..6629458449
--- /dev/null
+++ b/docs/serverless/ingest/agentless-troubleshooting.asciidoc
@@ -0,0 +1,47 @@
+[[agentless-integration-troubleshooting]]
+= Agentless integrations FAQ
+
+Frequently asked questions and troubleshooting steps for {elastic-sec}'s agentless CSPM integration.
+
+[discrete]
+== When I make a new integration, when will I see the agent appear on the Integration Policies page?
+
+After you create a new agentless integration, the new integration policy may show a button that says **Add agent** instead of the associated agent for several minutes during agent enrollment. No action is needed other than refreshing the page once enrollment is complete.
+
+[discrete]
+== How do I troubleshoot an `Offline` agent?
+
+For agentless integrations to successfully connect to {elastic-sec}, the {fleet} server host value must be the default. Otherwise, the agent status on the {fleet} page will be `Offline`, and logs will include the error `[elastic_agent][error] Cannot checkin in with fleet-server, retrying`.
+
+To troubleshoot this issue:
+
+. Find **{fleet}** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]. Go to the **Settings** tab.
+. Under **{fleet} server hosts**, click the **Actions** button for the policy named `Default`. This opens the Edit {fleet} Server flyout. The policy named `Default` should have the **Make this {fleet} server the default one** setting enabled. If not, enable it, then delete your integration and create it again.
+
+NOTE: If the **Make this {fleet} server the default one** setting was already enabled but problems persist, it's possible someone changed the default {fleet} server's **URL** value. In this case, contact Elastic Support to find out what the original **URL** value was, update the settings to match this value, then delete your integration and create it again.
+
+[discrete]
+== How do I troubleshoot an `Unhealthy` agent?
+
+On the **{fleet}** page, the agent associated with an agentless integration has a name that begins with `agentless`.
To troubleshoot an `Unhealthy` agent:
+
+* Confirm that you entered the correct credentials for the cloud provider you're monitoring. The following is an example of an error log resulting from using incorrect AWS credentials:
++
+```
+[elastic_agent.cloudbeat][error] Failed to update registry: failed to get AWS accounts: operation error Organizations: ListAccounts, get identity: get credentials: failed to refresh cached credentials, operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: XXX, api error AccessDenied: User: XXX is not authorized to perform: sts:AssumeRole on resource:XXX
+```
+
+For instructions on checking {{fleet}} logs, refer to {fleet-guide}/fleet-troubleshooting.html[{fleet} troubleshooting].
+
+[discrete]
+== How do I delete an agentless integration?
+
+NOTE: Deleting your integration will remove all associated resources and stop data ingestion.
+
+When you create a new agentless CSPM integration, a new agent policy appears within the **Agent policies** tab on the **{fleet}** page, but you can't use the **Delete integration** button on this page. Instead, you must delete the integration from the CSPM Integration's **Integration policies** tab.
+
+. Find **Integrations** in the navigation menu or use the {kibana-ref}/introduction.html#kibana-navigation-search[global search field], then search for and select `CSPM`.
+. Go to the CSPM Integration's **Integration policies** tab.
+. Find the integration policy for the integration you want to delete. Click **Actions**, then **Delete integration**.
+. Confirm by clicking **Delete integration** again.
+
diff --git a/docs/serverless/ingest/auto-import.asciidoc b/docs/serverless/ingest/auto-import.asciidoc
index 605d846245..2cbc100c9a 100644
--- a/docs/serverless/ingest/auto-import.asciidoc
+++ b/docs/serverless/ingest/auto-import.asciidoc
@@ -4,7 +4,6 @@
 // :description: Use Automatic Import to quickly normalize and ingest third-party data.
 // :keywords: serverless, security, how-to
-preview:[]
 .Technical preview
 [IMPORTANT]
diff --git a/docs/serverless/ingest/ingest-data.asciidoc b/docs/serverless/ingest/ingest-data.asciidoc
index fc2bb73c70..79544e8b27 100644
--- a/docs/serverless/ingest/ingest-data.asciidoc
+++ b/docs/serverless/ingest/ingest-data.asciidoc
@@ -8,7 +8,6 @@
 Ingest data
 ++++
-preview:[]
 To ingest data, you can use:
diff --git a/docs/serverless/ingest/threat-intelligence.asciidoc b/docs/serverless/ingest/threat-intelligence.asciidoc
index 1f89cadc63..bceb8c4337 100644
--- a/docs/serverless/ingest/threat-intelligence.asciidoc
+++ b/docs/serverless/ingest/threat-intelligence.asciidoc
@@ -4,7 +4,6 @@
 // :description: Use threat indicators to detect known threats and malicious activity.
 // :keywords: serverless, security, how-to
-preview:[]
 The Threat Intelligence view provides a streamlined way to collect threat intelligence data that you can use for threat detection and matching. Threat intelligence data consists of <> ingested from third-party threat intelligence sources.
diff --git a/docs/serverless/investigate/add-manage-notes.asciidoc b/docs/serverless/investigate/add-manage-notes.asciidoc
index 63540f13a4..2aac9b004e 100644
--- a/docs/serverless/investigate/add-manage-notes.asciidoc
+++ b/docs/serverless/investigate/add-manage-notes.asciidoc
@@ -4,7 +4,6 @@
 // :description: Create and manage notes for alerts, events, and Timeline.
 // :keywords: serverless, security, how-to, manage
-preview:[]
 Incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. You can attach notes to alerts, events, and Timelines and manage them from the **Notes** page.
diff --git a/docs/serverless/investigate/case-permissions.asciidoc b/docs/serverless/investigate/case-permissions.asciidoc
index e883d761b7..237a29c724 100644
--- a/docs/serverless/investigate/case-permissions.asciidoc
+++ b/docs/serverless/investigate/case-permissions.asciidoc
@@ -4,7 +4,6 @@
 // :description: Requirements for using and managing cases.
 // :keywords: serverless, security, reference, manage
-preview:[]
 To access cases, you need either the appropriate <> or a <> with the right privileges.
diff --git a/docs/serverless/investigate/cases-open-manage.asciidoc b/docs/serverless/investigate/cases-open-manage.asciidoc
index f3c90ee27f..16dce41c40 100644
--- a/docs/serverless/investigate/cases-open-manage.asciidoc
+++ b/docs/serverless/investigate/cases-open-manage.asciidoc
@@ -4,9 +4,8 @@
 // :description: Create a case in {elastic-sec}, and add files and visualizations.
 // :keywords: serverless, security, how-to, analyze, manage
-preview:[]
-You can create and manage cases using the UI or the {security-guide}/cases-api-overview.html[Cases API].
+You can create and manage cases using the UI or the {api-kibana}/group/endpoint-cases[cases API].
 // Link to classic docs until serverless API docs are available.
@@ -18,8 +17,7 @@ Open a new case to keep track of security issues and share their details with colleagues.
 . Go to **Cases**, then click **Create case**. If no cases exist, the Cases table will be empty and you'll be prompted to create one by clicking the **Create case** button inside the table.
-. (Optional) If you defined <>, select one to use its default field values. preview:[]
-. Give the case a name, assign a severity level, and provide a description. You can use
+. (Optional) If you defined <>, select one to use its default field values. . Give the case a name, assign a severity level, and provide a description. You can use
 https://www.markdownguide.org/cheat-sheet[Markdown] syntax in the case description.
 +
 [NOTE]
diff --git a/docs/serverless/investigate/cases-overview.asciidoc b/docs/serverless/investigate/cases-overview.asciidoc
index b0d0721f97..fbc820ff29 100644
--- a/docs/serverless/investigate/cases-overview.asciidoc
+++ b/docs/serverless/investigate/cases-overview.asciidoc
@@ -4,9 +4,8 @@
 // :description: Cases enable you to track investigation details about security issues.
 // :keywords: security, overview, analyze
-preview:[]
-Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {security-guide}/cases-api-overview.html[Cases API] to perform the same tasks.
+Collect and share information about security issues by opening a case in {elastic-sec}. Cases allow you to track key investigation details, collect alerts in a central location, and more. The {elastic-sec} UI provides several ways to create and manage cases. Alternatively, you can use the {api-kibana}/group/endpoint-cases[cases API] to perform the same tasks.
 // Link to classic docs until serverless API docs are available.
diff --git a/docs/serverless/investigate/cases-settings.asciidoc b/docs/serverless/investigate/cases-settings.asciidoc
index 851d0478c6..54c8e1db2e 100644
--- a/docs/serverless/investigate/cases-settings.asciidoc
+++ b/docs/serverless/investigate/cases-settings.asciidoc
@@ -4,7 +4,6 @@
 // :description: Change the default behavior of {elastic-sec} cases by adding connectors, custom fields, templates, and closure options.
 // :keywords: serverless, security, how-to, configure
-preview:[]
 To access case settings in an {elastic-sec} project, go to **Cases** → **Settings**.
diff --git a/docs/serverless/investigate/indicators-of-compromise.asciidoc b/docs/serverless/investigate/indicators-of-compromise.asciidoc
index 03a1e8f9b0..f02f82f759 100644
--- a/docs/serverless/investigate/indicators-of-compromise.asciidoc
+++ b/docs/serverless/investigate/indicators-of-compromise.asciidoc
@@ -4,7 +4,6 @@
 // :description: Set up the Indicators page to detect, analyze, and respond to threats.
 // :keywords: serverless, security, how-to, analyze, manage
-preview:[]
 The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view of indicators, also known as indicators of compromise (IoCs). This topic helps you set up the Indicators page and explains how to work with IoCs.
diff --git a/docs/serverless/investigate/investigate-events.asciidoc b/docs/serverless/investigate/investigate-events.asciidoc
index c3f627d562..4f7cfe7d2a 100644
--- a/docs/serverless/investigate/investigate-events.asciidoc
+++ b/docs/serverless/investigate/investigate-events.asciidoc
@@ -4,7 +4,6 @@
 // :description: Investigate security events and track security issues in {elastic-sec}.
 // :keywords: serverless, security, overview
-preview:[]
 The following sections describe tools for investigating security events and tracking security issues directly in {elastic-sec}.
diff --git a/docs/serverless/investigate/timeline-object-schema.asciidoc b/docs/serverless/investigate/timeline-object-schema.asciidoc
index 2e768128f3..459353264b 100644
--- a/docs/serverless/investigate/timeline-object-schema.asciidoc
+++ b/docs/serverless/investigate/timeline-object-schema.asciidoc
@@ -4,7 +4,6 @@
 // :description: A list of JSON elements inside the timeline object.
 // :keywords: serverless, security, reference
-preview:[]
 The Timeline schema lists all the JSON fields and objects required to create a Timeline or a Timeline template using the Create Timeline API.
diff --git a/docs/serverless/investigate/timeline-templates-ui.asciidoc b/docs/serverless/investigate/timeline-templates-ui.asciidoc
index 4356ad7c86..98025e7e61 100644
--- a/docs/serverless/investigate/timeline-templates-ui.asciidoc
+++ b/docs/serverless/investigate/timeline-templates-ui.asciidoc
@@ -4,7 +4,6 @@ // :description: Attach Timeline templates to detection rules to streamline investigations. // :keywords: serverless, security, how-to, analyze, manage -preview:[] You can attach Timeline templates to detection rules. When attached, the rule's alerts use the template when they are investigated in Timeline. This enables immediately viewing the alert's most interesting fields when you start an investigation. diff --git a/docs/serverless/investigate/timelines-ui.asciidoc b/docs/serverless/investigate/timelines-ui.asciidoc index 0cfcba0667..16019c0b1c 100644 --- a/docs/serverless/investigate/timelines-ui.asciidoc +++ b/docs/serverless/investigate/timelines-ui.asciidoc @@ -4,7 +4,6 @@ // :description: Investigate events and complex threats in your network. // :keywords: serverless, security, how-to, analyze, manage -preview:[] Use Timeline as your workspace for investigations and threat hunting. You can add alerts from multiple indices to a Timeline to facilitate advanced investigations. diff --git a/docs/serverless/osquery/alerts-run-osquery.asciidoc b/docs/serverless/osquery/alerts-run-osquery.asciidoc index 8efa489aa3..ae24a24cf7 100644 --- a/docs/serverless/osquery/alerts-run-osquery.asciidoc +++ b/docs/serverless/osquery/alerts-run-osquery.asciidoc @@ -4,7 +4,6 @@ // :description: Run live queries against an alert's host to investigate potential security threats and system compromises. // :keywords: serverless, security, how-to, analyze -preview:[] Run live queries on hosts associated with alerts to learn more about your infrastructure and operating systems. For example, with Osquery, you can search your system for indicators of compromise that might have contributed to the alert. You can then use this data to inform your investigation and alert triage efforts. diff --git a/docs/serverless/osquery/invest-guide-run-osquery.asciidoc b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc index bc536194fc..a5281adc29 100644 
--- a/docs/serverless/osquery/invest-guide-run-osquery.asciidoc +++ b/docs/serverless/osquery/invest-guide-run-osquery.asciidoc @@ -4,7 +4,6 @@ // :description: Add and run live queries from a rule's investigation guide. // :keywords: serverless, security, how-to, analyze -preview:[] Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. When you build a custom rule, you can also set up an investigation guide that incorporates Osquery. This allows you to run live queries from a rule's investigation guide as you analyze alerts produced by the rule. diff --git a/docs/serverless/osquery/osquery-placeholder-fields.asciidoc b/docs/serverless/osquery/osquery-placeholder-fields.asciidoc index e8f22c0b9e..02a7c4370c 100644 --- a/docs/serverless/osquery/osquery-placeholder-fields.asciidoc +++ b/docs/serverless/osquery/osquery-placeholder-fields.asciidoc @@ -4,7 +4,6 @@ // :description: Pass data into queries dynamically, to enhance their flexibility and reusability. // :keywords: serverless, security, how-to, manage -preview:[] Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and reusable queries. diff --git a/docs/serverless/osquery/osquery-response-action.asciidoc b/docs/serverless/osquery/osquery-response-action.asciidoc index 0b97338b82..3fa9253f1f 100644 --- a/docs/serverless/osquery/osquery-response-action.asciidoc +++ b/docs/serverless/osquery/osquery-response-action.asciidoc @@ -4,7 +4,6 @@ // :description: Osquery Response Actions allow you to add live queries to custom query rules so you can automatically collect data on systems the rules are monitoring. // :keywords: serverless, security, how-to, manage -preview:[] preview::[] 
diff --git a/docs/serverless/osquery/use-osquery.asciidoc b/docs/serverless/osquery/use-osquery.asciidoc index cc2da6f6ef..f8c3f7a57b 100644 --- a/docs/serverless/osquery/use-osquery.asciidoc +++ b/docs/serverless/osquery/use-osquery.asciidoc @@ -4,7 +4,6 @@ // :description: Integrate Osquery with {elastic-sec} for comprehensive data collection and security monitoring. // :keywords: serverless, security, overview -preview:[] Osquery is an open source tool that lets you use SQL to query operating systems like a database. When you add the {kibana-ref}/manage-osquery-integration.html[Osquery manager integration] to an {agent} policy, Osquery is deployed to all agents assigned to that policy. After completing this setup, you can {kibana-ref}/osquery.html[run live queries and schedule recurring queries] for agents and begin gathering data from your entire environment. diff --git a/docs/serverless/osquery/view-osquery-results.asciidoc b/docs/serverless/osquery/view-osquery-results.asciidoc index 2e79d5fca3..e19821a8a8 100644 --- a/docs/serverless/osquery/view-osquery-results.asciidoc +++ b/docs/serverless/osquery/view-osquery-results.asciidoc @@ -4,7 +4,6 @@ // :description: Analyze results from queries and query packs. // :keywords: serverless, security, how-to, analyze -preview:[] Osquery provides relevant, timely data that you can use to better understand and monitor your environment. When you run queries, results are indexed and displayed the Results table, which you can filter, sort, and interact with. diff --git a/docs/serverless/projects-create/create-project.asciidoc b/docs/serverless/projects-create/create-project.asciidoc index 3723ab8710..7f8dfa589c 100644 --- a/docs/serverless/projects-create/create-project.asciidoc +++ b/docs/serverless/projects-create/create-project.asciidoc 
@@ -1,30 +1,29 @@ [[security-create-project]] = Create a Security project -// :description: Get started with {serverless-short} {elastic-sec} in a few steps. +// :description: Get started with {sec-serverless} in a few steps. // :keywords: serverless, security, how-to, get-started -preview:[] -A {serverless-short} project allows you to run {elastic-sec} in an autoscaled and fully-managed environment, where you don't have to manage the underlying {es} cluster and {kib} instances. +A serverless project allows you to run {elastic-sec} in an autoscaled and fully managed environment, where you don't have to manage the underlying {es} cluster and {kib} instances. [discrete] [[security-create-project-create-project]] == Create project -Use your {ecloud} account to create a fully-managed {elastic-sec} project: +Use your {ecloud} account to create a fully managed {sec-serverless} project: . Navigate to https://cloud.elastic.co/[cloud.elastic.co]. . Log in to your {ecloud} account and select **Create project** from the **Serverless projects** panel. . Select **Next** from the **Security** panel. -. Edit your project settings. (Click **Edit settings** to access all settings.) +. Edit your project settings (click **Edit settings** to access all settings). + ** **Name**: A unique name for your project. ** **Cloud provider**: The cloud platform where you’ll deploy your project. We currently support Amazon Web Services (AWS). ** **Region**: The cloud platform’s <> where your project will live. + -You can also check https://cloud.elastic.co/pricing[the pricing details] to see how you consume {serverless-short} {elastic-sec}. +You can also check https://www.elastic.co/pricing/serverless-security[the pricing details] to see how you consume {sec-serverless}. . Select **Create project**. It takes a few minutes before your project gets created. -. Once the project is ready, select **Continue** to open the **Get started** page. (You might need to log into {ecloud} again.) +. 
Once the project is ready, select **Continue** to open the **Get started** page (you might need to log in to {ecloud} again). + From here, you can learn more about {elastic-sec} features and start setting up your workspace. diff --git a/docs/serverless/rules/about-rules.asciidoc b/docs/serverless/rules/about-rules.asciidoc index 73a8ed7a70..08f6bb88de 100644 --- a/docs/serverless/rules/about-rules.asciidoc +++ b/docs/serverless/rules/about-rules.asciidoc @@ -8,7 +8,6 @@ Rules ++++ -preview:[] Rules run periodically and search for source events, matches, sequences, or {ml} job anomaly results that meet their criteria. When a rule's criteria are met, a detection alert is created. diff --git a/docs/serverless/rules/add-exceptions.asciidoc b/docs/serverless/rules/add-exceptions.asciidoc index 7bee5592c1..5013dc4db8 100644 --- a/docs/serverless/rules/add-exceptions.asciidoc +++ b/docs/serverless/rules/add-exceptions.asciidoc @@ -4,7 +4,6 @@ // :description: Learn how to create and manage rule exceptions. // :keywords: serverless, security, how-to, configure -preview:[] You can add exceptions to a rule from the rule details page, the Alerts table, the alert details flyout, or the Shared Exception Lists page. When you add an exception, you can also close all alerts that meet the exception’s criteria. diff --git a/docs/serverless/rules/alerts-ui-monitor.asciidoc b/docs/serverless/rules/alerts-ui-monitor.asciidoc index c736b52bab..93f706aeb3 100644 --- a/docs/serverless/rules/alerts-ui-monitor.asciidoc +++ b/docs/serverless/rules/alerts-ui-monitor.asciidoc @@ -4,7 +4,6 @@ // :description: Find out how your rules are performing, and troubleshoot common rule issues. // :keywords: serverless, security, how-to, monitor, manage -preview:[] Several tools can help you gain insight into the performance of your detection rules: diff --git a/docs/serverless/rules/building-block-rule.asciidoc b/docs/serverless/rules/building-block-rule.asciidoc index 7bf6da4418..9d3cac2452 100644 
--- a/docs/serverless/rules/building-block-rule.asciidoc +++ b/docs/serverless/rules/building-block-rule.asciidoc @@ -4,7 +4,6 @@ // :description: Set up building block rules and view building block alerts. // :keywords: serverless, security, how-to -preview:[] Create building block rules when you do not want to see their generated alerts in the UI. This is useful when you want: diff --git a/docs/serverless/rules/detection-engine-overview.asciidoc b/docs/serverless/rules/detection-engine-overview.asciidoc index 6058afcba7..f4fbdc269b 100644 --- a/docs/serverless/rules/detection-engine-overview.asciidoc +++ b/docs/serverless/rules/detection-engine-overview.asciidoc @@ -4,7 +4,6 @@ // :description: Learn about the detection engine and its features. // :keywords: serverless, security, overview -preview:[] Use the detection engine to create and manage rules and view the alerts these rules create. Rules periodically search indices (such as `logs-*` and @@ -127,3 +126,9 @@ Refer to <> for a list of all If you get this message, you do not have the <> to view the **Detections** feature, and you should contact your project administrator. + +[discrete] +[[detections-logsdb-index-mode]] +== Using logsDB index mode + +LogsDB is enabled by default for Elastic serverless. Refer to <> to learn more. \ No newline at end of file diff --git a/docs/serverless/rules/detections-logsdb-impact.asciidoc b/docs/serverless/rules/detections-logsdb-impact.asciidoc new file mode 100644 index 0000000000..f3f97a3f38 --- /dev/null +++ b/docs/serverless/rules/detections-logsdb-impact.asciidoc 
@@ -0,0 +1,63 @@
+[[detections-logsdb-index-mode-impact]]
+= Using logsDB index mode with {sec-serverless}
+
+LogsDB is enabled by default for {serverless-full}. This topic explains the impact of using logsDB index mode with {sec-serverless}.
+
+With logsDB index mode, the original `_source` field is not stored in the index but can be reconstructed using {ref}/mapping-source-field.html#synthetic-source[synthetic `_source`].
+
+When the `_source` is reconstructed, {ref}/mapping-source-field.html#synthetic-source-modifications[modifications] are possible. Therefore, there could be a mismatch between user's expectations and how fields are formatted.
+
+Continue reading to find out how this affects specific {sec-serverless} components.
+
+[discrete]
+[[logsdb-alerts]]
+== Alerts
+
+When alerts are generated, the `_source` event is copied into the alert to retain the original data. When the logsDB index mode is applied, the `_source` event stored in the alert is reconstructed using synthetic `_source`.
+
+If you're switching to use logsDB index mode, the `_source` field stored in the alert might look different in certain situations:
+
+* {ref}/mapping-source-field.html#synthetic-source-modifications-leaf-arrays[Arrays can be reconstructed differently or deduplicated]
+* {ref}/mapping-source-field.html#synthetic-source-modifications-field-names[Field names]
+* `geo_point` data fields (refer to {ref}/mapping-source-field.html#synthetic-source-modifications-ranges[Representation of ranges] and {ref}/mapping-source-field.html#synthetic-source-precision-loss-for-point-types[Reduced precision of `geo_point` values] for more information)
+
+Alerts generated by the following rule types could be affected:
+
+* Custom query
+* Event correlation (non-sequence only)
+* Non-aggregate rule types (for example, {esql} rules that use non-aggregating queries)
+
+Alerts that are generated by threshold, {ml}, and event correlation sequence rules are not affected since they do not contain copies of the original source.
+
+[discrete]
+[[logsdb-rule-actions]]
+== Rule actions
+
+While we do not recommend using `_source` for actions, in cases where the action relies on the `_source`, the same limitations and changes apply.
+
+If you send alert notifications by enabling {kibana-ref}/alerting-getting-started.html#alerting-concepts-actions[actions] to the external systems that have workflows or automations based on fields formatted from the original source, they may be affected. In particular, this can happen when the fields used are arrays of objects.
+
+We recommend checking and adjusting the rule actions using `_source` before switching to logsDB index mode.
+
+[discrete]
+[[logsdb-runtime-fields]]
+== Runtime fields
+
+Runtime fields that reference `_source` may be affected. Some runtime fields might not work and need to be adjusted. For example, if an event was indexed with the value of `agent.name` in the dot-notation form, it will be returned in the nested form and might not work.
+
+The following is an example of accessing `_source` that works with the logsDB index mode enabled:
+
+[source,console]
+----
+"source": """ emit(params._source.agent.name + "_____" + doc['agent.name'].value ); """
+"source": """ emit(params._source['agent']['name'] + "_____" + doc['agent.name'].value ); """
+"source": """ emit(field('agent.name').get(null) + "_____" + doc['agent.name'].value ); """
+"source": """ emit($('agent.name', null) + "_____" + doc['agent.name'].value ); """
+----
+
+The following will not work with synthetic source (logsDB index mode enabled):
+
+[source,console]
+----
+"source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """
+----
\ No newline at end of file
diff --git a/docs/serverless/rules/detections-permissions-section.asciidoc b/docs/serverless/rules/detections-permissions-section.asciidoc
index f185b54887..c955c8c987 100644
--- a/docs/serverless/rules/detections-permissions-section.asciidoc
+++ b/docs/serverless/rules/detections-permissions-section.asciidoc
@@ -4,7 +4,6 @@
 // :description: Requirements for setting up and configuring the detections feature.
 // :keywords: serverless, security, reference, manage
-preview:[]
 To use the <>, you first need to configure a few settings. You also need the appropriate role to send
diff --git a/docs/serverless/rules/detections-ui-exceptions.asciidoc b/docs/serverless/rules/detections-ui-exceptions.asciidoc
index f5f7ed3f7f..7cdff538da 100644
--- a/docs/serverless/rules/detections-ui-exceptions.asciidoc
+++ b/docs/serverless/rules/detections-ui-exceptions.asciidoc
@@ -4,7 +4,6 @@
 // :description: Understand the different types of rule exceptions.
 // :keywords: serverless, security, overview
-preview:[]
 You can associate rule exceptions with detection and endpoint rules to prevent trusted processes and network activity from generating unnecessary alerts, therefore, reducing the number of false positives.
diff --git a/docs/serverless/rules/interactive-investigation-guides.asciidoc b/docs/serverless/rules/interactive-investigation-guides.asciidoc index 7ec6a3cfae..61e224339f 100644 --- a/docs/serverless/rules/interactive-investigation-guides.asciidoc +++ b/docs/serverless/rules/interactive-investigation-guides.asciidoc @@ -4,7 +4,6 @@ // :description: Pivot from detection alerts to investigations with interactive investigation guide actions. // :keywords: serverless, security, how-to, analyze, configure -preview:[] Detection rule investigation guides suggest steps for triaging, analyzing, and responding to potential security issues. For custom rules, you can create an interactive investigation guide that includes buttons for launching runtime queries in <>, using alert data and hard-coded literal values. This allows you to start detailed Timeline investigations directly from an alert using relevant data. diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc index 1f7d3cd530..76113f5c91 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules-management.asciidoc @@ -8,7 +8,6 @@ Use Elastic prebuilt rules ++++ -preview:[] Follow these guidelines to start using the {security-app}'s <>, keep them updated, and make sure they have the data needed to run successfully. diff --git a/docs/serverless/rules/prebuilt-rules/prebuilt-rules.asciidoc b/docs/serverless/rules/prebuilt-rules/prebuilt-rules.asciidoc index ab1b1bc1a7..43c802e750 100644 --- a/docs/serverless/rules/prebuilt-rules/prebuilt-rules.asciidoc +++ b/docs/serverless/rules/prebuilt-rules/prebuilt-rules.asciidoc @@ -3,7 +3,6 @@ // :description: Learn more about Elastic's prebuilt detection rules. -preview:[] Refer to the following documentation for more details about Elastic's prebuilt rules: 
diff --git a/docs/serverless/rules/rules-coverage.asciidoc b/docs/serverless/rules/rules-coverage.asciidoc index 31d4ddd969..92e933e691 100644 --- a/docs/serverless/rules/rules-coverage.asciidoc +++ b/docs/serverless/rules/rules-coverage.asciidoc @@ -4,7 +4,6 @@ // :description: Review your current coverage of MITRE ATT&CK® tactics and techniques, based on installed rules. // :keywords: security, how-to, manage, analyze, visualize -preview:[] The **MITRE ATT&CK® coverage** page (**Rules** → **MITRE ATT&CK® Coverage**) shows which https://attack.mitre.org[MITRE ATT&CK®] adversary tactics and techniques are covered by your installed and enabled detection rules. This includes both Elastic prebuilt rules and custom rules. diff --git a/docs/serverless/rules/rules-ui-create.asciidoc b/docs/serverless/rules/rules-ui-create.asciidoc index 626764e7cf..60e7e7d5dd 100644 --- a/docs/serverless/rules/rules-ui-create.asciidoc +++ b/docs/serverless/rules/rules-ui-create.asciidoc @@ -4,7 +4,6 @@ // :description: Create detection rules to monitor your environment for suspicious and malicious behavior. // :keywords: serverless, security, defend, how-to, manage, secure -preview:[] To create a new detection rule, follow these steps: diff --git a/docs/serverless/rules/rules-ui-management.asciidoc b/docs/serverless/rules/rules-ui-management.asciidoc index 6a3a6e69a7..130f8ed91c 100644 --- a/docs/serverless/rules/rules-ui-management.asciidoc +++ b/docs/serverless/rules/rules-ui-management.asciidoc @@ -4,7 +4,6 @@ // :description: Manage your detection rules and enable Elastic prebuilt rules on the Rules page. // :keywords: serverless, security, how-to, manage -preview:[] The Rules page allows you to view and manage all prebuilt and custom detection rules. 
@@ -82,7 +81,7 @@ Similarly, rules will be skipped if they can't be modified by a bulk edit. For e
 +
 [NOTE]
 ====
-Rule actions won't run during a {kibana-ref}/maintenance-windows.html[maintenance window]. They'll resume running after the maintenance window ends.
+Rule actions won't run during a <>. They'll resume running after the maintenance window ends.
 ====
 ** **Update rule schedules**: Update the <> and look-back times on all selected rules.
 ** **Apply Timeline template**: Apply a specified <> to the selected rules. You can also choose **None** to remove Timeline templates from the selected rules.
@@ -178,7 +177,7 @@ If you try to export with both prebuilt and custom rules selected, only the cust The `.ndjson` file also includes any actions, connectors, and exception lists related to the exported rules. However, other configuration items require additional handling when exporting and importing rules: -* **Data views**: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (**Project settings** → **Content** → **Saved Objects**) to share the data view with the destination space. +* **Data views**: For rules that use a {kib} data view as a data source, the exported file contains the associated `data_view_id`, but does _not_ include any other data view configuration. To export/import between {kib} spaces, first use the <> UI (**Project settings** → **Stack Management** → **Saved Objects**) to share the data view with the destination space. To import into a different {stack} deployment, the destination cluster must include a data view with a matching data view ID (configured in the {kibana-ref}/data-views.html[data view's advanced settings]). Alternatively, after importing, you can manually reconfigure the rule to use an appropriate data view in the destination system. 
@@ -186,7 +185,7 @@ To import into a different {stack} deployment, the destination cluster must incl + [TIP] ==== -You can also use the {kibana-ref}/managing-saved-objects.html#managing-saved-objects-share-to-space[Saved Objects] UI (**Project settings** → **Content** → **Saved Objects**) to export and import necessary connectors before importing detection rules. +You can also use the <> UI (**Project settings** → **Stack Management** → **Saved Objects**) to export and import necessary connectors before importing detection rules. ==== * **Value lists**: Any value lists used for rule exceptions are _not_ included in rule exports or imports. Use the <> UI (**Rules** → **Detection rules (SIEM)** → **Manage value lists**) to export and import value lists separately. diff --git a/docs/serverless/rules/shared-exception-lists.asciidoc b/docs/serverless/rules/shared-exception-lists.asciidoc index c269137996..a6c168a271 100644 --- a/docs/serverless/rules/shared-exception-lists.asciidoc +++ b/docs/serverless/rules/shared-exception-lists.asciidoc @@ -4,7 +4,6 @@ // :description: Learn how to create and manage shared exception lists. // :keywords: serverless, security, how-to -preview:[] Shared exception lists allow you to group exceptions together and then apply them to multiple rules. Use the Shared Exception Lists page to set up shared exception lists. diff --git a/docs/serverless/rules/tuning-detection-signals.asciidoc b/docs/serverless/rules/tuning-detection-signals.asciidoc index 3788a5c580..8916731800 100644 --- a/docs/serverless/rules/tuning-detection-signals.asciidoc +++ b/docs/serverless/rules/tuning-detection-signals.asciidoc @@ -4,7 +4,6 @@ // :description: Tune prebuilt and custom detection rules to optimize alert generation. // :keywords: serverless, security, how-to -preview:[] Using the {security-app}, you can tune prebuilt and custom detection rules to optimize alert generation. To reduce noise, you can: 
diff --git a/docs/serverless/rules/value-lists-exceptions.asciidoc b/docs/serverless/rules/value-lists-exceptions.asciidoc index d1fe4c39ce..3c2c9c0ec9 100644 --- a/docs/serverless/rules/value-lists-exceptions.asciidoc +++ b/docs/serverless/rules/value-lists-exceptions.asciidoc @@ -4,7 +4,6 @@ // :description: Make and manage value lists. // :keywords: serverless, security, how-to -preview:[] Value lists hold multiple values of the same Elasticsearch data type, such as IP addresses, which are used to determine when an exception prevents an alert from being generated. You can use value lists to define exceptions for detection rules; however, you cannot use value lists to define endpoint rule exceptions. diff --git a/docs/serverless/sec-requirements.asciidoc b/docs/serverless/sec-requirements.asciidoc index 94558fdfa7..ecbf8ac860 100644 --- a/docs/serverless/sec-requirements.asciidoc +++ b/docs/serverless/sec-requirements.asciidoc @@ -4,8 +4,6 @@ // :description: Requirements for using and configuring {elastic-sec}. // :keywords: serverless, security, how-to, manage -preview:[] - The https://www.elastic.co/support/matrix[Support Matrix] page lists officially supported operating systems, platforms, and browsers on which components such as {beats}, {agent}, {elastic-defend}, and {elastic-endpoint} have been tested. diff --git a/docs/serverless/security-overview.asciidoc b/docs/serverless/security-overview.asciidoc index afce3c8dce..c122e800c6 100644 --- a/docs/serverless/security-overview.asciidoc +++ b/docs/serverless/security-overview.asciidoc @@ -3,7 +3,6 @@ // :keywords: serverless, security, reference -preview:[] {elastic-sec} combines threat detection analytics, cloud native security, and endpoint protection capabilities in a single solution, so you can quickly detect, investigate, and respond to threats and vulnerabilities across your environment. 
@@ -20,7 +19,7 @@ preview:[] * <>: Navigate {elastic-sec}'s various tools and interfaces. * <>: Use {elastic-sec}'s detection engine with custom and prebuilt rules. -* <>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud native vulnerability management, and cloud workload protection for Kubernetes and VMs. +* <>: Enable cloud native security capabilities such as Cloud and Kubernetes security posture management, cloud vulnerability management, and cloud workload protection for Kubernetes and VMs. * <>: Enable key endpoint protection capabilities like event collection and malicious activity prevention. * https://www.elastic.co/products/stack/machine-learning[{ml-cap}]: Enable built-in {ml} tools to help you identify malicious behavior. * <>: Leverage {elastic-sec}'s detection engine and {ml} capabilities to generate comprehensive risk analytics for hosts and users. diff --git a/docs/serverless/security-ui.asciidoc b/docs/serverless/security-ui.asciidoc index b5d5050cc7..b2421b829a 100644 --- a/docs/serverless/security-ui.asciidoc +++ b/docs/serverless/security-ui.asciidoc @@ -3,8 +3,6 @@ // :keywords: serverless, security, reference -preview:[] - The {security-app} is a highly interactive workspace designed for security analysts that provides a clear overview of events and alerts from your environment. You can use the interactive UI to drill down into areas of interest. [discrete] @@ -204,8 +202,6 @@ The Assets section allows you to manage the following features: ** <>: View and manage the blocklist, which allows you to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. ** <>: Find the history of response actions performed on hosts. * <> -+ -** <>: Identify and block unexpected system behavior in Kubernetes containers. [discrete] [[security-ui-ml-cap]] 
diff --git a/docs/serverless/settings/advanced-settings.asciidoc b/docs/serverless/settings/advanced-settings.asciidoc index 3f28e023cd..b100aa047f 100644 --- a/docs/serverless/settings/advanced-settings.asciidoc +++ b/docs/serverless/settings/advanced-settings.asciidoc @@ -4,7 +4,6 @@ // :description: Update advanced {elastic-sec} settings. // :keywords: serverless, security, reference, manage -preview:[] The advanced settings determine: @@ -38,7 +37,7 @@ To access advanced settings, go to **Project Settings** → **Management** → * [TIP] ==== -For more information on non-Security settings, refer to {kibana-ref}/advanced-options.html[Advanced Settings]. Some settings might not be available in {serverless-short} projects. +For more information on non-Security settings, refer to {kibana-ref}/advanced-options.html[Advanced Settings]. Some settings might not be available in serverless projects. ==== [role="screenshot"] diff --git a/docs/serverless/settings/manage-settings.asciidoc b/docs/serverless/settings/manage-settings.asciidoc index 848b489ce9..fd832d1ea7 100644 --- a/docs/serverless/settings/manage-settings.asciidoc +++ b/docs/serverless/settings/manage-settings.asciidoc @@ -3,7 +3,6 @@ // :keywords: serverless, security, overview -preview:[] These pages explain how to manage settings in various areas of the {security-app}: diff --git a/docs/serverless/settings/project-settings.asciidoc b/docs/serverless/settings/project-settings.asciidoc index 9a4b8d70f5..1ded959ff8 100644 --- a/docs/serverless/settings/project-settings.asciidoc +++ b/docs/serverless/settings/project-settings.asciidoc @@ -4,6 +4,5 @@ // :description: Configure project-wide settings related to users, billing, data management, and more. // :keywords: serverless, security, overview, manage -preview:[] Navigate to **Project settings** to configure project-wide settings related to users, billing, data management, and more. 
diff --git a/docs/serverless/technical-preview-limitations.asciidoc b/docs/serverless/technical-preview-limitations.asciidoc
deleted file mode 100644
index 4f507a5b62..0000000000
--- a/docs/serverless/technical-preview-limitations.asciidoc
+++ /dev/null
@@ -1,14 +0,0 @@
-[[security-technical-preview-limitations]]
-= Technical preview limitations
-
-// :description: Review the limitations that apply to Elastic Security projects in technical preview.
-// :keywords: serverless, security
-
-preview:[]
-
-Currently, workloads outside of the following ranges may experience higher latencies:
-
-* Data ingest rate, total of all data sources, greater than 500GB per day
-* Number of {ml} jobs greater than 50
-* Searchable data size greater than 10TB
-* Number of endpoints and Cloud assets for {fleet} and {agent} management greater than 40,000
diff --git a/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc b/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc
index 92c70d7eb1..05800cecd9 100644
--- a/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc
+++ b/docs/serverless/troubleshooting/troubleshoot-endpoints.asciidoc
@@ -7,7 +7,6 @@ Elastic Defend
 ++++
-preview:[]
 This topic covers common troubleshooting issues when using {elastic-defend}'s <>.
diff --git a/docs/serverless/troubleshooting/ts-detection-rules.asciidoc b/docs/serverless/troubleshooting/ts-detection-rules.asciidoc
index bb66887996..664c0e4e05 100644
--- a/docs/serverless/troubleshooting/ts-detection-rules.asciidoc
+++ b/docs/serverless/troubleshooting/ts-detection-rules.asciidoc
@@ -8,7 +8,6 @@ Detection rules
 ++++
-preview:[]
 This topic covers common troubleshooting issues when creating or managing <>.
diff --git a/docs/serverless/what-is-security-serverless.asciidoc b/docs/serverless/what-is-security-serverless.asciidoc
index 1d393fed92..375d35c3f1 100644
--- a/docs/serverless/what-is-security-serverless.asciidoc
+++ b/docs/serverless/what-is-security-serverless.asciidoc
@@ -1,10 +1,9 @@ // :keywords: serverless, security, overview -preview:[] {elastic-sec} combines threat detection analytics, cloud native security, and endpoint protection in a single solution, so you can quickly detect, investigate, and respond to threats and vulnerabilities across your environment. -Serverless projects provide you with the existing {elastic-sec} on-premise and Elastic Cloud deployment functionality, and the following new features and capabilities: +Serverless projects provide you with the existing {elastic-sec} on-premise and {ecloud} deployment functionality, and the following new features and capabilities: * Continuous onboarding hub at the center of the **Get started** page * Security-focused, single-level navigation @@ -17,7 +16,7 @@ Serverless projects provide you with the existing {elastic-sec} on-premise and E [discrete] == Get started -* <>: Create your first {serverless-short} Security project. +* <>: Create your first serverless Security project. * <>: Learn how to add your own data to {elastic-sec}. [discrete] diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 30f9811e84..63ad2a79ae 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -2,170 +2,4 @@
 [chapter]
 = What's new in {minor-version}
 
-Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>.
-
-Other versions: {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
-{security-guide-all}/7.9/whats-new.html[7.9]
-
-// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
-// tag::notable-highlights[]
-
-[float]
-== Generative AI enhancements
-
-[float]
-=== Improved Automatic Import capabilities
-
-{security-guide}/automatic-import.html[Automatic Import] can now use a larger variety of large language models and accept larger log samples in a wider range of common formats.
-
-[float]
-=== Analyze more alerts with Attack Discovery
-
-{security-guide}/attack-discovery.html[Attack Discovery] can now analyze up to 500 alerts at once, and provides higher-quality responses.
-
-[role="screenshot"]
-image::whats-new/images/8.16/attck-disc-alerts-number-menu.png[Attack Discovery alert settings,60%]
-
-[float]
-=== Customize Elastic AI Assistant using Knowledge Base
-
-Elastic AI Assistant's new {security-guide}/ai-assistant-knowledge-base.html[Knowledge Base] feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context. This improves the relevance, quality, and customization of its responses.
-
-[role="screenshot"]
-image::whats-new/images/8.16/knowledge-base-add-index-config.png[Knowledge Base's Edit index entry menu,80%]
-
-[float]
-== Entity Analytics enhancements
-
-[float]
-=== Manage persisted entity metadata with entity store
-
-preview:[] The {security-guide}/entity-store.html[entity store] feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the {elastic-sec} default data view, the entity store lets you query entity metadata without real-time data searches.
-
-After you enable the entity store, the Entity Analytics dashboard displays the {security-guide}/detection-entity-dashboard.html#entity-entities[**Entities** section], which offers a comprehensive view of all hosts and users in your environment. You can filter them by their source, entity risk level, and asset criticality level.
-
-[role="screenshot"]
-image::whats-new/images/8.16/entities-section.png[Entities section of the Entity Analytics dashboard]
-
-[float]
-=== Asset criticality is available by default
-
-The advanced setting for enabling {security-guide}/asset-criticality.html[asset criticality] has been removed, and this feature is now available by default.
-
-[float]
-=== Run entity risk scoring in multiple spaces
-
-You can now enable and run {security-guide}/entity-risk-scoring.html[entity risk scoring] in multiple {kib} spaces. This allows you to analyze and monitor entity risk in different contexts simultaneously.
-
-[float]
-=== Recalculate entity risk scores after file upload
-
-When you {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] using the file upload feature, the newly assigned criticality levels are automatically factored in during the next hourly risk scoring calculation. You can now manually trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now** during the file upload process.
-
-[role="screenshot"]
-image::whats-new/images/8.16/recalc-ers.png[Recalculate entity risk scores]
-
-[float]
-== Detection rules and alerts enhancements
-
-[float]
-=== Enable prebuilt detection rules on installation
-
-Previously, {security-guide}/prebuilt-rules-management.html#load-prebuilt-rules[installing and enabling prebuilt rules] took two steps. You can now do both in one step with the **Install and enable** option. This works for both single and multiple rules.
-
-[role="screenshot"]
-image::whats-new/images/8.16/install-enable-rules.png[Install and enable rules, 80%]
-
-[float]
-=== Run rules manually
-
-{security-guide}/rules-ui-management.html#manually-run-rules[Manually run rules] for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the **Execution results** tab of the rule details page.
-
-[role="screenshot"]
-image::whats-new/images/8.16/manual-rule-run-table.png[Manual rule run table]
-
-[float]
-=== Exclude cold and frozen data from rules
-
-Rules that query cold and frozen data tiers might perform more slowly or fail. To ensure that the rules in your {kib} space exclude query results from cold and frozen tiers when executing, configure the `excludedDataTiersForRuleExecution` <>.
-
-[float]
-=== View {es} queries that run during rule execution
-
-When previewing a rule, you can also {security-guide}/rules-ui-create.html#view-rule-es-queries[learn about its {es} queries], which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for {esql} and EQL rules only.
-
-[float]
-=== Alert suppression is generally available for more rule types
-
-{security-guide}/alert-suppression.html[Alert suppression] is generally available for the indicator match, threshold, {ml}, {esql}, and new terms rule types. It is still in technical preview for event correlation rules.
-
-[float]
-== Investigations enhancements
-
-[float]
-=== Add notes to alerts, events, and Timelines
-
-You can now attach {security-guide}/add-manage-notes.html[notes] to alerts, events, and Timelines, and manage them from the **Notes** page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings.
-
-[role="screenshot"]
-image::whats-new/images/8.16/new-note-alert-event.png[New note added to an alert]
-
-[float]
-=== View analyzed events from the alert details flyout
-
-preview:[] By enabling the new `securitySolution:enableVisualizationsInFlyout` advanced setting, you can {security-guide}/view-alert-details.html#expanded-visualizations-view[view analyzed alerts and events] in the **Visualize** tab of the alert details flyout. This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events.
-
-[role="screenshot"]
-image::whats-new/images/8.16/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%]
-
-[float]
-=== Resize alert and event details flyouts
-
-You can now resize the alert and event details flyouts and choose how they're displayed—over the Alerts table or next to it.
-
-[role="screenshot"]
-image::whats-new/images/8.16/flyout-settings.gif[Change alert details flyout settings]
-
-[float]
-== {elastic-defend} and response actions enhancements
-
-[float]
-=== More SentinelOne third-party response actions
-
-Additional third-party response actions are available using Elastic's {security-guide}/third-party-actions.html#sentinelone-response-actions[SentinelOne] integration and connector:
-
-* Get processes
-* Terminate a process
-
-[float]
-=== {elastic-defend}'s automated response actions support all rule types
-
-You can now configure any detection rule type to perform {elastic-defend}'s {security-guide}/automated-response-actions.html[automated response actions].
-
-[float]
-=== New rules for {elastic-defend}'s endpoint protection features
-
-New prebuilt rules tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior—allow you to configure actions tailored for detection or prevention of each type.
-
-[role="screenshot"]
-image::whats-new/images/8.16/endpoint-protection-rules.png[Endpoint protection rules]
-
-[float]
-== Cloud Security enhancements
-
-[float]
-=== Ingest third-party cloud security data
-
-You can now {security-guide}/ingest-third-party-cloud-security-data.html[ingest cloud security data] from several third-party sources—Falco, AWS Security Hub, and Wiz—into {elastic-sec}. The data appears on the **Alerts** and **Findings** pages, and in the user and host details flyouts.
-
-[role="screenshot"]
-image::whats-new/images/8.16/wiz-findings.png[Wiz data on the Findings page]
-
-[float]
-=== Simplify posture data collection with agentless Cloud Security Posture Management deployment
-
-Elastic's native {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers.
-
-
-
-// end::notable-highlights[]
+Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>.
\ No newline at end of file
diff --git a/docs/whats-new/images/8.0/data-view.png b/docs/whats-new/images/8.0/data-view.png
deleted file mode 100644
index 8219a92a8d..0000000000
Binary files a/docs/whats-new/images/8.0/data-view.png and /dev/null differ
diff --git a/docs/whats-new/images/8.0/rule-monitor-table.png b/docs/whats-new/images/8.0/rule-monitor-table.png
deleted file mode 100644
index 6436e171a1..0000000000
Binary files a/docs/whats-new/images/8.0/rule-monitor-table.png and /dev/null differ
diff --git a/docs/whats-new/images/8.0/threat-intel.png b/docs/whats-new/images/8.0/threat-intel.png
deleted file mode 100644
index 19359efd9c..0000000000
Binary files a/docs/whats-new/images/8.0/threat-intel.png and /dev/null differ
diff --git a/docs/whats-new/images/8.1/alert-details.gif b/docs/whats-new/images/8.1/alert-details.gif
deleted file mode 100644
index 1f3e343d76..0000000000
Binary files a/docs/whats-new/images/8.1/alert-details.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.1/bulk-actions.png b/docs/whats-new/images/8.1/bulk-actions.png
deleted file mode 100644
index 097b5c0981..0000000000
Binary files a/docs/whats-new/images/8.1/bulk-actions.png and /dev/null differ
diff --git a/docs/whats-new/images/8.1/cases-kpis.png b/docs/whats-new/images/8.1/cases-kpis.png
deleted file mode 100644
index f9ad9a5fc3..0000000000
Binary files a/docs/whats-new/images/8.1/cases-kpis.png and /dev/null differ
diff --git a/docs/whats-new/images/8.1/column-sort.gif b/docs/whats-new/images/8.1/column-sort.gif
deleted file mode 100644
index 0f10217462..0000000000
Binary files a/docs/whats-new/images/8.1/column-sort.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.1/counts-table.gif b/docs/whats-new/images/8.1/counts-table.gif
deleted file mode 100644
index 3869916341..0000000000
Binary files a/docs/whats-new/images/8.1/counts-table.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.10/ai-assistant-privilege.png b/docs/whats-new/images/8.10/ai-assistant-privilege.png
deleted file mode 100644
index 60f36f54e6..0000000000
Binary files a/docs/whats-new/images/8.10/ai-assistant-privilege.png and /dev/null differ
diff --git a/docs/whats-new/images/8.10/custom-highlighted-fields.png b/docs/whats-new/images/8.10/custom-highlighted-fields.png
deleted file mode 100644
index b31d2a851b..0000000000
Binary files a/docs/whats-new/images/8.10/custom-highlighted-fields.png and /dev/null differ
diff --git a/docs/whats-new/images/8.10/nav-overview.gif b/docs/whats-new/images/8.10/nav-overview.gif
deleted file mode 100644
index 00c0bb0a7b..0000000000
Binary files a/docs/whats-new/images/8.10/nav-overview.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.10/open-alert-details-flyout.gif b/docs/whats-new/images/8.10/open-alert-details-flyout.gif
deleted file mode 100644
index ea70b9dae7..0000000000
Binary files a/docs/whats-new/images/8.10/open-alert-details-flyout.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.10/prebuilt-rule-details-flyout.png b/docs/whats-new/images/8.10/prebuilt-rule-details-flyout.png
deleted file mode 100644
index 32d2942c3e..0000000000
Binary files a/docs/whats-new/images/8.10/prebuilt-rule-details-flyout.png and /dev/null differ
diff --git a/docs/whats-new/images/8.10/rules-coverage.png b/docs/whats-new/images/8.10/rules-coverage.png
deleted file mode 100644
index b446481ae6..0000000000
Binary files a/docs/whats-new/images/8.10/rules-coverage.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/agent-tamper-protection.png b/docs/whats-new/images/8.11/agent-tamper-protection.png
deleted file mode 100644
index 267d1dea23..0000000000
Binary files a/docs/whats-new/images/8.11/agent-tamper-protection.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/cases-add-custom-field.png b/docs/whats-new/images/8.11/cases-add-custom-field.png
deleted file mode 100644
index b756445430..0000000000
Binary files a/docs/whats-new/images/8.11/cases-add-custom-field.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/cases-settings.png b/docs/whats-new/images/8.11/cases-settings.png
deleted file mode 100644
index efa89aad29..0000000000
Binary files a/docs/whats-new/images/8.11/cases-settings.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/entity-risk-score.png b/docs/whats-new/images/8.11/entity-risk-score.png
deleted file mode 100644
index 3306ac0e6a..0000000000
Binary files a/docs/whats-new/images/8.11/entity-risk-score.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/esql-rule.png b/docs/whats-new/images/8.11/esql-rule.png
deleted file mode 100644
index c768a1a154..0000000000
Binary files a/docs/whats-new/images/8.11/esql-rule.png and /dev/null differ
diff --git a/docs/whats-new/images/8.11/esql-tab.png b/docs/whats-new/images/8.11/esql-tab.png
deleted file mode 100644
index ab491d0f5e..0000000000
Binary files a/docs/whats-new/images/8.11/esql-tab.png and /dev/null differ
diff --git a/docs/whats-new/images/8.12/alert-assigned-alerts.png b/docs/whats-new/images/8.12/alert-assigned-alerts.png
deleted file mode 100644
index 1d63dccf53..0000000000
Binary files a/docs/whats-new/images/8.12/alert-assigned-alerts.png and /dev/null differ
diff --git a/docs/whats-new/images/8.12/exclude-cold-frozen-tiers.png b/docs/whats-new/images/8.12/exclude-cold-frozen-tiers.png
deleted file mode 100644
index 4206c18fd9..0000000000
Binary files a/docs/whats-new/images/8.12/exclude-cold-frozen-tiers.png and /dev/null differ
diff --git a/docs/whats-new/images/8.12/osquery-timeout-setting.png b/docs/whats-new/images/8.12/osquery-timeout-setting.png
deleted file mode 100644
index 1706f697e8..0000000000
Binary files a/docs/whats-new/images/8.12/osquery-timeout-setting.png and /dev/null differ
diff --git a/docs/whats-new/images/8.12/prebuilt-rules-update-diff.png b/docs/whats-new/images/8.12/prebuilt-rules-update-diff.png
deleted file mode 100644
index 64f0728409..0000000000
Binary files a/docs/whats-new/images/8.12/prebuilt-rules-update-diff.png and /dev/null differ
diff --git a/docs/whats-new/images/8.12/timeline-ui-updated.png b/docs/whats-new/images/8.12/timeline-ui-updated.png
deleted file mode 100644
index ed43e4a4d2..0000000000
Binary files a/docs/whats-new/images/8.12/timeline-ui-updated.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/alert-details-flyout-right-panel.png b/docs/whats-new/images/8.13/alert-details-flyout-right-panel.png
deleted file mode 100644
index 1f01cda76a..0000000000
Binary files a/docs/whats-new/images/8.13/alert-details-flyout-right-panel.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/assign-asset-criticality-host-details.png b/docs/whats-new/images/8.13/assign-asset-criticality-host-details.png
deleted file mode 100644
index c55e4b5e7d..0000000000
Binary files a/docs/whats-new/images/8.13/assign-asset-criticality-host-details.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/automated-response-actions.png b/docs/whats-new/images/8.13/automated-response-actions.png
deleted file mode 100644
index 342e9729b0..0000000000
Binary files a/docs/whats-new/images/8.13/automated-response-actions.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/benchmark-rules.png b/docs/whats-new/images/8.13/benchmark-rules.png
deleted file mode 100644
index 107ba0ca1e..0000000000
Binary files a/docs/whats-new/images/8.13/benchmark-rules.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/cnvm-findings-grouped.png b/docs/whats-new/images/8.13/cnvm-findings-grouped.png
deleted file mode 100644
index b62bd0564b..0000000000
Binary files a/docs/whats-new/images/8.13/cnvm-findings-grouped.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/data-qual-dash.png b/docs/whats-new/images/8.13/data-qual-dash.png
deleted file mode 100644
index ae64e2c729..0000000000
Binary files a/docs/whats-new/images/8.13/data-qual-dash.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/data-view-selection.png b/docs/whats-new/images/8.13/data-view-selection.png
deleted file mode 100644
index f0d15645ec..0000000000
Binary files a/docs/whats-new/images/8.13/data-view-selection.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/date-range-selection.png b/docs/whats-new/images/8.13/date-range-selection.png
deleted file mode 100644
index 40515f6832..0000000000
Binary files a/docs/whats-new/images/8.13/date-range-selection.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/event-details.png b/docs/whats-new/images/8.13/event-details.png
deleted file mode 100644
index 072b19c65d..0000000000
Binary files a/docs/whats-new/images/8.13/event-details.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/host-details-flyout.png b/docs/whats-new/images/8.13/host-details-flyout.png
deleted file mode 100644
index 52d97feb95..0000000000
Binary files a/docs/whats-new/images/8.13/host-details-flyout.png and /dev/null differ
diff --git a/docs/whats-new/images/8.13/prebuilt-rules-update-diff.png b/docs/whats-new/images/8.13/prebuilt-rules-update-diff.png
deleted file mode 100644
index 07bd15ab9d..0000000000
Binary files a/docs/whats-new/images/8.13/prebuilt-rules-update-diff.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/asset-criticality-file-upload.gif b/docs/whats-new/images/8.14/asset-criticality-file-upload.gif
deleted file mode 100644
index 2ec6653769..0000000000
Binary files a/docs/whats-new/images/8.14/asset-criticality-file-upload.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.14/attack-discovery-full-card.png b/docs/whats-new/images/8.14/attack-discovery-full-card.png
deleted file mode 100644
index af90d5c604..0000000000
Binary files a/docs/whats-new/images/8.14/attack-discovery-full-card.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/contribution-scores-per-alert.png b/docs/whats-new/images/8.14/contribution-scores-per-alert.png
deleted file mode 100644
index 483980f378..0000000000
Binary files a/docs/whats-new/images/8.14/contribution-scores-per-alert.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/edit-value-lists.png b/docs/whats-new/images/8.14/edit-value-lists.png
deleted file mode 100644
index dd53a8dc11..0000000000
Binary files a/docs/whats-new/images/8.14/edit-value-lists.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/malware-protection.png b/docs/whats-new/images/8.14/malware-protection.png
deleted file mode 100644
index 21f824edec..0000000000
Binary files a/docs/whats-new/images/8.14/malware-protection.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/register-as-antivirus.png b/docs/whats-new/images/8.14/register-as-antivirus.png
deleted file mode 100644
index 17e6b9cc5d..0000000000
Binary files a/docs/whats-new/images/8.14/register-as-antivirus.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/setup-guide-field.png b/docs/whats-new/images/8.14/setup-guide-field.png
deleted file mode 100644
index 32c298b982..0000000000
Binary files a/docs/whats-new/images/8.14/setup-guide-field.png and /dev/null differ
diff --git a/docs/whats-new/images/8.14/unassign-criticality.png b/docs/whats-new/images/8.14/unassign-criticality.png
deleted file mode 100644
index 3c6dcfaa5e..0000000000
Binary files a/docs/whats-new/images/8.14/unassign-criticality.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/auto-import-success-message.png b/docs/whats-new/images/8.15/auto-import-success-message.png
deleted file mode 100644
index d7ef0a8530..0000000000
Binary files a/docs/whats-new/images/8.15/auto-import-success-message.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/cases-add-custom-field.png b/docs/whats-new/images/8.15/cases-add-custom-field.png
deleted file mode 100644
index 134ea000a8..0000000000
Binary files a/docs/whats-new/images/8.15/cases-add-custom-field.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/cases-add-template.png b/docs/whats-new/images/8.15/cases-add-template.png
deleted file mode 100644
index 29075ec9f2..0000000000
Binary files a/docs/whats-new/images/8.15/cases-add-template.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/event-filter-process-descendants.png b/docs/whats-new/images/8.15/event-filter-process-descendants.png
deleted file mode 100644
index f41c2fa9f8..0000000000
Binary files a/docs/whats-new/images/8.15/event-filter-process-descendants.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/max-alerts-per-run.png b/docs/whats-new/images/8.15/max-alerts-per-run.png
deleted file mode 100644
index d1109318aa..0000000000
Binary files a/docs/whats-new/images/8.15/max-alerts-per-run.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/required-fields-related-integrations.png b/docs/whats-new/images/8.15/required-fields-related-integrations.png
deleted file mode 100644
index b41f4424c8..0000000000
Binary files a/docs/whats-new/images/8.15/required-fields-related-integrations.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/timeline-notes-flyout.png b/docs/whats-new/images/8.15/timeline-notes-flyout.png
deleted file mode 100644
index 2b46de2658..0000000000
Binary files a/docs/whats-new/images/8.15/timeline-notes-flyout.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/timeline-sidebar-and-table.png b/docs/whats-new/images/8.15/timeline-sidebar-and-table.png
deleted file mode 100644
index 3f26511421..0000000000
Binary files a/docs/whats-new/images/8.15/timeline-sidebar-and-table.png and /dev/null differ
diff --git a/docs/whats-new/images/8.15/timeline-ui-renderer.png b/docs/whats-new/images/8.15/timeline-ui-renderer.png
deleted file mode 100644
index e799fe2236..0000000000
Binary files a/docs/whats-new/images/8.15/timeline-ui-renderer.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png b/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png
deleted file mode 100644
index bcbb57ccce..0000000000
Binary files a/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/endpoint-protection-rules.png b/docs/whats-new/images/8.16/endpoint-protection-rules.png
deleted file mode 100644
index 9c1627472d..0000000000
Binary files a/docs/whats-new/images/8.16/endpoint-protection-rules.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/entities-section.png b/docs/whats-new/images/8.16/entities-section.png
deleted file mode 100644
index 9bb4c5338d..0000000000
Binary files a/docs/whats-new/images/8.16/entities-section.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/flyout-settings.gif b/docs/whats-new/images/8.16/flyout-settings.gif
deleted file mode 100644
index 4de1a03c50..0000000000
Binary files a/docs/whats-new/images/8.16/flyout-settings.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.16/install-enable-rules.png b/docs/whats-new/images/8.16/install-enable-rules.png
deleted file mode 100644
index 797ecbf897..0000000000
Binary files a/docs/whats-new/images/8.16/install-enable-rules.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/knowledge-base-add-index-config.png b/docs/whats-new/images/8.16/knowledge-base-add-index-config.png
deleted file mode 100644
index 3fcb91977b..0000000000
Binary files a/docs/whats-new/images/8.16/knowledge-base-add-index-config.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/manual-rule-run-table.png b/docs/whats-new/images/8.16/manual-rule-run-table.png
deleted file mode 100644
index ddacb233e2..0000000000
Binary files a/docs/whats-new/images/8.16/manual-rule-run-table.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/new-note-alert-event.png b/docs/whats-new/images/8.16/new-note-alert-event.png
deleted file mode 100644
index 33e47fd17e..0000000000
Binary files a/docs/whats-new/images/8.16/new-note-alert-event.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/recalc-ers.png b/docs/whats-new/images/8.16/recalc-ers.png
deleted file mode 100644
index d498799f18..0000000000
Binary files a/docs/whats-new/images/8.16/recalc-ers.png and /dev/null differ
diff --git a/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif b/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif
deleted file mode 100644
index 487f87c74a..0000000000
Binary files a/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.16/wiz-findings.png b/docs/whats-new/images/8.16/wiz-findings.png
deleted file mode 100644
index 4a5c2ea60b..0000000000
Binary files a/docs/whats-new/images/8.16/wiz-findings.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/alert-prevalance.png b/docs/whats-new/images/8.2/alert-prevalance.png
deleted file mode 100644
index 06ad251c39..0000000000
Binary files a/docs/whats-new/images/8.2/alert-prevalance.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/blocklist-page.png b/docs/whats-new/images/8.2/blocklist-page.png
deleted file mode 100644
index 87782a099b..0000000000
Binary files a/docs/whats-new/images/8.2/blocklist-page.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/dga.png b/docs/whats-new/images/8.2/dga.png
deleted file mode 100644
index e1c2d59986..0000000000
Binary files a/docs/whats-new/images/8.2/dga.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/getting-started.png b/docs/whats-new/images/8.2/getting-started.png
deleted file mode 100644
index a782ef6094..0000000000
Binary files a/docs/whats-new/images/8.2/getting-started.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/policies-page.png b/docs/whats-new/images/8.2/policies-page.png
deleted file mode 100644
index 81b21f3c91..0000000000
Binary files a/docs/whats-new/images/8.2/policies-page.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/preview-rules.png b/docs/whats-new/images/8.2/preview-rules.png
deleted file mode 100644
index 03516a0917..0000000000
Binary files a/docs/whats-new/images/8.2/preview-rules.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/rule-exec-logs.png b/docs/whats-new/images/8.2/rule-exec-logs.png
deleted file mode 100644
index 48daaf860a..0000000000
Binary files a/docs/whats-new/images/8.2/rule-exec-logs.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/run-osquery.png b/docs/whats-new/images/8.2/run-osquery.png
deleted file mode 100644
index 80856f0239..0000000000
Binary files a/docs/whats-new/images/8.2/run-osquery.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/session-view.png b/docs/whats-new/images/8.2/session-view.png
deleted file mode 100644
index dd4e431f54..0000000000
Binary files a/docs/whats-new/images/8.2/session-view.png and /dev/null differ
diff --git a/docs/whats-new/images/8.2/users-page.png b/docs/whats-new/images/8.2/users-page.png
deleted file mode 100644
index 7e1b18409a..0000000000
Binary files a/docs/whats-new/images/8.2/users-page.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/actions-icon.png b/docs/whats-new/images/8.3/actions-icon.png
deleted file mode 100644
index 7cb02ecf39..0000000000
Binary files a/docs/whats-new/images/8.3/actions-icon.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/alert-prevalance.gif b/docs/whats-new/images/8.3/alert-prevalance.gif
deleted file mode 100644
index 24d058d76f..0000000000
Binary files a/docs/whats-new/images/8.3/alert-prevalance.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.3/cloud-integration.png b/docs/whats-new/images/8.3/cloud-integration.png
deleted file mode 100644
index d014f51e8f..0000000000
Binary files a/docs/whats-new/images/8.3/cloud-integration.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/detection-response-dashboard.png b/docs/whats-new/images/8.3/detection-response-dashboard.png
deleted file mode 100644
index ae2e9cd18f..0000000000
Binary files a/docs/whats-new/images/8.3/detection-response-dashboard.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/grouped-nav.png b/docs/whats-new/images/8.3/grouped-nav.png
deleted file mode 100644
index b3f28a0a0f..0000000000
Binary files a/docs/whats-new/images/8.3/grouped-nav.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/run-osquery.png b/docs/whats-new/images/8.3/run-osquery.png
deleted file mode 100644
index 43dcded63a..0000000000
Binary files a/docs/whats-new/images/8.3/run-osquery.png and /dev/null differ
diff --git a/docs/whats-new/images/8.3/user-auth.png b/docs/whats-new/images/8.3/user-auth.png
deleted file mode 100644
index 43853e4740..0000000000
Binary files a/docs/whats-new/images/8.3/user-auth.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/cases-privs.png b/docs/whats-new/images/8.4/cases-privs.png
deleted file mode 100644
index 02f21a3572..0000000000
Binary files a/docs/whats-new/images/8.4/cases-privs.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/cloud-sec-dashboard.png b/docs/whats-new/images/8.4/cloud-sec-dashboard.png
deleted file mode 100644
index ae51940f88..0000000000
Binary files a/docs/whats-new/images/8.4/cloud-sec-dashboard.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/credential-hardening.png b/docs/whats-new/images/8.4/credential-hardening.png
deleted file mode 100644
index 1ef86f3f6f..0000000000
Binary files a/docs/whats-new/images/8.4/credential-hardening.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/host-risk-score-enable-dev-tools-wn.png b/docs/whats-new/images/8.4/host-risk-score-enable-dev-tools-wn.png
deleted file mode 100644
index ed121232d9..0000000000
Binary files a/docs/whats-new/images/8.4/host-risk-score-enable-dev-tools-wn.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/insights.png b/docs/whats-new/images/8.4/insights.png
deleted file mode 100644
index 31b36b4c14..0000000000
Binary files a/docs/whats-new/images/8.4/insights.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/ksp-integration.png b/docs/whats-new/images/8.4/ksp-integration.png
deleted file mode 100644
index 66d9ffd01f..0000000000
Binary files a/docs/whats-new/images/8.4/ksp-integration.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/new-nav.gif b/docs/whats-new/images/8.4/new-nav.gif
deleted file mode 100644
index 9cfce62185..0000000000
Binary files a/docs/whats-new/images/8.4/new-nav.gif and /dev/null differ
diff --git a/docs/whats-new/images/8.4/new-terms.png b/docs/whats-new/images/8.4/new-terms.png
deleted file mode 100644
index 502fcb1717..0000000000
Binary files a/docs/whats-new/images/8.4/new-terms.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/osquery.png b/docs/whats-new/images/8.4/osquery.png
deleted file mode 100644
index cac855a57c..0000000000
Binary files a/docs/whats-new/images/8.4/osquery.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/response-console.png b/docs/whats-new/images/8.4/response-console.png
deleted file mode 100644
index 8a6717ace1..0000000000
Binary files a/docs/whats-new/images/8.4/response-console.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/rule-details-prerequisites.png b/docs/whats-new/images/8.4/rule-details-prerequisites.png
deleted file mode 100755
index 3579ac86c2..0000000000
Binary files a/docs/whats-new/images/8.4/rule-details-prerequisites.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/rule-preview.png b/docs/whats-new/images/8.4/rule-preview.png
deleted file mode 100644
index a675288ef5..0000000000
Binary files a/docs/whats-new/images/8.4/rule-preview.png and /dev/null differ
diff --git a/docs/whats-new/images/8.4/treemap-view.png b/docs/whats-new/images/8.4/treemap-view.png
deleted file mode 100644
index 06aea4ed99..0000000000
Binary files a/docs/whats-new/images/8.4/treemap-view.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/affects-rule.png b/docs/whats-new/images/8.5/affects-rule.png
deleted file mode 100644
index 32608566f4..0000000000
Binary files a/docs/whats-new/images/8.5/affects-rule.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/alert-counts.png b/docs/whats-new/images/8.5/alert-counts.png
deleted file mode 100644
index dc032d1bbe..0000000000
Binary files a/docs/whats-new/images/8.5/alert-counts.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/elastic-defend-config.png b/docs/whats-new/images/8.5/elastic-defend-config.png
deleted file mode 100644
index 44d08334af..0000000000
Binary files a/docs/whats-new/images/8.5/elastic-defend-config.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/elastic-defend.png b/docs/whats-new/images/8.5/elastic-defend.png
deleted file mode 100644
index 9ff2cdb606..0000000000
Binary files a/docs/whats-new/images/8.5/elastic-defend.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/ioc.png b/docs/whats-new/images/8.5/ioc.png
deleted file mode 100644
index 7645276104..0000000000
Binary files a/docs/whats-new/images/8.5/ioc.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/render-view.png b/docs/whats-new/images/8.5/render-view.png
deleted file mode 100644
index c19c2a0054..0000000000
Binary files a/docs/whats-new/images/8.5/render-view.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/response-history.png b/docs/whats-new/images/8.5/response-history.png
deleted file mode 100644
index a69ee0662f..0000000000
Binary files a/docs/whats-new/images/8.5/response-history.png and /dev/null differ
diff --git a/docs/whats-new/images/8.5/rule-preview.png b/docs/whats-new/images/8.5/rule-preview.png
deleted file mode 100644
index d1bd2ae21a..0000000000
Binary files a/docs/whats-new/images/8.5/rule-preview.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/DED-integration.png b/docs/whats-new/images/8.6/DED-integration.png
deleted file mode 100644
index 3bcec6214f..0000000000
Binary files a/docs/whats-new/images/8.6/DED-integration.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/TI-card.png b/docs/whats-new/images/8.6/TI-card.png
deleted file mode 100644
index a1b99b2fd8..0000000000
Binary files a/docs/whats-new/images/8.6/TI-card.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/add-alerts.png b/docs/whats-new/images/8.6/add-alerts.png
deleted file mode 100644
index 0bf1879fd7..0000000000
Binary files a/docs/whats-new/images/8.6/add-alerts.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/alert-flyout.png b/docs/whats-new/images/8.6/alert-flyout.png
deleted file mode 100644
index 9ea22f82ec..0000000000
Binary files a/docs/whats-new/images/8.6/alert-flyout.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/cloud-dashboard.png b/docs/whats-new/images/8.6/cloud-dashboard.png
deleted file mode 100644
index 7012e14a73..0000000000
Binary files a/docs/whats-new/images/8.6/cloud-dashboard.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/default-rule-list.png b/docs/whats-new/images/8.6/default-rule-list.png
deleted file mode 100644
index 771f2b9b28..0000000000
Binary files a/docs/whats-new/images/8.6/default-rule-list.png and /dev/null differ
diff --git a/docs/whats-new/images/8.6/entity-dashboard.png b/docs/whats-new/images/8.6/entity-dashboard.png deleted file mode 100644 index 6eab8ec696..0000000000 Binary files a/docs/whats-new/images/8.6/entity-dashboard.png and /dev/null differ diff --git a/docs/whats-new/images/8.6/rbac.png b/docs/whats-new/images/8.6/rbac.png deleted file mode 100644 index 8abc855115..0000000000 Binary files a/docs/whats-new/images/8.6/rbac.png and /dev/null differ diff --git a/docs/whats-new/images/8.6/rule-exceptions-page.png b/docs/whats-new/images/8.6/rule-exceptions-page.png deleted file mode 100644 index 912feec301..0000000000 Binary files a/docs/whats-new/images/8.6/rule-exceptions-page.png and /dev/null differ diff --git a/docs/whats-new/images/8.6/tines-connector.png b/docs/whats-new/images/8.6/tines-connector.png deleted file mode 100644 index 34f470e2b8..0000000000 Binary files a/docs/whats-new/images/8.6/tines-connector.png and /dev/null differ diff --git a/docs/whats-new/images/8.6/trend-chart.png b/docs/whats-new/images/8.6/trend-chart.png deleted file mode 100644 index 3219eae6db..0000000000 Binary files a/docs/whats-new/images/8.6/trend-chart.png and /dev/null differ diff --git a/docs/whats-new/images/8.7/cases-copy-case-id.png b/docs/whats-new/images/8.7/cases-copy-case-id.png deleted file mode 100644 index cb5e57fb38..0000000000 Binary files a/docs/whats-new/images/8.7/cases-copy-case-id.png and /dev/null differ diff --git a/docs/whats-new/images/8.7/data-qual-dash.png b/docs/whats-new/images/8.7/data-qual-dash.png deleted file mode 100644 index 0e8a5b00f6..0000000000 Binary files a/docs/whats-new/images/8.7/data-qual-dash.png and /dev/null differ diff --git a/docs/whats-new/images/8.7/endpoint-privileges.png b/docs/whats-new/images/8.7/endpoint-privileges.png deleted file mode 100644 index 8a30bcc596..0000000000 Binary files a/docs/whats-new/images/8.7/endpoint-privileges.png and /dev/null differ 
diff --git a/docs/whats-new/images/8.7/field-warning-icon.png b/docs/whats-new/images/8.7/field-warning-icon.png deleted file mode 100644 index b77960d73e..0000000000 Binary files a/docs/whats-new/images/8.7/field-warning-icon.png and /dev/null differ diff --git a/docs/whats-new/images/8.7/integrations.png b/docs/whats-new/images/8.7/integrations.png deleted file mode 100644 index 0e0cb797df..0000000000 Binary files a/docs/whats-new/images/8.7/integrations.png and /dev/null differ diff --git a/docs/whats-new/images/8.7/timelines-create-rule.png b/docs/whats-new/images/8.7/timelines-create-rule.png deleted file mode 100644 index 7ce994c708..0000000000 Binary files a/docs/whats-new/images/8.7/timelines-create-rule.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/action-frequency.png b/docs/whats-new/images/8.8/action-frequency.png deleted file mode 100644 index ef92c491e9..0000000000 Binary files a/docs/whats-new/images/8.8/action-frequency.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/add-files-case.png b/docs/whats-new/images/8.8/add-files-case.png deleted file mode 100644 index 26d1ff2ead..0000000000 Binary files a/docs/whats-new/images/8.8/add-files-case.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/alert-controls.png b/docs/whats-new/images/8.8/alert-controls.png deleted file mode 100644 index fe7639fdab..0000000000 Binary files a/docs/whats-new/images/8.8/alert-controls.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/dashboard-filter-alerts.gif b/docs/whats-new/images/8.8/dashboard-filter-alerts.gif deleted file mode 100644 index 401ac7f223..0000000000 Binary files a/docs/whats-new/images/8.8/dashboard-filter-alerts.gif and /dev/null differ diff --git a/docs/whats-new/images/8.8/group-alerts.png b/docs/whats-new/images/8.8/group-alerts.png deleted file mode 100644 index 530999864d..0000000000 Binary files a/docs/whats-new/images/8.8/group-alerts.png and /dev/null differ 
diff --git a/docs/whats-new/images/8.8/inline-actions-menu.png b/docs/whats-new/images/8.8/inline-actions-menu.png deleted file mode 100644 index 48b34cb1f2..0000000000 Binary files a/docs/whats-new/images/8.8/inline-actions-menu.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/inspect-icon.png b/docs/whats-new/images/8.8/inspect-icon.png deleted file mode 100644 index 90da4c23f1..0000000000 Binary files a/docs/whats-new/images/8.8/inspect-icon.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/share-alert.png b/docs/whats-new/images/8.8/share-alert.png deleted file mode 100644 index dcc49045be..0000000000 Binary files a/docs/whats-new/images/8.8/share-alert.png and /dev/null differ diff --git a/docs/whats-new/images/8.8/three-dot-menu.png b/docs/whats-new/images/8.8/three-dot-menu.png deleted file mode 100644 index 2f106edb7c..0000000000 Binary files a/docs/whats-new/images/8.8/three-dot-menu.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/AI-anonymous.png b/docs/whats-new/images/8.9/AI-anonymous.png deleted file mode 100644 index 332d105929..0000000000 Binary files a/docs/whats-new/images/8.9/AI-anonymous.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/AI-system-prompt.gif b/docs/whats-new/images/8.9/AI-system-prompt.gif deleted file mode 100644 index 3463225fbf..0000000000 Binary files a/docs/whats-new/images/8.9/AI-system-prompt.gif and /dev/null differ diff --git a/docs/whats-new/images/8.9/CNVM-dashboard.png b/docs/whats-new/images/8.9/CNVM-dashboard.png deleted file mode 100644 index 680a490c8a..0000000000 Binary files a/docs/whats-new/images/8.9/CNVM-dashboard.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/IG-UI.png b/docs/whats-new/images/8.9/IG-UI.png deleted file mode 100644 index de2770d4e7..0000000000 Binary files a/docs/whats-new/images/8.9/IG-UI.png and /dev/null differ 
diff --git a/docs/whats-new/images/8.9/alert-tags.png b/docs/whats-new/images/8.9/alert-tags.png deleted file mode 100644 index 44a7926f6c..0000000000 Binary files a/docs/whats-new/images/8.9/alert-tags.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/integrations.png b/docs/whats-new/images/8.9/integrations.png deleted file mode 100644 index 8405b17532..0000000000 Binary files a/docs/whats-new/images/8.9/integrations.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/lateral-movement.gif b/docs/whats-new/images/8.9/lateral-movement.gif deleted file mode 100644 index e02feb8234..0000000000 Binary files a/docs/whats-new/images/8.9/lateral-movement.gif and /dev/null differ diff --git a/docs/whats-new/images/8.9/prebuilt-rules.png b/docs/whats-new/images/8.9/prebuilt-rules.png deleted file mode 100644 index 267f1fab57..0000000000 Binary files a/docs/whats-new/images/8.9/prebuilt-rules.png and /dev/null differ diff --git a/docs/whats-new/images/8.9/rule-monitor-dashboard.png b/docs/whats-new/images/8.9/rule-monitor-dashboard.png deleted file mode 100644 index 901a36a4e1..0000000000 Binary files a/docs/whats-new/images/8.9/rule-monitor-dashboard.png and /dev/null differ