From b857fa8196119bd5d43de18330ae86fdf5e27129 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Mon, 16 Dec 2024 15:33:20 -0500 Subject: [PATCH 1/2] [8.x] Update detections-logsdb-impact.asciidoc (backport #6327) (#6331) * Update detections-logsdb-impact.asciidoc * Update docs/detections/detections-logsdb-impact.asciidoc --------- Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> (cherry picked from commit 180cf67eb185afd60ae260ad239763ff90aefe7c) Co-authored-by: Kseniia Ignatovych <40713348+approksiu@users.noreply.github.com> --- docs/detections/detections-logsdb-impact.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/detections/detections-logsdb-impact.asciidoc b/docs/detections/detections-logsdb-impact.asciidoc index 1b304c7f1e..a245644800 100644 --- a/docs/detections/detections-logsdb-impact.asciidoc +++ b/docs/detections/detections-logsdb-impact.asciidoc @@ -11,6 +11,8 @@ When the `_source` is reconstructed, {ref}/mapping-source-field.html#synthetic-s Continue reading to find out how this affects specific {elastic-sec} components. +NOTE: Logsdb is not recommended for {elastic-sec} at this time. Users must fully understand and accept the documented changes to detection alert documents (see below), and ensure their deployment has excess hot data tier CPU resource capacity before enabling logsdb mode, as logsdb mode requires additional CPU resources during the ingest/indexing process. Enabling logsdb without sufficient hot data tier CPU may result in data ingestion backups and/or security detection rule timeouts and errors. + [discrete] [[logsdb-alerts]] == Alerts @@ -62,4 +64,4 @@ The following will not work with synthetic source (logsdb index mode enabled): [source,console] ---- "source": """ emit(params._source['agent.name'] + "_____" + doc['agent.name'].value ); """ ----- \ No newline at end of file +---- From b72efc1894c2e69426054c503f7d894c5570873f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 16 Dec 2024 18:12:27 -0500 Subject: [PATCH 2/2] 8.16.2 release notes (#6290) * First draft * Adds known issue fix * Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> * Adds edits * Removing space param * Removed extra qoute --------- Co-authored-by: Janeen Mikell Roberts <57149392+jmikell821@users.noreply.github.com> --- docs/release-notes.asciidoc | 1 + docs/release-notes/8.16.asciidoc | 51 +++++++++++++++++++++++++------- 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 49594201f1..986e1a4424 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -4,6 +4,7 @@ This section summarizes the changes in each release. * <> +* <> * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 36b3746536..889fffc24c 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -1,6 +1,26 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[release-notes-8.16.2]] +=== 8.16.2 + +[discrete] +[[bug-fixes-8.16.2]] +==== Bug fixes + +* Rejects CEF logs from Automatic Import and redirects you to the CEF integration instead ({kibana-pull}201792[#201792], {kibana-pull}202994[#202994]). +* Fixes an issue that could interfere with Knowledge Base setup ({kibana-pull}201175[#201175]). +* Modifies the empty state message that appears when installing prebuilt rules ({kibana-pull}202226[#202226]). +* Turns off the **Install All** button on the **Add Elastic Rules** page while rules are being installed ({kibana-pull}201731[#201731]). +* Removes fields with an `@` from the script processor ({kibana-pull}201548[#201548]). +* Fixes a bug with threshold rules that prevented cardinality details from appearing ({kibana-pull}201162[#201162]). +* Fixes an exceptions bug that prevented the **Exceptions** tab from properly loading if exceptions contained comments with newline characters (`\n`) ({kibana-pull}202063[#202063]). +* Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). +* Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). +* Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. +* Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. + [discrete] [[release-notes-8.16.1]] === 8.16.1 @@ -17,7 +37,8 @@ *Details* + On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). -*Workaround* + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. For custom rules: @@ -35,7 +56,7 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can + [source,console] ---- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. @@ -58,21 +79,25 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). . Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + ==== // end::known-issue[201820] // tag::known-issue[] [discrete] -.Duplicate alerts can be produced from manually running threshold rules +.Manually running threshold rules may generate duplicate alerts [%collapsible] ==== *Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. ==== // end::known-issue[] @@ -94,6 +119,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul * Fixes a bug that caused the **Alerts** page to crash if you upgraded to 8.16 and accessed the page in a non-default {kib} space ({kibana-pull}200058[#200058]). * Fixes a bug that caused the Elastic AI Assistant Knowledge Base to fail if the current user had a colon (`:`) in their username and attempted to access Knowledge Base entries ({kibana-pull}200131[#200131]). * Fixes a bug that made values unavailable for the Knowledge Base **Index** field, which lets you specify an index as a knowledge source ({kibana-pull}199990[#199990]). +* Fixes a bug in Automatic Import where icons were not shown after the integration was installed ({kibana-pull}201139[#201139]). * Fixes a bug that unset the `required_fields` field if you updated a rule by sending a `PATCH` request that didn't contain the `required_fields` field ({kibana-pull}199901[#199901]). * Fixes the entity store initialization error that was caused by risk engine failures. Now, when you upgrade to 8.16.1, or follow the standard flow for initializing the entity store, the risk engine no longer fails while deleting the component template. In addition, the index template will correctly reference the new component template, ensuring the successful initialization of the entity store ({kibana-pull}199734[#199734]). * Improves the warning message that displays when asset criticality assignments are duplicated during the bulk assignment flow ({kibana-pull}199651[#199651]). @@ -115,7 +141,8 @@ On November 12, 2024, it was discovered that manually running a custom query rul *Details* + On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). -*Workaround* + +*Workaround* + +Upgrade to 8.16.2, or follow the workarounds below. For custom rules: @@ -133,7 +160,7 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can + [source,console] ---- -curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. @@ -156,11 +183,15 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' '${KIBANA_URL}/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). . Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. + +*Resolved* + +On December 17, 2024, this issue was resolved. + ==== // end::known-issue[201820] @@ -191,11 +222,11 @@ On August 1, 2024, it was discovered that Elastic AI Assistant's responses when // tag::known-issue[] [discrete] -.Duplicate alerts can be produced from manually running threshold rules +.Manually running threshold rules may generate duplicate alerts [%collapsible] ==== *Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. +On November 12, 2024, it was discovered that manually running threshold rules could generate duplicate alerts if the date range was already covered in a scheduled rule execution. ==== // end::known-issue[]