From 36a3ef2c51026fad210c1160dc74c15eb4321534 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Oct 2023 16:00:14 -0400 Subject: [PATCH 1/3] First draft --- docs/release-notes/8.6.asciidoc | 11 +++++++++++ docs/release-notes/8.7.asciidoc | 3 ++- docs/release-notes/8.8.asciidoc | 6 +++--- docs/release-notes/8.9.asciidoc | 1 + 4 files changed, 17 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.6.asciidoc b/docs/release-notes/8.6.asciidoc index 2589619fc1..dbfa73eb5b 100644 --- a/docs/release-notes/8.6.asciidoc +++ b/docs/release-notes/8.6.asciidoc @@ -5,6 +5,11 @@ [[release-notes-8.6.2]] === 8.6.2 +[discrete] +[[known-issue-8.6.2]] +==== Known issues +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. + [discrete] [[bug-fixes-8.6.2]] ==== Bug fixes and enhancements @@ -15,6 +20,11 @@ [[release-notes-8.6.1]] === 8.6.1 +[discrete] +[[known-issue-8.6.1]] +==== Known issues +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. + [discrete] [[bug-fixes-8.6.1]] ==== Bug fixes and enhancements 
@@ -31,6 +41,7 @@ ==== Known issues * When using the Osquery Manager integration with {agent}, Osquery results aren't properly written to {es} and, therefore, cannot be viewed in Kibana (https://github.com/elastic/beats/issues/34250)[#34250]). We recommend that Osquery users skip {stack} version 8.6.0 and upgrade to {stack} version 8.6.1 or later when available. * Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as `\"`). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (https://github.com/elastic/detection-rules/pull/2447[#2447]). +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. [discrete] [[breaking-changes-8.6.0]] diff --git a/docs/release-notes/8.7.asciidoc b/docs/release-notes/8.7.asciidoc index 5dd151705a..edc0b8b8e3 100644 --- a/docs/release-notes/8.7.asciidoc +++ b/docs/release-notes/8.7.asciidoc @@ -8,7 +8,7 @@ [discrete] [[known-issue-8.7.1]] ==== Known issues - +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. * Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view. * The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <> to manage exceptions. * If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: 
@@ -137,6 +137,7 @@ To find the affected endpoint policy artifacts: [discrete] [[known-issue-8.7.0]] ==== Known issues +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. * After alerts are generated for the first time, you may have to refresh your browser before your alert data appears on pages that use data views (for example, Timeline). Navigating between pages will not work (https://github.com/elastic/security-docs/issues/3046[#3046]). diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc index 4b050299ae..0fc64c98e7 100644 --- a/docs/release-notes/8.8.asciidoc +++ b/docs/release-notes/8.8.asciidoc @@ -8,7 +8,7 @@ [discrete] [[known-issue-8.8.2]] ==== Known issues - +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: 
@@ -155,7 +155,7 @@ GET .kibana*/_search [discrete] [[known-issue-8.8.1]] ==== Known issues - +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. @@ -308,7 +308,7 @@ To view a detailed summary of the latest features and enhancements, check out ou [discrete] [[known-issue-8.8.0]] ==== Known issues - +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1. diff --git a/docs/release-notes/8.9.asciidoc b/docs/release-notes/8.9.asciidoc index b057eb8f72..fbd96aa07d 100644 --- a/docs/release-notes/8.9.asciidoc +++ b/docs/release-notes/8.9.asciidoc 
@@ -176,6 +176,7 @@ There are no breaking changes in 8.9.0. [discrete] [[bug-fixes-8.9.0]] ==== Bug fixes +* Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({pull}161331[#161331]). * Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu ({pull}159908[#159908]). * Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule. * Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({pull}157233[#157233]). From 797ce7fddb4c1d10931d5baf399021bd6ddbfda0 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Oct 2023 17:56:59 -0400 Subject: [PATCH 2/3] Revisions --- docs/release-notes/8.6.asciidoc | 6 +++--- docs/release-notes/8.7.asciidoc | 4 ++-- docs/release-notes/8.8.asciidoc | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/release-notes/8.6.asciidoc b/docs/release-notes/8.6.asciidoc index dbfa73eb5b..3979a183eb 100644 --- a/docs/release-notes/8.6.asciidoc +++ b/docs/release-notes/8.6.asciidoc @@ -8,7 +8,7 @@ [discrete] [[known-issue-8.6.2]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. [discrete] [[bug-fixes-8.6.2]] 
@@ -23,7 +23,7 @@ [discrete] [[known-issue-8.6.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. [discrete] [[bug-fixes-8.6.1]] @@ -39,9 +39,9 @@ [discrete] [[known-issue-8.6.0]] ==== Known issues +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * When using the Osquery Manager integration with {agent}, Osquery results aren't properly written to {es} and, therefore, cannot be viewed in Kibana (https://github.com/elastic/beats/issues/34250)[#34250]). We recommend that Osquery users skip {stack} version 8.6.0 and upgrade to {stack} version 8.6.1 or later when available. * Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as `\"`). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (https://github.com/elastic/detection-rules/pull/2447[#2447]). -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. [discrete] [[breaking-changes-8.6.0]] diff --git a/docs/release-notes/8.7.asciidoc b/docs/release-notes/8.7.asciidoc index edc0b8b8e3..ca3fef9cc0 100644 --- a/docs/release-notes/8.7.asciidoc 
+++ b/docs/release-notes/8.7.asciidoc @@ -8,7 +8,7 @@ [discrete] [[known-issue-8.7.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view. * The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <> to manage exceptions. * If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: @@ -137,7 +137,7 @@ To find the affected endpoint policy artifacts: [discrete] [[known-issue-8.7.0]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * After alerts are generated for the first time, you may have to refresh your browser before your alert data appears on pages that use data views (for example, Timeline). Navigating between pages will not work (https://github.com/elastic/security-docs/issues/3046[#3046]). 
diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc index 0fc64c98e7..d74caa4de3 100644 --- a/docs/release-notes/8.8.asciidoc +++ b/docs/release-notes/8.8.asciidoc @@ -8,7 +8,7 @@ [discrete] [[known-issue-8.8.2]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: 
@@ -155,7 +155,7 @@ GET .kibana*/_search [discrete] [[known-issue-8.8.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. 
@@ -308,7 +308,7 @@ To view a detailed summary of the latest features and enhancements, check out ou [discrete] [[known-issue-8.8.0]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To resolve this, apply the **Custom rules** filter to the Rules table, then select and delete duplicate prebuilt rules. +* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1. From 1497ea8ccd00793957e099caa9ba3c4a9dc74bd7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Oct 2023 18:00:17 -0400 Subject: [PATCH 3/3] Minor edits --- docs/release-notes/8.6.asciidoc | 6 +++--- docs/release-notes/8.7.asciidoc | 4 ++-- docs/release-notes/8.8.asciidoc | 6 +++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/docs/release-notes/8.6.asciidoc b/docs/release-notes/8.6.asciidoc index 3979a183eb..fe3340760d 100644 --- a/docs/release-notes/8.6.asciidoc +++ b/docs/release-notes/8.6.asciidoc 
@@ -8,7 +8,7 @@ [discrete] [[known-issue-8.6.2]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. [discrete] [[bug-fixes-8.6.2]] @@ -23,7 +23,7 @@ [discrete] [[known-issue-8.6.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. [discrete] [[bug-fixes-8.6.1]] 
@@ -39,7 +39,7 @@ [discrete] [[known-issue-8.6.0]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * When using the Osquery Manager integration with {agent}, Osquery results aren't properly written to {es} and, therefore, cannot be viewed in Kibana (https://github.com/elastic/beats/issues/34250)[#34250]). We recommend that Osquery users skip {stack} version 8.6.0 and upgrade to {stack} version 8.6.1 or later when available. * Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as `\"`). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (https://github.com/elastic/detection-rules/pull/2447[#2447]). diff --git a/docs/release-notes/8.7.asciidoc b/docs/release-notes/8.7.asciidoc index ca3fef9cc0..93b51035a4 100644 --- a/docs/release-notes/8.7.asciidoc +++ b/docs/release-notes/8.7.asciidoc 
@@ -8,7 +8,7 @@ [discrete] [[known-issue-8.7.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view. * The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <> to manage exceptions. * If you modify an exception item using the <> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either: 
@@ -137,7 +137,7 @@ To find the affected endpoint policy artifacts: [discrete] [[known-issue-8.7.0]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * After alerts are generated for the first time, you may have to refresh your browser before your alert data appears on pages that use data views (for example, Timeline). Navigating between pages will not work (https://github.com/elastic/security-docs/issues/3046[#3046]). diff --git a/docs/release-notes/8.8.asciidoc b/docs/release-notes/8.8.asciidoc index d74caa4de3..cca1e64a1d 100644 --- a/docs/release-notes/8.8.asciidoc +++ b/docs/release-notes/8.8.asciidoc 
@@ -8,7 +8,7 @@ [discrete] [[known-issue-8.8.2]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following: @@ -155,7 +155,7 @@ GET .kibana*/_search [discrete] [[known-issue-8.8.1]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. 
@@ -308,7 +308,7 @@ To view a detailed summary of the latest features and enhancements, check out ou [discrete] [[known-issue-8.8.0]] ==== Known issues -* After upgrading Elastic prebuilt rules, some rules might be erroneously duplicated as custom rules. To remove these rules, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. +* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules. * Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval. * Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure. * {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1.
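Review bot: In the final wording of every known-issue hunk in patch 3 (8.6.2, 8.6.1, 8.6.0, 8.7.1, 8.7.0, 8.8.2, 8.8.1, 8.8.0), "click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules" can be read as "delete everything the filter shows", and that filter also lists every rule the team wrote itself. Suggest narrowing the instruction so nobody bulk-deletes their own detections, for example: "then select and delete only the rules that duplicate Elastic prebuilt rules; leave your own custom rules in place." Since patch 1's 8.9.0 hunk already records the fix as `{pull}161331[#161331]`, each known-issue entry could also close with "This is fixed in 8.9.0." so readers know that upgrading removes the need for the manual cleanup.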
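Review bot: Patch 3 changes "some rules might be erroneously duplicated" to "some rules are erroneously duplicated" in all eight known-issue hunks, which turns a conditional statement into an assertion that the duplication happens on every prebuilt-rule upgrade. The 8.9.0 bug-fix entry in patch 1 only says the bug "caused" rules to be duplicated, so if the duplication depends on which rules were upgraded or how, either keep "might" or state the condition rather than strengthening the claim as part of a "Minor edits" commit.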
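Review bot: The 8.6.0 known-issues hunk (touched in patches 1, 2 and 3) carries a context line with a malformed link, `(https://github.com/elastic/beats/issues/34250)[#34250])`, where the stray `)` before `[#34250]` breaks the AsciiDoc link macro so the text will not render as a link. Since this list is being edited anyway, fix it in the same PR as `(https://github.com/elastic/beats/issues/34250[#34250])`.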
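Review bot: The same known-issue sentence is pasted into eight sections across 8.6.asciidoc, 8.7.asciidoc and 8.8.asciidoc, and this series already had to revise all eight copies twice (patches 2 and 3). Consider keeping the text once, for example in a shared snippet pulled in with `include::` or in a document attribute, so the copies cannot drift apart the next time the wording or the fix reference changes.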