Document a known issue about detection rules being duplicated upon update #4022

Merged
merged 4 commits into from
Oct 19, 2023
11 changes: 11 additions & 0 deletions docs/release-notes/8.6.asciidoc
Expand Up @@ -5,6 +5,11 @@
[[release-notes-8.6.2]]
=== 8.6.2

[discrete]
[[known-issue-8.6.2]]
==== Known issues
* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.

[discrete]
[[bug-fixes-8.6.2]]
==== Bug fixes and enhancements
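Review bot: the new known-issue bullet ("* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules...") never says which release resolves the problem, so a reader on 8.6.2 only learns the manual cleanup and not the upgrade path. The 8.9.asciidoc hunk in this same PR records the fix as 8.9.0 ({pull}161331[#161331]); suggest ending the bullet with "This issue is fixed in 8.9.0 ({pull}161331[#161331])." so the known-issue entry and the bug-fix entry point at each other.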
Expand All @@ -15,6 +20,11 @@
[[release-notes-8.6.1]]
=== 8.6.1

[discrete]
[[known-issue-8.6.1]]
==== Known issues
* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.

[discrete]
[[bug-fixes-8.6.1]]
==== Bug fixes and enhancements
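Review bot: this bullet is the same sentence repeated verbatim in the 8.6.0, 8.6.1, 8.6.2, 8.7.0, 8.7.1, 8.8.0, 8.8.1 and 8.8.2 sections, which makes later corrections (for example adding the fixed-in version) easy to miss in one of the copies. Consider defining the text once as a document attribute in each release-notes file and referencing it from every section, or at least noting in the PR description that all copies must be updated together.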
Expand All @@ -29,6 +39,7 @@
[discrete]
[[known-issue-8.6.0]]
==== Known issues
* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* When using the Osquery Manager integration with {agent}, Osquery results aren't properly written to {es} and, therefore, cannot be viewed in Kibana (https://github.com/elastic/beats/issues/34250)[#34250]). We recommend that Osquery users skip {stack} version 8.6.0 and upgrade to {stack} version 8.6.1 or later when available.
* Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as `\"`). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (https://github.com/elastic/detection-rules/pull/2447[#2447]).

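Review bot: the unchanged Osquery context line directly below the new bullet has a misplaced closing parenthesis, "(https://github.com/elastic/beats/issues/34250)[#34250])", which closes the parenthesis before the `[#34250]` link text and so breaks the AsciiDoc link macro. Since this section is being touched anyway, suggest "(https://github.com/elastic/beats/issues/34250[#34250])", matching the form used for the detection-rules link on the next line.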
3 changes: 2 additions & 1 deletion docs/release-notes/8.7.asciidoc
Expand Up @@ -8,7 +8,7 @@
[discrete]
[[known-issue-8.7.1]]
==== Known issues

* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* Index aliases and some data streams are not properly retrieved by the {elastic-sec} default data view.
* The **Add exceptions flyout** loads indefinitely and an out of memory error displays when a rule has a large number of unmapped fields in multiple indices. To avoid this issue, use the <<exceptions-api-overview,exception APIs>> to manage exceptions.
* If you modify an exception item using the <<exceptions-api-update-item,update exception item>> API and _only_ specify its `item_id`, the exception item is erroneously duplicated. To avoid this issue, you can either:
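Review bot: the remediation in the new bullet, "click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules", gives no way to tell an erroneous duplicate from a rule the user genuinely created, and the **Custom rules** filter shows both. Deleting the wrong entries silently removes detection coverage, so suggest adding an identifying hint (for example, that a duplicate is a custom rule carrying the same name as an Elastic prebuilt rule) before the instruction to delete.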
Expand Down Expand Up @@ -137,6 +137,7 @@ To find the affected endpoint policy artifacts:
[discrete]
[[known-issue-8.7.0]]
==== Known issues
* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* After alerts are generated for the first time, you may have to refresh your browser before your alert data appears on pages that use data views (for example, Timeline). Navigating between pages will not work (https://github.com/elastic/security-docs/issues/3046[#3046]).


6 changes: 3 additions & 3 deletions docs/release-notes/8.8.asciidoc
Expand Up @@ -8,7 +8,7 @@
[discrete]
[[known-issue-8.8.2]]
==== Known issues

* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
* A UI bug can affect the Alerts table height, making it difficult to view alerts. To view alerts, do one of the following:
Expand Down Expand Up @@ -155,7 +155,7 @@ GET .kibana*/_search
[discrete]
[[known-issue-8.8.1]]
==== Known issues

* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.

Expand Down Expand Up @@ -308,7 +308,7 @@ To view a detailed summary of the latest features and enhancements, check out ou
[discrete]
[[known-issue-8.8.0]]
==== Known issues

* After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (**Manage** -> **Rules**), click the **Custom rules** filter next to the search bar, then select and delete the duplicate rules.
* Rule changes can't be saved and existing rule actions are removed if the action's frequency is shorter than the rule's run interval.
* Setting the `max_signals` value higher than the {kibana-ref}/alert-action-settings-kb.html#alert-settings[`xpack.alerting.rules.run.alerts.max`] value will lead to rule failure.
* {elastic-sec} 8.8 contains a bug that makes field types appear as `unknown` within the **Fields** browser and when examining alert or event details. This bug also causes timestamps to be incorrectly formatted in the Alerts table. To resolve this issue, upgrade to 8.8.1.
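Review bot: inconsistent with the existing 8.8.0 entries, the new first bullet omits the resolving version while the unchanged last bullet in this hunk explicitly says "To resolve this issue, upgrade to 8.8.1." Suggest giving the prebuilt-rule duplication bullet the same shape ("To resolve this issue, upgrade to 8.9.0.") so the 8.8.0 known-issues list reads uniformly.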
1 change: 1 addition & 0 deletions docs/release-notes/8.9.asciidoc
Expand Up @@ -177,6 +177,7 @@ There are no breaking changes in 8.9.0.
[discrete]
[[bug-fixes-8.9.0]]
==== Bug fixes
* Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({pull}161331[#161331]).
* Fixes a bug that prevented rule exceptions from being auto-populated when you created a new exception from an alert's **Take action** menu ({pull}159908[#159908]).
* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule.
* Fixes a bug that restricted the number of cloud accounts that could appear on the Cloud Security Posture dashboard to 10 ({pull}157233[#157233]).
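Review bot: the new bug-fix line, "Fixes a bug that caused Elastic prebuilt rules to be erroneously duplicated after you upgraded them ({pull}161331[#161331])", does not say whether duplicates created on 8.6 through 8.8 are cleaned up by the upgrade or whether the manual deletion described in the earlier known-issue entries is still required after moving to 8.9.0. Suggest one sentence clarifying this, since operators will otherwise not know whether to audit their custom rules after upgrading.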