8.15
8.15.1
Known issues
Tags appear in Elastic AI Assistant’s responses
Details
On August 1, 2024, it was discovered that Elastic AI Assistant’s responses when using Bedrock Sonnet 3.5 may include <antThinking> tags, for example <search_quality_reflection> (#189676).
New features
- Introduces a new feature for Elastic Defend where Windows Image load events now include process protection status, making it easier to detect both legitimate and malicious PPL activity.
- Allows you to examine Jamf data in the visual event analyzer (#190965).
Enhancements
- Improves Elastic Defend by reducing Malware Protection disk I/O and CPU usage when recently written files are subsequently executed. This update is for Windows endpoints only.
- Makes several improvements to the detection and parsing of log samples uploaded to automatic import (#190588, #191502, #190656, #190046).
- Improves error handling for the Tines connector, and provides an option to use a webhook URL when connecting to the Tines API (#191263).
Bug fixes
- Fixes an Elastic Defend bug that affected CPU usage for Windows process events where the same executable is repeatedly launched, for example, during compilation workloads. With this fix, CPU usage is improved.
- Fixes an Elastic Defend bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory.
- Fixes an Elastic Defend bug that sometimes caused Elastic Endpoint to report an incorrect version if it used an independent Elastic Agent release.
- Fixes an Elastic Defend bug where the process.thread.Ext.call_stack_final_user_module.protection_provenance_path field might be populated with a non-path value. This fix is for Windows endpoints only.
- Fixes an Elastic Defend bug that can lead to Elastic Endpoint reporting STATUS_ACCESS_DENIED when attempting to open files for GENERIC_READ. Elastic Endpoint almost always recovered from this issue, but with this fix, it succeeds on the first try. This fix is for Windows endpoints only.
- Fixes an Elastic Defend regression that was introduced in 8.14.0, where security events did not populate the user.name field. This fix is for Windows endpoints only.
- Fixes an Elastic Defend bug where Elastic Endpoint sometimes missed file and network events on newer kernels that support eBPF. This only occurred if Elastic Endpoint failed to enable eBPF probes and fell back to Kprobes. This fix is for Linux endpoints only.
- Fixes a bug that caused errors if you used Azure OpenAI connector for streaming (#191552).
- Fixes a bug that prevented duplicated prebuilt rules from inheriting Required fields and Related integrations field values (#191065).
- Turns off the option to assign users to an alert if no assignees exist (#190937).
- Fixes a bug that prevented Timeline template settings from being applied to new Timelines that were generated by a rule (#190511).
- Fixes a bug that hid the option to select a connector for Elastic AI Assistant (#189944).
- Removes the option to manually bulk-run multiple rules (#190781).
8.15.0
Known issues
Tags appear in Elastic AI Assistant’s responses
Details
On August 1, 2024, it was discovered that Elastic AI Assistant’s responses when using Bedrock Sonnet 3.5 may include <antThinking> tags, for example <search_quality_reflection> (#189676).
The option to manually run multiple rules is available in the bulk actions menu on the Rules page
Details
On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.
Workaround
Upgrade to 8.15.1.
Resolved
On September 5, 2024, this issue was resolved.
Elastic Endpoint does not properly populate the user.name field in security events
Details
Elastic Endpoint for Windows will not properly populate the user.name field with security events.
Workaround
Upgrade to 8.15.1.
Resolved
On September 5, 2024, this issue was resolved.
Breaking changes
- If you previously created any user-defined quick prompts for Elastic AI Assistant, they will no longer appear after you upgrade to 8.15. To resolve this, copy your existing quick prompts prior to upgrading, then add them again after upgrading. Additionally, in 8.15, quick prompts are shared by all users in your deployment, rather than saved at the user level (#187040).
New features
- Introduces Automatic Import, a feature that helps you to quickly parse, ingest, and create ECS mappings for data from sources that don’t yet have prebuilt Elastic integrations (#186304).
- Creates an LLM connector for Google Gemini (#183668).
- Adds an API for Elastic AI Assistant (#184485).
- Adds the scan action to the response console, which allows you to scan a specific file or directory on a host for malware (#184723).
- Adds an Elastic Defend integration policy option in Advanced Settings that allows you to opt out of registry event filtering (#186564).
- Allows you to specify additional file and registry paths to monitor for read access (#181361).
- Allows you to use Elastic Security to isolate and release hosts running a CrowdStrike agent (#186801).
- Allows you to retrieve files from SentinelOne-enrolled hosts (#181162).
- Allows you to create an event filter that excludes the descendant events of a specific process (#184947).
- Recalculates entity risk scores when asset criticality changes on an individual entity (#182234).
- Adds an Asset criticality column to user and host data tables. If asset criticality levels are assigned to your users and hosts, this information appears in the Asset criticality column (#186375, #186456).
- Adds an API that allows you to perform paginated KQL searches through asset criticality records (#186568).
- Adds public APIs for managing asset criticality (#186169).
- Allows you to edit the max_signals, related_integrations, and required_fields fields for custom rules (#179680, #178295, #180682).
- Provides help from AI Assistant when you’re correcting rule query errors (#179091).
- Allows you to bulk update custom highlighted fields for rules (#179312).
- Adds alert suppression for machine learning and ES|QL rules (#181926, #180927).
- Provides previews of hosts, users, and alerts that you’re examining in the alert details flyout (#186850, #186857).
- Enhances Timeline’s data exploration experience by incorporating components from Discover, such as the sidebar and table, which allow you to quickly find fields of interest. Timeline’s overall performance is also improved (#176064).
- Adds an option for toggling row renderers on and off, and moves notes to a new flyout in Timeline (#186948).
- Revamps the Dashboards landing page (#186465).
Enhancements
- Allows Attack discovery generation to continue when you navigate to another page, and allows you to run Attack discovery with multiple connectors simultaneously (#184949).
- Adds notifications to the connector dropdown menu on the Attack discovery page so you know when other connectors have new discoveries (#186903, #187209).
- Improves AI Assistant’s responses across multiple connectors and in multiple scenarios for streaming and non-streaming use cases (#182041, #187183).
- Enables AI Assistant to remember information you ask it to remember (#184554, #5670).
- Updates the default Gemini version to gemini-1.5-pro-001 and the default Bedrock version to anthropic.claude-3-5-sonnet-20240620-v1:0 (#186671).
- Simplifies how you enable AI Assistant’s knowledge base (#182763).
- Unifies the AI Assistant’s settings view (#184678).
- Introduces a new Elastic Endpoint policy setting that allows you to control whether the kernel reports Windows network events that happened on a local loopback interface (#181753).
- Improves how failure messages for the scan action appear in the response console (#186284).
- Improves the risk engine’s performance. Now, after you turn on the engine, risk data is available sooner (#184797).
- Enhances the risk engine’s normalization accuracy (#184638).
- Updates the copy for bulk assigning asset criticality to multiple entities (#181390).
- Improves visual and logic issues in the Findings table (#184185).
- Enables the expandable alert details flyout by default and replaces the securitySolution:enableExpandableFlyout advanced setting with a feature flag that allows you to revert to the old flyout version (#184169).
- Improves the UI design and copy of various places in the alert details flyout (#187430, #187920).
- Updates the MITRE ATT&CK framework to version 15.1 (#183463).
- Improves the warning message about rule actions being unavailable after a rule ran (#182741).
- Enables the xMatters and Server Log connectors rule actions (#172933).
Bug fixes
- Fixes a bug that prevented Timeline from properly retrieving results after upgrading to 8.14.1 (#189031).
- Fixes a bug that showed that Timeline had been changed, even if it hadn’t been (#188106).
- Removes the option to investigate suppressed alerts in Timeline when you’re previewing alert details from a rule preview (#188385).
- Fixes the alignment of the page selector dropdown menu on the Shared Exception Lists page (#187956).
- Fixes a rule execution error that occurred when ES|QL rules queried source documents with non-ECS compliant sub-fields under the event.action field (#187549).
- Fixes a bug that caused the Enable entity risk scoring option to display even when you didn’t have the correct requirements (#183517).
- Prevents maxClauseCount errors from occurring for indicator match rules (#179748).
- Fixes a bug that prevented threat intelligence fields from correctly rendering in the alert details flyout if they had flattened fields (#179395).
- Removes references in the UI that directed users to outdated documentation for the risk scoring feature (#187585).
- Fixes a bug on the Get started page that prevented the correct username from being displayed in the greeting message (#180670).
- Fixes a bug that prevented the pagination menu from appearing in the correct place for the Uncommon processes table (#189201).
- Fixes a bug that affected the panel showing the last command details in the Uncommon processes table (#187848).