8.6
edit8.6
edit8.6.2
editKnown issues
edit- After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
Bug fixes and enhancements
edit- Fixes a bug that prevented related alerts from closing when the Close all alerts that match this exception option was selected on an exception (#150765).
- Ensures Elastic Endpoint sends intermediate certificates to the server for SSL validation.
8.6.1
editKnown issues
edit- After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
Bug fixes and enhancements
edit- Fixes a bug that prevented Osquery results from being viewed in Kibana when using the Osquery Manager integration with Elastic Agent. Upgrade to Elastic Stack version 8.6.1 and Elastic Agent 8.6.1 to apply this fix to your deployment (#34250).
- Fixes a bug that impacted the way Osquery results were displayed in Lens and Discover (#148260).
- Adds an advanced setting to the Elastic Defend policy that allows users to enable or disable host isolation on Linux endpoints (#149177).
8.6.0
editKnown issues
edit- After upgrading Elastic prebuilt rules, some rules are erroneously duplicated as custom rules. To remove them, go to the Rules page (Manage → Rules), click the Custom rules filter next to the search bar, then select and delete the duplicate rules.
- When using the Osquery Manager integration with Elastic Agent, Osquery results aren’t properly written to Elasticsearch and, therefore, cannot be viewed in Kibana (#34250). We recommend that Osquery users skip Elastic Stack version 8.6.0 and upgrade to Elastic Stack version 8.6.1 or later when available.
-
Investigation guides for some prebuilt rules may not render correctly if they include an escaped character (such as
\"
). To resolve this, update your prebuilt rules once you receive a rule update prompt on the Rules page (#2447).
Breaking changes
editThere are no breaking changes in 8.6.0.
Deprecations
editThere are no deprecations in 8.6.0.
Features
edit- Allows you to add indicators to new or existing cases (#145121).
-
Adds the
is one of
operator to the Add field menu in Timeline (#144988). - Adds an "Add to timeline investigation" button to the User Risk Scores and Host Risk Scores cards on the Entity Analytics dashboard (#144819).
- Provides the option to duplicate rules and their exceptions or rules only (#144782).
- Improves the Shared Exception Lists page and allows you to export read-only exception lists (#144383).
- Enables you to build runtime queries using alert data or hard-coded literal values. (Technical preview only). (#145240).
- Creates a new connector for Tines (#143505).
- Updates the UI for adding and editing exceptions (#143127).
- Creates a Shared Exception Lists page for creating, viewing, and modifying shared exception lists (#143041).
- Enables you to bulk-add up to 4000 events to Timeline (#142737).
- Enables alert suppression per rule execution for custom query rules (#142686).
- Improves role-based access controls for Kibana users performing response actions (#142825).
Bug fixes and enhancements
edit- Adds the View indicators button to the Threat Intelligence card (#145125).
- Improves the interface for creating rule exceptions and shared exception lists (#144575).
- Adds cases metadata in the Cases panel on the alert details page (#144430).
- Improves the UX for managing machine learning jobs while managing machine learning rules (#144080).
- Enables you to run machine learning jobs from the Notable Anomalies table (#142861).
- Updates the take action UI for charts on the Hosts, Users, and Network pages (#138369).
- Adds a Respond button to the Host Details page for hosts with an Elastic Agent installed (#143988).
- Allows you to add up to three new terms to New Terms rule queries, enabling you to create alerts when multiple new terms appear in the same event (#143943).
- Allows you to launch Timeline from the Entity Analytics dashboard by clicking alert counts (#143841).
- Adds missing TLP Marking badges to the Indicators table and Indicator details flyout (#143431).
- Ensures the empty state of the Indicators page does not appear when threat intelligence integrations are installed (#143328).
- Turns the anomalies count on the Entity Analytics dashboard into a link that goes to the Anomalies table (#143085).
-
Pre-selects the
threat
category when you open the Fields browser (#142698). -
Adds a
copy to clipboard
action for indicators in the Indicators table (#142675). -
Adds a
User risk classification
column to the Users table (#142610). - Adds a label to the Indicators page that states when it was last updated (#142560).
- Specifies that links from the Threat Intelligence page to the Integrations page should open the Threat Intelligence integrations category (#142538).
- Enables full-screen mode on the Indicators table (#142519).
- Implements the standard search bar and date picker on the Threat Intelligence page (#142336).
- Updates the design of the Shared Exception Lists page (#142289).
- Displays comments for expanded items in the Action history page (#141938).
- Adds HTTP 409 conflict response status codes to error messages for several API requests (#146389).
- Adds the new Data Exfiltration Detection (DED) integration package (#4486).
- Renames the sorting toggle on the Rules page from Technical preview to Advanced sorting (#144733).
- Replaces the Run job button with a Stop job button when the job is running (#146407).
- Fixes a bug that prevented you from editing an exception while adding a comment to it from the Rules details flyout (#145575).
- Fixes a bug that could cause rule previews for New Terms rules to fail (#145707).
- Fixes a bug that could cause a "Page not found" error when you navigated to a shared exception list (#145833).
- Fixes a bug with the loading indicator that appears when bulk actions are pending (#145905).
- Fixes a bug with the linked rules count for shared exception lists (#145976).
- Fixes a bug that prevented you from editing policies created before Elastic Stack version 8.3.0 if you had a basic license (#146050).
- Fixes a bug that sometimes prevented the Rules table from updating as expected (#146271).
- Fixes a bug that sometimes prevented the display of rule preview graphs for custom rules (#142120).
-
Removes the
Optional
label from theAdditional look-back time
rule setting (#142375). - Fixes a bug that could result in duplicate entries in the Host’s page’s Events table query (#143239).
- Fixes a bug that could interfere with Platinum users' access to the Host Isolation page (#143366).
- Fixes a bug that prevented the event analyzer’s state from persisting when you switched tabs on the Alerts page (#144291).
- Fixes a bug that sometimes caused a page crash when you searched for an indicator ID on the Intelligence page (#144344).
- Fixes a bug that prevented newly imported rules from appearing on the Rules page before the page was refreshed (#144359).
- Fixes a bug with the toast message for successful bulk editing of rules (#144497).
- Fixes a bug that prevented the Event Analyzer from opening in Timeline when the Show only detection alerts option is enabled (#144705).
- Fixes bugs that affected the display and persistence of event action menus (#145025).
- Fixes a bug that limited the display of breadcrumbs on the Shared Exception Lists page (#145605).
- Fixes various minor UI bugs on the Shared Exception Lists page (#145334).
- Improves the "permissions required" message that appears on Cloud Posture pages for users without necessary permissions (#145794).
- Fixes a bug that could cause a "Page not found" error when navigating to an exception list without a description (#145833).
- Fixes a visual bug with the fullscreen view of rule preview results (#146687).
- Fixes a visual bug with the fullscreen view of Osquery results (#147076).
- Fixes a bug with the refresh indicator on the Rule details page (#147806).
- Reenables ransomware canary files.
-
Fixes a bug that caused the rule details page and the Edit rule settings page to load indefinitely if you edited a rule that had the
saved_id
property configured.