« Release notes 8.17 »
Elastic Docs Elastic Security Solution [8.18] Release notes

8.18

edit
A newer version is available. Check out the latest documentation.

8.18

edit

8.18.0

edit

Known issues

edit
Rules cannot be enabled if they’re corrupted while upgrading from 7.17.x to 8.x

Details
If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules.

Workaround

Duplicate your rules and enable them.

The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules

Details
On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check (#1021.

Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions

Details
When you install an Elastic Defend integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions, as well as any user customizations, if you customized any other rule fields.

Workaround
To resolve this issue, before you add an Elastic Defend integration to a policy in Fleet, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten.

Deprecations

edit
  • The user and host risk score modules are being deprecated (#202775).

  • The following SIEM signal migration endpoints were deprecated (#202662):

    • POST /api/detection_engine/signals/migrations
    • DELETE /api/detection_engine/signals/migrations
    • POST /api/detection_engine/signals/finalize_migrations
    • GET /api/detection_engine/signals/migration_status

New features

edit
  • Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents.
  • The Automatic Import functionality is now generally available (#208523).
  • Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response (#206683).
  • Allows you to customize prebuilt rules. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings (#212761).
  • Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported (#207336, #206582, #206268, #202344).
  • Allows you to configure how often the enrich policy runs for the entity store (#207374, #204437).
  • Provides configuration options to the entity store through additional API parameters (#206421).
  • Introduces a status tab to the entity store management page (#201235).
  • Allows you to install and reinstall entity stores from the Engine Status page (#208149).
  • Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage (#206313).
  • The manual runs functionality is now generally available (#209535).
  • Allows you to preview logged Elasticsearch requests for new terms, threshold, custom, and machine learning rule types (#203320).
  • Adds support for suppressing alerts generated from even correlation rules that are using sequence queries (#189725).
  • Allows you to add common observables to any case and extend the types of observable case data to include custom options (#190237).
  • Introduces privileges that let you control role access to Timeline and notes (#201780).
  • Introduces privileges that let you control whether a role can assign users to a case (#201654).
  • Re-adds details to the alert details flyout about the last time an alert’s status was changed (#205224).
  • Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps (#203975).
  • Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through Elastic Security (#203101, #202012, #203420, #204044).
  • Applies the latest Elastic UI (EUI) theme to multiple areas of Elastic Security (#204007, #204908).
  • Elastic Defend will now graphically report its protection status when launched from Windows Security Center.
  • Adds new Elastic Defend fields, process.Ext.command_line_truncated and process.parent.Ext.command_line_truncated to indicate when the command line gathered by event sources is truncated because of size limitations.
  • Elastic Defend staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating Elastic Defend endpoints will report health-related telemetry to telemetry.elastic.co. Customers can control this behavior using the [os].advanced.artifacts.global.channel advanced policy setting (#202674).
  • Adds a new field to the metrics section of the Elastic Defend metadata document called top_process_trees. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate.

  • Introduces new advanced settings in the Elastic Defend integration policy to reduce the volume of data that Elastic Endpoint processes and ingests. The following new behaviors are enabled by default. You can turn them off by configuring your Elastic Defend integration policy advanced settings:

    Elastic Endpoint behavior is preserved on existing Elastic Defend policies.

    • Elastic Endpoint will merge short lived process create/terminate events and network connect/terminate events so only a single document is produced.
    • Elastic Endpoint will only include a small subset of data in the host.* fieldset in event documents.
    • Elastic Endpoint will not report MD5 and SHA-1 hashes in event data.

Enhancements

edit
  • Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) (#205070).
  • Provides APIs for AI Assistant Knowledge Base entries (#206407).
  • Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved (#199694).
  • Introduces support for the future integration of AI Assistant prompts in Kibana. (#207138).
  • Adds audit logging for changes to AI Assistant knowledge base entries (#203349).
  • Adds a service example to the entity store upload page (#209023).
  • Updates the entity insight badge to open entity flyouts (#208287).
  • Introduces changes to the entity analytics feature to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201).
  • Allows you to include closed alerts in risk score calculations (#201909).
  • Turns the securitySolution:enableVisualizationsInFlyout advanced setting on by default, which allows you to access the event analyzer and Session View in the Visualize tab on the alert or event details flyout (#211319).
  • Reduces the system performance impact of Elastic Defend file events.
  • Improves Elastic Defend’s resilience in low memory situations.
  • Updates the Elastic Defend policy status message to show the Elastic Defend policy name, revision, and Elastic Agent policy revision.
  • Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices (#214495).
  • Allows rule actions (except for Summary of alerts actions that run at a custom frequency) to activate during manual rule runs (#200784).
  • Implements various performance optimizations to reduce Elastic Defend’s CPU usage and improve system responsiveness.
  • Includes the Elastic Defend policy name and ID in alerts.
  • Adds the allow_cloud_features advanced policy setting, which lets you explicitly list which cloud resources can be reached by Elastic Defend (#205785).
  • Adds a new set of Elastic Defend fields call_stack_final_hook_module to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products.
  • Improves Elastic Defend script visibility and adds a new API event for AmsiScanBuffer, as well as AMSI enrichments for API events.
  • Enhances Elastic Defend by including an improved fingerprint for Memory_protection.unique_key_v2. We recommend that any shellcode_thread exceptions based on the old unique_key_v1 field be updated.
  • Adds the process.Ext.memory_region.region_start_bytes field to Elastic Defend Windows memory signature alerts.
  • Improves Elastic Defend host information accuracy, such as IP addresses. Elastic Defend was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints.

Bug fixes

edit
  • Fixes the unstructured system log flow for Automatic Import (#213042).
  • Fixes missing ECS mappings for Automatic Import (#209057).
  • Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers (#205220).
  • Ensures that the field mapping for Automatic Import contains the @timestamp field whenever possible (#204931).
  • Ensures that Automatic Import uses the provided data stream description in the integration readme (#203236).
  • Fixes the countdown for the next scheduled risk engine run (#203212).
  • Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder (#203106).
  • Fixes the bug where pressing Enter reloaded the Automatic Import (#199894).
  • Fixes a bug that prevented you from being able to select a connector for AI Assistant from the Elastic Security landing page (#213969).
  • Updates prompts that you can use with the Amazon Bedrock connector (#213160).
  • Fixes a bug in AI Assistant that caused the Bedrock region to always be us-east-1 (#214251).
  • Adds the organizationId and projectId OpenAI headers and other arbitrary headers (#213117).
  • Fixes a bug that sometimes caused generic error message to appear in OpenAI (#205665).
  • Improves copy for the entity store feature on the Entity Analytics dashboard (#210991).
  • Removes the critical services count from Entity Analytics dashboard summary panel (#210827).
  • Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it (#210430).
  • Adds a filter to the entity definition schema so it can be used to further filter entity store data (#208588).
  • Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages (#209130).
  • Fixes a bug that prevented the indexPattern parameter from being respected when you refreshed a data view (#215151).
  • Ensures that Kibana space IDs are dynamically retrieved for entity risk scores in the entity flyout (#216063).
  • Uses data from the risk engine’s saved object instead of your browser’s local storage when loading the Entity Risk Score page (#215304).
  • Improves the confirmation message that appears when you update the configuration for a risk engine saved object (#211372).
  • Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing (#209863).
  • Ensures that you stay on your current page in the Rules table after editing or updating a rule (#209537).
  • Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview (#213455).
  • Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn’t turned on (#211981).
  • Fixes the order of the alert insights so they’re now shown from low risk to critical risk(#212980).
  • Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view (#212721).
  • Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview (#211853).
  • Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout (#211824).
  • Fixes the width of the alerts table in rule preview (#214028).
  • Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query (#212117).
  • Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices (#209936).
  • Fixes a bug that didn’t allow you to generate ES|QL alerts from alert indices (#208894).
  • Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log (#207396).
  • Fixes an Elastic Defend bug to ensure the first event’s timestamp is used as the timestamp for event aggregation.
  • Updates the way Elastic Defend initially connects to Elastic Agent, which significantly improves the speed of connection.
  • Fixes issues where uninstalling Elastic Defend on Windows leaves files within Elastic Defend’s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades.
  • Improves Elastic Defend by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines.
  • Improves Elastic Defend by improving entity_id algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse.
« Release notes 8.17 »