Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

8.16 Elastic Security Release Notes #5977

Merged
merged 55 commits into from
Nov 12, 2024
Merged
Show file tree
Hide file tree
Changes from 16 commits
Commits
Show all changes
55 commits
Select commit Hold shift + click to select a range
f9c2d6d
8.16 Elastic Security Release Notes
benironside Oct 23, 2024
9e8664b
Adds 8.16 rns to index file
benironside Oct 23, 2024
cda2bdd
Completes first draft
benironside Oct 24, 2024
5bedce8
Including 8.16 rn file
nastasha-solomon Oct 24, 2024
f7ea205
minor updates
benironside Oct 24, 2024
f1d21dc
First draft of Endpoint PRs
nastasha-solomon Oct 25, 2024
a6f17d2
First batch of endpoint revisions
nastasha-solomon Oct 25, 2024
b79e203
Second batch of edits for Endpoint PRs
nastasha-solomon Oct 26, 2024
85af7df
Edits endpoint, DE, and TH rns
nastasha-solomon Oct 26, 2024
bf6eb32
More minor edits
nastasha-solomon Oct 30, 2024
0dbe3c6
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Oct 30, 2024
70ffdf5
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Oct 30, 2024
fe263d2
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Oct 30, 2024
8ab9343
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 1, 2024
7af796b
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 1, 2024
5d575c3
Update docs/release-notes/8.16.asciidoc
benironside Nov 1, 2024
ddde9eb
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 4, 2024
8012fa0
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 4, 2024
9d8d035
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 4, 2024
c006928
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 4, 2024
d1fd7fd
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 4, 2024
320eff9
Adds Automatic Import PRs
benironside Nov 5, 2024
bc034e2
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 5, 2024
684548b
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 5, 2024
6b9f918
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 5, 2024
0a3b585
jatin's feedback
nastasha-solomon Nov 5, 2024
bbfa178
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 5, 2024
d5e25e3
Adding known manual run issues
nastasha-solomon Nov 6, 2024
df1dac9
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 6, 2024
1decd98
Fix title
nastasha-solomon Nov 6, 2024
ede7a0d
Merge branch '5941-8.16-RNs' of github.com:elastic/security-docs into…
nastasha-solomon Nov 6, 2024
68f56f7
Adds knowledge base index known error
benironside Nov 7, 2024
168df56
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 7, 2024
ca9d5ef
Re-orders new features
nastasha-solomon Nov 7, 2024
02fc62e
Edits and summary for 191874
nastasha-solomon Nov 7, 2024
d9c762e
Grammar and re-orders enh and bf
nastasha-solomon Nov 8, 2024
cac4ce4
Re-orders known issues
nastasha-solomon Nov 8, 2024
4ea3583
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 8, 2024
d1339a9
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 8, 2024
8f8158a
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 8, 2024
3d43f1d
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 8, 2024
779327c
adds cloud sec integrations
benironside Nov 11, 2024
62adef9
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
5df7dc7
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
9e18601
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
e3954a5
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
95676b3
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
eae9b8f
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
c1e78ba
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
2e2d9a7
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
28afc0d
Update docs/release-notes/8.16.asciidoc
nastasha-solomon Nov 11, 2024
ff326f6
Updates summary for 191557
nastasha-solomon Nov 11, 2024
769899c
Merge branch 'main' into 5941-8.16-RNs
nastasha-solomon Nov 12, 2024
ace7e80
Merge branch 'main' into 5941-8.16-RNs
nastasha-solomon Nov 12, 2024
28ed119
Merge branch 'main' into 5941-8.16-RNs
nastasha-solomon Nov 12, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions docs/release-notes.asciidoc
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@

This section summarizes the changes in each release.

* <<release-notes-8.16.0, {elastic-sec} version 8.16.0>>
* <<release-notes-8.15.3, {elastic-sec} version 8.15.3>>
* <<release-notes-8.15.2, {elastic-sec} version 8.15.2>>
* <<release-notes-8.15.1, {elastic-sec} version 8.15.1>>
Expand Down Expand Up @@ -65,6 +66,7 @@ This section summarizes the changes in each release.
* <<release-notes-8.0.0, {elastic-sec} version 8.0.0>>
* <<release-notes-8.0.0-rc2, {elastic-sec} version 8.0.0-rc2>>

include::release-notes/8.16.asciidoc[]
include::release-notes/8.15.asciidoc[]
include::release-notes/8.14.asciidoc[]
include::release-notes/8.13.asciidoc[]
Expand Down
117 changes: 117 additions & 0 deletions docs/release-notes/8.16.asciidoc
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
[[release-notes-header-8.16.0]]
== 8.16

[discrete]
[[release-notes-8.16.0]]
=== 8.16.0

[discrete]
[[known-issue-8.16.0]]
==== Known issues

// tag::known-issue-189676[]
[discrete]
.Tags appear in Elastic AI Assistant's responses
[%collapsible]
====
*Details* +
On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `<antThinking>` tags, for example `<search_quality_reflection>` ({kibana-issue}189676[#189676]).

====
// end::known-issue-189676[]

nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
[discrete]
[[breaking-changes-8.16.0]]
==== Breaking changes

* During shutdown, {kib} now waits for all the ongoing requests to complete according to the `server.shutdownTimeout` setting. During that period, the incoming socket is closed and any new incoming requests are rejected. Before this update, new incoming requests received a response with the status code 503 and body { "message": "{kib} is shutting down and not accepting new incoming requests" }.

[discrete]
[[features-8.16.0]]
==== New features

// * Introduces a new API route for listing Entity Store entities: `GET /api/entity_store/entities/list` ({kibana-pull}192806[#192806]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Introduces Knowledge Base for Elastic AI Assistant, which allows you to specify information for AI Assistant to remember when responding to your queries ({kibana-pull}186566[#186566], {kibana-pull}192665[#192665]).
* Enables detection rules to automatically execute system actions such as opening a case ({kibana-pull}183937[#183937]).
benironside marked this conversation as resolved.
Show resolved Hide resolved
* Adds syntax validation for {esql} queries ({kibana-pull}189780[#189780]).
* Provides a way to view {es} queries that run during rule execution. This option is provided for {esql} and EQL rules only ({kibana-pull}191107[#191107]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Allows you to create and update a rule even when some data-related validation errors are present in the query field ({kibana-pull}191487[#191487]).
* Introduces a new advanced setting `securitySolution:enableVisualizationsInFlyout`. When enabled, you can examine alerts and events in the **Visualize** tab, which provides a more detailed view of the event analyzer and Session View ({kibana-pull}194012[#194012], {kibana-pull}192531[#192531]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule execution. This setting does not apply to {ml} rules ({kibana-pull}186908[#186908]).
Copy link
Contributor

@nastasha-solomon nastasha-solomon Nov 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@yctercero I just remembered that we're in the process of finetuning the docs for this advanced setting via #5925 and #5962. I've updated the PR description to reflect those changes. Let me know if it looks good or still needs some changes. Thanks!

Suggested change
* Creates a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude cold and frozen data from rule execution. This setting does not apply to {ml} rules ({kibana-pull}186908[#186908]).
* Introduces a new advanced setting `securitySolution:excludedDataTiersForRuleExecution` that allows you to exclude query results from cold and frozen data during rule executions. This setting does not apply {esql} and {ml} rules. ({kibana-pull}186908[#186908]).

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This setting is not available for Serverless, not sure if we should mention.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't describe Serverless changes in stack release notes, so it's fine that we're not mentioning it here. : )

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unresolving as this might need more changes.

* Introduces the ability to add notes to alerts and events, in addition to Timeline.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
//PR for notes feature is incoming.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Enhances the Insights in the section in the alert and event details flyouts by providing available misconfiguration and vulnerabilities findings ({kibana-pull}195509[#195509]).
* Removes the `securitySolution:enableAssetCriticality` advanced setting and enables <<asset-criticality, asset criticality>> workflows by default ({kibana-pull}196270[#196270])
* Adds an {elastic-defend} integration policy advanced setting that, adds file hashes to file events when enabled ({kibana-pull}192037[#192037]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Adds RBAC for Elastic AI Assistant's knowledge base ({kibana-pull}195733[#195733]).
* Adds RBAC for Attack Discovery ({kibana-pull}188788[#188788]).
* Adds historical results to the Data Quality dashboard and updates its UI ({kibana-pull}191898[#191898], {kibana-pull}196127[#196127]).
* Enables agentless deployment for Elastic's Cloud Security Posture Management integration ({kibana-pull}191557[#191557]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* The host field size reduction setting on {elastic-defend}'s integration policy is now turned off by default. To turn it on, configure the `[os].advanced.set_extended_host_information` <<adv-policy-settings,advanced policy setting>>.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* To reduce CPU usage, I/O, and event sizes, you can turn on process event aggregation when configuring your {elastic-defend} integration policy. Related process events that occur in rapid succession are combined into fewer aggregate events. To turn on process event aggregation, configure the `advanced.events.aggregate_process` <<adv-policy-settings,advanced policy setting>>.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* To reduce CPU usage, I/O, and event sizes, you can now turn off of MD5, SHA-1, and SHA-256 hashes in events when configuring your {elastic-defend} integration policy. Example fields include `process.hash.md5` and `file.hash.sha1`.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* You can now configure your {elastic-defend} integration policy to allow the collection of SHA-256 file hashes in file events. Before doing so, consider the following caveats:
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
** This can greatly increase {elastic-defend}'s CPU and I/O utilization, and impact system responsiveness.
** This can significantly delay event enrichment, and lead to Behavioral Protection rules firing too late to effectively stop malicious behavior.
** This can cause event processing queues to overflow, and lead to dropped events.
** Many file events won't contain hashes. Hash collection is best effort and not guaranteed to be present in every event. Hashes are collected asynchronously, and shortly after the file activity. Hashes might be missing if the file was rapidly renamed, moved, deleted, or (on Windows) opened by another process without https://learn.microsoft.com/en-us/windows/win32/fileio/creating-and-opening-files[read sharing].
* Improves {elastic-defend} enabling the use of dynamic {filebeat-ref}/kafka-output.html#topic-option-kafka[topics] for the kafka output.
* Improves {elastic-defend} by integrating a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-WMI-Activity) to create new event types that can be used by prebuilt endpoint rules to detect malicious WMI activity.

[discrete]
[[enhancements-8.16.0]]
==== Enhancements
* Enables you to open the Rule details flyout from the Alerts table ({kibana-pull}191764[#191764]).
* Allows you to resize the alert and event details flyouts and choose how it's displayed (over the Alerts table or next to it) ({kibana-pull}192906[#192906], {kibana-pull}182615[#182615]).
* Allows you to enable entity risk scoring in multiple {kib} spaces ({kibana-pull}192671[#192671]).
* Creates a new API endpoint for cleaning up entity risk scoring data: `DELETE /api/risk_score/engine/dangerously_delete_data` ({kibana-pull}191843[#191843], {kibana-pull}189872[#189872]).
* Removes Elastic AI Assistant's default system prompts. The instructions previously contained in those prompts are now automatically included without user interaction, so Elastic AI Assistant will remain focused on relevant topics. Custom system prompts are still available ({kibana-pull}191847[#191847]).
* Improves Elastic AI Assistant's ability to generate {esql} queries ({kibana-pull}195480[#195480], {kibana-pull}188492[#188492]).
* Adds a button that lets you quickly add queries generated by Elastic AI Assistant to a rule's definition ({kibana-pull}190963[#190963]).
* Adds an "Other" option to the OpenAI connector's "Select an OpenAI provider" dropdown menu. Select this option when <<connect-to-byo-llm, connecting to your own custom LLM>> ({kibana-pull}194831[#194831]).
* Improves Attack Discovery in the following ways ({kibana-pull}195669[#195669]):
** Attack Discovery can now process up to 500 alerts (previous maximum: 100). This setting can now be adjusted directly from the Attack Discovery page, and is stored locally instead of in {es}
** Attack Discovery now combines related discoveries that would previously have appeared separately
** Attack Discovery now detects and displays an error instead of hallucinated output
* Adds an **Install and enable** button to the prebuilt rule UI, so you don't have to wait for rules to install before enabling them ({kibana-pull}191529[#191529]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Improves the `/upgrade/_perform` API endpoint used for upgrading rules to better handle Elastic rules that you customized, better handle special fields, and use `PUT` instead of `PATCH` logic for rule updates ({kibana-pull}191439[#191439]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Updates the Get Started tour for {elastic-sec} ({kibana-pull}192247[#192247]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Improves loading performance for various pages in {kib} ({kibana-pull}194241[#194241]).
* Adds Alert Suppression and Investigation Fields to the rule upgrade workflow ({kibana-pull}195499[#195499]).
* Adds User and Global Artifacts to the {fleet} Policy Response flyout and to the Endpoint details flyout ({kibana-pull}184125[#184125]).
* Allows you to recalculate entity risk scores immediately after you upload asset criticality data ({kibana-pull}187577[#187577]).
* Adds a {kib} advanced setting `securitySolution:maxUnassociatedNotes`, which allows you to set the maximum number of notes that can be attached to alerts and events ({kibana-pull}194947[#194947]).
* Adds the `IS` operator as an option when configuring a Windows signature blocklist entry ({kibana-pull}190515[#190515]).
* Allows you to disable the {elastic-defend} hardware call stacks feature ({kibana-pull}190553[#190553]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Improves network previews in the alert details flyout ({kibana-pull}190560[#190560]).
* Enhances {elastic-defend} by improving the `call_stack_final_user_module` attribution where potential `proxy_call` modules are encountered during Windows call stack analysis.
* Adds new fields to {elastic-defend} API events to improve context for the triage of Behavior Alerts. The new `call_stack_final_user_module` fields are `allocation_private_bytes`, `protection`, `protection_provenance_path`, and `reason`.
* Adds a new {elastic-defend} API event for https://learn.microsoft.com/en-us/windows/win32/api/ioapiset/nf-ioapiset-deviceiocontrol[`DeviceIoControl`] calls to support the detection of driver abuse. This feature is only supported on Windows 11 Desktop versions.
* Ensures security artifacts are updated when the {elastic-defend} service starts.
* Improves error messages that are returned when {elastic-defend} receives invalid or unsupported cryptographic keys from the {elastic-defend} policy.
* Ensures that {elastic-defend} tells {fleet} that it's `orphaned` if the connection between {elastic-defend} and {agent} stops for an extended period of time. {fleet} uses this information to provide you with additional troubleshooting context.
* Adds SOCKS5 proxy support to {elastic-defend}'s {ls} output.
* Ensures that on Windows, {elastic-defend} uses https://www.elastic.co/security-labs/finding-truth-in-the-shadows[Intel CET and AMD Shadow Stacks] to collect call stacks, where supported. This improves performance and enables detection of certain defense evasions.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Restore {elastic-defend}'s support for Windows Server 2012, which was removed in 8.13.0.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Improves {elastic-defend}'s caching to reduce memory usage on Windows.
* Enhances {elastic-defend} by reducing the size of process events, which reduces excessive process ancestry entries and shortens the entity ID.
* Improves the reliability and system resource usage of {elastic-defend}'s Windows network driver.

[discrete]
[[bug-fixes-8.16.0]]
==== Bug fixes

* Prevents an empty warning message from appearing for rule executions ({kibana-pull}186096[#186096]).
* Fixes an error that could occur during rule execution when the source index had a non-ECS-compliant text field ({kibana-pull}187673[#187673]).
* Removes unnecessary empty space below the title of the Open Timeline modal ({kibana-pull}188837[#188837]).
* Added a tag that was missing from an FTR suite ({kibana-pull}189661[#189661]).
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Improves the Alerts table's performance ({kibana-pull}192827[#192827]).
* Removes the requirement that you have unnecessary {kib} {fleet} privileges to access some cloud security posture Findings ({kibana-pull}194069[#194069]).
* Fixes an issue that could cause fields for all indices to appear when you tried to add a rule filter ({kibana-pull}194678[#194678]).
* Fixes an {elastic-defend} bug where network event deduplication logic could incorrectly drop Linux network events.
* Fixes an {elastic-defend} bug where Windows API events might be dropped if they contain Unicode characters that can't be converted to ANSI.
* Ensures that {elastic-defend} does not emit an empty `memory_region` if it can't enrich a memory region in an API event. With this fix, {elastic-defend} removes these fields.
* Fixes an {elastic-defend} bug where {elastic-defend} doesn't properly enrich Windows API events for short-lived processes on older operating systems that don't natively include this telemetry, such as Windows Server 2019. This might result in dropped or unattributed API events.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Fixes a bug that prevented host name uniformity with {beats} products. If you request for {elastic-defend} use the fully qualified domain name (FQDN) in the `host.name` field, {elastic-defend} now reports the FQDN exactly as the OS reports it, instead of lowercasing by default.
nastasha-solomon marked this conversation as resolved.
Show resolved Hide resolved
* Fixes an {elastic-defend} bug in behavior protection alerts, where prevention alerts could mistakenly be labeled as detection alerts.
* Fixes a bug that caused {elastic-defend} to crash if a Kafka connection is busy.