From 14af5d03a4c7f24a46f97d58a3dffcd8d961b6a7 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 5 May 2025 16:12:28 -0400 Subject: [PATCH 1/2] Retroactively updates known issues for Defend and Security (#6813) * First draft * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * Adds known issue to other releases * Adds more resolution details * Update docs/release-notes/8.16.asciidoc Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> * periods * Update docs/release-notes/8.16.asciidoc Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> * gabe's feedback --------- Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> Co-authored-by: Benjamin Ironside Goldstein <91905639+benironside@users.noreply.github.com> (cherry picked from commit f4efddce6987cc9c9df9ae035bde533f60447e63) # Conflicts: # docs/release-notes/8.18.asciidoc --- docs/release-notes/8.16.asciidoc | 318 +++++++++++++++++++++++++++++++ docs/release-notes/8.17.asciidoc | 276 +++++++++++++++++++++++++++ docs/release-notes/8.18.asciidoc | 210 ++++++++++++++++++++ 3 files changed, 804 insertions(+) create mode 100644 docs/release-notes/8.18.asciidoc 
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 738d6195ea..9564611fa6 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.6]] ==== Bug fixes 
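Review bot: the bugcheck name is wrong in the title and twice in the body of this block: the Windows bug check 0x0000000A is `IRQL_NOT_LESS_OR_EQUAL`, not `IRQL_NOT_LESS_EQUAL`. Anyone matching this note against a crash dump, WinDbg `!analyze` output or the System event log entry for the bug check will be searching for a string that never appears. Please correct it in the title and in both backticked occurrences, and since the same block is pasted into every patch-release section of 8.16 and 8.17 in this patch, fix every copy, not only the 8.16.6 one.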
@@ -82,6 +127,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.5]] ==== Bug fixes 
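Review bot: the *Resolved* paragraph in both blocks lists 8.17.6, 8.18.1 and 9.0.1 but no 8.16.x release, even though the affected range opens with 8.16.0-8.16.6 and this hunk lives in the 8.16.5 section. A reader on 8.16 is left to infer that no patch is coming for their minor. Either name the 8.16 release that carries the fix, if one exists, or state explicitly that 8.16 users must upgrade to 8.17.6 or later, so that "If you can't upgrade" in the *Workaround* has a concrete target.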
@@ -116,6 +206,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.16.4]] ==== New features 
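Review bot: the two cross-references in the memory-growth *Workaround* ("using your {elastic-defend} <>" and "Clearing the corresponding checkbox under <>") appear here with no target. If the source really reads `<>` rather than `<<some-anchor>>`, Asciidoctor will emit a broken reference in the rendered page; please confirm both carry the anchor for the advanced-settings page and the event-collection page of the policy, since the note's whole point is that the reader must use the former, not the latter.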
@@ -171,6 +306,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.3]] ==== Bug fixes 
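Review bot: the Trellix *Workaround* recommends an Access Protection exclusion for "the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`)", but `svchost.exe` hosts a large number of Windows services, not only BFE. A path-based exclusion for that binary therefore exempts every svchost-hosted service from Access Protection, which is a much broader reduction in coverage than the sentence suggests. Please say so, advise scoping the exclusion as narrowly as Trellix's rule syntax allows (the linked guide covers process-specific rules), and tell readers to remove the exclusion once they are on 8.17.6, 8.18.1 or 9.0.1.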
@@ -219,6 +399,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.16.2]] ==== Bug fixes 
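Review bot: setting `windows.advanced.kernel.network` or `windows.advanced.kernel.registry` to `false` switches off the kernel event source that feeds network and registry telemetry, so the memory-growth *Workaround* is also a loss of detection coverage for the affected hosts, and the NOTE makes clear that other features depend on these sources. Please state that trade-off in a sentence, recommend applying it only to the busy Windows Server hosts that actually exhibit the growth rather than policy-wide, and say that the setting should be reverted after upgrading to a fixed version.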
@@ -324,6 +549,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[] 
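Review bot: this hunk is the sixth verbatim copy of the same two known-issue blocks in 8.16.asciidoc alone, with more in 8.17.asciidoc and the new 8.18.asciidoc. The file already wraps each block in `tag::known-issue[]` / `end::known-issue[]`, so these could be kept once and pulled into each section with an `include::` on the tag; as pasted, every later correction (the bugcheck name, the typo in the title, the version lists) has to be made in roughly fifteen places and the copies will drift.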
@@ -464,9 +734,57 @@ NOTE: These instructions only apply to the Google Chrome browser. Modify the ste . Search for the `siem..pageFilters` key, right-click on the value, then click *Delete*. If you have multiple non-default spaces, do this for each space. . Refresh the **Alerts** page to reload it. +*Resolved* + +This issue is fixed in {stack} version 8.16.1. + ==== // end::known-issue-53[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). 
+ +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[breaking-changes-8.16.0]] ==== Breaking changes diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 46bbca68ff..51154249b4 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
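Review bot: in the 8.16.0 hunk above, the Trellix *Workaround* offers "either disable Trellix Access Protection or add a ... exclusion" as equal choices. Disabling a third-party protection feature on every host is the heavier option and should be presented as the fallback, with the exclusion listed first; please reorder and add the conditions under which disabling is acceptable. Separately, this hunk also appends a *Resolved* paragraph ("fixed in {stack} version 8.16.1") to `known-issue-53`, which is outside the Defend blocks the rest of the patch adds; worth a line in the commit message so the backport is reviewable.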
@@ -42,6 +42,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[enhancements-8.17.5]] ==== Enhancements 
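Review bot: three wording errors in the text of both blocks, repeated in every copy: "kernal" in the memory-growth title should be "kernel"; "This delay prevents {elastic-defend} driver from properly initializing" is missing "the"; and "leading to a `IRQL_NOT_LESS_EQUAL` bugcheck" needs "an" before a name that is read aloud starting with a vowel. Since the title of a collapsible block becomes its visible heading, the "kernal" typo will be the most prominent text on the page.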
@@ -98,6 +143,51 @@ To resolve this issue, before you add an {elastic-defend} integration to a polic ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.4]] 
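Review bot: the memory-growth block tells readers the symptom ("slow down or become unresponsive") but gives no way to confirm that non-paged pool growth is the cause before they disable kernel event sources. A sentence pointing to the `\Memory\Pool Nonpaged Bytes` counter in Performance Monitor (or the Non-paged pool figure on the Memory tab of Task Manager), and saying that it climbs with the event load and falls again when the load subsides, would let an operator distinguish this issue from ordinary memory pressure.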
@@ -137,6 +227,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.3]] ==== Bug fixes 
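Review bot: the Trellix workaround in this hunk tells readers to add an exclusion for "the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`)", but an Access Protection exclusion keyed on `svchost.exe` exempts every svchost-hosted service, not just BFE, which opens a far wider hole in Trellix than the `FwpmTransactionBegin0` hang needs; recommend wording it as the narrowest exclusion Trellix supports for the BFE host process (by service or command line if the product allows it) and presenting "disable Trellix Access Protection" as a last resort, since it removes a protection control to work around a crash. Two grammar nits in the Details paragraph: "prevents {elastic-defend} driver from properly initializing" needs "the", and "leading to a `IRQL_NOT_LESS_EQUAL` bugcheck" should be "an `IRQL_NOT_LESS_EQUAL` bugcheck".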
@@ -177,6 +312,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[features-8.17.2]] ==== New features @@ -224,6 +404,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] 
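Review bot: the @@ -177 hunk pastes the same two 45-line known-issue blocks that already appear in the 8.17.4 and 8.17.3 sections, and the later hunks repeat them for 8.17.1 and 8.17.0; six verbatim copies will drift the moment someone corrects the "kernal" typo or the fixed-version list in one place. Consider keeping a single copy of each block in a shared snippet and including it in every affected section, or at least state in the PR that all copies must be edited together. In the @@ -224 hunk the new "*Resolved*" line ("This issue is fixed in {stack} version 8.17.2.") restates the existing workaround sentence "To resolve this issue, upgrade to 8.17.2."; trim the workaround to the RAM increase so the fixed version lives in one place.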
@@ -247,6 +430,51 @@ On November 12, 2024, it was discovered that manually running a custom query rul ==== // end::known-issue[] +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + [discrete] [[bug-fixes-8.17.1]] ==== Bug fixes @@ -289,6 +517,9 @@ This issue was discovered on February 6, 2025. *Workaround* + To resolve this issue, upgrade to 8.17.2. Alternatively, increase {kib}'s RAM to 2 GB. +*Resolved* + +This issue is fixed in {stack} version 8.17.2. + ==== // end::known-issue[] 
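Review bot: every "*Resolved*" line in these hunks lists 8.17.6, 8.18.1 and 9.0.1 as the fixed versions while the affected list starts with 8.16.0-8.16.6, so a reader on 8.16 gets no fix in their own line: say explicitly whether 8.16 users must move to 8.17.6 or later, or add the 8.16 patch version if one carries the fix. It would also help to add matching bug-fix bullets in the 8.17.6 section (and in the 8.18.1 and 9.0.1 files) so the driver fixes are discoverable from the fixed release, not only from the known-issue entries of the affected ones.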
@@ -377,6 +608,51 @@ On November 12, 2024, it was discovered that manually running threshold rules co *Details* + On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + ==== // end::known-issue[] diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc new file mode 100644 index 0000000000..01506efc6b --- /dev/null +++ b/docs/release-notes/8.18.asciidoc 
@@ -0,0 +1,210 @@ +[[release-notes-header-8.18.0]] +== 8.18 + +[discrete] +[[release-notes-8.18.0]] +=== 8.18.0 + +[discrete] +[[known-issue-8.18.0]] +==== Known issues +// tag::known-issue[] +[discrete] +.Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x +[%collapsible] +==== +*Details* + +If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules. + +*Workaround* + + +Duplicate your rules and enable them. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules +[%collapsible] +==== +*Details* + +On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check (https://github.com/elastic/docs-content/issues/1021)[#1021]. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Installing an {elastic-defend} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions +[%collapsible] +==== +*Details* + +When you install an {elastic-defend} integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions, as well as any user customizations, if you customized any other rule fields. + +*Workaround* + +To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten. 
+==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck +[%collapsible] +==== +*Details* + + +An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
+ +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems +[%collapsible] +==== +*Details* + + +An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. + +*Workaround* + + +If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: + +* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. +* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. + + +NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. + +*Resolved* + +This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. + + +==== +// end::known-issue[] + +[discrete] +[[deprecations-8.18.0]] +==== Deprecations +* The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]). +* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): + +** POST /api/detection_engine/signals/migrations +** DELETE /api/detection_engine/signals/migrations +** POST /api/detection_engine/signals/finalize_migrations +** GET /api/detection_engine/signals/migration_status + +[discrete] +[[features-8.18.0]] +==== New features +* Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents. 
+* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). +* Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). +* Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). +* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). +* Allows you to configure how often the enrich policy runs for the entity store ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). +* Provides configuration options to the entity store through additional API parameters ({kibana-pull}206421[#206421]). +* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). +* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). +* Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]). +* The manual runs functionality is now generally available ({kibana-pull}209535[#209535]). +* Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). +* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). +* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). 
+* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). +* Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]). +* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). +* Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). +* Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). +* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). +* {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. +* Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. +* {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. 
To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). +* Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. +* Introduces <> in the {elastic-defend} integration policy to reduce the volume of data that {elastic-endpoint} processes and ingests. The following new behaviors are enabled by default. You can turn them off by configuring your {elastic-defend} integration policy advanced settings: ++ +NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} policies. ++ +** {elastic-endpoint} will merge short lived process `create/terminate` events and `network connect/terminate` events so only a single document is produced. +** {elastic-endpoint} will only include a small subset of data in the `host.*` fieldset in event documents. +** {elastic-endpoint} will not report MD5 and SHA-1 hashes in event data. + +[discrete] +[[enhancements-8.18.0]] +==== Enhancements +* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). +* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). +* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). +* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). +* Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]). 
+* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). +* Updates the entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). +* Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). +* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). +* Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). +* Reduces the system performance impact of {elastic-defend} file events. +* Improves {elastic-defend}'s resilience in low memory situations. +* Updates the {elastic-defend} policy status message to show the {elastic-defend} policy name, revision, and {agent} policy revision. +* Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). +* Allows rule actions (except for **Summary of alerts** actions that run at a custom frequency) to activate during manual rule runs ({kibana-pull}200784[#200784]). +* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. +* Includes the {elastic-defend} policy name and ID in alerts. +* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend} ({kibana-pull}205785[#205785]). +* Adds a new set of {elastic-defend} fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. 
+* Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. +* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. +* Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts. +* Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. + +[discrete] +[[bug-fixes-8.18.0]] +==== Bug fixes +* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). +* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). +* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). +* Ensures that the field mapping for Automatic Import contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). +* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). +* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). +* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). +* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). +* Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]). +* Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). 
+* Fixes a bug in AI Assistant that caused the Bedrock region to always be `us-east-1` ({kibana-pull}214251[#214251]). +* Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). +* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). +* Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]). +* Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]). +* Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). +* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). +* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). +* Fixes a bug that prevented the `indexPattern` parameter from being respected when you refreshed a data view ({kibana-pull}215151[#215151]). +* Ensures that {kib} space IDs are dynamically retrieved for entity risk scores in the entity flyout ({kibana-pull}216063[#216063]). +* Uses data from the risk engine's saved object instead of your browser's local storage when loading the Entity Risk Score page ({kibana-pull}215304[#215304]). +* Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). +* Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). +* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). 
+* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). +* Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). +* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). +* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). +* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). +* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). +* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). +* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). +* Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). +* Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). +* Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). +* Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. +* Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. +* Fixes issues where uninstalling {elastic-defend} on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. 
+* Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. +* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file From 4313766b353a241ac10df733b439c3702a593a3c Mon Sep 17 00:00:00 2001 From: Nastasha Solomon Date: Mon, 5 May 2025 16:23:14 -0400 Subject: [PATCH 2/2] Remove 8.18 --- docs/release-notes/8.18.asciidoc | 210 ------------------------------- 1 file changed, 210 deletions(-) delete mode 100644 docs/release-notes/8.18.asciidoc diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc deleted file mode 100644 index 01506efc6b..0000000000 --- a/docs/release-notes/8.18.asciidoc +++ /dev/null 
@@ -1,210 +0,0 @@ -[[release-notes-header-8.18.0]] -== 8.18 - -[discrete] -[[release-notes-8.18.0]] -=== 8.18.0 - -[discrete] -[[known-issue-8.18.0]] -==== Known issues -// tag::known-issue[] -[discrete] -.Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x -[%collapsible] -==== -*Details* + -If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules. - -*Workaround* + - -Duplicate your rules and enable them. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules -[%collapsible] -==== -*Details* + -On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check (https://github.com/elastic/docs-content/issues/1021)[#1021]. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Installing an {elastic-defend} integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions -[%collapsible] -==== -*Details* + -When you install an {elastic-defend} integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions, as well as any user customizations, if you customized any other rule fields. - -*Workaround* + -To resolve this issue, before you add an {elastic-defend} integration to a policy in {fleet}, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten. 
-==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck -[%collapsible] -==== -*Details* + - -An `IRQL_NOT_LESS_EQUAL` https://learn.microsoft.com/en-us/windows-hardware/drivers/debugger/bug-checks--blue-screens-[bugcheck] in the {elastic-defend} driver happens due to an interaction with Trellix Access Protection (`mfehidk.sys`). This issue can occur when `elastic-endpoint-driver.sys` calls https://learn.microsoft.com/en-us/windows/win32/api/fwpmu/nf-fwpmu-fwpmtransactionbegin0[`FwpmTransactionBegin0`] to initialize its network driver. `FwpmTransactionBegin0` performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing `FwpmTransactionBegin0` to hang or slow significantly. This delay prevents {elastic-defend} driver from properly initializing in a timely manner. Subsequent system activity can invoke {elastic-defend}'s driver before it has fully initialized, leading to a `IRQL_NOT_LESS_EQUAL` bugcheck. This issue affects {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, either disable Trellix Access Protection or add a https://docs.trellix.com/bundle/endpoint-security-10.6.0-threat-prevention-client-interface-reference-guide-windows/page/GUID-6AC245A1-5E5D-4BAF-93B0-FE7FD33571E6.html[Trellix Access Protection exclusion] for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`). - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. 
- -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Unbounded kernel non-paged memory growth issue in Elastic Defend's kernal driver causes slow down on Windows systems -[%collapsible] -==== -*Details* + - -An unbounded kernel non-paged memory growth issue in {elastic-defend}'s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running {elastic-defend} versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0. - -*Workaround* + - -If you can't upgrade, turn off the relevant event source at the kernel level using your {elastic-defend} <>: - -* Network Events - Set the `windows.advanced.kernel.network` advanced setting to `false`. -* Registry Events - Set the `windows.advanced.kernel.registry` advanced setting to `false`. - - -NOTE: Clearing the corresponding checkbox under <> is insufficient, as {elastic-defend} may still process these event sources internally to support other features. - -*Resolved* + -This issue is fixed in {elastic-defend} versions 8.17.6, 8.18.1, and 9.0.1. - - -==== -// end::known-issue[] - -[discrete] -[[deprecations-8.18.0]] -==== Deprecations -* The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]). -* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]): - -** POST /api/detection_engine/signals/migrations -** DELETE /api/detection_engine/signals/migrations -** POST /api/detection_engine/signals/finalize_migrations -** GET /api/detection_engine/signals/migration_status - -[discrete] -[[features-8.18.0]] -==== New features -* Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents. 
-* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]). -* Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]). -* Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]). -* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]). -* Allows you to configure how often the enrich policy runs for the entity store ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]). -* Provides configuration options to the entity store through additional API parameters ({kibana-pull}206421[#206421]). -* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]). -* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]). -* Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]). -* The manual runs functionality is now generally available ({kibana-pull}209535[#209535]). -* Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]). -* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]). -* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]). 
-* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]). -* Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]). -* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]). -* Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]). -* Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]). -* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]). -* {elastic-defend} will now graphically report its protection status when launched from Windows Security Center. -* Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations. -* {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. 
To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <> ({kibana-pull}202674[#202674]). -* Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate. -* Introduces <> in the {elastic-defend} integration policy to reduce the volume of data that {elastic-endpoint} processes and ingests. The following new behaviors are enabled by default. You can turn them off by configuring your {elastic-defend} integration policy advanced settings: -+ -NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} policies. -+ -** {elastic-endpoint} will merge short lived process `create/terminate` events and `network connect/terminate` events so only a single document is produced. -** {elastic-endpoint} will only include a small subset of data in the `host.*` fieldset in event documents. -** {elastic-endpoint} will not report MD5 and SHA-1 hashes in event data. - -[discrete] -[[enhancements-8.18.0]] -==== Enhancements -* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]). -* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]). -* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]). -* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]). -* Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]). 
-* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]). -* Updates the entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]). -* Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]). -* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]). -* Turns the `securitySolution:enableVisualizationsInFlyout` <> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]). -* Reduces the system performance impact of {elastic-defend} file events. -* Improves {elastic-defend}'s resilience in low memory situations. -* Updates the {elastic-defend} policy status message to show the {elastic-defend} policy name, revision, and {agent} policy revision. -* Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]). -* Allows rule actions (except for **Summary of alerts** actions that run at a custom frequency) to activate during manual rule runs ({kibana-pull}200784[#200784]). -* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness. -* Includes the {elastic-defend} policy name and ID in alerts. -* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend} ({kibana-pull}205785[#205785]). -* Adds a new set of {elastic-defend} fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products. 
-* Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events. -* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated. -* Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts. -* Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints. - -[discrete] -[[bug-fixes-8.18.0]] -==== Bug fixes -* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]). -* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]). -* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]). -* Ensures that the field mapping for Automatic Import contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]). -* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]). -* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]). -* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]). -* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]). -* Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]). -* Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]). 
-* Fixes a bug in AI Assistant that caused the Bedrock region to always be `us-east-1` ({kibana-pull}214251[#214251]). -* Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]). -* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]). -* Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]). -* Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]). -* Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]). -* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]). -* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]). -* Fixes a bug that prevented the `indexPattern` parameter from being respected when you refreshed a data view ({kibana-pull}215151[#215151]). -* Ensures that {kib} space IDs are dynamically retrieved for entity risk scores in the entity flyout ({kibana-pull}216063[#216063]). -* Uses data from the risk engine's saved object instead of your browser's local storage when loading the Entity Risk Score page ({kibana-pull}215304[#215304]). -* Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]). -* Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]). -* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]). 
-* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]). -* Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]). -* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]). -* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]). -* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]). -* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]). -* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]). -* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]). -* Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]). -* Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]). -* Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]). -* Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation. -* Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection. -* Fixes issues where uninstalling {elastic-defend} on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades. 
-* Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines. -* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse. \ No newline at end of file
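Review bot: this hunk deletes all 210 lines of docs/release-notes/8.18.asciidoc, which PATCH 1/2 of the same series just created ("create mode 100644 docs/release-notes/8.18.asciidoc" in its diffstat), so the two patches are a net no-op for that file; either squash them, or have the "Remove 8.18" message say why 8.18 notes do not belong on this backport branch (the first commit already records a cherry-pick conflict in `docs/release-notes/8.18.asciidoc`). Two follow-ups that matter because the first commit says "Adds known issue to other releases", so the same text presumably landed in 8.16 and 8.17: (1) the deleted copy carries typos that should be checked in the surviving copies: "kernal driver", "at least once ever 24 hours", "the the isolate host panel", "even correlation rules", "Fixes bugs that prevents", and the link written as `(https://github.com/elastic/docs-content/issues/1021)[#1021]`, where the parentheses break the AsciiDoc `url[text]` macro. (2) The Trellix workaround tells readers to add an Access Protection exclusion "for the Base Filtering Engine service (`C:\Windows\System32\svchost.exe`)"; `svchost.exe` hosts many services, not only BFE, so an exclusion on that binary is broader than the sentence implies. If Trellix lets the exclusion be narrowed to the BFE instance, the note should say how; if it does not, it should warn that the exclusion relaxes Access Protection for every svchost-hosted service, which is the caveat an administrator needs before applying it.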