Release Notesedit
7.11.2edit
Bug fixes and enhancementsedit
- Updates warning message when no indices match provided index patterns (#93094).
-
Fixes rule edit bug with
max_signals(#92748). - Fixes issue where the file name in a value modal list would be truncated (#91952).
- Adds an overflow text wrap for rule descriptions (#91945).
- Fixes issue in detection search where searching with the timestamp override field would yield a 400 error(#91597).
-
Replaces
partial failurewithwarningfor rule statuses (#91167). - Fixes "Error loading data" displaying under Analyze Event (#91718).
Known issuesedit
When upgrading from 7.11.0 or 7.11.1 to 7.11.2, certain connectors, including those that connect to Jira, ServiceNow, and IBM Resilient, are not properly migrated during the upgrade process, causing them to be deleted.
Impacts include:
- Security detection rules that have been configured to use the affected connectors as part of their rule actions will no longer create these actions.
- Kibana Alerting and Action alerts that have been configured to use the affected connectors will no longer create these actions.
- Security Case workflow users will need to recreate external connectors before cases can be pushed or updated via the affected connectors.
- Open cases that were previously connected to third-party systems via the affected connectors will need to be re-connected after the connector(s) are recreated.
It is recommended to consider delaying the upgrade to 7.11.2, and instead upgrade to 7.12.0 once it is released.
7.11.0edit
Breaking changesedit
Referential integrity issues when deleting value lists
The /api/lists DELETE API has been updated to check for references before removing the specified resource(s) from value lists and will now return a 409 conflict if any references exist. Set the new ignoreReferences query param to true to maintain the behavior of deleting value list(s) without performing any additional checks.
Bug fixes and enhancementsedit
- Corrects look-back time logic now displays whatever unit the user selects (#81383).
- Fixes a bug where mapping browser fields were automatically reduced (#81675).
- Allows both status data for enabled and disabled rules are now fetchable (#81783).
- Allows autorefresh to be toggled in Advanced Settings (#82062).
- Makes severity and risk score overrides more flexible (#83723).
- Improves DE query build times for large lists (#85051).
- Adds skeleton exceptions list tab to all rules page (#85465).
- Fixes export on exceptions functionality list view (#86135).
- Fixes exception list table referential deletion (#87231).
- Disables delete button for endpoint exceptions (#87694).
Known issuesedit
-
The Elastic Endpoint Security rule will report a failure status until the Endpoint sends an alert for the first time. At that point, the next rule execution will succeed.
logs-endpoint.alerts-*index pattern does not get created until the Endpoint sends the first alert (#90401). - In the Alert Details Summary view, values for some fields appear truncated. You’ll only be able to see the first character (#90539).
7.10.1edit
Bug fixes and enhancementsedit
7.10.0edit
Post upgrade requirementsedit
When upgrading the Elastic Stack to version 7.10.0 from a previous minor version (7.9.x), perform the following:
-
Grant
view_index_metadatapermissions to any Elastic Security users. This is required to enable event correlation rules. Other previously activated detection rules will continue to run after upgrade.
Breaking changesedit
Signals template updated for rollover indices
The create_index_route now checks if the template needs to be upgraded
before creating the index. If the index already exists and the template was upgraded,
the index rolls over so that the write index has the upgraded mapping.
This breaks the old mappings that have risk_score mapped as a keyword.
In the new mapping, signal.rule.risk_score is a float. After rolling over,
there is a conflict between the old and new signal.rule.risk_score for some
features, such as aggregations.
This requires the view_index_metadata permission in Kibana. See (#80019) for details.
Connect incident fields allowed when cases are sent
You can now specify connector incident fields when cases are sent. This includes: * Jira: issue type, priority, and parent issue in the case of a subtask. * IBM Resilient: issue types, and severity. * ServiceNow: urgency, severity, and impact.
See (#77327) for details.
Bug fixes and enhancementsedit
- Adds Metadata and Discovery Analysis Jobs to Security Integration (#76023).
- Improves Alert Telemetry for the Security app (#77200).
- Allows passwords to be visible on security screens (#77394).
- Groups features for role management (#78152).
- Warns users when security is not configured (#78545).
- Enhancements for saved object management workflows (#75444).
- Adds EQL search strategy for security (#78645).
- Fetches related events from specified devices (#78780).
- Excludes cloud alias index from EQL query (#81551).
- Telemetry: Displays collected security event sample (#78963).
- Analyze Events: Requests data from new event API (#78782).
- Detections: Handle conflicts on alert status update (#75492).
Known issuesedit
-
If you edit a rule while that rule is running, the rule fails. Subsequent successful runs will retain the previous failure message (#82320).
-
When adding a rule exception, you cannot select value lists of type
ip_range. Lists of typeip_rangewill not appear in the Add Exception dropdown as possible values after selecting the is in list operator. (#79511).
7.9.1edit
Post upgrade requirementsedit
After upgrading the Elastic Stack to version 7.9.0 and 7.9.1 from a previous minor release (7.8.x, 7.7.x, and so on), you need to:
- Enable access to the Detections page. Previously activated detection rules continue to run after upgrading, and this is only required to enable the UI.
- Enable the process analyzer. This is only required if you want to view graphical representations of process relationships.
Bug fixes and enhancementsedit
- Fixes closing alerts via exceptions (#76145).
- Fixes selecting all alerts issue (#75945).
- Fixes issues when exceptions are no longer associated with a rule (#76012).
- Prevents adding exceptions to unsupported rule types (#75802).
- Corrects error messages for insufficient machine learning permissions (#74582).
-
Increases permissions granularity for the
.listssystem index (#75378).
7.9.0edit
Breaking changesedit
Actions API
When you create a ServiceNow connector via the Actions API:
-
The
casesConfigurationobject is obsolete. Instead, useincidentConfiguration. -
To see ServiceNow connectors in the UI, you must use the
isCaseOwnedfield.
These changes only apply to ServiceNow connectors.
Known issuesedit
-
After changing the
xpack.encryptedSavedObjects.encryptionKeysetting value and restarting Kibana, you must restart all detection rules (#74393). - When selecting all alerts on the Detections page, some alerts are not marked as selected in the UI (#75194).
- When creating rules, if you have more than one Timeline template the template drop-down list is truncated (#75196).
- Exceptions cannot be added to or viewed in imported rules when the exception list has been deleted or does not exist in the Kibana space (#75182).
- Updates to a Timeline may not be saved when you immediately close the Timeline or navigate to a different page (#75292).
Bug fixes and enhancementsedit
-
Fixes rule tags to accept special characters and keywords:
AND,OR,(,),", and*(#74003). - Fixes broken link from the Network map to Kibana index management (#73757).
-
Fixes unresponsive Timeline issues when dragging the
process.hash.sha256field to Timeline (#72142). - Fixes Timeline page scrolling with saved queries issue (#69433).
- Fixes a UI issue with opening and closing alerts (#69217).
- Fixes display of long rule reference URLs (#68640).