7.13edit

7.13.3edit

Bug fixes and enhancementsedit

  • Fixes the JavaScript error that occurred when users opened an alert’s detailed view while an event’s detailed view was still open (#103970).

7.13.2edit

Known issueedit

The following Machine learning rules contain incorrectly configured ML job IDs (underscores were used instead of dashes between words) and cannot be successfully activated after they are enabled. Running these rules will cause an error message to display, indicating that an error occurred during the rule’s execution. This issue is present in Elastic Stack 7.13, 7.13.1, and 7.13.2. (#102146)

  • high-count-by-destination-country
  • high-count-network-denies
  • high-count-network-events
  • rare-destination-country

To ensure these rules can successfully run, duplicate the rule and edit it using these steps:

  1. Go to the Detections page and select Manage detection rules.
  2. Filter the Rules table to only display rules with the ML tag and search for the ML rule you want to duplicate.
  3. Select the rule you want to duplicate and click Bulk actions → Duplicate selected.
  4. Select the duplicated rule and click Edit rule settings.
  5. From the Definition tab, enter the correct ML job ID. For example, to fix the incorrectly configured high_count_by_destination_country ML rule job ID, remove the current job ID and enter high-count-by-destination-country. Click Save changes after you’ve finished.
  6. Delete the prebuilt ML job.

7.13.0edit

Featuresedit

  • A new Osquery Manager integration is now available as a beta in Fleet. Osquery provides a search box into hosts, leveraging security, compliance, and operations use cases. The integration enables users to centrally manage osquery deployment to Elastic Agents, run live queries against those agents, and schedule recurring queries. For more information about this new integration see the package readme.
  • Adds pre-packaged rule updates through the "Prebuilt Security Detection Rules" Fleet integration (#96698).
  • Filters the Alerts table by threat presence (#96096).
  • Populates threat.indicator.event with source.event data (#95697).
  • Adds the threat summary to the Summary tab in the Alert details flyout and introduces the Threat Intel tab (#95604) (#97185).
  • Updates Cloud plugin to handle new config values in kibana.yml (#95569).

Bug fixes and enhancementsedit

  • Fetches detection adoption metrics (#97789).
  • Updates fields with Beats metadata (#97719).
  • Updates detection alert mappings to ECS 1.9 (#97573).
  • ML rules accept multiple ML job IDs (#97073).
  • Adds the Security Network ML Module to the list of available jobs (#97014).
  • Updates MITRE tactics, techniques, and subtechniques (#97011).
  • Improves user experience duplicating rules (#96760).
  • Introduces a nested CTI row renderer (#96275).
  • Rebuilds nested fields structure from field’s response (#96187).
  • Combines multiple timestamp searches into a single request (#96078).
  • Adds the Indicator Match Timeline template (#95840).
  • Fetches additional detection rule adoption metrics (#95659).
  • Adds HTTP endpoints for the Timeline (#95036).
  • Updates the agent status labels and colors (#99314).
  • Fixes an issue where many OR clauses take up too much vertical space (#98706).
  • Adds network responses to error toasters (#97945).
  • Fixes issue where long hostnames were truncated in the agent detail flyout.(#97253).
  • Fixes a bug with DNS query that caused additional terms to be accidentally requested. (#97069).
  • Allows a preview of query results when creating a new rule or editing an existing one. (#94018).
  • Fixes the rule details page to show the rule details loading when the Activated switch is toggled. (#94010).
  • Sets the default date time on the timepicker to today instead of Last 24 hours to enable cachability. Also fixes a date math bug in the URL (#93548).
  • Fixes size issue with detection rule telemetry (#99900).
  • Excludes meta fields from the fields API request(#99443).

Known issuesedit

  • A histogram cannot be generated for these fields because their mappings have changed:

    • dll.Ext.mapped_address
    • dll.Ext.mapped_size
    • process.thread.Ext.start_address