Bug fixes and enhancements

  • Updates warning message when no indices match provided index patterns (#93094).
  • Fixes rule edit bug with max_signals (#92748).
  • Fixes issue where the file name in a value modal list would be truncated (#91952).
  • Adds an overflow text wrap for rule descriptions (#91945).
  • Fixes issue in detection search where searching with the timestamp override field would yield a 400 error (#91597).
  • Replaces partial failure with warning for rule statuses (#91167).


Breaking changes

Referential integrity issues when deleting value lists

The /api/lists DELETE API now checks for references before removing the specified resource(s) from value lists, and returns a 409 conflict if any references exist. Set the new ignoreReferences query parameter to true to keep the previous behavior of deleting value list(s) without performing any additional checks.

Bug fixes and enhancements

  • Corrects look-back time logic so that it now displays whatever unit the user selects (#81383).
  • Fixes a bug where mapping browser fields were automatically reduced (#81675).
  • Allows status data to be fetched for both enabled and disabled rules (#81783).
  • Allows autorefresh to be toggled in Advanced Settings (#82062).
  • Makes severity and risk score overrides more flexible (#83723).
  • Improves DE query build times for large lists (#85051).
  • Adds skeleton exceptions list tab to all rules page (#85465).
  • Fixes export functionality on the exceptions list view (#86135).
  • Fixes exception list table referential deletion (#87231).
  • Disables delete button for endpoint exceptions (#87694).

Known issues

  • The Elastic Endpoint Security rule will report a failure status until the Endpoint sends an alert for the first time. At that point, the next rule execution will succeed. The logs-endpoint.alerts-* index pattern is not created until the Endpoint sends the first alert (#90401).
  • In the Alert Details Summary view, values for some fields appear truncated. You’ll only be able to see the first character (#90539).