Bug fixes and enhancements

  • Removes empty values in the threshold.field array for threshold rules (#97111).
  • Fixes the issue where the Read Less button in the Event Details flyout is rendered below the fold if an event’s message field is too large (#96524).
  • Resolves regression where Elastic Endgame rules would warn about the unmapped timestamp override field (#96394).
  • Standardizes process fields in Endpoint Security telemetry (#95836).
  • Adds threshold_result to the alert notification context (#95354).
  • Updates the threshold preview to account for threshold field groups and cardinality (#94224).
  • Fixes bug for pre-populated endpoint exceptions (#94025).

  • Implements a connector for ServiceNow SIR (#88190).
  • Implements the case’s fields for the ServiceNow SIR connector (#88655).

Bug fixes and enhancements

  • Enables the Microsoft Teams action type for the detection engine (#94239).
  • Fixes bug for pre-populated endpoint exceptions (#94025).
  • Pushes ServiceNow ITSM comments on cases and alerts as work notes and improves error messaging (#93916).
  • Alert migrations can be finalized and cleaned up in all spaces (#93809).
  • Updates error handling logic to produce a cleaner message when deeply nested fields in KQL queries are greater than the default or what is set for the config property (#93536).
  • Updates shellcode telemetry for schema adjustment (#93143).
  • Fixes bug in the allowlist layout for security telemetry (#92850).
  • Updates exceptions modal to use existing lists plug-in (#92348).
  • Moves PE details out of Ext context (#92146).
  • Fixes loading indicators in the rules management table (#91925).
  • Adds missing fields for security telemetry (#91920).
  • Fixes issues when pushing a case that has alerts attached to an external service (#91638).
  • Updates error banner when refreshing the rule status (#91051).
  • Fixes bug in the exceptions builder UI that causes invalid values to overwrite other values (#90634).
  • Fixes issues with searching the Exceptions list table by name (#88701).
  • Threshold rule fixes (#93553, #92667).
  • Adds sub cases to the case list and a case details page (#91434).
  • Upgrades to use the IndexPatternService to get fields (#91153).
  • Adds new fields to the allowlist for alert telemetry (#90868).
  • Adds support for multiple terms aggregations within a Threshold Rule, as well as an additional cardinality aggregation for matching a specific number of unique values across a field (#90826).
  • Introduces the network details and host details to the side panel (#90064).
  • Adds ransomware exceptions (#89974).
  • Extends the daily usage collection to include perf and run information on active security ML jobs (#89705).
  • Reduces the detection engine’s reliance on _source (#89371).
  • Pushes a new case to the connector when created (#89131).
  • Disallows JIRA labels with spaces (#90548).
  • Fixes "Error loading data" displaying under Analyze Event (#91718).

Known Issues

  • Pagination does not work in the All Cases table. To circumvent this, increase the total number of rows that are displayed per page by selecting an option from the Rows per page menu. Alternatively, decrease the number of rows displayed in the table by filtering the list of cases that are returned. Finally, if you know which case you want to view, enter descriptive text about it into the search bar at the top of the table. (#94929).