Bug fixes and enhancements

  • Detects and fixes corrupt user artifacts that intermittently caused Endpoint Integration Policy responses to fail (#111853).
  • Fixes the filter in and filter out functionality in Timeline hover actions (#111211).
  • Adds the ability to ignore fields during alert indexing and introduces a workaround for an EQL bug (#110927).



  • The securitySolution:defaultThreatIndex advanced setting defines threat intelligence indices that Elastic Security will use when collecting threat indicators. The setting controls features that query threat indices, such as the Threat Intelligence view on the Overview page and the default indicator index values for indicator match rules. One or more threat intelligence indices can be defined; the filebeat-* index is specified by default. See Update default Elastic Security threat intelligence indices for more information (#108389).

Bug fixes and enhancements

  • Fixes the AlienVault OTX event count on the Threat Intelligence view (#108448).
  • Fixes a Cases configuration error in the kibana.json file (#107637).
  • Fixes UI errors that were caused by the rule author field not being migrated (#107230).



  • Host isolation allows analysts to isolate hosts from their networks while investigating a potential attack. Analysts can use this feature to respond to malicious activity by containing infected hosts, curbing potential attacks, and preventing lateral movement to other hosts. This feature is supported on Windows and macOS.
  • Adds malware protection for Linux endpoints. Users can enable Linux malware protection in their policy to receive detection alerts (#103404)(#95014)(#104984).
  • Adds threat intelligence to alerts (#101553)(#103383).
  • Introduces the Swimlane connector for rules and cases (#100086).
  • Introduces role-based access control for cases and allows users to be given all, write, or no access to cases (#95058).
  • Adds new functionality and usability improvements to the Osquery Manager integration:

    • Users can create and curate a library of saved queries.
    • When running a live query, users can select a saved query or create a new one.
    • Scheduled queries can be constrained to a particular OS or osquery version.
    • Users can view who ran or scheduled a query, which is helpful during auditing.
    • The agent list for live queries only shows enrolled agents to make selecting targets easier.
  • Enhances alert documents to have the fields of constant_keyword, runtime fields, aliases, and copy_to (#102280).
  • Paginates long activity logs (#102261).
  • Validates path values for trusted apps (#99035).
  • Allows the wildcard symbol in trusted app paths (#97623).
  • Adds the option to select all rules within the Rules table that match the currently selected filter (#100554).

Bug fixes and enhancements

  • The Prebuilt Security Detection Rules package updates automatically (#101846).
  • Adds a merge strategy key to kibana.yml and adds additional security keys to the Docker container that Elastic Security previously overlooked (#103800).
  • Adds an overflow container to the rule name column in the Exceptions table for exceptions that have been assigned to three or more rules (#103377).
  • Adds the Threat Intelligence view to the Overview page (#100423).
  • Enhances the callout that describes missing privileges and feature access (#98125).
  • Fixes the rule preview issue that occurred if users created a threshold rule that was configured to group the IP data type (#105126).
  • Removes the comma delimiter for the is one of operator when defining rule exception conditions (#104960).
  • Resolves a bug that left outdated validation messages on the action type selection form (#104868).
  • Fixes the sort logic that didn’t work for certain fields within the Rules table (#103960).
  • Allows activity log scrolling on small screens (#103852).
  • Fixes the bug that prevented the checkbox value for Show only threat indicator alerts from updating properly within the Alerts table (#103746).
  • Disables the Load Elastic prebuilt rules and timeline templates button when pre-built rules are loading (#103568).
  • Allows users to view the details of a deleted rule (#103491).
  • Includes actions and responses for endpoints only (#103159).
  • Resolves the issue that caused an error message to display if users created rule exceptions with empty fields (#102583).
  • Removes the search bar on the Activity log tab (#102550).
  • Does not show activity log error popups (#102450).
  • Shows up to one hour of relative time in the activity log when viewing it from the endpoint details flyout (#102162).
  • Updates mappings for detection alerts to ECS v1.10.0 (#101680).
  • Fixes timestamp bugs within source indexes when the timestamps are not in ISO 8601 format (#101349).
  • Exposes the EQL query in Kibana logs for detections (#100565).
  • Resolves bugs linked to invalid KQL queries (#99442).
  • Allows users to view the details of a rule after the rule’s been deleted (#99406).
  • Fixes the histogram IP legend error (#99468).

Known issues

  • The Elastic Agent must be upgraded to the newest version to use the Osquery Manager integration in 7.14.0. Upgrade instructions are available at Upgrade Elastic Agent (#26545).
  • Customized event rendering settings do not persist on the Alerts page (#106819).
  • Fields that have been added to the Alerts table don’t display in the table, but do in the alert details (#106840).
  • After upgrading from 7.8 to 7.14, rules sometimes fail to execute, activate, or deactivate. To resolve this, use the PATCH rule API to update each rule that encounters this problem. The payload of the PATCH call should set the author field to [], as shown in the example below. After the author field is populated, the rule works as expected (#106233).

    PATCH <kibana host>:<port>/api/detection_engine/rules
    {
      "id": <id-value-of-rule>,
      "author": []
    }
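
The workaround above, applied to several rules at once, as an added example that is not part of the original release notes or Elastic's own code. It assumes basic authentication and that an affected rule can be recognised by a missing author key in a rule listing (an assumption; otherwise pass in the ids of the rules you saw failing). The function names and sample data are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample shaped like a GET /api/detection_engine/rules/_find response.
SAMPLE_FIND = {"page": 1, "perPage": 20, "total": 3, "data": [
    {"id": "rule-a", "name": "Constructed rule A", "author": ["Elastic"]},
    {"id": "rule-b", "name": "Constructed rule B"},  # author never migrated
    {"id": "rule-c", "name": "Constructed rule C", "author": []},
]}


def rules_missing_author(find_response):
    """Ids of rules with no author key (assumed marker of an affected rule)."""
    return [r["id"] for r in find_response.get("data", []) if "author" not in r]


def build_author_patch(kibana_url, rule_id, user, password):
    """Build the PATCH request from the known issue: set author to []."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        kibana_url.rstrip("/") + "/api/detection_engine/rules",
        data=json.dumps({"id": rule_id, "author": []}).encode(),
        method="PATCH",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # Kibana rejects write requests without this header
            "Authorization": f"Basic {token}",
        },
    )


def patch_rules(kibana_url, rule_ids, user, password, opener=urllib.request.urlopen):
    """PATCH each rule; return {rule_id: HTTP status} so failures stay visible."""
    results = {}
    for rule_id in rule_ids:
        request = build_author_patch(kibana_url, rule_id, user, password)
        try:
            with opener(request, timeout=30) as response:
                results[rule_id] = response.status
        except urllib.error.HTTPError as err:
            results[rule_id] = err.code  # e.g. 404 for an unknown rule id
    return results
```

Call patch_rules with the Kibana base URL, the ids returned by rules_missing_author, and credentials read from the environment rather than written into the script.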

Security update

  • Our security advisory for this release can be found here.