Bug fixes and enhancements

  • Moves the Analyze event option from the overflow menu to the Actions column within the Alerts and Events tables. It now only displays events that can be opened in the visual event analyzer (#115478).
  • Fixes a table height issue that occurs when the Alerts table only has a few alerts (#114718).
  • Fixes a rule execution bug that intermittently caused large status documents to be generated and indexed, which contributed to Kibana upgrades failing (#112257).
  • Updates status queries to use the new kibana.alert.workflow_status field, and removes replaceAll references that caused older browser versions to crash if they didn’t support it (#114481).


Bug fixes and enhancements

  • Supports newlines in the Jira summary field. Newlines are replaced with commas (#113571).
  • Fixes a bug that prevented the Endpoints table from resetting after the KQL query was removed (#112595).
  • Fixes a bug that caused threshold and indicator match rules to ignore custom rule filters if a saved query was used in the rule definition (#109253).
  • Fixes a bug on the Alerts page that prevented the Trend histogram and Count table from being updated after an alert’s status was changed. With this fix, refreshing the Alerts page is no longer necessary to view the updates (#111042).


Known issues

  • Case comments containing GitHub Flavored Markdown (GFM) will cause migrations to fail when upgrading to Elastic Stack version 7.15.0 or later. To prevent this, remove GFM from the case comment before upgrading (#119509).

Breaking changes

  • After upgrading to Elastic Stack version 7.15.x from release versions 7.12.0 through 7.14.2, you need to migrate detection alerts enriched with threat intelligence data to ensure threat intelligence properly displays in Elastic Security. For more information, refer to instructions for migrating detection alerts enriched with threat intelligence data (#1102).
  • Removes the metadata query strategy v1 (#104196).


  • The securitySolution:defaultThreatIndex advanced setting defines threat intelligence indices that Elastic Security will use when collecting threat indicators. The setting controls features that query threat indices, such as the Threat Intelligence view on the Overview page and the default indicator index values for indicator match rules. One or more threat intelligence indices can be defined; the filebeat-* index is specified by default. See Update default Elastic Security threat intelligence indices for more information (#108389).
  • Adds new functionality and usability improvements to the Alerts page:

    • Introduces the Grid view and Event renderer view, which allow users to view data in a tabular format or rendered as an event flow (#108644).
    • Adds a Reason field to Alerts details flyout to describe the event that caused the alert (#108449, #107532).
    • Adds a row renderer popover to the Reason field (#108054).
    • Renames the In-progress detection alert status to Acknowledged (#107972).
    • Refactors the status filter (#107249).
    • Removes the drag and drop functionality (#107162, #106721).
    • Changes the JSON View tab name to JSON (#106524).
    • Adds actions to fields within the Alert details flyout (#106362).
    • Adds the Count table (#106358).
    • Updates the design of the Table tab in the Alert details flyout (#105996).
  • Adds the ability to attach a Lens visualization to a case (#96703, #109178).
  • Adds a date time picker to the Threat Intel tab that allows users to query the alert for indicator matches from a specific time range (#107234).
  • Adds memory threat protection as an option for configuring integration policies. This option detects and stops in-memory threats on Windows systems, such as shellcode injection, which are used to evade traditional file-based detection techniques. Users can also make exceptions for memory protection alerts (#102196, #101365).
  • Adds malicious behavior protection as an option for configuring integration policies. This option detects and stops threats by monitoring the behavior of system processes for suspicious activity. Behavioral signals are much more difficult for adversaries to evade than traditional file-based detection techniques. Users can also create exceptions for behavior protection alerts (#106853, #106247).
  • For Elastic Stack version >= 7.15.0, adds support for host isolation for endpoints in Windows, macOS, and these Linux distributions (#108230):

    • CentOS 8
    • RHEL 8
    • Ubuntu 18.04
    • Ubuntu 20.04
    • AWS Linux 2
  • Implements the accordion view on the Threat Intel tab so that threat matches and their details can be easily viewed (#106609).
  • Improves the event enrichment query performance (#106150).
  • Allows users to select a custom date range when exploring their endpoint’s activity log (#104085).
  • Adds advanced policy keys for memory signature and shellcode protection (#101721).

Bug fixes and enhancements

  • Allows users to bulk close exceptions to close acknowledged alerts (#110147).
  • Removes missing fields from the Trend histogram and Count table on the Alerts page (#108843).
  • Updates ECS 1.11 signal mappings (#108764).
  • Adds the operatorsList property in exceptions builder, which allows users to define options in the operators list (#108015).
  • Updates alerts enriched with threat intelligence data to use the latest ECS threat fields (#107988).
  • Highlights building block alerts in the Alerts table (#107727).
  • Updates MITRE ATT&CK mappings to v9.0 (#107708).
  • Makes improvements to the Timeline title and moves the Timeline description to the Notes tab (#106544).
  • Adds more actions to the Take action menu in the Alert details flyout (#105767).
  • Fixes the wrong nested package object assignment in the policy delete response (#110824).
  • Fixes a bug where parts of the Activity Log tab were loaded twice because data was being fetched twice (#110233).
  • Removes the clear field button (x) within the date and time picker on the Activity Log tab (#110035).
  • Removes restrictions on minimum and maximum dates in the date time picker (#109452).
  • Fixes a bug that caused fields to reset on the Timeline page when users viewed the alert in Timeline (#109086).
  • Ensures Fleet is set up before installing or upgrading the Endpoint Integration (#107929).
  • Fixes an issue with the Endpoint page’s search bar and ensures that page_index is reset when new KQL is entered (#106918).
  • Adds the Responses field to telemetry (#111892).
  • Fixes issues with the pagination on the Exceptions table (#111000).
  • Fixes a bug that caused empty comments to display in an endpoint’s activity log (#111163).