Bug fixes and enhancementsedit

There are no user-facing changes in the 7.16.3 release.


Bug fixes and enhancementsedit

There are no user-facing changes in the 7.16.2 release.


Bug fixes and enhancementsedit

  • Fixes a 409 conflict error that occurred when users enabled a rule (#120088).
  • Fixes a bug where case comments containing GitHub Flavored Markdown (GFM) caused migrations to fail when upgrading to Elastic Stack version 7.15.0 or later (#119995).
  • Adds the Fleet host isolation exceptions summary card in the Fleet integration Advance tab (#119029).



  • Adds the ability to configure trusted applications on a per-policy basis, allowing security administrators to target a set of hosts with specific configurations and settings. For example, trusted applications can be tailored to certain functions within an organization or for testing and troubleshooting purposes (#112182, #111051, #110966).
  • Adds memory threat protection for macOS and Linux systems (#114799).
  • Provides certified applications for ServiceNow Security Operations (SecOps) and ServiceNow IT Service Management (ITSM), and introduces a new ServiceNow IT Operations Management (ITOM) connector (#105440, #114125).
  • Updates logic for deciding whether a host’s isolation or release status appears as Pending for endpoints added to Elastic Security in Elastic Stack version 7.16.0 or later (#115441).
  • Adds Fleet actions and responses to the endpoint activity log; enriches the log by showing successful or failed action responses that were completed when the endpoint finished executing the action request (#114905).
  • Updates the resolution logic for ID-based links to cases (#111984).
  • Allows users to create host isolation exceptions (#111253).
  • Allows cases to be imported and exported as saved objects (#110148).
  • Highlights the top riskiest hosts in a user’s environment, based on a normalized host risk score scale of 0 to 100. (#109553).
  • Adds host risk metadata to alert details (#113274).
  • Switches the order of the Count table and the Trend histogram on the Alerts page (#117878).
  • Removes assigned policies from trusted applications when removing the Endpoint Security integration (#108347).

Bug fixes and enhancementsedit

  • Moves the Analyze event option from the overflow menu to the Actions column within the Alerts and Events tables. It now only displays events that can be opened in the visual event analyzer (#115478).
  • Halts indicator match rule execution after the allotted time interval has passed (#115288).
  • Allows detection rule actions to be migrated to a centralized Kibana alerting framework. Users may receive notifications sooner after alerts have been generated, depending on rule configuration and actions frequency (#115243, #115101).
  • Changes the prebuilt indicator match rule’s interval and lookback time to one hour (#115185).
  • Allows exceptions to be exported with rules (#115144).
  • Improves the formatting of array values and JSON in the Table and JSON tabs (#115141).
  • Provides users with a new, simpler way to add data to their environments through the Elastic Agent (#115016, #112142).
  • Enables the Index connector and action for the Detection engine (#111813).
  • Hides building block rules on the Overview page (#105611).
  • Corrects the distorted view of the "Status" badge in the Alert details flyout (#116237).
  • Improves the display of rule status errors caused by user permissions to the source index (#115114).
  • Fixes the exceptions export route (#114920).
  • Restores local storage persistence for the Alerts table and the Remove Column action (#114742).
  • Fixes issues that occurred when adding the Endpoint Security integration to an Elastic Agent policy in Fleet (#114467).
  • Updates the Indexing Time and Query Time columns in the Rule Monitoring table to be SUM, instead of MAX (#114023).
  • Fixes a bug that prevented dialogs on the Overview page from opening when users clicked on the Inspect button (#113161).
  • Sets a new default indicator index query that checks indicator index patterns for matched indicators that have occurred in the past 30 days (#112300).
  • Decodes file names on uploaded value lists and fixes a bug that stopped value lists from being deleted (#111838).
  • Fixes a bug that allowed users to create a trusted application with an empty name field (#111508).
  • Removes duplicate exception lists on rule export when multiple rules reference the same list (#116698).
  • Disables scrolling when activity data isn’t present in the endpoint activity log (#118406).
  • Updates the description in the import rules dialog (#118216).
  • Fixes a faulty status API call if the user selects the same status that’s already selected (#118115).
  • Prevents autofocus from jumping to the wrong field (#117950).
  • Removes validation that required the action ID to be a UUID (#116524).
  • Changes the detections log level from info to debug within the detection engine (#116518).
  • Fixes truncated values in columns within the Rules table (#115825).

Upcoming breaking changesedit

Changes to detection rule preview functionality:

To improve the detection engine’s rule preview functionality in 8.0.0, preview alerts will be written to a new index called the signals preview index (.siem-signals-preview*). In order to view this index and use the updated rule preview functionality, roles must have read privileges to the new signals preview index. Also note that, other than their index lifecycle management policies, signal preview indices are nearly identical to existing signal indices (#116374).

To give a role read privileges to the new signals preview index:

  1. Open the main menu, then go to Management → Stack Management → Security → Roles.
  2. Select the custom role you want to update.
  3. Modify the role’s index privileges as follows:

    1. Indices: Enter the signals preview indices that correspond with the signals indices. For example, the .siem-signals-preview* index pattern corresponds with the .siem-signals* index pattern. Similarly, the .siem-signals-preview-<KIBANA-SPACE>* index pattern corresponds with the .siem-signals-<KIBANA-SPACE>* index pattern.
    2. Privileges: Enter read.
  4. Click Update role to save your changes.

Upcoming changes to case feature privileges

In 8.0.0, case feature privileges will no longer be a sub-feature under Elastic Security (#113172).