Known issuesedit

  • An Endpoint Security integration bug prevents benign Windows files from being deleted under certain circumstances.
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancementsedit

  • Fixes a bug that prevented the kibana.alert.uuid field from being populated in event correlation sequence shell alerts (#125890).
  • Applies updated field aliases to mappings in legacy indices (#125888).
  • Updates prebuilt detection rules (#125316).
  • Truncates long rule exception descriptions when viewing exception items in rule details (#125145).
  • Fixes a bug that caused the import process to fail if an exception list contained an exception item with comments (#124909).
  • Fixes a bug that duplicated the navigation button in the Security news section on the Overview page (#124356).
  • Fixes a bug that caused Timeline to appear if users had access to cases, but not Elastic Security (#123775).
  • Enforces privilege requirements for displaying the map on the Network page and allows users with Read or All Map feature privileges to expand or hide the map (#123336).


Upgrade requirementsedit

Before you upgrade, review the breaking changes for this release and the Elastic Security upgrade guidelines.

Known issuesedit

Case migration errors might be logged when upgrading

You might find the Failed to migrate user action alerts error message in your Kibana migration logs when upgrading to Elastic Stack version 8.0.0. This error is incorrectly logged when migrating cases and can be ignored (#124950).

Here is an example of an error message you might encounter:

[2022-02-07T20:25:58.614+00:00][ERROR][savedobjects-service] Failed to migrate user action alerts with doc id: 7420fe08-c2ed-51d2-b077-46deb4bf76c9 version: 8.0.0 error: Unexpected token in JSON at position 0

Existing or new rules that use the legacy alerts index may temporarily fail after upgrading

After you upgrade to Elastic Stack version 8.0.0, existing and new rules might fail to execute if their source index is configured to use a legacy alert index pattern created in Elastic Stack version 7.x (.siem-signals-<space-id>). Rule failures will likely cause detection gaps, which will be proportional in time to the scheduled interval of the rule. Rules will start to successfully execute after legacy alerts are no longer within the scheduled time period queried by the rule. Despite this automatic correction, coverage gaps might still remain (#124327).

The Threat Intel Filebeat Module (v8.x) Indicator Match rule query is misconfigured

The indicator index query of the prebuilt rule is misconfigured and will prevent the rule from generating alerts (#121045, #1560). To resolve this, duplicate the rule and update its settings:

  1. Go to the Rules table (Detect → Rules).
  2. Locate the Threat Intel Filebeat Module (v8.x) Indicator Match prebuilt rule.

    You can search for the rule by entering the rule name in the Rule table’s search bar.

  3. Click the rule to view the rule details.
  4. Click the actions menu, then click Duplicate rule.
  5. Go to the Indicator index query field and update the query by removing event.dataset:ti_* and replacing it with event.module:threatintel. For reference, the correct query is:

    `@timestamp >= "now-30d" and event.module:threatintel and (threat.indicator.file.hash.*:* or threat.indicator.file.pe.imphash:* or threat.indicator.ip:* or threat.indicator.registry.path:* or threat.indicator.url.full:*)`
  6. Under the Indicator index query field, update the query’s filters by removing event.dataset:ti_* and replacing it with event.module:threatintel.
  7. Save the changes.
  8. Activate the rule.

The import process fails for rules with exception comments

Comments on rule exceptions cause the import process to fail because the following system-generated fields cannot be validated for exception comments (#124742):

  • created_at
  • created_by
  • updated_at
  • updated_by
  • id

To complete the rule import process successfully, edit the exported .ndjson file and re-import it:

  1. Search the exported .ndjson file for exceptions with comments. Exception comments are stored within the exceptionItem object in the comments field.
  2. Edit the exception comment’s fields:

    • To preserve the comment during the import process, only delete the created_at, created_by, updated_at, updated_by, and id fields.
    • If you don’t want to preserve the comment, remove the comment entirely.
  3. Save the file and re-import it.

Network connection issues might occur if Elastic Endpoint is used with network traffic tools

On macOS versions before 12.4, if Elastic Endpoint is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.

Lucene 9 validation change may affect event correlation rules

A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).

Breaking Changesedit

  • Removes the trusted application API. The trusted application interface retains current functionality, but now uses the exception list API (#120134).
  • Removes the list endpoint metadata API (#119401).
  • Lets you grant privileges for cases separately from Elastic Security privileges (#113573, #112980). As a result of this change, you must update case privileges for existing roles before upgrading to Elastic Stack 8.0.0. Follow these steps:

    1. Open the main menu and click Management → Stack Management → Stack → Upgrade Assistant.
    2. From the Upgrade Assistant page, review the Kibana deprecation warnings. A message prompts you to update role privileges because of changes to the Elastic Security Cases feature.
    3. Click the message to open it, then click Quick resolve.
    4. Refresh the page to verify the deprecation was resolved, then return to the guided steps on the Upgrade Assistant page.


  • The output_index parameter is no longer supported for the APIs that create and update rules.


  • Shows all historical alerts for a given rule on the rule details page, including those associated with previous versions of the rule (#120053).
  • Enhances the UI and functionality for the Rules and Rule Monitoring tables and enables actions on the Rule Monitoring table (#119644).
  • The Threat Intelligence view supports Elastic Agent, Filebeat, and custom integrations (#116175).
  • Allows exception lists to be exported and imported with detection rules (#115144, #118816).

Bug fixes and enhancementsedit

  • Enhances the UI for the Exceptions table; improves how dates are displayed in the Rules and Exceptions tables (#117643, #118940).
  • Updates the mappings of the rule registry to ECS version 8.0.0 so that detection rules can process ECS version 8.0.0 data (#123012).
  • Allows you to create and add runtime fields from the Alert and Timeline tables (#117627, #114806).
  • Enhances the Data view selection UI and hides the Data view dropdown when no data is present (#117601, #119956).
  • Enhances previews and error flagging during rule creation (#116374).
  • Updates rule actions to use kibana.alert.* fields instead of signals.* fields (#116491).
  • Changes the insufficient permissions message type from an error to a warning (#123777).
  • Fixes typos in the success messages that appear after you close Timelines or Timeline templates (#123258).
  • Updates the Exceptions table header and Export button (#122870).
  • Fixes a bug that could break a rule’s details page after you edited, activated, or deactivated the rule (#122024).
  • Fixes an overlap between the rule query text field and Timeline banner (#121967, #121127).
  • Adds support for the threat.feed.name field in the alert details flyout and Timeline view (#120250).
  • Adds the default threat indicator path (threat_indicator_path) to indicator match rules where it was missing (#118962).
  • Adds a default value for the threat indicator path that indicator match rules use when creating indicator match rules from the Elastic Security app UI or the create rule API (#118821).
  • Enhances the Endpoint details flyout UI (#117987).
  • Fixes a bug that prevented you from clearing a connector’s Additional comments field (#117901).
  • Allows you to modify the default threat indicator path for the Threat Intel Filebeat Module (v7.x) Indicator Match prebuilt rule (#116583).


Known issuesedit

The Data view option might not display in upgraded environments with legacy alerts

To make the Data view option appear, a user with elevated role privileges must visit the Elastic Security app, open a page that displays alert data (such as the Overview page), then refresh the page (#121390).

The role must have the following privileges:

  • Cluster privileges: The manage privilege
  • Index privileges: The manage, write,read, and view_index_metadata index privileges for the following system indices where <space-id> is the Kibana space name:

    • .siem-signals-<space-id>
    • .lists-<space-id>
    • .items-<space-id>
    • .alerts-security.alerts-<space-id>
    • .internal.alerts-security.alerts-<space-id>-*
  • Kibana space: All privileges for the Security feature (visit Feature access based on user privileges for more information)

If new alerts are generated in an upgraded environment without legacy alerts, refreshing any page with alert data in Elastic Security will make the Data view option appear in the Elastic Security UI.

Detection rules may not generate alerts after upgrading to Elastic Stack 8.0.0

Rules are automatically disabled during the upgrade process and must be manually re-enabled after the process completes. Failure to do so could cause a gap in rule coverage (#120906).

Before upgrading, use the Find rules API to retrieve a list of enabled detection rules in your environment. You can reference this list when re-enabling rules after you upgrade.

We recommend using curl or another HTTP tool to securely run Elastic Security APIs. Below is an example curl command that retrieves a list of your enabled rules:

GET /api/detection_engine/rules/_find?per_page=10000&filter=alert.attributes.enabled:true

After upgrading, follow these steps to re-enable your rules from the Rules page:

  1. Go to the All rules table (Detect → Rules).
  2. Select the rules that you want to enable.
  3. Click Bulk actions → Enable to re-enable the rules.

Alternatively, you can use the Bulk rule actions API to re-enable rules.

Lucene 9 validation change may affect event correlation rules

A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever rule queries contain regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d).