Bug fixesedit

  • Stops the ES|QL tab from rendering until you click on it in Timeline (#173484).
  • Adds a feature flag (timelineEsqlTabDisabled) to hide the ES|QL tab in Timeline (#174029).
  • Removes the default query from the ES|QL tab in Timeline (#174393).
  • Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).


Bug fixesedit

  • Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).



  • Updates references on the Entity Risk Score management page (#171089).

Bug fixesedit

  • Fixes a bug that caused the Alerts page to crash if you reloaded it while the preview panel in the alert details flyout was open (#172323).
  • Fixes the event analyzer panel width (#172026).
  • Applies page filters to MITRE ATT&CK® sub-technique cells when displaying rules (#170988).
  • Fixes a bug with the Investigate in timeline action for Elastic AI Assistant that caused ES|QL queries to open in the KQL query bar within Timeline (#170542).



  • Allows user and host risk score tables to be filtered by time range (#168826).

Bug fixesedit

  • Fixes a bug that caused MITRE ATT&CK® technique cells to show duplicate rules (#169708).
  • Fixes a bug that caused the incorrect MITRE ATT&CK® sub-technique to be applied after you saved a rule (#170465).
  • Adds a privilege check for bulk-changing alert statuses (#170584).


Known issuesedit

  • MITRE ATT&CK® technique cells show duplicate rules (#167929).
  • MITRE ATT&CK® tactic cells show an incorrect rule count (#167930).
  • An incorrect MITRE ATT&CK® sub-technique is applied after you save a rule (#170347).
  • When using Elastic Defend’s protection updates feature, if you turn off automatic updates and select the current day as your deployed artifacts version, it’s possible that the set of protections has not been released for that day yet. As a result, Elastic Agent could fail to download the artifacts and be set to an Unhealthy state. To avoid this issue, pick a date previous to the current one (#170847).

Breaking changesedit

  • Ends support for the filterQuery field of the getLiveQueryResults and findLiveQuery APIs, and replaces it with the KQL field kuery. Requests to those APIs that used the filterQuery field should replace it with kuery (#161806).
  • In 8.11, rule APIs will only support investigation_fields as { field_names: string[] }. If you’ve added this field to your rules in 8.10, you don’t need to do anything when you import your rules.


  • Deprecates the doc_root.vulnerability.package and replaces it with the doc_root.package ECS package (#164651).

New featuresedit

  • Upgrades Elastic Defend to capture a new Windows event type: ETW Threat Intelligence (ETW-TI). Renames the Windows events policy Credential access category to API in the UI (but not in the .yaml, maintaining backwards compatibility). Adds two new advanced options: windows.advanced.events.api_disabled and windows.advanced.events.api_verbose (#167549).
  • Adds the Same family category and tab to the Data Quality dashboard. Fields with mappings in the same family have the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics (#167480).
  • Updates the exceptions flyout’s match_any operator to accept duplicate values that differ in case (#167208).
  • [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Enables the Elastic AI Assistant to answer questions about Elasticsearch Query Language (ES|QL) by allowing it to query, via ELSER, an ES|QL knowledge base. Refer to Elastic AI Assistant to enable the knowledge base (#167097).
  • Enables ES|QL in Timeline (technical preview) (#166764).
  • Adds the new ES|QL rule type (technical preview) (#165450).
  • Updates the Endpoint policy UI (Manage → Policies) to include a Protection updates tab, a new column called Deployed version, and a banner that highlights outdated policies (#165256, #162719).
  • Introduces full support for Elastic Endpoint on macOS Sonoma.
  • Updates Elastic Defend to support AlmaLinux 9 and Rocky Linux 9.
  • Adds a new optional parameter to Elastic Endpoint’s top command. The --limit parameter specifies how many times to refresh the command’s output before a graceful exit.
  • Adds Agent tamper protection for Elastic Defend, which prevents unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint from a host.


  • Adds a new Generative AI connector, Amazon Bedrock, for use with Elastic AI Assistant (#166662).
  • Renames the Generative AI connector to OpenAI, since Generative AI is now a category of connectors that include OpenAI and Amazon Bedrock (#167677).
  • Adds the id, severity, and status fields to the Webhook - Case Management connector (#166295).
  • Updates the order of items on Kibana’s left-side navigation menu to match the order in Elastic Security’s left-side navigation menu (#164268).
  • Adds tooltips to overview section titles in the alert details flyout (#166737).
  • Updates the .lists and .items indices to data streams (#162508).

Bug fixesedit

  • Updates the Entity Risk Score error message to list the necessary permissions (#169216).
  • Displays more descriptive errors for Generative AI connectors (#167674).
  • Adds metrics to some rule execution warning messages (#167551).
  • Fixes a bug that could cause the exceptions flyout to reload unnecessarily in response to rule updates (#166914).
  • Fixes a bug that could cause EQL shell alerts to not include certain common fields (#166751).
  • Sets the date and time picker to full width in the expanded Prevalence view within the alert details flyout (#166714).
  • Fixes a bug that could prevent the Install Cloud Native Vulnerability Management button on the empty state of the Findings page from working (#166335).
  • Fixes a bug that could cause an error when you edited a rule’s filter (#165262).
  • Fixes a bug that caused the Rules table to auto-refresh when auto-refresh was disabled (#165250).