Bug fixesedit

  • Fixes long-running queries in Timeline and Events tables within Explore pages (#176838).
  • Updates the default Amazon Bedrock connector API URL (#176090).
  • Ensures the risk score query only searches through alerts associated with the current user (#175903).
  • Fixes a bug that prevented scheduled query packs from running if a pack’s ID was composed of numbers (#176507).
  • Fixes a bug that affected the rule details page layout if rule filters were extremely long. Also fixes a bug that incorrectly caused rule filters to display instead of their custom labels (#176590).
  • Fixes a bug that prevented rules from being successfully imported if any rules referenced preconfigured connectors (#176284).
  • Fixes a bug that prevented rules from being successfully exported if you exported more than 1000 rules (#175979).
  • Turns off the option to install rules if you don’t have the appropriate privileges (#176598).
  • Fixes a bug that caused data to be lost when you upgraded a prebuilt rule to a new version with a different rule type (#176421).



  • Provides performance improvements related to image load and registry write events (#175486).

Bug fixesedit

  • Fixes misaligned elements in the top navigation bar (#175516).
  • Fixes a bug that affected search results when you entered an agent name that included a dash (-) (#175134).
  • Fixes a UI bug that hid frequency options for rule actions when you created or edited a rule (#175050).
  • Removes the option to select a data view when modifying a rule’s filter (#174922).
  • Hides the technical and runtime fields that shouldn’t appear in the JSON diff view when you’re upgrading a rule (#174789).
  • Ensures the current user is used when querying threshold rule history (#174723).
  • Updates the document ID used for the visual event analyzer preview and the related by ancestry section of the alert details flyout (#174651).
  • Deletes saved searches that are associated with deleted Timelines, and prevents saved searches from being created twice (#174562).
  • Fixes a bug that prevented the assignee column from appearing in the Alerts table after upgrading to 8.12.0 (#174370).


Known issuesedit

Data view option incorrectly displays when editing a filter applied to the KQL query bar

When editing the Alerts page KQL query bar filter or editing the KQL query bar filter on the rule edit page, you might encounter a UI bug requiring you to select a data view to proceed.

Select the Edit the query filter using DSL option.

Action frequency settings hidden in the UI when creating and editing a rule

Configuration options for rule action frequency are unavailable when creating and editing rules. Rules with action frequencies that are already configured still run correctly.

Use the update rule API to change a rule’s action frequency settings. Alternatively, export a rule, update its action frequency settings, and then re-import the rule.

Unrelated property differences in prebuilt rule update comparison

The JSON comparison for updated prebuilt detection rules might display some properties used for internal processing, which doesn’t accurately indicate how the rule will change if you update it.

For example, if you added automated actions or an exception list to an installed rule, the comparison shows the JSON properties actions, response_actions, or exceptions_list in the Base version (your installed version) but not in the Update column (Elastic’s latest version). When you update the rule, it will still include your actions or exceptions — they will not be removed.

Similarly, the comparison might show a difference in the enabled property, but upgrading the rule will not change whether your installed rule is enabled or not. Other properties that might display in the comparison but don’t actually indicate rule configuration changes include execution_summary, timestamp_override_fallback_disabled, meta, filters, updated_at, and output_index.

No workaround is needed. You can ignore these unrelated property differences in the JSON comparison.

Breaking changesedit

There are no breaking changes in 8.12.0.


There are no deprecations in 8.12.0.

New featuresedit

  • Introduces the ability to assign alerts to specific users (#170579, #171589).
  • Introduces Retrieval Augmented Generation (RAG) for Alerts, allowing you to give Elastic AI Assistant context about more alerts in your environment (#172542).
  • Enables alert suppression for threshold rules (#171423).
  • Adds an Updates tab to the prebuilt rules upgrade flyout to show differences between the installed and updated versions (#172535, #173187).
  • Adds a setting that lets you exclude cold and frozen tiers from visual event analyzer queries (#172162).
  • Adds a tour to guide users through Timelines UI changes (#172030).
  • Adds a timeout option for Osquery queries, so you can customize the maximum time each query should run before timing out (#169925).
  • Introduces new grouping capabilities for CSPM and KSPM Findings data (#169884).
  • Adds the expandable alert details flyout to the rule preview panel (#167902).
  • Introduces bidirectional response actions to isolate and release SentinelOne-protected hosts (technical preview).


  • Refactors the timeline UI — various minor updates (#168230).
  • Introduces manual saving for Timeline (#171027, #169239).
  • Improves forward-compatibility for the rule schema (#170861).
  • Simplifies the format of risk engine API error responses (#170645).
  • Makes various UI improvements to the alert details flyout (#170279, #169035, #173399, #170078, #168297).
  • Saves the state of the alert details flyout in the browser. For example, after you use the flyout’s Investigate in timeline button, you can click your browser’s back button to return to the flyout (#169661).
  • Adds a button to rule execution error messages that lets you ask AI Assistant to diagnose errors (#166778).
  • Integrates a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Win32k) to create new event types that can be used by prebuilt endpoint rules to detect keylogging activity.
  • Allows for acting and target memory region buffers within behavior alerts to be scanned against Elastic Security’s collection of YARA signatures when collected. Detections are added to alerts.
  • Adds a new ReadProcessMemory (lsass) event that can be used by prebuilt endpoint rules to detect credential dumping.
  • Adds a link to the Amazon Bedrock connector edit UI that opens the token tracking dashboard (#172115).
  • Allows you to use the matches and does not match operators when defining endpoint exceptions and event filters (#166002, #170495).
  • Adds support for Kafka as an output type for Endpoint.

Bug fixesedit

  • Fixes response action bugs by mapping the unisolate command to the release command and the running-processes command to the processes command (#173831).
  • Fixes the dark theme for the alert details flyout footer (#173577).
  • Makes the Timeline tour compatible with the Timeline template page (#173526).
  • Stops the ES|QL tab from rendering until you click on it in Timeline (#173484).
  • Adds a feature flag (timelineEsqlTabDisabled) to show or hide the ES|QL tab in Timeline (#174029).
  • Removes the default query in the ES|QL tab in Timeline (#174393).
  • Fixes a bug that caused machine learning fetch jobs to fail when the default data view (securitySolution:defaultIndex) contained special characters (#173426).
  • Remove the Assignees field from the event details flyout (#173314).
  • Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).
  • Fixes a UI bug that overlaid Default Risk score values as you created a new rule (#172677).
  • Fixes a bug that cleared configured fields in the exceptions flyout after the flyout reloaded and refocused (#172666).
  • Limits the character length for exception comments to 3000 characters, and makes the error message more descriptive if the limit’s exceeded (#170764).
  • Re-adds the missing alerts index filtration to Data views (#170484).
  • Fixes a bug that didn’t allow exceptions to be created or edited after an error displayed (#169801).
  • Stops Elastic Security app pages from crashing when there’s a fields error in the Stack by component (#168411).
  • Deletes saved searches that are associated with deleted Timelines and prevents saved searches from being created twice (#174562).
  • Fixes a bug with the Share alert feature in the alert details flyout (#174005).