8.1

8.1.3

Known issues

  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever a rule query applies a regular expression to a wildcard field and that expression uses predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

  • Improves UI performance in environments with a high number of field mappings (#129862, #128928, #128885, #128909, #128774).
  • Fixes a bug on the Host and Network pages that forced table behavior to persist after users updated the pages’ time range (#130024).

8.1.2

Known issues

  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever a rule query applies a regular expression to a wildcard field and that expression uses predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

  • Ensures Endpoint Security continues to run on all supported Windows versions by changing the primary signer of the elastic-endpoint.exe file from ELASTICSEARCH B.V. to Elasticsearch, Inc. (#15).

8.1.1

Known issues

  • A bug significantly degrades UI responsiveness. We therefore recommend skipping this version and upgrading directly to a later 8.1.x release.
  • Endpoint Security cannot run on Windows 8.1 or Server 2012 R2 (#15).
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever a rule query applies a regular expression to a wildcard field and that expression uses predefined character classes (for example, \w, \s, \d).

Bug fixes and enhancements

  • Fixes an Endpoint Security integration bug that prevented benign Windows files from being deleted under certain circumstances.
  • Adds a notification to the Exception lists page that informs users if they are lacking certain role privileges (#126874).
  • Turns off the Upload value lists option on the Rules page if users have Read Security privileges only (#126829).
  • Removes the option to select rules in the All Rules table if users have Read Security privileges only (#126827).

8.1.0

Known issues

  • An Endpoint Security integration bug prevents benign Windows files from being deleted under certain circumstances.
  • On macOS versions before 12.4, if Elastic Endpoint is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.
  • Indicator match rules cannot use the .items-* system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules (#133457).
  • A new Lucene 9 validation change may cause event correlation (EQL) rule errors whenever a rule query applies a regular expression to a wildcard field and that expression uses predefined character classes (for example, \w, \s, \d).
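The Lucene 9 regex known issue listed for every 8.1.x release above (and in the 8.1.1, 8.1.2 and 8.1.3 sections) is easiest to deal with before upgrading by scanning your rule queries for the offending patterns. The script below is an added example written for this page, not Elastic code; it lints the EQL `query` string of each rule for regex literals that use \d, \w, \s or their negations and, where a plain bracket class is an exact ASCII equivalent, proposes one. It assumes regex literals follow the `regex` / `regex~` operator as a single string or a parenthesised list, that ordinary EQL strings escape a literal backslash as `\\` while `?"..."` raw strings do not, and that the ASCII expansions are acceptable to the rule author; the sample rules and their `rule_id` values are constructed for the example. \s and \S are reported but not rewritten, since whitespace has no portable escape in Lucene regex syntax, and a negated class inside an existing bracket expression is likewise left for a manual rewrite.

```python
"""Lint EQL rule queries for regexes that use predefined character classes.

Added example for the 8.1.x Lucene 9 known issue; not Elastic code.
Assumptions: regex literals follow `regex` / `regex~` as one string or a
parenthesised list; ordinary EQL strings escape a literal backslash as
two backslashes while ?"..." raw strings do not; the bracket expansions are
ASCII equivalents chosen here, not a rewrite Elastic prescribes.
"""
import re
from dataclasses import dataclass

CLASSES = "dDwWsS"
# Bracket-class bodies that are exact ASCII drop-ins. \s and \S are only
# reported: Lucene regex syntax has no portable escape for tab or newline.
POSITIVE = {"d": "0-9", "w": "a-zA-Z0-9_"}
NEGATIVE = {"D": "0-9", "W": "a-zA-Z0-9_"}

_STR = r'\??"(?:[^"\\]|\\.)*"'          # "..." or raw ?"..."
REGEX_CLAUSE = re.compile(r"\bregex~?\s*(" + _STR + r"|\((?:\s*" + _STR + r"\s*,?)+\))")
STRING_LIT = re.compile(r'(\?)?"((?:[^"\\]|\\.)*)"')


def regex_literals(query):
    """Yield (body, is_raw) for every string literal used as a regex pattern."""
    for clause in REGEX_CLAUSE.finditer(query):
        for lit in STRING_LIT.finditer(clause.group(1)):
            yield lit.group(2), lit.group(1) == "?"


def decode_eql_string(body, is_raw):
    """Undo EQL string escaping so the scanner sees the regex Lucene would see."""
    if is_raw:
        return body
    return re.sub(r'\\(["\'\\])', r"\1", body)


def find_classes(pattern):
    """Return the predefined classes used in a decoded pattern.

    Every backslash pair is consumed whole, so a literal backslash followed
    by 'd' (written as two backslashes then d) is not mistaken for \\d.
    """
    hits, i = [], 0
    while i < len(pattern) - 1:
        if pattern[i] == "\\":
            if pattern[i + 1] in CLASSES:
                hits.append(pattern[i + 1])
            i += 2
        else:
            i += 1
    return hits


def rewrite(pattern):
    """Expand \\d \\D \\w \\W to bracket classes; return (pattern, unresolved).

    Inside [...] only positive classes can be merged into the bracket body;
    \\D and \\W there, and \\s / \\S anywhere, are kept and listed in
    `unresolved` for a manual rewrite.
    """
    out, unresolved, in_class, i = [], [], False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            if nxt in POSITIVE:
                out.append(POSITIVE[nxt] if in_class else f"[{POSITIVE[nxt]}]")
            elif nxt in NEGATIVE and not in_class:
                out.append(f"[^{NEGATIVE[nxt]}]")
            else:
                if nxt in CLASSES:
                    unresolved.append(nxt)
                out.append(c + nxt)
            i += 2
            continue
        if c == "[":
            in_class = True
        elif c == "]":
            in_class = False
        out.append(c)
        i += 1
    return "".join(out), unresolved


@dataclass
class Finding:
    rule_id: str
    pattern: str
    classes: list
    suggestion: str
    unresolved: list


def lint_rules(rules):
    """Return one Finding per regex literal that uses a predefined character class."""
    findings = []
    for rule in rules:
        for body, is_raw in regex_literals(rule["query"]):
            pattern = decode_eql_string(body, is_raw)
            classes = find_classes(pattern)
            if classes:
                suggestion, unresolved = rewrite(pattern)
                findings.append(Finding(rule["rule_id"], pattern, classes, suggestion, unresolved))
    return findings


# Constructed sample rules (hypothetical rule_id values, not real prebuilt rules).
SAMPLE_RULES = [
    {"rule_id": "demo-digits",
     "query": r'process where process.name regex "cmd\\d+\\.exe"'},
    {"rule_id": "demo-list",
     "query": r'file where file.name regex~ (?"[\w-]+\.tmp", ?"report\s\d{4}")'},
    {"rule_id": "demo-negated",
     "query": r'process where process.args regex ?"[\D]+\D"'},
    {"rule_id": "demo-escaped-ok",   # four backslashes = one literal backslash in the regex, so not \d
     "query": r'registry where registry.path regex "HKLM\\\\SOFTWARE\\\\d.*"'},
    {"rule_id": "demo-no-regex",
     "query": r'network where destination.port == 443 and process.name like "chrome*"'},
]

if __name__ == "__main__":
    for f in lint_rules(SAMPLE_RULES):
        note = f"  (manual rewrite needed: {sorted(set(f.unresolved))})" if f.unresolved else ""
        print(f"{f.rule_id}: /{f.pattern}/ uses {sorted(set(f.classes))} -> /{f.suggestion}/{note}")
```

Run it against an export of your rules (for example the `query` field of each rule in an exported ndjson) before upgrading; anything it reports with an empty unresolved list can take the suggested pattern as-is, and the rest needs a hand rewrite or a move off the wildcard field.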

Breaking changes

There are no breaking changes in 8.1.0.

Features

  • Adds a Technical preview toggle above the Rules table which, when enabled, allows users to sort on all rule management columns (#119611).
  • Introduces a new Host risk classification column in the All hosts table on the Hosts page. In addition, a new Host by risk tab has been added to the Hosts page and host detail pages. From the Host by risk tab, you can access an explanation of how a host’s risk is calculated and scored (#122980, #122586, #122018, #121075, #120487, #119734).
  • Introduces the ability to bulk edit rule index patterns and tags (#122635).
  • Expands Endpoint per-policy artifact assignment to include endpoint event filters and host isolation IP exceptions (#121879, #121632).
  • Adds the rule execution UUID field to alerts. In addition, the kibana.alert.rule.execution.uuid field is now part of the alert data schema and can be found in the field browser in the Alerts table (#113058).
  • Introduces case metrics that summarize alert information and response times (#121336).
  • Improves copy for the privilege check on the Endpoints page (#124118).

Bug fixes and enhancements

  • Improves the performance of indicator match rules (#123882, #123677).
  • Changes the default indicator index query of custom and prebuilt indicator match rules to @timestamp >= "now-30d/d" (#123590).
  • Improves the exceptions interface by replacing the exceptions modal with a flyout (#123408).
  • Alert details flyout enhancements:

    • Shows different highlighted fields in an alert’s details flyout based on its type, category, and code (#123239).
    • Adds overview cards with key data to the alert details flyout (#120347).
  • Allows users to aggregate alert data based on a larger selection of ECS fields instead of just 10 preset options (#120610).
  • Enriches threshold-related alert data from correct fields (#125376).
  • Hides the delete button for disabled exception lists (#122844).
  • Fixes various minor UX bugs (#121410).