Bug fixes and enhancementsedit

  • Fixes a bug that caused Elastic Endpoint to crash when running on busy Linux systems, and when network event collection or malicious behavior protection was enabled.
  • Fixes a bug that prevented Osquery packs from being ran outside of the default Kibana space (#146410).
  • Improves the "permissions required" message that appears on Cloud Posture pages for users without necessary permissions (#145794).


Bug fixes and enhancementsedit

There are no user-facing changes in 8.5.2.


Bug fixes and enhancementsedit

  • Fixes a bug that caused Elastic Endpoints running on Linux systems with many CPUs to sometimes become unhealthy (#34).
  • Fixes a bug that caused incorrect alerts to display in Timeline when investigating alerts from the Detection & Response dashboard (#144319).
  • Updates the User authentication area chart so it can be opened in Lens (#144011).
  • Fixes the Jira connector icon for users with a Basic license (#143916).
  • Updates the link in the machine learning rule type card to direct users towards the Elastic licensing page (#143836).
  • Turns off the option to edit machine learning rules if users don’t have the Machine Learning privilege in Kibana set to All (#143260).
  • Removes the ability to enable and disable machine learning rules from the UI for users without the Machine Learning privilege in Kibana set to All (#143252).
  • Fixes bug that caused the Indicators page to crash (#144348, #144651).


Known issuesedit

  • Users might experience slightly longer installation and upgrade times for the user and host risk score features (#142434).
  • Version 8.5.0 Elastic Endpoints running on Linux systems with many CPUs may become unhealthy. For a workaround refer to issue #34.

Breaking changesedit

  • Host and user risk score features that were installed in 8.4 or earlier are not ECS-compatible and, therefore, cannot generate new risk scores in 8.5. Before upgrading, users can archive their existing risk indices if they want to keep their old host and user risk scores. Otherwise, new risk indices will be generated once users upgrade host and user risk score features (#140377).


  • Deprecates the risk score index and displays the Upgrade button in host and user risk score cards on the Entity Analytics dashboard (#140143).


  • Endpoint response actions history can be filtered and searched (#134520, #140259, #138982, #140975).
  • Endpoint response actions history has a standalone page for all endpoints (#140306).
  • Introduces the Entity Analytics dashboard, which showcases host and user risk scores and anomalies. Also adds host and user risk data to the user and host detail pages. These features require a Platinum license or higher. (#137688, #140270, #139462).
  • Updates the Anomalies tab to display the same quantity of anomalies when navigating from the Entity Analytics dashboard (#139910).
  • Enriches alerts with host and user risk scores (#139478).
  • Enables the Indicators page by default if users have an Enterprise subscription and makes the functionality generally available (#141117).
  • Allows indicator data to be investigated in Timeline by including the Add to Timeline button throughout the Indicators table (#138836, #140496).
  • Removes the Host risk score card from the Overview dashboard (#140177).
  • Adds the option to bulk edit rule schedules to the bulk actions menu in the Rules table (#140166).
  • Adds the option to bulk edit rule actions to the bulk actions menu in the Rules table (#138900).
  • Adds an alert count card to the User, Host, and Network detail pages. The card shows alerts per rule and can be filtered by alert status (#140150).
  • Allows users to examine alerts associated with events and enables the Alerts related by process ancestry section by default if they have a Platinum or Enterprise subscription (#140006).
  • Enables the Alerts related by session ID section by default. It appears in the Alert details flyout if users have a Platinum or Enterprise subscription (#140006).
  • Renames the Elastic Endpoint and Cloud Security integration to the Elastic Defend integration (#139517).
  • Adds preconfigured use cases to the setup wizard for the Elastic Defend integration (formerly known as Endpoint and Cloud Security), each with different default settings (#139230).
  • Updates the UI for the rule details page’s Exceptions tab (#138770).
  • Enables the Osquery Response Action on custom query detection rules, and adds an Osquery Results tab to the Alert details flyout. Users can use the Osquery Response Action to immediately query hosts that generate alerts (#133279).
  • Enables rule exceptions to reference value lists, regardless of rule type. One caveat is that text type value lists still do not work for EQL and threshold rules (#133254).
  • Introduces the new alert renderer, which concisely displays a detailed summary of the kibana.alert.reason field. It appears in Timeline, throughout the Alerts page, and on the Alert details flyout (#140825).
  • Introduces the Kubernetes Security Posture Management (KSPM) integration as GA. You can now use it to monitor the security posture of your self-managed and Amazon EKS clusters, in addition to unmanaged clusters.
  • Adds a status filter to the Endpoints Response actions page (#139982).
  • Shows host names on the Endpoints Response actions page (#139379).

Bug fixes and enhancementsedit

  • Endpoint response actions console UI indicates if response action commands aren’t supported by the installed version of Elastic Agent (#138662).
  • Fixes a bug that sometimes caused event correlation rule (EQL) errors whenever rule queries contained regular expressions using wildcard fields and predefined character classes (for example, \w, \s, \d) (#90064).
  • Adds the has_guide tag to all prebuilt rules with investigation guides. Users can filter the Rules table by this tag to quickly find prebuilt rules with investigation guides (#2297).
  • Informs users when the event analyzer’s current time range is too narrow to include event data (#140831).
  • Lets users inspect bar charts and data grids, as with other data visualizations (#140810).
  • Makes the Indicators table sortable by any column (#140582).
  • Provides the ability to add fields to Indicators table (#138882).
  • Updates the rule preview UI to be available at any step of creating or editing a detection rule. Rule previews are also now available for Elastic prebuilt rules, and include exceptions and field overrides (#140221).
  • Adds an overview tab to the Indicator details flyout (#140073).
  • Improves the UI for saved rule queries (#140064).
  • Computes threat.indicator.name on the Elasticsearch server instead of on the client (#139814).
  • Makes the state of tables throughout Elastic Security persist; for example, when users toggle between table view and grid view (#139696).
  • Lets users enable multiple filters using various plus + and minus - buttons. Previously, adding a new filter in this way could remove the existing filters (#139616).
  • Updates rule details page URLs to specify which tab to focus (#139592).
  • Simplifies the process of adding a rule exception (#138169).
  • Hides the process ancestry insights interface when data is unavailable (#141751).
  • Formats the Rules table’s Last Gap column in a human readable way (#141363).
  • Introduces fuzzy search for user names in the Actions Log (#141239).
  • Improves the layout for the Add Field menu (#141084).
  • Restores users' ability to create exceptions with leading or trailing white space (#139617).
  • Fixes two minor bugs with the Overwrite existing rules option for rule import (#138758, #139470).
  • Fixes a bug that made the binary field type appear usable in Exception entries despite not being supported (#139370).
  • Fixes a bug that prevented a toast message from appearing after users export a rule from the rule details page (#139209).
  • Fixes sorting and pagination bugs on the Import value lists menu (#138381).
  • Mimics native link behavior for single-page application links (#142304).
  • Fixes validation issues within the rule Actions tab (#141811).
  • Fixes a bug with visualization types on the Hosts, Network, Users page (#141235).
  • Updates the documentation link on the Trusted applications page (#142467).
  • Provides the ability to run Osquery from a rule’s investigation guide (#95149).
  • Improves Timeline’s performance when users investigate alerts related by process ancestry (#142805).
  • Fixes a rule import bug that removed references to exception lists (#143882).
  • Fixes a bug that prevented the authentication area chart on the Users page to be opened in Lens (#144011).
  • Shows the Host isolation exceptions page if users have a Platinum or Enterprise subscription (#143362).
  • Fixes displayed commands in the Endpoint response actions log (#140378).
  • Updates the pagination header color in the Endpoint response actions history table (#141847).