Bug fixes and enhancementsedit

  • Improves UI performance in environments with a high number of field mappings (#129862, #128928, #128885, #128909, #128774).
  • Fixes a bug on the Host and Network pages that forced table behavior to persist after users updated the pages’ time range (#130024).


Bug fixes and enhancementsedit

  • Ensures Endpoint Security continues to run on all supported Windows versions by changing the primary signer of the elastic-endpoint.exe file from ELASTICSEARCH B.V. to Elasticsearch, Inc. (#15).


Known issuesedit

  • A bug significantly impacts UI responsiveness. Therefore, we recommend to skip upgrading to this version.
  • Endpoint Security cannot run on Windows 8.1 or Server 2012 R2 (#15).

Bug fixes and enhancementsedit

  • Fixes an Endpoint Security integration bug that prevented benign Windows files from being deleted under certain circumstances.
  • Adds a notification to the Exception lists page that informs users if they are lacking certain role privileges (#126874).
  • Turns off the Upload value lists option on the Rules page if users have Read Security privileges only (#126829).
  • Removes the option to select rules in the All Rules table if users have Read Security privileges only (#126827).


Known issuesedit

  • An Endpoint Security integration bug prevents benign Windows files from being deleted under certain circumstances.
  • On macOS versions before 12.4, if Elastic Endpoint is used with other products that monitor or manage network traffic (such as antivirus programs, firewalls, or VPNs), users might experience network connection issues. To resolve this issue, upgrade to macOS 12.4 or later.
  • Indicator match rules cannot use the .items-* system index and will encounter execution errors when run. Avoid using indices populated from value lists for indicator match rules (#133457).

Breaking changesedit

There are no breaking changes in 8.1.0.


  • Adds a Technical preview toggle above the Rules table which, when enabled, allows users to sort on all rule management columns (#119611).
  • Introduces a new Host risk classification column in the All hosts table on the Hosts page. In addition, a new Host by risk tab has been added to the Hosts page and host detail pages. From the Host by risk tab, you can access an explanation of how a host’s risk is calculated and scored (#122980, #122586, #122018, #121075, #120487, #119734).
  • Introduces the ability to bulk edit rule index patterns and tags (#122635).
  • Expands Endpoint per-policy artifact assignment to include endpoint event filters and host isolation IP exceptions (#121879, #121632).
  • Adds the rule execution UUID field to alerts. In addition, the kibana.alert.rule.execution.uuid field is now part of the alert data schema and can be found in the field browser in the Alerts table.(#113058).
  • Introduces case metrics that summarize alert information and response times (#121336).
  • Improves copy for the privilege check on the Endpoints page (#124118).

Bug fixes and enhancementsedit

  • Improves the performance of indicator match rules (#123882, #123677).
  • Changes the default indicator index query of custom and prebuilt indicator match rules to @timestamp >= "now-30d/d" (#123590).
  • Improves the exceptions interface by replacing the exceptions modal with a flyout (#123408).
  • Alert details flyout enhancements:

    • Shows different highlighted fields in an alert’s details flyout based on its type, category, and code (#123239).
    • Adds overview cards with key data to the alert details flyout (#120347).
  • Allows users to aggregate alert data based on a larger selection of ECS fields instead of just 10 preset options (#120610).
  • Enriches threshold-related alert data from correct fields (#125376).
  • Hides the delete button for disabled exception lists (#122844).
  • Fixes various minor UX bugs (#121410).