You are looking at preliminary documentation for a future release.
Not what you want? See the
current release documentation.
8.11edit
8.11.4edit
Bug fixesedit
- Stops the ES|QL tab from rendering until you click on it in Timeline (#173484).
-
Adds a feature flag (
timelineEsqlTabDisabled) to hide the ES|QL tab in Timeline (#174029). - Removes the default query from the ES|QL tab in Timeline (#174393).
- Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).
8.11.3edit
Bug fixesedit
- Fixes a bug that caused the Add to Case action to fail if you didn’t add a comment before isolating and releasing a host (#172912).
8.11.2edit
Enhancementsedit
- Updates references on the Entity Risk Score management page (#171089).
Bug fixesedit
- Fixes a bug that caused the Alerts page to crash if you reloaded it while the preview panel in the alert details flyout was open (#172323).
- Fixes the event analyzer panel width (#172026).
- Applies page filters to MITRE ATT&CK® sub-technique cells when displaying rules (#170988).
- Fixes a bug with the Investigate in timeline action for Elastic AI Assistant that caused ES|QL queries to open in the KQL query bar within Timeline (#170542).
8.11.1edit
Enhancementsedit
- Allows user and host risk score tables to be filtered by time range (#168826).
Bug fixesedit
8.11.0edit
Known issuesedit
- MITRE ATT&CK® technique cells show duplicate rules (#167929).
- MITRE ATT&CK® tactic cells show an incorrect rule count (#167930).
- An incorrect MITRE ATT&CK® sub-technique is applied after you save a rule (#170347).
- When using Elastic Defend’s protection updates feature, if you turn off automatic updates and select the current day as your deployed artifacts version, it’s possible that the set of protections has not been released for that day yet. As a result, Elastic Agent could fail to download the artifacts and be set to an Unhealthy state. To avoid this issue, pick a date previous to the current one (#170847).
Breaking changesedit
-
Ends support for the
filterQueryfield of thegetLiveQueryResultsandfindLiveQueryAPIs, and replaces it with the KQL fieldkuery. Requests to those APIs that used thefilterQueryfield should replace it withkuery(#161806). -
In 8.11, rule APIs will only support
investigation_fieldsas{ field_names: string[] }. If you’ve added this field to your rules in 8.10, you don’t need to do anything when you import your rules.
Deprecationsedit
-
Deprecates the
doc_root.vulnerability.packageand replaces it with thedoc_root.packageECS package (#164651).
New featuresedit
-
Upgrades Elastic Defend to capture a new Windows event type: ETW Threat Intelligence (ETW-TI). Renames the Windows events policy
Credential accesscategory toAPIin the UI (but not in the.yaml, maintaining backwards compatibility). Adds two new advanced options:windows.advanced.events.api_disabledandwindows.advanced.events.api_verbose(#167549). -
Adds the
Same familycategory and tab to the Data Quality dashboard. Fields with mappings in the same family have the same search behavior as the type specified by ECS, but may have different space usage or performance characteristics (#167480). -
Updates the exceptions flyout’s
match_anyoperator to accept duplicate values that differ in case (#167208). - [beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. Enables the Elastic AI Assistant to answer questions about Elasticsearch Query Language (ES|QL) by allowing it to query, via ELSER, an ES|QL knowledge base. Refer to Elastic AI Assistant to enable the knowledge base (#167097).
- Enables ES|QL in Timeline (technical preview) (#166764).
- Adds the new ES|QL rule type (technical preview) (#165450).
-
Updates the Endpoint policy UI (Manage → Policies) to include a
Protection updatestab, a new column calledDeployed version, and a banner that highlights outdated policies (#165256, #162719). - Introduces full support for Elastic Endpoint on macOS Sonoma.
- Updates Elastic Defend to support AlmaLinux 9 and Rocky Linux 9.
-
Adds a new optional parameter to Elastic Endpoint’s
topcommand. The--limitparameter specifies how many times to refresh the command’s output before a graceful exit. - Adds Agent tamper protection for Elastic Defend, which prevents unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint from a host.
Enhancementsedit
- Adds a new Generative AI connector, Amazon Bedrock, for use with Elastic AI Assistant (#166662).
- Renames the Generative AI connector to OpenAI, since Generative AI is now a category of connectors that include OpenAI and Amazon Bedrock (#167677).
-
Adds the
id,severity, andstatusfields to the Webhook - Case Management connector (#166295). - Updates the order of items on Kibana’s left-side navigation menu to match the order in Elastic Security’s left-side navigation menu (#164268).
- Adds tooltips to overview section titles in the alert details flyout (#166737).
-
Updates the
.listsand.itemsindices to data streams (#162508).
Bug fixesedit
- Updates the Entity Risk Score error message to list the necessary permissions (#169216).
- Displays more descriptive errors for Generative AI connectors (#167674).
- Adds metrics to some rule execution warning messages (#167551).
- Fixes a bug that could cause the exceptions flyout to reload unnecessarily in response to rule updates (#166914).
- Fixes a bug that could cause EQL shell alerts to not include certain common fields (#166751).
- Sets the date and time picker to full width in the expanded Prevalence view within the alert details flyout (#166714).
- Fixes a bug that could prevent the Install Cloud Native Vulnerability Management button on the empty state of the Findings page from working (#166335).
- Fixes a bug that could cause an error when you edited a rule’s filter (#165262).
- Fixes a bug that caused the Rules table to auto-refresh when auto-refresh was disabled (#165250).