8.17
8.17.10
Enhancements
- Due to an issue in macOS, Elastic Defend would sometimes send network events without user.name populated. Elastic Defend now identifies these events and populates user.name if necessary.
- Reduces Elastic Defend CPU usage when processing events from the System process.
- Reduces Elastic Defend CPU usage for ETW events, API events, and Behavioral Protections. In some cases, this may be a significant reduction.
Fixes
- Fixes a race condition in Elastic Defend on Windows that occasionally resulted in corrupted process command lines. This could cause incorrect values for process.command_line, process.args_count, and process.args, leading to false positives.
- Improves the efficiency of the Elastic Defend malware scan queue by not blocking scan requests when an oplock for the file being scanned cannot be acquired.
- Fixes an issue in Elastic Defend performance metrics that resulted in endpoint_uptime_percent always being 0 for behavioral rules.
- Fixes an issue in Elastic Defend that could result in a crash if a Logstash output configuration contains a certificate that cannot be parsed.
- Shortens the time it takes for Elastic Defend to recover from a DEGRADED status caused by Elastic Agent communication issues.
8.17.9
Fixes
- Fixes an issue in Elastic Defend that sometimes caused bugchecks (BSODs) on Windows systems that had a very high volume of network connections.
- Fixes a bug where Linux endpoint network events would fail to load if IPv6 was not supported by the system.
8.17.8
Known issues
Elastic Defend’s network driver may lead to bug checks
Details
On July 8, 2025, a known issue was discovered in Elastic Defend’s network driver that may lead to kernel pool corruption, resulting in bug checks (BSODs) on Windows systems with a large number of long-lived network connections that remain inactive for 30+ minutes.
The system may bug check with any of a variety of codes such as SYSTEM_SERVICE_EXCEPTION or PAGE_FAULT_IN_NONPAGED_AREA.
For more information, check #90
Workaround
Downgrade to 8.17.7 or install 8.17.9 once it becomes available.
If you’re unable to upgrade or downgrade, set the advanced.kernel.network advanced setting to false in your Elastic Defend integration policy.
Resolved
This issue is fixed in Elastic Stack version 8.17.9.
Enhancements
- Improves the performance of Elastic Defend’s WFP network driver in high-load environments that maintain a large number of concurrent and/or short-lived network connections.
Fixes
- Fixes cell actions not working when opening a Timeline from specific rules (#223297).
- Fixes rule filters display issues (#222963).
- Fixes banner title in event preview (#222266).
- Fixes model Amazon Bedrock on preconfigured connectors (#221411).
- Fixes an issue in Elastic Defend’s networking kernel driver that can manifest as a DPC_WATCHDOG_VIOLATION bugcheck in high-load environments that maintain a large number of concurrent and/or short-lived network connections.
- Removes potentially confusing Elastic Defend error messages.
- Fixes an edge case in Elastic Defend’s call_stack_final_user_module and call_stack_final_hook_module logic.
- Fixes an issue where Elastic Defend Linux network events would have source and destination byte counts swapped.
- Fixes a memory growth bug in Elastic Defend for Linux when both Collect session data and Capture terminal output are enabled.
8.17.7
Fixes
- Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new Elastic Defend integration or Elastic Agent policy (#218519).
- Fixes a bug in Elastic Defend 8.16.0 where Elastic Endpoint would incorrectly report some files as being .NET.
8.17.6
Enhancements
- Allows Elastic Defend users to opt out of event-driven Memory Protection scanning using the advanced policy (#218354).
Fixes
- Fixes a bug that caused installed prebuilt detection rules to upgrade to their latest available versions when you installed a new Elastic Defend integration or Elastic Agent policy (#217959).
- Avoids an IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. If you can’t upgrade, you can prevent this issue from occurring by either disabling Trellix Access Protection or adding a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe). This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
- Resolves an unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver during extremely high event load situations on Windows. Systems affected by this issue would slow down or become unresponsive until the triggering event load (for example, network activity) subsided. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend 8.16.0 and later.
- Allows Elastic Defend to detect and recover from a corrupt persistent cache database. Previously, such databases would be unusable, effectively turning off the persistent cache.
- Reduces Elastic Defend’s CPU usage for registry events.
8.17.5
Known issues
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, overwriting user-added actions and exceptions
Details
When you install an Elastic Defend integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions.
Workaround
To resolve this issue, before you add an Elastic Defend integration to a policy in Fleet, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten.
Resolved
This issue is fixed in Elastic Stack versions 8.17.6, 8.18.1, and 9.0.1.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Enhancements
- Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices (#214495).
- Elastic Defend now drops ETW and API events from trusted applications earlier, reducing CPU usage.
- Reduces the CPU usage of Elastic Defend ETW and API events.
Bug fixes
- Handles the encoding of the model ID for Amazon Bedrock connectors that caused errors when using Application Inference Profile model IDs (#216915).
- Fixes an optional filter parameter to be passed into the entity definition schema, to further filter entity store data (#208588).
- Fixes CPU spike that can occur when Elastic Defend is installed alongside Forcepoint.
- Fixes the way Elastic Endpoint handles NO_PROXY environments.
8.17.4
Known issues
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, overwriting user-added actions and exceptions
Details
When you install an Elastic Defend integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions.
Workaround
To resolve this issue, before you add an Elastic Defend integration to a policy in Fleet, apply any pending prebuilt rule updates. This will prevent rule actions and exceptions from being overwritten.
Resolved
This issue is fixed in Elastic Stack versions 8.17.6, 8.18.1, and 9.0.1.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Bug fixes
- Fixes the Bedrock region URL (#214251).
- Replaces logic that made the Rule preview button inaccessible if rule’s definition field had errors. Now, if you enter an invalid rule definition field, a validation warning in the rule preview panel notifies you that you have fields to fix (#213801).
- Fixes a rare upgrade failure when Elastic Defend has Tamper Protection enabled.
- Fixes a bug in the scan response action that can crash Elastic Defend.
- Fixes a potential Elastic Defend crash when generating multiple ransomware alerts on Windows. This issue was simultaneously mitigated by a cloud artifact update (manifest version 1.0.1381) on February 24, 2025. Internet-connected instances of Elastic Defend will automatically receive this update — no user intervention required. Air-gapped customers hosting their own artifacts should follow these instructions. We would like to acknowledge Todyl for their assistance with this issue.
- Fixes a bug in Elastic Defend for Linux where tty capture limit defaults were ignored.
8.17.3
Known issues
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Bug fixes
- Fixes an issue with the Event Rendered View in the Alerts table where the table would sometimes have a height of zero and become unusable (#212130).
- Removes the option to sort IP ranges in the value list modal (#210922).
- Fixes package name validation on the Automatic Import data stream page (#210916, #210770).
- Improves the way Automatic Import handles empty categorization results from LLMs (#210420).
- Adds concurrency limits and request throttling to prebuilt rule routes (#209551).
- The allocate_shellcode Elastic Defend API event behavior was updated to explicitly only apply to unbacked memory.
- Fixes a bug in Elastic Defend where environment variables were not collected on macOS according to the advanced.capture_env_vars field.
- Fixes a bug where aarch64 Elastic Defend wouldn’t gracefully detect being executed in emulation on amd64 hardware.
8.17.2
Known issues
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
New features
- Adds the advanced.malware.max_file_size_bytes advanced policy setting, which allows you to control the maximum file size for malware protection.
Enhancements
- Enhances the performance of Elastic Defend network events monitoring for better CPU utilization and responsiveness.
Bug fixes
- Fixes the issue that caused Kibana to crash with an Out Of Memory error when the prebuilt rule package was installed.
- Ensures that multiple IPs are displayed as individual links in the Alerts table, even if they’re passed as a single string (#209475).
- Fixes an AI Assistant bug that prevented you from selecting different connector types after initially choosing one (#208969).
- Adds missing fields to Automatic Import’s input manifest templates (#208768).
- Ensures that Automatic Import’s structured log template surrounds single backslashes with single quotes when the backslash is used as an escape character (#209736).
- Adds fields that are missing from Automatic Import’s aws-s3-manifest.yml file (#208080).
- Allows Elastic Defend to detect or prevent malware process or image loads from WebDAV servers.
- Allows Elastic Defend to bypass network traffic from other computers when promiscuous mode is enabled on Windows.
- Fixes a bug with the get-file Endpoint response action. When you used the get-file response action to retrieve a Windows Alternate Data Stream, the resulting .zip archive would contain a checksum error that made it unusable by most zip tools.
- Increases the maximum number of ETW buffers that Elastic Defend can use.
- Fixes a bug where Elastic Defend was omitting MD5 and SHA-1 hashes in events and alerts unless a user had explicitly enabled them using the advanced policy. This 8.17.0 change was not supposed to go live until 8.18.0.
- Fixes an issue where Elastic Defend wasn’t correctly populating event.created for process events on Windows.
8.17.1
Known issues
Elastic Security crashes on Kibana instances with 1 GB of RAM on Elastic Cloud deployments
Details
Whenever you open a page in Elastic Security, there’s an attempt to install the Fleet package with prebuilt rules. If the package hasn’t been installed yet, Kibana starts downloading the latest version of it, then crashes with an Out Of Memory error. The process will then automatically restart and crash for the same reasons.
This issue was discovered on February 6, 2025.
Workaround
To resolve this issue, upgrade to 8.17.2. Alternatively, increase Kibana’s RAM to 2 GB.
Resolved
This issue is fixed in Elastic Stack version 8.17.2.
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents Elastic Defend’s driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Bug fixes
- Fixes Integration and Datastream name validation (#204943).
- Improves how the rule query field handles whitespace for long pre-formatted texts. This fix only applies to Firefox, not Chrome or Safari (#203993).
- Adds role-based access control to the Automatic Import APIs (#203882).
- Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned (#203820).
- Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using AND or OR conditions (#201776).
- Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases (#205138).
- Lists all policies to ensure that integrations are properly displayed (#205103).
- Fixes a bug that prevented the Exceptions tab from properly loading if exceptions contained comments with newline characters (\n) (#202063).
- Fixes incompatibility issues with Elastic Defend. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a CRITICAL_PROCESS_DIED bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. Affected users who are unable to upgrade should set one or both of the following in their Elastic Defend advanced policy, depending on their version:
  - windows.advanced.events.process.creation_flags: false (8.13.0 - 8.16.1)
  - windows.advanced.memory_protection.shellcode_trampoline_detection: false (8.12.0 - 8.16.2)
- Fixes an Elastic Defend bug that could cause the Windows API event call stack enrichment to fail for processes that started before Elastic Defend and if another security product was present and hooking system DLLs.
- Fixes an Elastic Defend bug that caused Windows API events involving mswsock.dll to be mislabeled with the proxy_call behavior.
- Fixes an Elastic Defend bug that caused the Open Elastic Security button in the Windows Security Center to be non-functional. Now, you’re informed that Elastic Defend is managed by your system administrator.
8.17.0
Known issues
Elastic Security crashes on Kibana instances with 1 GB of RAM on Elastic Cloud deployments
Details
Whenever you open a page in Elastic Security, there’s an attempt to install the Fleet package with prebuilt rules. If the package hasn’t been installed yet, Kibana starts downloading the latest version of it, then crashes with an Out Of Memory error. The process will then automatically restart and crash for the same reasons.
This issue was discovered on February 6, 2025.
Workaround
To resolve this issue, upgrade to 8.17.2. Alternatively, increase Kibana’s RAM to 2 GB.
Resolved
This issue is fixed in Elastic Stack version 8.17.2.
Defend for Containers (D4C) is broken in 8.17.0
Defend for Containers is broken in 8.17.0. If you use it, consider updating to 8.17.1 instead.
The Exceptions tab won’t properly load if exceptions contain comments with newline characters (\n)
Details
On December 5, 2024, it was discovered that the Exceptions tab won’t load properly if any exceptions contain comments with newline characters (\n). This issue occurs when you upgrade to 8.16.0 or later (#201820).
Workaround
Upgrade to 8.17.1, or follow the workarounds below.
For custom rules:
For prebuilt rules:
If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the Shared Exception Lists page.
- Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule:
  - Find the affected rule’s ID (id). From the Rules page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (167a5f6f-2148-4792-8226-b5e7a58ef46e) is the id.
  - Specify the id when fetching the rule’s details using the Retrieve a detection rule API. Here is an example request that includes the id:
    curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e
  - The JSON response contains the id, list_id, and namespace_type values within the exceptions_list key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list.
    {
      "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e",
      "exceptions_list": [
        {
          "id": "490525a2-eb66-4320-95b5-88bdd1302dc4",
          "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d",
          "namespace_type": "single"
        }
      ]
    }
- Use the export exceptions API to retrieve the affected exception list. Insert the values for the id, list_id, and namespace_type parameters into the following API call:
  curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson
- Modify the exception list’s .ndjson file to ensure comments[].comment values don’t contain newline characters (\n).
- Re-import the modified exception list using the Import exception lists option on the Shared Exception Lists page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list.
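The "modify the .ndjson file" step above, as an added example that is not part of the Elastic documentation: a Python script that rewrites every comments[].comment value in the exported file so no line breaks remain, and counts what is left afterwards. The embedded export is constructed; its layout (list object, item objects, summary line) and every ID in it are assumptions, not values from a real export.

```python
import json

# Constructed sample of an exported exception list, NOT a real export. The layout
# (list object, item objects, summary line) and all IDs/values are assumptions.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"list_id": "EXAMPLE_LIST_ID", "name": "Example list",
                "namespace_type": "single", "type": "detection"}),
    json.dumps({"list_id": "EXAMPLE_LIST_ID", "item_id": "EXAMPLE_ITEM_ID",
                "namespace_type": "single", "type": "simple",
                "entries": [{"field": "host.name", "operator": "included",
                             "type": "match", "value": "example-host"}],
                "comments": [{"comment": "Approved by SOC.\nTicket: EXAMPLE-1"},
                             {"comment": "Single line, left untouched"}]}),
    json.dumps({"exported_exception_list_count": 1,
                "exported_exception_list_item_count": 1}),
])

def parse_ndjson(text: str) -> list[dict]:
    """Parse NDJSON into a list of objects, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flatten_comment(comment: str) -> str:
    """Join the lines of a comment with single spaces (handles CRLF, CR and LF)."""
    parts = comment.replace("\r\n", "\n").replace("\r", "\n").split("\n")
    return " ".join(p.strip() for p in parts if p.strip())

def count_newline_comments(text: str) -> int:
    """Number of comments[].comment values that still contain a line break."""
    return sum(1 for obj in parse_ndjson(text)
               for entry in obj.get("comments") or []
               if isinstance(entry, dict)
               and any(c in (entry.get("comment") or "") for c in "\r\n"))

def fix_exception_list(text: str) -> tuple[str, int]:
    """Return (corrected NDJSON, number of comments rewritten). Objects without a
    comments array (the list object, the summary line) pass through unchanged."""
    fixed, changed = [], 0
    for obj in parse_ndjson(text):
        for entry in obj.get("comments") or []:
            comment = entry.get("comment") if isinstance(entry, dict) else None
            if isinstance(comment, str) and any(c in comment for c in "\r\n"):
                entry["comment"] = flatten_comment(comment)
                changed += 1
        fixed.append(json.dumps(obj))  # one object per line, as the import expects
    return "\n".join(fixed) + "\n", changed

if __name__ == "__main__":
    corrected, n = fix_exception_list(SAMPLE_NDJSON)
    print(f"rewrote {n} comment(s), {count_newline_comments(corrected)} left")
```

To use it on a real export, read list.ndjson into fix_exception_list and write the returned text to a new file before re-importing it.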
Duplicate alerts can be produced from manually running threshold rules
Details
On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution.
Manually running custom query rules with suppression could suppress more alerts than expected
Details
On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts.
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Details
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents the Elastic Defend driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdowns on Windows systems
Details
An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:
- Network Events - Set the windows.advanced.kernel.network advanced setting to false.
- Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.
Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.
New features
Enhancements
Bug fixes
- Clears the error on the second entity engine initialization (#202903).
- Modifies the empty state message that appears when installing prebuilt rules (#202226).
- Rejects CEF logs from Automatic Import and instead redirects you to the CEF integration (#201792, #202994).
- Fixes a bug in Automatic Import where icons did not display after the integration was installed (#201139).
- Removes an erroneous duplicate Preserve Original Event flag as one was additionally added from the common settings file (#201622).
- Turns off the Install All button on the Add Elastic Rules page while rules are being installed (#201731).
- Turns off the Add note button in the alert details flyout if you don’t have the appropriate permission (#201707).
- Removes fields with an @ from the script processor (#201548).
- Fixes an issue that could interfere with Knowledge Base setup (#201175).
- Fixes an issue with Gemini streaming in the AI Assistant (#201299).
- Updates LangChain dependencies, adding support for the new Bedrock cross-region inference endpoints (#198622).
- Fixes a bug with threshold rules that prevented cardinality details from appearing (#201162).
- Fixes a bug that caused an entity engine to get stuck in the Installing status if the default Security data view didn’t exist. With this fix, engines now correctly report the Error state (#201140).
- Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you’re on Windows (#199791).
- Fixes an asset criticality index issue when setting up entity engines concurrently (#199486).
- Fixes a bug where the @timestamp field wouldn’t update upon asset criticality soft delete (#196722).
- Fixes a bug that prevented the save notification from displaying on duplicated Timelines with changes (#198652).
- Improves the flow for the Insights section in the alert details flyout (#197349).
- Fixes an issue where users without the Fleet read permission were blocked from interacting with any onboarding card (#202413).
- Improves Elastic Defend for Linux endpoints by enabling process information enrichment for file and network events when process events are disabled.
- Improves Elastic Defend by refactoring the kernel driver to work around a CRITICAL_PROCESS_DIED bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon.
- Fixes an issue in Elastic Defend versions 8.15.2 and 8.15.3 which can result in a Windows boot failure 0xC000007B referencing ElasticElam.sys or a recovery mode prompt at boot. We have only received reports of this happening when Elastic Defend is installed alongside CrowdStrike Falcon.
- Fixes an Elastic Defend bug where the Linux system call (setsid) wasn’t properly gathered for RHEL 9/CentOS Stream 9 process events.
- Fixes an issue where Elastic Defend can enter an infinite loop if an external application opens and retains handles to files within Elastic Defend’s directory while it is processing a get-file response action. This can result in Elastic Defend flooding Elasticsearch with documents until the handles are closed.