IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

8.18

8.18.7

Fixes

  • Prevents users without appropriate privileges from deleting notes (#233948).
  • Fixes a bug that prevented the MITRE ATT&CK section from appearing in the alert details flyout (#233805).
  • Updates Kibana MITRE ATT&CK data to v17.1 (#231375).
  • Fixes a bug where Linux capabilities were included in Elastic Endpoint network events despite being disabled.
  • Makes the delivery of Elastic Endpoint command line commands more robust. In rare cases, commands could previously fail due to interprocess communication issues.

8.18.6

Enhancements

  • Improves the reliability of Elastic Defend’s connection to its kernel driver. This should reduce the instances of temporary DEGRADED policy statuses at boot due to connect_kernel failures.
  • To help identify which parts of elastic-endpoint.exe are using a significant amount of CPU, Elastic Defend on Windows can now include CPU profiling data in diagnostics. To request CPU profiling data using the command line, refer to the Agent command reference. To request CPU profiling data using Kibana, check the Collect additional CPU metrics box when requesting Elastic Agent diagnostics.

Fixes

  • Prevents the ES|QL form from locking in read-only mode in the rule upgrade flyout (#231699).
  • Fixes a bug in Elastic Defend where Linux endpoints would report process.executable as a relative, instead of absolute, path.
  • Fixes a race condition in Elastic Defend on Windows that occasionally resulted in corrupted process command lines. This could cause incorrect values for process.command_line, process.args_count, and process.args, leading to false positives.
  • Hides case connectors in the create case workflow based on your license (#232506).
  • Fixes inconsistencies in case activity statistics (#231948).

8.18.5

Enhancements

  • Adds the detection_rule_upgrade_status object to snapshot telemetry schema (#223086).
  • Reduces Elastic Defend CPU usage when processing events from the System process on Windows.
  • Reduces Elastic Defend CPU usage for ETW events, API events, and Behavioral Protections. In some cases, this may be a significant reduction.
  • Allows Elastic Defend to automatically recover in some situations when it loses connectivity with Elastic Agent.
  • Shortens the time it takes Elastic Defend to recover from a DEGRADED status caused by communication issues with Elastic Agent.
  • Improves Elastic Defend malware scan queue efficiency on Windows by not blocking scan requests when an oplock for the file being scanned cannot be acquired.
  • Due to an issue in macOS, Elastic Defend would sometimes send network events without user.name populated. Elastic Defend will now identify these events and populate user.name if necessary.

Fixes

  • Improves UI copy for the "bulk update with conflicts" modal (#227803).
  • Fixes an issue where Elastic Defend would fail to enable network events on Linux if IPv6 is not supported by the system.
  • Fixes an issue in Elastic Defend that could result in a crash if a Logstash output configuration contains a certificate that cannot be parsed.

8.18.4

Enhancements

  • Adds the elastic_customized_total, elastic_noncustomized_total, and is_customized fields to snapshot telemetry schema (#222370).
  • Improves logging of fatal exceptions in Elastic Defend.
  • Allows Elastic Defend users to control the maximum file size for malware protection using the advanced.malware.max_file_size_bytes advanced policy setting.

Fixes

  • Fixes differences between risk scoring preview and persisted risk scores (#226456).
  • Fixes domain validation in case observables (#225901).
  • Updates a placeholder and validation message in the Related Integrations section of the rule upgrade flyout (#225775).
  • Excludes machine learning rules from installation and upgrade checks for users with Basic or Essentials licenses (#224676).
  • Allows using days as a time unit in rule schedules, fixing an issue where durations normalized to days were incorrectly displayed as 0 seconds (#224083).
  • Strips originId from connectors before rule import to ensure correct ID regeneration and prevent errors when migrating connector references on rules (#223454).
  • Refactors Timeline styling for improved consistency with design updates (#222438).
  • Fixes a bug where the Rules, Alerts, and Fleet pages would stall in air-gapped environments (#220510).
  • Fixes a bug where unmodified prebuilt rules installed before v8.18 didn’t appear in the Upgrade table when the Unmodified filter was selected (#227859).
  • Fixes an issue in Elastic Defend that may result in bugchecks (BSODs) on Windows systems with a very high volume of network connections.

8.18.3

Known issues

Elastic Defend’s network driver may lead to bug checks

Details
On July 8, 2025, a known issue was discovered in Elastic Defend’s network driver that may lead to kernel pool corruption, resulting in bug checks (BSODs) on Windows systems with a large number of long-lived network connections that remain inactive for 30+ minutes.

The system may bug check with any of a variety of codes such as SYSTEM_SERVICE_EXCEPTION or PAGE_FAULT_IN_NONPAGED_AREA.

For more information, check #90

Workaround
Upgrade to the fixed version: 8.18.3+build202507101319.

If you’re unable to upgrade or downgrade, set the advanced.kernel.network advanced setting to false in your Elastic Defend integration policy.

Resolved
This issue is fixed in Elastic Stack version 8.18.4.

Enhancements

  • Adds DNS event collection for macOS in Elastic Defend (#223566).
  • Adds pricing information about Elastic Managed LLM in AI Assistant and Attack Discovery tours and callouts (#221566).
  • Adds local file path support for xpack.productDocBase.artifactRepositoryUrl (#217046).

Fixes

  • Fixes a bug where OSS models didn’t work when streaming was ON (#224129).
  • Fixes a bug where cell actions didn’t work when opening a Timeline from specific rules (#223302).
  • Fixes an issue where the entity risk score feature stopped persisting risk score documents (#221937).
  • Fixes overflow issues with the threat match mapping component when you viewed the rule upgrade flyout on a smaller screen (#218628).
  • Ensures the Amazon Bedrock connector respects the action proxy configuration (#224130).
  • Ensures the OpenAI connector respects the action proxy configuration for all sub-actions (#219617).

8.18.2

Known issues

The entity risk score feature may stop persisting risk score documents

Details
On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to Elastic Stack 8.18.0 or higher.

This is due to a bug that prevents the entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name> ingest pipeline (which is set as a default pipeline for the risk scoring index in Elastic Stack 8.18.0) from being created when Kibana starts up.

While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.

Workaround

To resolve this issue, apply the following workaround before or after upgrading to Elastic Stack 8.18.0 or higher.

First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this with the PUT request shown in the example below. Note that the trailing default in the example pipeline name is the Kibana space ID; substitute the ID of each space in which you create the pipeline.

PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
{
  "_meta": {
    "managed_by": "entity_analytics",
    "managed": true
  },
  "description": "Pipeline for adding timestamp value to event.ingested",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}

After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine’s next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking Run Engine.

Resolved
This issue is fixed in Elastic Stack version 8.18.3.

Fixes

  • Improves error telemetry for the AI assistant (#220938).
  • Simplifies and improves the rule import error message (#218701).
  • Fixes a bug that caused the Dashboard overview page to crash when a Lens widget aggregation error occurred (#214888).
  • Removes the technical preview badge from the alert suppression fields for event correlation rules.
  • Fixes a bug in Elastic Defend 8.16.0 where Elastic Endpoint would incorrectly report some files as being .NET.

8.18.1

Known issues

The entity risk score feature may stop persisting risk score documents

Details
On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to Elastic Stack 8.18.0 or higher.

This is due to a bug that prevents the entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name> ingest pipeline (which is set as a default pipeline for the risk scoring index in Elastic Stack 8.18.0) from being created when Kibana starts up.

While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.

Workaround

To resolve this issue, apply the following workaround before or after upgrading to Elastic Stack 8.18.0 or higher.

First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this with the PUT request shown in the example below. Note that the trailing default in the example pipeline name is the Kibana space ID; substitute the ID of each space in which you create the pipeline.

PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
{
  "_meta": {
    "managed_by": "entity_analytics",
    "managed": true
  },
  "description": "Pipeline for adding timestamp value to event.ingested",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}

After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine’s next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking Run Engine.

Resolved
This issue is fixed in Elastic Stack version 8.18.3.

The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules

Details
On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check #1021.

Resolved
This issue is fixed in Elastic Stack version 8.18.2.

Enhancements

  • Updates the MITRE ATT&CK® coverage page mapping to v16.1 (#215026).
  • Adds a background task to upgrade Agentless deployments after Kibana has been upgraded (#207143).
  • Improves Elastic Defend’s CPU usage on systems with very high event volumes.

Fixes

  • Removes the check for unused connector roles (#219358).
  • Simplifies and improves the rule import error message (#218701).
  • Fixes the related integrations render performance on rule editing pages (#217254).
  • Prevents ES|QL rules from timing out if the rule query takes longer than five minutes to complete (#216667).
  • Improves Elastic Defend’s call site analysis logic.
  • Fixes a bug in Elastic Defend’s redaction of diagnostics bundles.

8.18.0

Known issues

The entity risk score feature may stop persisting risk score documents

Details
On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to Elastic Stack 8.18.0 or higher.

This is due to a bug that prevents the entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name> ingest pipeline (which is set as a default pipeline for the risk scoring index in Elastic Stack 8.18.0) from being created when Kibana starts up.

While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.

Workaround

To resolve this issue, apply the following workaround before or after upgrading to Elastic Stack 8.18.0 or higher.

First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this with the PUT request shown in the example below. Note that the trailing default in the example pipeline name is the Kibana space ID; substitute the ID of each space in which you create the pipeline.

PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
{
  "_meta": {
    "managed_by": "entity_analytics",
    "managed": true
  },
  "description": "Pipeline for adding timestamp value to event.ingested",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}

After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine’s next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking Run Engine.
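The workaround has to be repeated for every space with risk scoring turned on (the same known issue is listed under 8.18.2 and 8.18.1 above). The following added example, which is not Elastic's code, applies it idempotently across a list of space IDs: it checks whether each space's pipeline already exists, creates it only where missing, and flags a pipeline with the expected name but different content rather than overwriting it. It assumes a minimal transport of two callables, get(path) and put(path, body), which here are backed by a constructed in-memory stand-in for the _ingest/pipeline API so the script runs offline; against a real cluster they would wrap an Elasticsearch client with your URL and credentials.

```python
"""Idempotent per-space creation of the risk-scoring ingest pipeline.

Added example, not Elastic's code. The transport is two callables,
get(path) -> (status, body) and put(path, body) -> status, so the logic can
be exercised offline with the FakeCluster below (a constructed stand-in).
"""
from typing import Callable, Dict, Iterable, Tuple

# Pipeline id prefix from the release note; the suffix is the Kibana space ID.
PIPELINE_PREFIX = "entity_analytics_create_eventIngest_from_timestamp-pipeline-"

# Body from the workaround: copy the ingest timestamp into event.ingested.
PIPELINE_BODY: Dict = {
    "_meta": {"managed_by": "entity_analytics", "managed": True},
    "description": "Pipeline for adding timestamp value to event.ingested",
    "processors": [
        {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}}
    ],
}

Getter = Callable[[str], Tuple[int, Dict]]
Putter = Callable[[str, Dict], int]


def pipeline_name(space_id: str) -> str:
    """Pipeline id for one space; 'default' is the default Kibana space."""
    return PIPELINE_PREFIX + space_id


def sets_event_ingested(pipeline: Dict) -> bool:
    """True if an existing pipeline already does what the workaround needs."""
    if pipeline.get("_meta", {}).get("managed_by") != "entity_analytics":
        return False
    for proc in pipeline.get("processors", []):
        step = proc.get("set", {})
        if step.get("field") == "event.ingested" and step.get("value") == "{{_ingest.timestamp}}":
            return True
    return False


def ensure_pipelines(space_ids: Iterable[str], get: Getter, put: Putter) -> Dict[str, str]:
    """Create the pipeline where missing and report one status word per space.

    'present'  - already there and correct, left untouched
    'created'  - was missing (404) and has been PUT
    'mismatch' - exists but differs; not overwritten, needs a human look
    'error'    - unexpected GET or PUT status
    """
    results: Dict[str, str] = {}
    for space in space_ids:
        name = pipeline_name(space)
        path = f"/_ingest/pipeline/{name}"
        status, body = get(path)
        if status == 200:
            # GET returns {"<pipeline id>": {...}} on success.
            results[space] = "present" if sets_event_ingested(body.get(name, {})) else "mismatch"
        elif status == 404:
            results[space] = "created" if put(path, PIPELINE_BODY) in (200, 201) else "error"
        else:
            results[space] = "error"
    return results


class FakeCluster:
    """Constructed stand-in for the _ingest/pipeline API, for offline runs."""

    def __init__(self, pipelines: Dict[str, Dict]) -> None:
        self.pipelines = dict(pipelines)

    def get(self, path: str) -> Tuple[int, Dict]:
        name = path.rsplit("/", 1)[-1]
        if name in self.pipelines:
            return 200, {name: self.pipelines[name]}
        return 404, {"error": {"type": "resource_not_found_exception"}}

    def put(self, path: str, body: Dict) -> int:
        self.pipelines[path.rsplit("/", 1)[-1]] = body
        return 200


def demo() -> Dict[str, str]:
    """Three constructed spaces: one already fixed, one missing, one foreign."""
    cluster = FakeCluster({
        pipeline_name("default"): PIPELINE_BODY,
        pipeline_name("legacy"): {"description": "something else", "processors": []},
    })
    return ensure_pipelines(["default", "soc", "legacy"], cluster.get, cluster.put)


if __name__ == "__main__":
    print(demo())  # {'default': 'present', 'soc': 'created', 'legacy': 'mismatch'}
```

A 'mismatch' result means a pipeline of that name exists but is not the one the workaround expects, so inspect it before replacing it; the risk engine will not persist documents until the pipeline sets event.ingested.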

Resolved
This issue is fixed in Elastic Stack version 8.18.3.

Rules cannot be enabled if they’re corrupted while upgrading from 7.17.x to 8.x

Details
If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules.

Workaround

Duplicate your rules and enable them.

The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules

Details
On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check #1021.

Resolved
This issue is fixed in Elastic Stack version 8.18.2.

Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions

Details
When you install an Elastic Defend integration or a new agent policy for this integration, all the installed prebuilt detection rules are upgraded to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions and exceptions, as well as any user customizations, if you customized any other rule fields.

Workaround
To resolve this issue, before you add an Elastic Defend integration to a policy in Fleet, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten.

Resolved
This issue is fixed in Elastic Stack versions 8.17.6, 8.18.1, and 9.0.1.

Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck

Details

An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix’s driver intercepts this service’s operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents the Elastic Defend driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend’s driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.

Workaround

If you can’t upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).

Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.

Unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver causes slowdown on Windows systems

Details

An unbounded kernel non-paged memory growth issue in Elastic Defend’s kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.

Workaround

If you can’t upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings:

  • Network Events - Set the windows.advanced.kernel.network advanced setting to false.
  • Registry Events - Set the windows.advanced.kernel.registry advanced setting to false.

Clearing the corresponding checkbox under Event Collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.

Resolved
This issue is fixed in Elastic Defend versions 8.17.6, 8.18.1, and 9.0.1.

Deprecations

  • The user and host risk score modules are being deprecated (#202775).
  • The following SIEM signal migration endpoints were deprecated (#202662):

    • POST /api/detection_engine/signals/migrations
    • DELETE /api/detection_engine/signals/migrations
    • POST /api/detection_engine/signals/finalize_migrations
    • GET /api/detection_engine/signals/migration_status

New features

  • Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents.
  • The Automatic Import functionality is now generally available (#208523).
  • Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response (#206683).
  • Allows you to customize prebuilt rules. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings (#212761).
  • Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported (#207336, #206582, #206268, #202344).
  • Allows you to configure how often the enrich policy runs for the entity store (#207374, #204437).
  • Provides configuration options to the entity store through additional API parameters (#206421).
  • Introduces a status tab to the entity store management page (#201235).
  • Allows you to install and reinstall entity stores from the Engine Status page (#208149).
  • Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage (#206313).
  • The manual runs functionality is now generally available (#209535).
  • Allows you to preview logged Elasticsearch requests for new terms, threshold, custom, and machine learning rule types (#203320).
  • Adds support for suppressing alerts generated from event correlation rules that use sequence queries (#189725).
  • Allows you to add common observables to any case and extend the types of observable case data to include custom options (#190237).
  • Introduces privileges that let you control role access to Timeline and notes (#201780).
  • Introduces privileges that let you control whether a role can assign users to a case (#201654).
  • Re-adds details to the alert details flyout about the last time an alert’s status was changed (#205224).
  • Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps (#203975).
  • Adds new third-party actions to CrowdStrike response actions, which let you execute remote commands through the CrowdStrike agent from Elastic Security (#203101, #202012, #203420, #204044).
  • Applies the latest Elastic UI (EUI) theme to multiple areas of Elastic Security (#204007, #204908).
  • Elastic Defend will now graphically report its protection status when launched from Windows Security Center.
  • Adds new Elastic Defend fields, process.Ext.command_line_truncated and process.parent.Ext.command_line_truncated to indicate when the command line gathered by event sources is truncated because of size limitations.
  • Elastic Defend staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems receive the updates until all systems are on the latest artifacts. If any issues are identified, Elastic may halt the update process and roll back all participating systems to prior known-good artifacts. To support this process, participating Elastic Defend endpoints report health-related telemetry to telemetry.elastic.co. Customers can control this behavior using the [os].advanced.artifacts.global.channel advanced policy setting (#202674).
  • Adds a new field to the metrics section of the Elastic Defend metadata document called top_process_trees. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate.
  • Introduces new advanced settings in the Elastic Defend integration policy to reduce the volume of data that Elastic Endpoint processes and ingests. The following new behaviors are enabled by default. You can turn them off by configuring your Elastic Defend integration policy advanced settings:

    Elastic Endpoint behavior is preserved on existing Elastic Defend policies.

    • Elastic Endpoint will merge short lived process create/terminate events and network connect/terminate events so only a single document is produced.
    • Elastic Endpoint will only include a small subset of data in the host.* fieldset in event documents.
    • Elastic Endpoint will not report MD5 and SHA-1 hashes in event data.

Enhancements

  • Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) (#205070).
  • Provides APIs for AI Assistant Knowledge Base entries (#206407).
  • Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved (#199694).
  • Introduces support for the future integration of AI Assistant prompts in Kibana (#207138).
  • Adds audit logging for changes to AI Assistant knowledge base entries (#203349).
  • Adds a service example to the entity store upload page (#209023).
  • Updates the entity insight badge to open entity flyouts (#208287).
  • Introduces changes to the entity analytics feature to support event.ingested as a configurable timestamp field for init and enable endpoints (#208201).
  • Allows you to include closed alerts in risk score calculations (#201909).
  • Turns the securitySolution:enableVisualizationsInFlyout advanced setting on by default, which allows you to access the event analyzer and Session View in the Visualize tab on the alert or event details flyout (#211319).
  • Reduces the system performance impact of Elastic Defend file events.
  • Improves Elastic Defend’s resilience in low memory situations.
  • Updates the Elastic Defend policy status message to show the Elastic Defend policy name, revision, and Elastic Agent policy revision.
  • Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices (#214495).
  • Allows rule actions (except for Summary of alerts actions that run at a custom frequency) to activate during manual rule runs (#200784).
  • Implements various performance optimizations to reduce Elastic Defend’s CPU usage and improve system responsiveness.
  • Includes the Elastic Defend policy name and ID in alerts.
  • Adds the allow_cloud_features advanced policy setting, which lets you explicitly list which cloud resources can be reached by Elastic Defend (#205785).
  • Adds a new set of Elastic Defend fields, call_stack_final_hook_module, to API event behavior alerts and optionally to API events. These fields aid triage by identifying the presence of Win32 API hooks, whether placed by malware or by third-party security products.
  • Improves Elastic Defend script visibility and adds a new API event for AmsiScanBuffer, as well as AMSI enrichments for API events.
  • Enhances Elastic Defend by including an improved fingerprint for Memory_protection.unique_key_v2. We recommend that any shellcode_thread exceptions based on the old unique_key_v1 field be updated.
  • Adds the process.Ext.memory_region.region_start_bytes field to Elastic Defend Windows memory signature alerts.
  • Improves Elastic Defend host information accuracy, such as IP addresses. Elastic Defend previously updated this information only when a new policy was applied or at most once every 24 hours, so it could be inaccurate for several hours, especially on roaming endpoints.

Bug fixes

  • Fixes the unstructured system log flow for Automatic Import (#213042).
  • Fixes missing ECS mappings for Automatic Import (#209057).
  • Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers (#205220).
  • Ensures that the field mapping for Automatic Import contains the @timestamp field whenever possible (#204931).
  • Ensures that Automatic Import uses the provided data stream description in the integration readme (#203236).
  • Fixes the countdown for the next scheduled risk engine run (#203212).
  • Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder (#203106).
  • Fixes the bug where pressing Enter reloaded the Automatic Import (#199894).
  • Fixes a bug that prevented you from being able to select a connector for AI Assistant from the Elastic Security landing page (#213969).
  • Updates prompts that you can use with the Amazon Bedrock connector (#213160).
  • Fixes a bug in AI Assistant that caused the Bedrock region to always be us-east-1 (#214251).
  • Adds the organizationId and projectId OpenAI headers and other arbitrary headers (#213117).
  • Fixes a bug that sometimes caused a generic error message to appear in OpenAI (#205665).
  • Improves copy for the entity store feature on the Entity Analytics dashboard (#210991).
  • Removes the critical services count from Entity Analytics dashboard summary panel (#210827).
  • Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it (#210430).
  • Adds a filter to the entity definition schema so it can be used to further filter entity store data (#208588).
  • Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages (#209130).
  • Fixes a bug that prevented the indexPattern parameter from being respected when you refreshed a data view (#215151).
  • Ensures that Kibana space IDs are dynamically retrieved for entity risk scores in the entity flyout (#216063).
  • Uses data from the risk engine’s saved object instead of your browser’s local storage when loading the Entity Risk Score page (#215304).
  • Improves the confirmation message that appears when you update the configuration for a risk engine saved object (#211372).
  • Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing (#209863).
  • Ensures that you stay on your current page in the Rules table after editing or updating a rule (#209537).
  • Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview (#213455).
  • Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn’t turned on (#211981).
  • Fixes the order of the alert insights so they’re now shown from low risk to critical risk (#212980).
  • Fixes bugs that prevented cell actions in the Alerts table from rendering properly in the event rendered view (#212721).
  • Fixes a bug that incorrectly concealed the isolate host panel if you used the isolate host action from the alert preview (#211853).
  • Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout (#211824).
  • Fixes the width of the alerts table in rule preview (#214028).
  • Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query (#212117).
  • Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices (#209936).
  • Fixes a bug that didn’t allow you to generate ES|QL alerts from alert indices (#208894).
  • Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log (#207396).
  • Fixes an Elastic Defend bug to ensure the first event’s timestamp is used as the timestamp for event aggregation.
  • Updates the way Elastic Defend initially connects to Elastic Agent, which significantly improves the speed of connection.
  • Fixes issues where uninstalling Elastic Defend on Windows leaves files within Elastic Defend’s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades.
  • Improves Elastic Defend by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running on amd64 machines.
  • Improves Elastic Defend by improving the entity_id algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse.