IMPORTANT: This documentation is no longer updated. Refer to Elastic's version policy and the latest documentation.

8.19

8.19.4

Fixes

  • Fixes a bug where the toggle column functionality only worked on the Alerts page (#234278).
  • Fixes a bug where Linux capabilities were included in Elastic Endpoint network events despite being disabled.
  • Makes the delivery of Elastic Endpoint command line commands more robust. In rare cases, commands could previously fail due to interprocess communication issues.

8.19.3

Enhancements

  • Improves the reliability of Elastic Defend’s connection to its kernel driver. This should reduce the instances of temporary DEGRADED policy statuses at boot due to connect_kernel failures.
  • Enriches Elastic Defend macOS network connect events with network.direction. Possible values are ingress and egress.

Fixes

  • Fixes a bug in Session View where args fields in event.process and nested objects had string values instead of an array of strings as expected (#232462).
  • Fixes a bug in Elastic Defend where Linux endpoints would report process.executable as a relative, instead of absolute, path.
  • Fixes a bug where Elastic Defend Linux network events would fail to load if IPv6 is not supported by the system.
  • Fixes a bug in Elastic Defend where the fqdn feature flag was not being persisted across system or endpoint restarts.
  • Fixes a race condition in Elastic Defend on Windows that occasionally resulted in corrupted process command lines. This could cause incorrect values for process.command_line, process.args_count, and process.args, leading to false positives.
  • Hides case connectors in the create case workflow based on your license (#232506).
  • Fixes inconsistencies in case activity statistics (#231948).

8.19.2

Enhancements

  • Improves Elastic Defend malware scan queue efficiency by not blocking scan requests when an oplock for the file being scanned cannot be acquired.
  • To help identify which parts of elastic-endpoint.exe are using a significant amount of CPU, Elastic Defend on Windows can now include CPU profiling data in diagnostics. To request CPU profiling data using the command line, refer to the Agent command reference. To request CPU profiling data using Kibana, check the Collect additional CPU metrics box when requesting Elastic Agent diagnostics.
  • Shortens the time it takes for Elastic Defend to recover from a DEGRADED status caused by Elastic Agent communication issues.
  • Allows Elastic Defend to automatically recover in some situations when it loses connectivity with Elastic Agent.

Fixes

  • Due to an issue in macOS, Elastic Defend would sometimes send network events without user.name populated. Elastic Defend will now identify these events and populate user.name if necessary.
  • Fixes an issue in Elastic Defend performance metrics that resulted in endpoint_uptime_percent always being 0 for behavioral rules.

8.19.1

Enhancements

  • Adds advanced policy settings in Elastic Defend to enable collection of file origin information for File, Process, and DLL (ImageLoad) events (#223882, #222030).

Fixes

  • Fixes a bug where Security AI Assistant settings landed on the wrong page for users on the Basic license (#229163).
  • Fixes a bug where the base version API route cache was not properly invalidated after rule import (#228475).

8.19.0

Deprecations

  • Removes default quick prompts from the Security AI Assistant (#225536).

New features

  • Adds an option to update the kibana.alert.workflow_status field for alerts associated with attack discoveries (#225029).
  • The rule execution gaps functionality is now generally available (#224657).
  • Adds the ability to bulk fill gaps (#224585).
  • Automatic migration is now generally available (#224544).
  • Adds a name field to the automatic migration UI (#223860).
  • Adds the ability to bulk set up and delete alert suppression (#223090).
  • Adds the ability to change rule migration execution settings when re-processing a migration (#222542).
  • Adds runscript response action support for Microsoft Defender for Endpoint–enrolled hosts (#222377).
  • Updates automatic migration API schema (#219597).
  • Adds automatic saving of attack discoveries, with search and filter capabilities (#218906).
  • Adds the ability to edit highlighted fields in the alert details flyout (#216740).
  • Adds the XSOAR connector (#212049).
  • Adds a custom script selector for choosing scripts to execute when using the runscript response action (#204965).

Enhancements

  • Updates Elastic Security Labs Knowledge Base content (#227125).
  • Bumps default Gemini model (#225917).
  • Groups vulnerabilities by resource and cloud account using IDs instead of names (#225492).
  • Adds prompt tiles to the Security AI Assistant (#224981).
  • Adds support for collapsible sections in integrations READMEs (#223916).
  • Adds the ecs@mappings component to the transform destination index template (#223878).
  • Adds the ability to revert a customized prebuilt rule to its original version (#223301).
  • Displays which fields are customized for prebuilt rules (#225939).
  • Adds an Elastic Defend advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collection (#222197).
  • Updates the highlighted fields button styling in the alert details flyout (#221862).
  • Expands CVE ID search to all search parameters, not just names (#221099).
  • Improves alert searching and filtering by including additional ECS data stream fields (#220447).
  • Updates default model IDs for Amazon Bedrock and OpenAI connectors (#220146).
  • Adds support for PKI (certificate-based) authentication for the OpenAI Other connector providers (#219984).
  • Adds pinning and settings to the Table tab in the alert and event details flyouts (#218686).
  • Adds the Security AI prompts integration (#216106).
  • Adds support for grouping multi-value fields in Cloud Security (#215913).
  • Limits unassigned notes to a maximum of 100 per document instead of globally (#214922).
  • Updates the Detection rule monitoring dashboard to include rule gaps histogram (#214694).
  • Adds support for the MV_EXPAND command for the ES|QL rule type (#212675).
  • Adds support for partial results for the ES|QL rule type (#223198).
  • Updates the data view selector in Timelines (#210585).
  • Enables isolate and release response actions from the event details flyout (#206857).
  • Standardizes action triggers in alerts KPI visualizations (#206340).
  • Adds Elastic Defend process event monitoring for ptrace and memfd activity on Linux (kernel 5.10+) using eBPF.
  • Reduces Elastic Defend CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction.
  • Elastic Defend: Changes the security events source from the Event Log provider to the Event Tracing for Windows (Microsoft-Windows-Security-Auditing) provider and enriches the events with additional data.
  • Reduces Elastic Defend CPU and memory usage for behavioral protections.
  • Improves the resilience of Elastic Defend in low memory situations.
  • Reduces Elastic Defend CPU usage and improves system responsiveness for malware and memory protections.
  • Reduces Elastic Defend CPU when processing events from the System process, such as IIS network events.
  • Improves Elastic Defend logging of fatal exceptions.
  • Improves Elastic Defend call site analysis logic.
  • Adds Elastic Defend support for Elliptic Curve certificates and TLS output settings, including supported_protocols, cipher_suites, and curve_types.

Fixes

  • Fixes a bug where Timelines and investigations did not consistently use the default Security data view (#226314).
  • Fixes a bug where opening an alert deeplink didn’t correctly load filters on the Alerts page (#225650).
  • Updates entity links to open in a flyout instead of leaving the current page (#225381).
  • Adds a title to the rule gap histogram in the Detection rule monitoring dashboard (#225274).
  • Fixes a bug where pressing Escape with an alert details flyout open from a Timeline closed the Timeline instead of the flyout (#224352).
  • Fixes a bug where comma-separated process.args values didn’t wrap properly in the alert details flyout’s Overview tab (#223544).
  • Fixes a bug where cell actions didn’t work when opening a Timeline from specific rule types (#223305).
  • Fixes wrapping for threat indicator match event renderer (#223164).
  • Fixes a z-index issue in the ES|QL query editor within Timeline (#222841).
  • Fixes incorrect content displaying after tab switching in the integrations section on the Get started page (#222271).
  • Fixes the exception flyout to show the correct "Edit rule exception" title and button label when editing an exception item (#222248).
  • Retrieves active integrations from the installed integrations API (#218988).
  • Updates tooltips in the gap fills table (#218926).
  • Fixes AI Assistant prompt updates so UI changes reflect only successful updates (#217058).
  • Fixes error callout placement on the Engine Status tab of the Entity Store page (#216228).
  • Generalizes and consolidates custom Fleet onboarding logic (#215561).
  • Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group (#215086).
  • Fixes a bug in the alert details flyout’s Table tab where fields displayed duplicate hover actions (#212316).
  • Refactors conversation pagination for the Security AI Assistant (#211831).
  • Fixes the Elastic Defend artifact channel field and adds manifest_type in Elastic Defend policy responses.
  • Fixes a bug in Elastic Defend where Linux network events would have source and destination byte counts swapped.
  • Fixes a memory growth bug in Elastic Defend on Linux when both Collect session data and Capture terminal output are enabled.
  • Fixes a bug where Linux endpoint network events would fail to load if IPv6 is not supported by the system.