From a5b4824a48ed93e38c02f1d1bff0f60a91e73465 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 14 Jul 2025 15:20:21 +0100 Subject: [PATCH 1/6] [Security] 8.19.0 release notes --- docs/release-notes.asciidoc | 2 + docs/release-notes/8.19.asciidoc | 83 ++++++++++++++++++++++++++++++++ 2 files changed, 85 insertions(+) create mode 100644 docs/release-notes/8.19.asciidoc diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index ff0f54a21f..18440f3476 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> @@ -87,6 +88,7 @@ This section summarizes the changes in each release. * <> * <> +include::release-notes/8.19.asciidoc[] include::release-notes/8.18.asciidoc[] include::release-notes/8.17.asciidoc[] include::release-notes/8.16.asciidoc[] diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc new file mode 100644 index 0000000000..7d24b8da48 --- /dev/null +++ b/docs/release-notes/8.19.asciidoc 
@@ -0,0 +1,83 @@ +[[release-notes-header-8.19.0]] +== 8.19 + +[discrete] +[[release-notes-8.19.0]] +=== 8.19.0 + +[discrete] +[[deprecations-8.19.0]] +==== Deprecations +* Removes default quick prompts from the Security AI Assistant ({kibana-pull}225536[#225536]). + + +[discrete] +[[features-8.19.0]] +==== New features +* Adds an option to update the `kibana.alert.workflow_status` field for alerts associated with attack discoveries ({kibana-pull}225029[#225029]). +* The rule execution gaps functionality is now generally available ({kibana-pull}224657[#224657]). +* Adds the ability to bulk fill gaps ({kibana-pull}224585[#224585]). +* Automatic migration is now generally available ({kibana-pull}224544[#224544]). +* Adds a name field to the automatic migration UI ({kibana-pull}223860[#223860]). +* Adds simplified bulk editing for alert suppression ({kibana-pull}223090[#223090]). +* Adds a human-readable incremental ID to cases, making referencing cases easier ({kibana-pull}222874[#222874]). +* Adds the ability to change rule migration execution settings when re-processing a migration ({kibana-pull}222542[#222542]). +* Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts ({kibana-pull}222377[#222377]). +* Updates automatic migration API schema ({kibana-pull}219597[#219597]). +* Adds automatic saving of attack discoveries, with search and filter capabilities ({kibana-pull}218906[#218906]). +* Adds the ability to edit highlighted fields in the alert details flyout ({kibana-pull}216740[#216740]). +* Adds the XSOAR connector ({kibana-pull}212049[#212049]). +* Adds a custom script selector for choosing scripts to execute when using the `runscript` response action ({kibana-pull}204965[#204965]). + +[discrete] +[[enhancements-8.19.0]] +==== Enhancements +* Updates {elastic-sec} Labs Knowledge Base content ({kibana-pull}227125[#227125]). +* Displays which fields are customized for prebuilt rules ({kibana-pull}225939[#225939]). 
+* Bumps default Gemini model ({kibana-pull}225917[#225917]). +* Groups vulnerabilities by resource and cloud account using IDs instead of names ({kibana-pull}225492[#225492]). +* Adds prompt tiles to the Security AI Assistant ({kibana-pull}224981[#224981]). +* Adds support for collapsible sections in integrations READMEs ({kibana-pull}223916[#223916]). +* Adds advanced policy settings in {elastic-defend} to enable collection of file origin information for File, Process, and DLL (ImageLoad) events ({kibana-pull}222030[#222030], {kibana-pull}223882[#223882]). +* Adds the `ecs@mappings` component to the transform destination index template ({kibana-pull}223878[#223878]). +* Adds the ability to revert prebuilt rules to their base version ({kibana-pull}223301[#223301]). +* Adds an {elastic-defend} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collecion. +* Updates the highlighted fields button styling in the alert details flyout({kibana-pull}221862[#221862]). +* Expands CVE ID search to all search parameters, not just names ({kibana-pull}221099[#221099]). +* Improves alert searching and filtering by including additional ECS data stream fields ({kibana-pull}220447[#220447]). +* Updates default model IDs for {bedrock} and OpenAI connectors ({kibana-pull}220146[#220146]). +* Adds support for PKI (certificate-based) authentication for the OpenAI **Other** connector providers ({kibana-pull}219984[#219984]). +* Adds pinning and settings to the **Table** tab in the alert and event details flyouts ({kibana-pull}218686[#218686]). +* Adds the Security AI prompts integration ({kibana-pull}216106[#216106]). +* Adds support for grouping multi-value fields in Cloud Security ({kibana-pull}215913[#215913]). +* Limits unassigned notes to a maximum of 100 per document instead of globally. +({kibana-pull}214922[#214922]). 
+* Updates the Detection rule monitoring dashboard to include rule gaps histogram ({kibana-pull}214694[#214694]). +* Adds support for the `MV_EXPAND` command for the {esql} rule type ({kibana-pull}212675[#212675]). +* Updates the data view selector in Timelines ({kibana-pull}210585[#210585]). +* Enables `isolate` and `release` response actions from the event details flyout ({kibana-pull}206857[#206857]). +* Standardizes action triggers in alerts KPI visualizations ({kibana-pull}206340[#206340]). + +[discrete] +[[bug-fixes-8.19.0]] +==== Fixes +* Fixes a bug where Timelines and investigations did not consistently use the default Security data view ({kibana-pull}226314[#226314]). +* Fixes a bug where opening an alert deeplink didn't correctly load filters on the **Alerts** page ({kibana-pull}225650[#225650]). +* Updates entity links to open in a flyout instead of leaving the current page ({kibana-pull}225381[#225381]). +* Adds a title to the rule gap histogram in the Detection rule monitoring dashboard ({kibana-pull}225274[#225274]). +* Fixes a bug where pressing Escape with an alert details flyout open from a Timeline closed the Timeline instead of the flyout ({kibana-pull}224352[#224352]). +* Fixes a bug where comma-separated `process.args` values didn't wrap properly in the alert details flyout's **Overview** tab ({kibana-pull}223544[#223544]). +* Fixes a bug where cell actions didn't work when opening a Timeline from specific rule types ({kibana-pull}223305[#223305]). +* Fixes wrapping for threat indicator match event renderer ({kibana-pull}223164[#223164]). +* Fixes a z-index issue in the {esql} query editor within Timeline ({kibana-pull}222841[#222841]). +* Fixes incorrect content displaying after tab switching in the integrations section on the **Get started** page. +({kibana-pull}222271[#222271]). +* Fixes the exception flyout to show the correct "Edit rule exception" title and button label when editing an exception item ({kibana-pull}222248[#222248]). 
+* Retrieves active integrations from the installed integrations API ({kibana-pull}218988[#218988]). +* Updates tooltips in the gap fills table ({kibana-pull}218926[#218926]). +* Fixes AI Assistant prompt updates so UI changes reflect only successful updates ({kibana-pull}217058[#217058]). +* Fixes error callout placement on the **Engine Status** tab of the **Entity Store** page ({kibana-pull}216228[#216228]). +* Generalizes and consolidates custom {fleet} onboarding logic ({kibana-pull}215561[#215561]). +* Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group ({kibana-pull}215086[#215086]). +* Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions ({kibana-pull}212316[#212316]). +* Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). \ No newline at end of file From fe6eecca7b86f16bf9e47d7bcce6b8053fc1e4ba Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Mon, 14 Jul 2025 15:49:46 +0100 Subject: [PATCH 2/6] Adds Endpoint RNs --- docs/release-notes/8.19.asciidoc | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc index 7d24b8da48..1e2a1d7ccd 100644 --- a/docs/release-notes/8.19.asciidoc +++ b/docs/release-notes/8.19.asciidoc @@ -28,6 +28,7 @@ * Adds the ability to edit highlighted fields in the alert details flyout ({kibana-pull}216740[#216740]). * Adds the XSOAR connector ({kibana-pull}212049[#212049]). * Adds a custom script selector for choosing scripts to execute when using the `runscript` response action ({kibana-pull}204965[#204965]). +* Upgrades the Linux Endpoint to use Quark as an eBPF event source. [discrete] [[enhancements-8.19.0]] 
@@ -57,6 +58,12 @@ * Updates the data view selector in Timelines ({kibana-pull}210585[#210585]). * Enables `isolate` and `release` response actions from the event details flyout ({kibana-pull}206857[#206857]). * Standardizes action triggers in alerts KPI visualizations ({kibana-pull}206340[#206340]). +* Adds process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. +* Reduces {elastic-defend} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. +* {elastic-defend}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. +* Reduces {elastic-defend} CPU and memory usage for behavioral protections. +* Improves the resilience of {elastic-defend} in low memory situations. +* Reduces {elastic-defend} CPU usage and improves system responsiveness for malware and memory protections. [discrete] [[bug-fixes-8.19.0]] @@ -80,4 +87,5 @@ * Generalizes and consolidates custom {fleet} onboarding logic ({kibana-pull}215561[#215561]). * Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group ({kibana-pull}215086[#215086]). * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions ({kibana-pull}212316[#212316]). -* Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). \ No newline at end of file +* Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). +* Fixes the artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. From dd3c8492dc1f633f83cd67b600f86a0b686539df Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Wed, 16 Jul 2025 13:45:09 +0100 Subject: [PATCH 3/6] minor fixes --- docs/release-notes/8.19.asciidoc | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc index 1e2a1d7ccd..4199e1b871 100644 --- a/docs/release-notes/8.19.asciidoc +++ b/docs/release-notes/8.19.asciidoc @@ -42,8 +42,8 @@ * Adds advanced policy settings in {elastic-defend} to enable collection of file origin information for File, Process, and DLL (ImageLoad) events ({kibana-pull}222030[#222030], {kibana-pull}223882[#223882]). * Adds the `ecs@mappings` component to the transform destination index template ({kibana-pull}223878[#223878]). * Adds the ability to revert prebuilt rules to their base version ({kibana-pull}223301[#223301]). -* Adds an {elastic-defend} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collecion. -* Updates the highlighted fields button styling in the alert details flyout({kibana-pull}221862[#221862]). +* Adds an {elastic-defend} advanced policy setting that allows you to enable or disable the Microsoft-Windows-Security-Auditing ETW provider for security events collection ({kibana-pull}222197[#222197]). +* Updates the highlighted fields button styling in the alert details flyout ({kibana-pull}221862[#221862]). * Expands CVE ID search to all search parameters, not just names ({kibana-pull}221099[#221099]). * Improves alert searching and filtering by including additional ECS data stream fields ({kibana-pull}220447[#220447]). * Updates default model IDs for {bedrock} and OpenAI connectors ({kibana-pull}220146[#220146]). 
@@ -51,8 +51,7 @@ * Adds pinning and settings to the **Table** tab in the alert and event details flyouts ({kibana-pull}218686[#218686]). * Adds the Security AI prompts integration ({kibana-pull}216106[#216106]). * Adds support for grouping multi-value fields in Cloud Security ({kibana-pull}215913[#215913]). -* Limits unassigned notes to a maximum of 100 per document instead of globally. -({kibana-pull}214922[#214922]). +* Limits unassigned notes to a maximum of 100 per document instead of globally ({kibana-pull}214922[#214922]). * Updates the Detection rule monitoring dashboard to include rule gaps histogram ({kibana-pull}214694[#214694]). * Adds support for the `MV_EXPAND` command for the {esql} rule type ({kibana-pull}212675[#212675]). * Updates the data view selector in Timelines ({kibana-pull}210585[#210585]). From 9bff67865e8928de13b9f4aefb4bc68ee011f957 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 17 Jul 2025 09:05:43 +0100 Subject: [PATCH 4/6] Applies Endpoint feedback Co-authored-by: Gabriel Landau <42078554+gabriellandau@users.noreply.github.com> --- docs/release-notes/8.19.asciidoc | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc index 4199e1b871..88321853fd 100644 --- a/docs/release-notes/8.19.asciidoc +++ b/docs/release-notes/8.19.asciidoc @@ -28,7 +28,6 @@ * Adds the ability to edit highlighted fields in the alert details flyout ({kibana-pull}216740[#216740]). * Adds the XSOAR connector ({kibana-pull}212049[#212049]). * Adds a custom script selector for choosing scripts to execute when using the `runscript` response action ({kibana-pull}204965[#204965]). -* Upgrades the Linux Endpoint to use Quark as an eBPF event source. [discrete] [[enhancements-8.19.0]] 
@@ -57,7 +56,7 @@ * Updates the data view selector in Timelines ({kibana-pull}210585[#210585]). * Enables `isolate` and `release` response actions from the event details flyout ({kibana-pull}206857[#206857]). * Standardizes action triggers in alerts KPI visualizations ({kibana-pull}206340[#206340]). -* Adds process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. +* Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. * Reduces {elastic-defend} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. * {elastic-defend}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. * Reduces {elastic-defend} CPU and memory usage for behavioral protections. @@ -87,4 +86,4 @@ * Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group ({kibana-pull}215086[#215086]). * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions ({kibana-pull}212316[#212316]). * Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). -* Fixes the artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. +* Fixes the {{elastic-defend}} artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. From f9ded24725104bd7cb2dd0b9335b37d2404d5ad1 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 17 Jul 2025 09:07:23 +0100 Subject: [PATCH 5/6] fix variable formatting --- docs/release-notes/8.19.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc index 88321853fd..c625fad53f 100644 --- a/docs/release-notes/8.19.asciidoc 
+++ b/docs/release-notes/8.19.asciidoc @@ -56,7 +56,7 @@ * Updates the data view selector in Timelines ({kibana-pull}210585[#210585]). * Enables `isolate` and `release` response actions from the event details flyout ({kibana-pull}206857[#206857]). * Standardizes action triggers in alerts KPI visualizations ({kibana-pull}206340[#206340]). -* Adds {{elastic-defend}} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. +* Adds {elastic-defend} process event monitoring for `ptrace` and `memfd` activity on Linux (kernel 5.10+) using eBPF. * Reduces {elastic-defend} CPU usage for ETW events, API events, and behavioral protections. In some cases, this may be a significant reduction. * {elastic-defend}: Changes the security events source from the Event Log provider to Event Tracing for Windows (Microsoft-Windows-Security Auditing) provider and enriches the events with additional data. * Reduces {elastic-defend} CPU and memory usage for behavioral protections. @@ -86,4 +86,4 @@ * Fixes an alert grouping re-render issue that caused infinite rendering loops when selecting a group ({kibana-pull}215086[#215086]). * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions ({kibana-pull}212316[#212316]). * Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). -* Fixes the {{elastic-defend}} artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. +* Fixes the {elastic-defend} artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. From 05873efff834766a1ad9a1c8a2e1f803ce48f229 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Fri, 18 Jul 2025 16:38:35 +0100 Subject: [PATCH 6/6] Applies feedback --- docs/release-notes/8.19.asciidoc | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/docs/release-notes/8.19.asciidoc b/docs/release-notes/8.19.asciidoc index c625fad53f..078fdbe6ed 100644 --- a/docs/release-notes/8.19.asciidoc +++ b/docs/release-notes/8.19.asciidoc @@ -19,7 +19,7 @@ * Adds the ability to bulk fill gaps ({kibana-pull}224585[#224585]). * Automatic migration is now generally available ({kibana-pull}224544[#224544]). * Adds a name field to the automatic migration UI ({kibana-pull}223860[#223860]). -* Adds simplified bulk editing for alert suppression ({kibana-pull}223090[#223090]). +* Adds the ability to bulk set up and delete alert suppression ({kibana-pull}223090[#223090]). * Adds a human-readable incremental ID to cases, making referencing cases easier ({kibana-pull}222874[#222874]). * Adds the ability to change rule migration execution settings when re-processing a migration ({kibana-pull}222542[#222542]). * Adds `runscript` response action support for Microsoft Defender for Endpoint–enrolled hosts ({kibana-pull}222377[#222377]). @@ -62,6 +62,9 @@ * Reduces {elastic-defend} CPU and memory usage for behavioral protections. * Improves the resilience of {elastic-defend} in low memory situations. * Reduces {elastic-defend} CPU usage and improves system responsiveness for malware and memory protections. +* Reduces {elastic-defend} CPU when processing events from the System process, such as IIS network events. +* Improves {elastic-defend} logging of fatal exceptions. +* Improves {elastic-defend} call site analysis logic. [discrete] [[bug-fixes-8.19.0]] 
@@ -87,3 +90,5 @@ * Fixes a bug in the alert details flyout's **Table** tab where fields displayed duplicate hover actions ({kibana-pull}212316[#212316]). * Refactors conversation pagination for the Security AI Assistant ({kibana-pull}211831[#211831]). * Fixes the {elastic-defend} artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses. +* Fixes a bug in {elastic-defend} where Linux network events would have source and destination byte counts swapped. +* Fixes a memory growth bug in {elastic-defend} on Linux when both **Collect session data** and **Capture terminal output** are enabled.
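Review bot: in PATCH 1/6, hunk `@@ -3,6 +3,7 @@` of `docs/release-notes.asciidoc`, the new list entry shows up as `+* <>` with no visible anchor name, so it cannot be checked from the diff; confirm it targets the `[[release-notes-header-8.19.0]]` anchor declared in the new `docs/release-notes/8.19.asciidoc`, otherwise the link at the top of the list will not resolve once the `include::release-notes/8.19.asciidoc[]` line is in place.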
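Review bot: in PATCH 1/6, the `@@ -0,0 +1,83 @@` hunk that creates `docs/release-notes/8.19.asciidoc` files several non-fix items under `[[bug-fixes-8.19.0]]`: `Updates entity links to open in a flyout instead of leaving the current page`, `Adds a title to the rule gap histogram in the Detection rule monitoring dashboard`, `Retrieves active integrations from the installed integrations API`, `Updates tooltips in the gap fills table`, `Generalizes and consolidates custom {fleet} onboarding logic` and `Refactors conversation pagination for the Security AI Assistant`. Either move them to `[[enhancements-8.19.0]]` or reword each to state the user-visible problem it fixes, so a reader scanning Fixes can tell whether an issue they hit is resolved. The single `[[deprecations-8.19.0]]` entry, `Removes default quick prompts from the Security AI Assistant`, describes a removal that already took effect rather than a deprecation; if the prompts are gone in 8.19.0, call it out as a removal.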
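Review bot: in PATCH 2/6, hunk `@@ -28,6 +28,7 @@`, `* Upgrades the Linux Endpoint to use Quark as an eBPF event source.` is added under `[[features-8.19.0]]` without a PR link and describes an internal event-source change rather than something a user can enable or see; if it is kept it belongs under Enhancements with a sentence on what changes for the user (which event types, which kernels). PATCH 4/6 later removes the line entirely, which also resolves this.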
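Review bot: in PATCH 2/6, hunk `@@ -57,6 +58,12 @@`, the provider is written `Microsoft-Windows-Security Auditing` in `{elastic-defend}: Changes the security events source from the Event Log provider to Event Tracing for Windows (...)`, but `Microsoft-Windows-Security-Auditing` (fully hyphenated, the actual ETW provider name) in the policy-setting entry earlier in the same file; use the hyphenated form in both. That entry is also the only one prefixed with `{elastic-defend}:` instead of being written as a sentence like its neighbours, and it should point readers at the matching advanced policy setting that enables or disables the ETW provider, since that is how an operator reverts to the Event Log source if the new provider causes gaps in their security event collection. Two adjacent entries overlap: `Reduces {elastic-defend} CPU usage for ETW events, API events, and behavioral protections...` and `Reduces {elastic-defend} CPU and memory usage for behavioral protections.`; merge them or state what distinguishes them.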
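Review bot: in PATCH 2/6, hunk `@@ -80,4 +87,5 @@`, `Fixes the artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses.` does not say what was wrong with the `channel` field before (missing, wrong value, wrong type), so a reader who consumes policy responses cannot tell whether the change affects them; state the previous behaviour in one clause, for example `... where the artifact `channel` field reported <old value>`.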
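Review bot: in PATCH 3/6, hunk `@@ -51,8 +51,7 @@`, the `({kibana-pull}214922[#214922]).` reference is correctly joined onto its bullet, but the same defect remains in the Fixes section, where `({kibana-pull}222271[#222271]).` still sits on its own line after `Fixes incorrect content displaying after tab switching in the integrations section on the **Get started** page.`; apply the same join there so the PR link renders as part of the bullet rather than as a detached paragraph.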
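Review bot: in PATCH 5/6, hunk `@@ -86,4 +86,4 @@`, the corrected line `Fixes the {elastic-defend} artifact `channel` field and adds `manifest_type` in {elastic-defend} policy responses.` now expands `{elastic-defend}` twice in one sentence; drop the first occurrence and keep `... in {elastic-defend} policy responses`, which already identifies the product.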
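Review bot: in PATCH 6/6, hunk `@@ -62,6 +62,9 @@`, `Reduces {elastic-defend} CPU when processing events from the System process, such as IIS network events.` is missing the noun; the surrounding entries say `CPU usage`, so this one should read `Reduces {elastic-defend} CPU usage when processing ...`. `Improves {elastic-defend} call site analysis logic.` gives the reader nothing to act on; either say which protection or detection it improves, or drop it from the user-facing notes.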
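Review bot: in PATCH 6/6, hunk `@@ -87,3 +90,5 @@`, `Fixes a bug in {elastic-defend} where Linux network events would have source and destination byte counts swapped.` should say whether already-indexed events are affected; anyone with rules, dashboards or baselines built on those byte counts from earlier versions will want to know the fix applies only to events generated after upgrading, and that historical Linux network events still carry the swapped values.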