From eb6d3ef1ddfe638438c251ebd962a2207598f93f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 6 Jan 2025 18:38:58 -0500 Subject: [PATCH 1/7] First draft --- docs/release-notes.asciidoc | 1 + docs/release-notes/8.17.asciidoc | 42 ++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index 986e1a4424..f445e5d311 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,6 +3,7 @@ This section summarizes the changes in each release. +* <> * <> * <> * <> diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index 0dc2ba58fc..cbf714d15f 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -1,6 +1,48 @@ [[release-notes-header-8.17.0]] == 8.17 +[discrete] +[[release-notes-8.17.1]] +=== 8.17.1 + +[discrete] +[[known-issue-8.17.1]] +==== Known issues + +// tag::known-issue[] +[discrete] +.Duplicate alerts can be produced from manually running threshold rules +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. + +==== +// end::known-issue[] + +// tag::known-issue[] +[discrete] +.Manually running custom query rules with suppression could suppress more alerts than expected +[%collapsible] +==== +*Details* + +On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. + +==== +// end::known-issue[] + +[discrete] +[[bug-fixes-8.17.1]] +==== Bug fixes +* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). +* Change handling whitespace for textarea autoheight to `pre` ({kibana-pull}203993[#203993]). +* Adds RBAC to the Automatic Import APIs ({kibana-pull}203882[#203882]). +* Fixes the validation of external API responses that return non-JSON (ex. stream) ({kibana-pull}203820[#203820]). +* Remove warning for rule filter ({kibana-pull}201776[#201776]). +* In 8.16.2 and 8.17.0, we refactored a portion of our Windows kernel driver to work around an incompatibility with CrowdStrike Falcon which can result in a `CRITICAL_PROCESS_DIED` bugcheck. We discovered that this incompatibility can also be triggered by Memory Protection. We refactored a portion of our kernel driver to avoid this conflict. +* Fix a bug in Defend where Windows API event call stack enrichment can fail for processes that started before Defend and where another security product is also present and is hooking system DLLs. 
+* Fixes a bug in Defend where Windows API events involving `mswsock.dll` can be mislabeled with the `proxy_call` behavior. + [discrete] [[release-notes-8.17.0]] === 8.17.0 From 38c52cd3d876b5943a2eb7bb4c0657a6778ff22d Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 6 Jan 2025 18:52:21 -0500 Subject: [PATCH 2/7] Adds correct content --- docs/release-notes.asciidoc | 2 +- docs/release-notes/8.16.asciidoc | 17 +++++++++++++ docs/release-notes/8.17.asciidoc | 42 -------------------------------- 3 files changed, 18 insertions(+), 43 deletions(-) diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc index f445e5d311..03635c426c 100644 --- a/docs/release-notes.asciidoc +++ b/docs/release-notes.asciidoc @@ -3,8 +3,8 @@ This section summarizes the changes in each release. -* <> * <> +* <> * <> * <> * <> diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index c0019219dc..d4b4870296 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -1,6 +1,23 @@ [[release-notes-header-8.16.0]] == 8.16 +[discrete] +[[release-notes-8.16.3]] +=== 8.16.3 + +[discrete] +[[bug-fixes-8.16.3]] +==== Bug fixes + +* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). +* Change handling whitespace for textarea autoheight to `pre` ({kibana-pull}203993[#203993]). +* Adds RBAC to the Automatic Import APIs ({kibana-pull}203882[#203882]). +* Fixes the validation of external API responses that return non-JSON (ex. stream) ({kibana-pull}203820[#203820]). +* Remove warning for rule filter ({kibana-pull}201776[#201776]). +* In 8.16.2 and 8.17.0, we refactored a portion of our Windows kernel driver to work around an incompatibility with CrowdStrike Falcon which can result in a `CRITICAL_PROCESS_DIED` bugcheck. We discovered that this incompatibility can also be triggered by Memory Protection. We refactored a portion of our kernel driver to avoid this conflict. +* Fix a bug in Defend where Windows API event call stack enrichment can fail for processes that started before Defend and where another security product is also present and is hooking system DLLs. +* Fixes a bug in Defend where Windows API events involving `mswsock.dll` can be mislabeled with the `proxy_call` behavior. + [discrete] [[release-notes-8.16.2]] === 8.16.2 diff --git a/docs/release-notes/8.17.asciidoc b/docs/release-notes/8.17.asciidoc index cbf714d15f..0dc2ba58fc 100644 --- a/docs/release-notes/8.17.asciidoc +++ b/docs/release-notes/8.17.asciidoc 
@@ -1,48 +1,6 @@ [[release-notes-header-8.17.0]] == 8.17 -[discrete] -[[release-notes-8.17.1]] -=== 8.17.1 - -[discrete] -[[known-issue-8.17.1]] -==== Known issues - -// tag::known-issue[] -[discrete] -.Duplicate alerts can be produced from manually running threshold rules -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running threshold rules could produce duplicate alerts if the date range was already covered by a scheduled rule execution. - -==== -// end::known-issue[] - -// tag::known-issue[] -[discrete] -.Manually running custom query rules with suppression could suppress more alerts than expected -[%collapsible] -==== -*Details* + -On November 12, 2024, it was discovered that manually running a custom query rule with suppression could incorrectly inflate the number of suppressed alerts. - -==== -// end::known-issue[] - -[discrete] -[[bug-fixes-8.17.1]] -==== Bug fixes -* Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). -* Change handling whitespace for textarea autoheight to `pre` ({kibana-pull}203993[#203993]). -* Adds RBAC to the Automatic Import APIs ({kibana-pull}203882[#203882]). -* Fixes the validation of external API responses that return non-JSON (ex. stream) ({kibana-pull}203820[#203820]). -* Remove warning for rule filter ({kibana-pull}201776[#201776]). -* In 8.16.2 and 8.17.0, we refactored a portion of our Windows kernel driver to work around an incompatibility with CrowdStrike Falcon which can result in a `CRITICAL_PROCESS_DIED` bugcheck. We discovered that this incompatibility can also be triggered by Memory Protection. We refactored a portion of our kernel driver to avoid this conflict. -* Fix a bug in Defend where Windows API event call stack enrichment can fail for processes that started before Defend and where another security product is also present and is hooking system DLLs. 
-* Fixes a bug in Defend where Windows API events involving `mswsock.dll` can be mislabeled with the `proxy_call` behavior. - [discrete] [[release-notes-8.17.0]] === 8.17.0 From f788bd5f3fdf4f890dd1647f239f3ae047935e32 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 8 Jan 2025 10:14:42 -0500 Subject: [PATCH 3/7] More changes --- docs/release-notes/8.16.asciidoc | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index d4b4870296..66fed01449 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -10,13 +10,18 @@ ==== Bug fixes * Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). -* Change handling whitespace for textarea autoheight to `pre` ({kibana-pull}203993[#203993]). -* Adds RBAC to the Automatic Import APIs ({kibana-pull}203882[#203882]). -* Fixes the validation of external API responses that return non-JSON (ex. stream) ({kibana-pull}203820[#203820]). -* Remove warning for rule filter ({kibana-pull}201776[#201776]). -* In 8.16.2 and 8.17.0, we refactored a portion of our Windows kernel driver to work around an incompatibility with CrowdStrike Falcon which can result in a `CRITICAL_PROCESS_DIED` bugcheck. We discovered that this incompatibility can also be triggered by Memory Protection. We refactored a portion of our kernel driver to avoid this conflict. -* Fix a bug in Defend where Windows API event call stack enrichment can fail for processes that started before Defend and where another security product is also present and is hooking system DLLs. -* Fixes a bug in Defend where Windows API events involving `mswsock.dll` can be mislabeled with the `proxy_call` behavior. +* Improves how the rule query field handles whitespace for long pre-formatted texts. This fix only applies to Firefox, not Chrome or Safari ({kibana-pull}203993[#203993]). +* Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]). +* Changes the validation for API responses from SentinelOne and Crowdstrike. With this fix, non-JSON responses, such as stream, are allowed ({kibana-pull}203820[#203820]). +* Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]). +* Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. 
It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. ++ +Affected users who are unable to upgrade should set one or both of following in their {elastic-defend} advanced policy, depending on their version: + +** `windows.advanced.events.process.creation_flags: false` (8.13.0 - 8.16.1) +** `windows.advanced.memory_protection.shellcode_trampoline_detection: false` (8.12.0 - 8.16.2) +* Fixes an {elastic-defend} bug that could cause the Windows API event call stack enrichment to fail for processes that started before {elastic-defend} and if another security product was present and hooking system DLLs. +* Fixes an {elastic-defend} bug that caused Windows API events involving `mswsock.dll` to be mislabeled with the `proxy_call` behavior. [discrete] [[release-notes-8.16.2]] From abfaac6f59df90bc9d371444422290117ea708eb Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 8 Jan 2025 10:44:00 -0500 Subject: [PATCH 4/7] Minor fixes --- docs/release-notes/8.16.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 66fed01449..0a9e5758bb 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -12,11 +12,11 @@ * Fixes Integration and Datastream name validation ({kibana-pull}204943[#204943]). * Improves how the rule query field handles whitespace for long pre-formatted texts. This fix only applies to Firefox, not Chrome or Safari ({kibana-pull}203993[#203993]). * Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]). -* Changes the validation for API responses from SentinelOne and Crowdstrike. With this fix, non-JSON responses, such as stream, are allowed ({kibana-pull}203820[#203820]). +* Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned ({kibana-pull}203820[#203820]). * Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]). * Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. + -Affected users who are unable to upgrade should set one or both of following in their {elastic-defend} advanced policy, depending on their version: +Affected users who are unable to upgrade should set one or both of the following in their {elastic-defend} advanced policy, depending on their version: ** `windows.advanced.events.process.creation_flags: false` (8.13.0 - 8.16.1) ** `windows.advanced.memory_protection.shellcode_trampoline_detection: false` (8.12.0 - 8.16.2) From 989c6f69d8b573e71c381fdf7b2b2f968e034fba Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Wed, 8 Jan 2025 15:10:55 -0500 Subject: [PATCH 5/7] Expands summary for endpoint bug fix --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 0a9e5758bb..53a6dce246 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -41,7 +41,7 @@ Affected users who are unable to upgrade should set one or both of the following * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fixes an {elastic-defend} bug that prevented {elastic-sec} from launching when you clicked the **Open Elastic Security** button in the Window Security Center. +* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator. [discrete] [[release-notes-8.16.1]] From fa1d8ad9d22e7c860822f1bbb8191371acfdcdc7 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 9 Jan 2025 10:50:36 -0500 Subject: [PATCH 6/7] Update 8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 53a6dce246..b1d9081801 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -41,7 +41,7 @@ Affected users who are unable to upgrade should set one or both of the following * Fixes a bug that caused an entity engine to get stuck in the `Installing` status if the default Security data view didn't exist. With this fix, engines now correctly report the `Error` state ({kibana-pull}201140[#201140]). * Fixes an issue that prevented you from successfully importing TSV files with asset criticality data if you're on Windows ({kibana-pull}199791[#199791]). * Improves {elastic-defend} by refactoring the kernel driver to work around a `CRITICAL_PROCESS_DIED` bug check (BSOD) that can occur due to a conflict with CrowdStrike Falcon. -* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator. +* Fixes an {elastic-defend} bug that caused the **Open Elastic Security** button in the Windows Security Center to be non-functional. Now, you're informed that {elastic-defend} is managed by your system administrator. [discrete] [[release-notes-8.16.1]] From f80e5ec033d75834c1578ebd2fde2c803df18c40 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 20 Jan 2025 13:23:19 -0500 Subject: [PATCH 7/7] Adds 205103 and 205138 --- docs/release-notes/8.16.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index b1d9081801..e292e5c223 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -14,6 +14,8 @@ * Adds role-based access control to the Automatic Import APIs ({kibana-pull}203882[#203882]). * Changes the validation for API responses from SentinelOne and Crowdstrike. This fix allows for non-JSON responses, such as stream, to be returned ({kibana-pull}203820[#203820]). * Fixes a bug that caused a warning to display when you modified the index patterns of a rule that had a filter using `AND` or `OR` conditions ({kibana-pull}201776[#201776]). +* Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases ({kibana-pull}205138[#205138]). +* Lists all policies to ensure that integrations are properly displayed ({kibana-pull}205103[#205103]). * Fixes incompatibility issues with {elastic-defend}. In 8.16.2 and 8.17.0, a portion of the Windows kernel driver was refactored to work around an incompatibility with CrowdStrike Falcon which could result in a `CRITICAL_PROCESS_DIED` bugcheck. It was discovered that this incompatibility could also be triggered by Memory Protection, so a portion of the kernel driver was refactored to avoid this conflict. + Affected users who are unable to upgrade should set one or both of the following in their {elastic-defend} advanced policy, depending on their version:
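Review bot: PATCH 1/7 and PATCH 2/7 cancel each other out for docs/release-notes/8.17.asciidoc: the whole 8.17.1 section (the two known issues dated November 12, 2024 and the seven bug-fix bullets) added in the first commit is deleted line for line in the second, and the index entry in docs/release-notes.asciidoc is moved from first to second position. Squash the two commits so the series shows only the net change (the new 8.16.3 section in 8.16.asciidoc); otherwise the 8.17.1 known-issues text stays in history looking like content that was meant to ship.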
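Review bot: the {elastic-defend} workaround added in PATCH 3/7 tells users who cannot upgrade to set `windows.advanced.events.process.creation_flags: false` and `windows.advanced.memory_protection.shellcode_trampoline_detection: false`, but it does not say what coverage that costs or that the overrides should be removed after upgrading to 8.16.3. Judging by their names, both keys turn off detection data (process creation-flag events and shellcode trampoline detection under Memory Protection), so the entry should say so and tell readers to revert the advanced policy settings once they are on a fixed version, or the workaround will outlive the bug. It should also state plainly that the ranges in parentheses (8.13.0 - 8.16.1 and 8.12.0 - 8.16.2) are the versions on which each key is needed; "depending on their version" currently leaves the reader to infer that. Minor: this entry says `CRITICAL_PROCESS_DIED` bugcheck while the 8.16.2 entry further down the same file says "bug check (BSOD)"; use one spelling.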
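Review bot: "Adds role-based access control to the Automatic Import APIs" (PATCH 3/7, carried through PATCH 7/7) is a privilege change rather than a plain bug fix, and it can break existing callers: any role or automation that used those APIs before 8.16.3 may start receiving authorization errors. The entry should say which Kibana privileges now gate the Automatic Import endpoints, or link to where that is documented, so administrators can grant them before upgrading. In the same hunk, "SentinelOne and Crowdstrike" should be "CrowdStrike" to match "CrowdStrike Falcon" two bullets down, and "non-JSON responses, such as stream" reads better as "non-JSON responses, such as streamed responses".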
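Review bot: PATCH 6/7 only inserts "the" before "Windows Security Center" in the line PATCH 5/7 rewrote; fold it into PATCH 5/7 rather than carrying a one-word commit. PATCH 5/7 also dropped the detail that clicking **Open Elastic Security** previously failed to launch {elastic-sec}; "non-functional" covers it, but keep "in the Windows Security Center" consistent with the 8.16.2 entry's wording in the rest of the file.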
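Review bot: both bullets added in PATCH 7/7 are too vague for a reader to act on. "Fixes a bug that caused the diff view to incorrectly mark certain characters as changed in specific cases" does not name which diff view or what the cases were, and "Lists all policies to ensure that integrations are properly displayed" does not say where policies are listed or which integrations were missing. The neighboring bullets name the feature and the visible symptom (for example the rule query field and Firefox-only whitespace handling); follow that pattern here, taking the detail from #205138 and #205103.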