elastic · nastasha-solomon · Apr 8, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 21, 2025
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.18.0, {elastic-sec} version 8.18.0>>
 * <<release-notes-8.17.4, {elastic-sec} version 8.17.4>>
 * <<release-notes-8.17.3, {elastic-sec} version 8.17.3>>
 * <<release-notes-8.17.2, {elastic-sec} version 8.17.2>>
@@ -79,6 +80,7 @@ This section summarizes the changes in each release.
 * <<release-notes-8.0.0, {elastic-sec} version 8.0.0>>
 * <<release-notes-8.0.0-rc2, {elastic-sec} version 8.0.0-rc2>>
 
+include::release-notes/8.18.asciidoc[]
 include::release-notes/8.17.asciidoc[]
 include::release-notes/8.16.asciidoc[]
 include::release-notes/8.15.asciidoc[]

@@ -0,0 +1,152 @@
+[[release-notes-header-8.18.0]]
+== 8.18
+
+[discrete]
+[[release-notes-8.18.0]]
+=== 8.18.0
+
+[discrete]
+[[known-issue-8.18.0]]
+==== Known issues
+// tag::known-issue[]
+[discrete]
+.Rules cannot be enabled if they're corrupted while upgrading from 7.17.x to 8.x 
+[%collapsible]
+====
+*Details* +
+If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules. 
+
+*Workaround* +
+
+Duplicate your rules and enable them.
+
+====
+// end::known-issue[]
+
+// tag::known-issue[]
+[discrete]
+.The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules 
+[%collapsible]
+====
+*Details* +
+On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check (https://github.com/elastic/docs-content/issues/1021)[#1021].
+
+====
+// end::known-issue[]
+
+[discrete]
+[[deprecations-8.18.0]]
+==== Deprecations
+* The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]).
+* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]):
+
+** POST /api/detection_engine/signals/migrations
+** DELETE /api/detection_engine/signals/migrations
+** POST /api/detection_engine/signals/finalize_migrations
+** GET /api/detection_engine/signals/migration_status
+
+[discrete]
+[[features-8.18.0]]
+==== New features
+* Provides automatic migration for detection rules to help convert existing SIEM rules into Elastic equivalents.
+* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]).
+* Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]).
+* Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]).
+* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]).
+* Allows you to configure how often the enrich policy runs for the entity store ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]).
+* Provides configuration options to the entity store through additional API parameters ({kibana-pull}206421[#206421]).
+* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]).
+* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]).
+* Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]).
+* The manual runs functionality is now generally available ({kibana-pull}209535[#209535]).
+* Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]).
+* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]).
+* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]).
+* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]).
+* Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]).
+* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]).
+* Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]).
+* Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]).
+* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]).
+* {elastic-defend} will now graphically report its protection status when launched from Windows Security Center.
+* Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations.
+* {elastic-defend} staged artifact rollout is now generally available. Staged artifact rollout incrementally updates global artifacts, including malware models and behavioral rules. Each update cycle begins with a small percentage of cloud-connected systems receiving new artifacts. These systems then report any stability, performance, and protection efficacy issues. Over time, additional systems will receive the updates until all systems are updated to the latest artifacts. If any issues are identified, Elastic may halt the update process and rollback all participating systems to prior known-good artifacts. To support this process, participating {elastic-defend} endpoints will report health-related telemetry to `telemetry.elastic.co`. Customers can control this behavior using the `[os].advanced.artifacts.global.channel` <<adv-policy-settings,advanced policy setting>> ({kibana-pull}202674[#202674]).
+* Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate.
+* Introduces <<endpoint-data-volume,new advanced settings>> in the {elastic-defend} integration policy to reduce the volume of data that {elastic-endpoint} processes and ingests. The following new behaviors are enabled by default. You can turn them off by configuring your {elastic-defend} integration policy advanced settings: 
++
+NOTE: {elastic-endpoint} behavior is preserved on existing {elastic-defend} policies.
++
+** {elastic-endpoint} will merge short lived process `create/terminate` events and `network connect/terminate` events so only a single document is produced. 
+** {elastic-endpoint} will only include a small subset of data in the `host.*` fieldset in event documents.
+** {elastic-endpoint} will not report MD5 and SHA-1 hashes in event data.
+
+[discrete]
+[[enhancements-8.18.0]]
+==== Enhancements
+* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]).
+* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]).
+* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]).
+* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]).
+* Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]).
+* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]).
+* Updates the entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]).
+* Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]).
+* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]).
+* Turns the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]).
+* Reduces the system performance impact of {elastic-defend} file events.
+* Improves {elastic-defend}'s resilience in low memory situations.
+* Updates the {elastic-defend} policy status message to show the {elastic-defend} policy name, revision, and {agent} policy revision.
+* Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]).
+* Allows rule actions (except for **Summary of alerts** actions that run at a custom frequency) to activate during manual rule runs ({kibana-pull}200784[#200784]).
+* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness.
+* Includes the {elastic-defend} policy name and ID in alerts.
+* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend} ({kibana-pull}205785[#205785]).
+* Adds a new set of {elastic-defend} fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products.
+* Improves {elastic-defend} script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events.
+* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated.
+* Adds the `process.Ext.memory_region.region_start_bytes` field to {elastic-defend} Windows memory signature alerts.
+* Improves {elastic-defend} host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints.
+
+[discrete]
+[[bug-fixes-8.18.0]]
+==== Bug fixes
+* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]).
+* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]).
+* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]).
+* Ensures that the field mapping for Automatic Import contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]).
+* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]).
+* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]).
+* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]).
+* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]).
+* Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]).
+* Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]).
+* Fixes a bug in AI Assistant that caused the Bedrock region to always be `us-east-1` ({kibana-pull}214251[#214251]).
+* Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]).
+* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]).
+* Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]).
+* Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]).
+* Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]).
+* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]).
+* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]).
+* Fixes a bug that prevented the `indexPattern` parameter from being respected when you refreshed a data view ({kibana-pull}215151[#215151]). 
+* Ensures that {kib} space IDs are dynamically retrieved for entity risk scores in the entity flyout ({kibana-pull}216063[#216063]). 
+* Uses data from the risk engine's saved object instead of your browser's local storage when loading the Entity Risk Score page ({kibana-pull}215304[#215304]). 
+* Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]).
+* Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]).
+* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]).
+* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]).
+* Adds a "no data" message to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]).
+* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]).
+* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]).
+* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]).
+* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]).
+* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]).
+* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]).
+* Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]).
+* Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]).
+* Surfaces shard failure details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]).
+* Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation.
+* Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection.
+* Fixes issues where uninstalling {elastic-defend} on Windows leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades.
+* Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines.
+* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse.