elastic · nastasha-solomon · Apr 8, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 21, 2025
diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.18.0, {elastic-sec} version 8.18.0>>
 * <<release-notes-8.17.4, {elastic-sec} version 8.17.4>>
 * <<release-notes-8.17.3, {elastic-sec} version 8.17.3>>
 * <<release-notes-8.17.2, {elastic-sec} version 8.17.2>>
@@ -79,6 +80,7 @@ This section summarizes the changes in each release.
 * <<release-notes-8.0.0, {elastic-sec} version 8.0.0>>
 * <<release-notes-8.0.0-rc2, {elastic-sec} version 8.0.0-rc2>>
 
+include::release-notes/8.18.asciidoc[]
 include::release-notes/8.17.asciidoc[]
 include::release-notes/8.16.asciidoc[]
 include::release-notes/8.15.asciidoc[]

diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc
@@ -0,0 +1,139 @@
+[[release-notes-header-8.18.0]]
+== 8.18
+
+[discrete]
+[[release-notes-8.18.0]]
+=== 8.18.0
+
+[discrete]
+[[known-issue-8.18.0]]
+==== Known issues
+// tag::known-issue[]
+[discrete]
+.Duplicate alerts can be produced from manually running threshold rules 
+[%collapsible]
+====
+*Details* +
+If rule saved objects were corrupted when you upgraded from 7.17.x to 8.x, you may run into an error when turning on your rules. 
+
+*Workaround* +
+
+Duplicate your rules and enable them.
+
+====
+// end::known-issue[]
+
+[discrete]
+[[deprecations-8.18.0]]
+==== Deprecations
+* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]).
+* Adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]).
+* The user and host risk score modules are being deprecated ({kibana-pull}202775[#202775]).
+* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]):
+
+** POST /api/detection_engine/signals/migrations
+** DELETE /api/detection_engine/signals/migrations
+** POST /api/detection_engine/signals/finalize_migrations
+** GET /api/detection_engine/signals/migration_status
+
+[discrete]
+[[features-8.18.0]]
+==== New features
+* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]).
+* Adds in-text citations to AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]).
+* Allows you to https://github.com/elastic/kibana/issues/174168[customize prebuilt rules]. You can modify most rule parameters, export and import prebuilt rules — including customized ones — and upgrade prebuilt rules while retaining customization settings ({kibana-pull}212761[#212761]).
+* Adds initial support for the service entity type in the Entity Store, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]).
+* Allows you to configure how often the enrich policy runs for the entity store ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]).
+* Provides configuration options to the entity store through additional API parameters ({kibana-pull}206421[#206421]).
+* Introduces a status tab to the entity store management page ({kibana-pull}201235[#201235]).
+* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]).
+* Introduces ways to monitor and fix gaps in rule executions, which can lead to missed alerts or reduced rule coverage ({kibana-pull}206313[#206313]).
+* Allows you to preview logged {es} requests for new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]).
+* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]).
+* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]).
+* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]).
+* Introduces privileges that let you control whether a role can assign users to a case ({kibana-pull}201654[#201654]).
+* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]).
+* Introduces changes to the asset criticality and risk score data clients to use a new ingest pipeline for adding event timestamps ({kibana-pull}203975[#203975]).
+* Adds new third-party actions to CrowdStrike response actions, which will allow you to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]).
+* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]).
+* Adds the {elastic-defend} `[os].advanced.artifacts.global.channel` <<adv-policy-settings,advanced policy setting>>, which allows you to opt out from staged artifact rollout ({kibana-pull}202674[#202674]).
+* Adds new {elastic-defend} fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations.
+* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor the health of staged global artifacts rollouts.
+* Updates the infrastructure of HttpClient to allow for future implementation of a Rust based client.
+* Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation.
+* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow you to use the advanced setting in your {elastic-defend} policy to opt-out from participating in the staged artifacts rollout.
+* Enables process event aggregation by default.
+* Improves {elastic-defend} by adding inherited event counting (events from children) to the process cache entry.
+* Adds a new field to the metrics section of the {elastic-defend} metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate.
+* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use the `advanced.events.aggregate_network` advanced setting in your {elastic-defend} policy to enable it.
+
+[discrete]
+[[enhancements-8.18.0]]
+==== Enhancements
+* Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]).
+* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]).
+* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]).
+* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]).
+* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]).
+* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]).
+* Adds audit logging for changes to AI Assistant knowledge base entries ({kibana-pull}203349[#203349]).
+* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]).
+* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]).
+* Introduces changes to the entity analytics feature to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]).
+* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]).
+* Turns the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]).
+* Reduces the system performance impact of file events.
+* Improves {elastic-defend}'s resilience in low memory situations.
+* Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision.
+* Ensures that the data view selector on the rule creation form shows data view names instead of their defined indices ({kibana-pull}214495[#214495]).
+* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness.
+* Includes the {elastic-defend} policy name and ID in alerts.
+* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}.
+* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks, including malware and 3rd party security products.
+* Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events.
+* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated.
+* Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts.
+* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once ever 24 hours, so this information could have been inaccurate for several hours, especially on roaming endpoints.
+
+[discrete]
+[[bug-fixes-8.18.0]]
+==== Bug fixes
+* Fixes the unstructured system log flow for Automatic Import ({kibana-pull}213042[#213042]).
+* Fixes missing ECS mappings for Automatic Import ({kibana-pull}209057[#209057]).
+* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]).
+* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]).
+* Ensures that Automatic Import uses the provided data stream description in the integration readme ({kibana-pull}203236[#203236]).
+* Fixes the countdown for the next scheduled risk engine run ({kibana-pull}203212[#203212]).
+* Ensures that Automatic Import uses the data stream name that you provide instead of a generic placeholder ({kibana-pull}203106[#203106]).
+* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]).
+* Fixes a bug that prevented you from being able to select a connector for AI Assistant from the {elastic-sec} landing page ({kibana-pull}213969[#213969]).
+* Updates prompts that you can use with the Amazon Bedrock connector ({kibana-pull}213160[#213160]).
+* Fixes a bug in AI Assistant that caused the Bedrock region to always be `us-east-1` ({kibana-pull}214251[#214251]).
+* Adds the `organizationId` and `projectId` OpenAI headers and other arbitrary headers ({kibana-pull}213117[#213117]).
+* Fixes a bug that sometimes caused generic error message to appear in OpenAI ({kibana-pull}205665[#205665]).
+* Improves copy for the entity store feature on the Entity Analytics dashboard ({kibana-pull}210991[#210991]).
+* Removes the critical services count from Entity Analytics dashboard summary panel ({kibana-pull}210827[#210827]).
+* Removes the prompt on the Entity Analytics dashboard that asks you to turn on the risk engine even though you have already done it ({kibana-pull}210430[#210430]).
+* Adds a filter to the entity definition schema so it can be used to further filter entity store data ({kibana-pull}208588[#208588]).
+* Improves the navigation and page descriptions for the Entity Store and Entity Risk Score pages ({kibana-pull}209130[#209130]).
+* Improves the confirmation message that appears when you update the configuration for a risk engine saved object ({kibana-pull}211372[#211372]).
+* Fixes a navigation issue with the host and user flyouts that prevented the flyout details from refreshing ({kibana-pull}209863[#209863]).
+* Ensures that you stay on your current page in the Rules table after editing or updating a rule ({kibana-pull}209537[#209537]).
+* Fixes a bug that caused the preview panel to incorrectly persist after you opened the session viewer preview ({kibana-pull}213455[#213455]).
+* Adds a "no data message" to the expanded event analyzer view in the alert details flyout when the event analyzer isn't turned on ({kibana-pull}211981[#211981]).
+* Fixes the order of the alert insights so they're now shown from low risk to critical risk({kibana-pull}212980[#212980]).
+* Fixes bugs that prevents cell action in the Alerts table from properly rendering in the event rendered view ({kibana-pull}212721[#212721]).
+* Fixes a bug that incorrectly concealed the the isolate host panel if you used the isolate host action from the alert preview ({kibana-pull}211853[#211853]).
+* Fixes a bug that prevented you from seeing alert assignee details from the Alerts table or the alert details flyout ({kibana-pull}211824[#211824]).
+* Fixes the width of the alerts table in rule preview ({kibana-pull}214028[#214028]).
+* Fixes a bug that prevented the rule creation form from properly validating EQL queries when you added filters to the query ({kibana-pull}212117[#212117]).
+* Makes 7.x alert indices compatible with Alerts table so you can access alerts in legacy indices ({kibana-pull}209936[#209936]).
+* Fixes a bug that didn't allow you to generate {esql} alerts from alert indices ({kibana-pull}208894[#208894]).
+* Surfaces details for failed EQL non-sequence queries on the rule details page and in the event log ({kibana-pull}207396[#207396]).
+* Fixes an {elastic-defend} bug where environment variables were not collected on macOS according to the `advanced.capture_env_vars` field.
+* Fixes an {elastic-defend} bug to ensure the first event's timestamp is used as the timestamp for event aggregation.
+* Updates the way {elastic-defend} initially connects to {agent}, which significantly improves the speed of connection.
+* Fixes issues where uninstalling Windows Defend leaves files within {elastic-defend}'s directory that cannot be removed by administrators. These leftover files can prevent subsequent installs and upgrades.
+* Improves {elastic-defend} by increasing the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines.
+* Improves {elastic-defend} by improving `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse.