elastic · nastasha-solomon · Apr 8, 2025 · Feb 10, 2025 · Feb 10, 2025 · Feb 21, 2025
diff --git a/docs/release-notes.asciidoc b/docs/release-notes.asciidoc
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.18.0, {elastic-sec} version 8.18.0>>
 * <<release-notes-8.17.3, {elastic-sec} version 8.17.3>>
 * <<release-notes-8.17.2, {elastic-sec} version 8.17.2>>
 * <<release-notes-8.17.1, {elastic-sec} version 8.17.1>>
@@ -77,6 +78,7 @@ This section summarizes the changes in each release.
 * <<release-notes-8.0.0, {elastic-sec} version 8.0.0>>
 * <<release-notes-8.0.0-rc2, {elastic-sec} version 8.0.0-rc2>>
 
+include::release-notes/8.18.asciidoc[]
 include::release-notes/8.17.asciidoc[]
 include::release-notes/8.16.asciidoc[]
 include::release-notes/8.15.asciidoc[]

diff --git a/docs/release-notes/8.18.asciidoc b/docs/release-notes/8.18.asciidoc
@@ -0,0 +1,121 @@
+[[release-notes-header-8.18.0]]
+== 8.18
+
+[discrete]
+[[release-notes-8.18.0]]
+=== 8.18.0
+
+[discrete]
+[[deprecations-8.18.0]]
+==== Deprecations
+//* Adds upgrade notes to the Upgrade Assistant for Endpoint management deprecated APIs in 9.0 ({kibana-pull}206904[#206904]).
+//* adds upgrade notes and create docs link for Endpoint management deprecated apis in 9.0 ({kibana-pull}206903[#206903]).
+//* Adds deprecation warning for the legacy risk score modules ({kibana-pull}202775[#202775]) for details.
+//Might need to elaborate on the following summary and also doc it in the Kibana release notes at https://www.elastic.co/guide/en/kibana/8.18/release-notes-8.18.0.html.
+* The following SIEM signal migration endpoints were deprecated ({kibana-pull}202662[#202662]):
+
+** POST /api/detection_engine/signals/migrations
+** DELETE /api/detection_engine/signals/migrations
+** POST /api/detection_engine/signals/finalize_migrations
+** GET /api/detection_engine/signals/migration_status
+
+
+[discrete]
+[[features-8.18.0]]
+==== New features
+* The Automatic Import functionality is now generally available ({kibana-pull}208523[#208523]).
+* Allows you to install and reinstall entity stores from the Engine Status page ({kibana-pull}208149[#208149]).
+* Adds enrichPolicyExecutionInterval to entity enablement and init APIs ({kibana-pull}207374[#207374], {kibana-pull}204437[#204437]).
+* Provides initial support for the service entity type, whereas previously, only user and host entity types were supported ({kibana-pull}207336[#207336], {kibana-pull}206582[#206582], {kibana-pull}206268[#206268], {kibana-pull}202344[#202344]).
+* Adds in-text citations to {elastic-sec} AI assistant responses whenever fact providers (such as the knowledge base or alert information) are used to generate the response ({kibana-pull}206683[#206683]).
+* Adds service enrichment to detection engine ().
+* Entity Store Config - Lookback period ({kibana-pull}206421[#206421]).
+* Allows you to monitor and fill gaps in rule executions, which can reduce rule coverage and may lead to missed alerts ({kibana-pull}206313[#206313]).
+* Re-adds details to the alert details flyout about the last time an alert's status was changed ({kibana-pull}205224[#205224]).
+* Applies the latest Elastic UI (EUI) theme to multiple areas of {elastic-sec} ({kibana-pull}204007[#204007], {kibana-pull}204908[#204908]).
+* Adding changes for event.ingested in riskScore and assetCriticality ({kibana-pull}203975[#203975]).
+* Expands support for previewing logged {es} requests to include the new terms, threshold, custom, and {ml} rule types ({kibana-pull}203320[#203320]).
+* Adds new third-party actions to Crowdstrike response actions, which will allow users to execute remote commands using Crowdstrike agent through {elastic-sec} ({kibana-pull}203101[#203101], {kibana-pull}202012[#202012], {kibana-pull}203420[#203420], {kibana-pull}204044[#204044]).
+* Adds the `[os].advanced.artifacts.global.channel` <<adv-policy-settings,advanced policy setting>>, which allows you to opt out from staged artifact rollout  ({kibana-pull}202674[#202674]). 
+* Introduces privileges that let you control role access to Timeline and notes ({kibana-pull}201780[#201780]).
+* Introduces privileges that allow you a role to assign users to a case ({kibana-pull}201654[#201654]).
+* Entity Engine status tab ({kibana-pull}201235[#201235]).
+* Allows you to add common observables to any case and extend the types of observable case data to include custom options ({kibana-pull}190237[#190237]).
+* Adds support for suppressing alerts generated from even correlation rules that are using sequence queries ({kibana-pull}189725[#189725]).
+* Adds new fields, `process.Ext.command_line_truncated` and `process.parent.Ext.command_line_truncated` to indicate when the command line gathered by event sources is truncated because of size limitations.
+* Allows {elastic-defend} to send data to telemetry.elastic.co to monitor health of staged global artifacts rollout.
+* Updates infrastructure of HttpClient to allow for future implementation of a rust-based client.
+* Adds infrastructure to CryptoLib that will enable a smoother transition to a Rust CryptoLib implementation.
+* Ensures that global artifacts update are delivered incrementally, closely monitoring the health of the rollout. To support it, {elastic-defend} will contact a new cloud API to know which artifacts it should use, will contact Elastic telemetry to send periodic health information during artifacts testing, and lastly, will allow opt-out via advanced policy setting from participation in staged artifacts rollout.
+* Enables process event aggregation by default.
+* Adds a new field to the metrics section of the metadata document called `top_process_trees`. This section will contain a list of the top noisy processes on the system, with "noisy" being based on how many events they generate.
+* Allows you to opt into aggregation of network events to reduce CPU usage, I/O, and event sizes. Network events with the same addresses and ports occurring in rapid succession will be combined into fewer aggregate events. Use `advanced.events.aggregate_network` in advanced policy to enable it.
+* ISSUE-14632: Count Events via Process Cache.
+
+[discrete]
+[[enhancements-8.18.0]]
+==== Enhancements
+* Turns the `securitySolution:enableVisualizationsInFlyout` <<visualizations-in-flyout,advanced setting>> on by default, which allows you to access the event analyzer and Session View in the **Visualize** tab on the alert or event details flyout ({kibana-pull}211319[#211319]).
+* Adds a service example to the entity store upload page ({kibana-pull}209023[#209023]).
+* Update entity insight badge to open entity flyouts ({kibana-pull}208287[#208287]).
+* Introduces changes to support `event.ingested` as a configurable timestamp field for init and enable endpoints ({kibana-pull}208201[#208201]).
+* Introduces support for the future integration of AI Assistant prompts in {kib}. ({kibana-pull}207138[#207138]).
+* Provides APIs for AI Assistant Knowledge Base entries ({kibana-pull}206407[#206407]).
+* Enables the new inference connector for Automatic Import ({kibana-pull}206111[#206111]).
+* Enables new inference connector in the AI Assistant and Attack Discovery ({kibana-pull}204505[#204505]).
+* Enhances Attack discovery by providing you with additional control over which alerts are included as context to the large language model (LLM) ({kibana-pull}205070[#205070]).
+* Adds audit logging for changes to knowledge base entries ({kibana-pull}203349[#203349]).
+* Allows you to include closed alerts in risk score calculations ({kibana-pull}201909[#201909]).
+* Adds the product documentation tool to AI Assistant to ensure product docs are installed and can be properly retrieved ({kibana-pull}199694[#199694]).
+* Reduces the system performance impact of file events.
+* Improves the resilience of {elastic-defend} in low memory situations.
+* Updates the {elastic-defend} status message ACK'ed to Agent to show: the {elastic-defend} policy name, revision, and Agent policy revision.
+* Implements various performance optimizations to reduce {elastic-defend}'s CPU usage and improve system responsiveness.
+* Includes the {elastic-defend} policy name and ID in alerts.
+* Adds the `allow_cloud_features` advanced policy setting, which lets you explicitly list which cloud resources can be reached by {elastic-defend}.
+* Adds a new set of fields `call_stack_final_hook_module` to API event behavior alerts, and optionally API events. These fields aid triage by identifying the presence of Win32 API hooks - including malware and 3rd party security products.
+* Improves script visibility and adds a new API event for `AmsiScanBuffer`, as well as AMSI enrichments for API events.
+* Enhances {elastic-defend} by including an improved fingerprint for `Memory_protection.unique_key_v2`. We recommend that any `shellcode_thread` exceptions based on the old `unique_key_v1` field be updated.
+* Adds the `process.Ext.memory_region.region_start_bytes` field to Windows memory signature alerts.
+* Improves host information accuracy, such as IP addresses. {elastic-defend} was updating this information only during new policy application or at least once per 24h, so this information could have been inaccurate for several hours, especially on roaming endpoints (laptops).
+
+[discrete]
+[[bug-fixes-8.18.0]]
+==== Bug fixes
+* Alerts table in Rule Preview panel fills container width ({kibana-pull}214028[#214028]).
+* 8.18 Fix assistant apiConfig set by Security getting started page ({kibana-pull}213969[#213969]).
+* Fixes session view navigation when in alert preview and add preview banner ({kibana-pull}213455[#213455]).
+* Bedrock prompt updates ({kibana-pull}213160[#213160]).
+* Adds `organizationId` and `projectId` OpenAI headers, along with arbitrary headers ({kibana-pull}213117[#213117]).
+* Fixes unstructured syslog flow ({kibana-pull}213042[#213042]).
+* Fixes alert insights color order ({kibana-pull}212980[#212980]).
+* Fixes - Alert Table Event Rendered View + Cell actions ({kibana-pull}212721[#212721]).
+* Fixes empty EQL query validation ({kibana-pull}212117[#212117]).
+* Fixes analyzer no data message in flyout when analyzer is not enabled ({kibana-pull}211981[#211981]).
+* Convert isolate host to standalone flyout ({kibana-pull}211853[#211853]).
+* Adds bulkGetUserProfiles privilege to Security Feature ({kibana-pull}211824[#211824]).
+* Changes for the confirmation message after RiskScore SO is updated ({kibana-pull}211372[#211372]).
+* Update entity store copies ({kibana-pull}210991[#210991]).
+* Delete 'critical services' count from Entity Analytics Dashboard header ({kibana-pull}210827[#210827]).
+* Do not prompt users with the legacy risk engine installed to install the risk engine on the Entity Analytics dashboard ({kibana-pull}210430[#210430]).
+* Make 7.x signals/alerts compatible with 8.18 alerts UI ({kibana-pull}209936[#209936]).
+* Clicking link in host/user flyout does not refresh details panel ({kibana-pull}209863[#209863]).
+* Remember page index in Rule Updates table ({kibana-pull}209537[#209537]).
+* Make entity store description more generic ({kibana-pull}209130[#209130]).
+* Fixes missing ecs mappings ({kibana-pull}209057[#209057]).
+* Fixes ES|QL alert on alert ({kibana-pull}208894[#208894]).
+* Adds filter to entity definitions schema ({kibana-pull}208588[#208588]).
+* Logs shard failures for eql event queries on rule details page and in event log ({kibana-pull}207396[#207396]).
+* Fixes OpenAI, error race condition bug ({kibana-pull}205665[#205665]).
+* Fixes how Automatic Import generates accesses for the field names that are not valid Painless identifiers ({kibana-pull}205220[#205220]).
+* Automatic Import now ensures that the field mapping contains the `@timestamp` field whenever possible ({kibana-pull}204931[#204931]).
+* Use provided data stream description in generated README ({kibana-pull}203236[#203236]).
+* Creating a shared component for the Risk Engine's countdown text ({kibana-pull}203212[#203212]).
+* Use Data stream name for data_stream.dataset value in input manifests ({kibana-pull}203106[#203106]).
+* Fixes the bug where pressing Enter reloaded the Automatic Import ({kibana-pull}199894[#199894]).
+* Fixes a bug where environment variables were not collected on macOS according to the advanced.capture_env_vars field.
+* Use the first event's timestamp as the timestamp for event aggregation.
+* Updated the way endpoint initially connects to agent, improving the speed of connection significantly.
+* Fix issues where Windows Defend uninstallation leaves files within Endpoint's directory that cannot be removed by administrators.  These files can prevent subsequent installs and upgrades.
+* Increase the size of command line capture from 800 to 2400 bytes for kprobe-based Linux process event collection running amd64 machines.
+* Improve `entity_id` algorithm for Windows Server 2012 to prevent it from being vulnerable to PID reuse.