elastic · nastasha-solomon · Nov 1, 2022 · Sep 30, 2022 · Sep 30, 2022 · Oct 4, 2022
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.5.0, {elastic-sec} version 8.5.0>>
 * <<release-notes-8.4.3, {elastic-sec} version 8.4.3>>
 * <<release-notes-8.4.2, {elastic-sec} version 8.4.2>>
 * <<release-notes-8.4.1, {elastic-sec} version 8.4.1>>
@@ -28,6 +29,7 @@ This section summarizes the changes in each release.
 :issue: https://github.com/elastic/kibana/issues/
 :pull: https://github.com/elastic/kibana/pull/
 
+include::release-notes/8.5.asciidoc[]
 include::release-notes/8.4.asciidoc[]
 include::release-notes/8.3.asciidoc[]
 include::release-notes/8.2.asciidoc[]

@@ -0,0 +1,90 @@
+[[release-notes-header-8.5.0]]
+== 8.5
+
+[discrete]
+[[release-notes-8.5.0]]
+=== 8.5.0
+
+[discrete]
+[[known-issue-8.5.0]]
+==== Known issues
+* Users might experience slightly longer installation and upgrade times for the user and host risk score features ({pull}142434[#142434]).
+
+[discrete]
+[[breaking-changes-8.5.0]]
+==== Breaking changes
+// tag::breaking-changes[]
+// NOTE: The breaking-changes tagged regions are reused in the Elastic Installation and Upgrade Guide. The pull attribute is defined within this snippet so it properly resolves in the output.
+:pull: {pull}
+* Host and user risk score features that were installed in 8.4 or earlier are not ECS-compatible and, therefore, cannot generate new risk scores in 8.5. Before upgrading, users can archive their existing risk indices if they want to keep their old host and user risk scores. Otherwise, new risk indices will be generated once users upgrade host and user risk score features ({pull}140377[#140377]).
+// end::breaking-changes[]
+
+[discrete]
+[[deprecations-8.5.0]]
+==== Deprecations
+* Deprecates the risk score index and displays the **Upgrade** button in host and user risk score cards on the Entity Analytics dashboard ({pull}140143[#140143]).
+
+[discrete]
+[[features-8.5.0]]
+==== Features
+* Endpoint response actions history can be filtered and searched ({pull}134520[#134520], {pull}140259[#140259], {pull}138982[#138982], {pull}140975[#140975]).
+* Endpoint response actions history has a standalone page for all endpoints ({pull}140306[#140306]).
+* Introduces the Entity Analytics dashboard, which showcases host and user risk scores and anomalies. Also adds host and user risk data to the user and host detail pages. These features require a Platinum license or higher. ({pull}137688[#137688], {pull}140270[#140270], {pull}139462[#139462]).
+* Updates the *Anomalies* tab to display the same quantity of anomalies when navigating from the Entity Analytics dashboard ({pull}139910[#139910]).
+* Enriches alerts with host and user risk scores ({pull}139478[#139478]).
+* Enables the Indicators page by default and makes the functionality generally available ({pull}141117[#141117]).
+* Allows indicator data to be investigated in Timeline by including the *Add to Timeline* button throughout the Indicators table ({pull}138836[#138836], {pull}140496[#140496]).
+* Removes the Host risk score card from the Overview dashboard ({pull}140177[#140177]).
+* Adds the option to bulk edit rule schedules to the bulk actions menu in the Rules table ({pull}140166[#140166]).
+* Adds the option to bulk edit rule actions to the bulk actions menu in the Rules table ({pull}138900[#138900]).
+* Adds an alert count card to the User, Host, and Network detail pages. The card shows alerts per rule and can be filtered by alert status ({pull}140150[#140150]).
+* Allows users to examine alerts associated with events and enables the Alerts related by process ancestry section by default if they have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({pull}140006[#140006]).
+* Enables the Alerts related by session ID section by default. It appears in the Alert details flyout if users have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({pull}140006[#140006]).
+* Renames the Elastic Endpoint and Cloud Security integration to the Elastic Defend integration ({pull}139517[#139517]).
+* Adds preconfigured use cases to the setup wizard for the {elastic-defend} integration (formerly known as Endpoint and Cloud Security), each with different default settings ({pull}139230[#139230]).
+* Updates the UI for the rule details page's *Exceptions* tab ({pull}138770[#138770]).
+* Enables the Osquery Response Action on custom query detection rules, and adds an *Osquery Results* tab to the Alert details flyout. Users can use the Osquery Response Action to immediately query hosts that generate alerts ({pull}133279[#133279]).
+* Enables rule exceptions to reference value lists, regardless of rule type. One caveat is that text type value lists still do not work for EQL and threshold rules ({pull}133254[#133254]).
+* Introduces the new alert renderer, which concisely displays a detailed summary of the `kibana.alert.reason` field. It appears in Timeline, throughout the Alerts page, and on the Alert details flyout ({pull}140825[#140825]).
+* Introduces the <<kspm,Kubernetes Security Posture Management>> (KSPM) integration as GA. You can now use it to monitor the security posture of your self-managed and Amazon EKS clusters, in addition to unmanaged clusters.
+* Adds a status filter to the Endpoints Response actions page ({pull}139982[#139982]).
+* Shows host names on the Endpoints Response actions page ({pull}139379[#139379]).
+
+[discrete]
+[[bug-fixes-8.5.0]]
+==== Bug fixes and enhancements
+* Endpoint response actions console UI indicates if response action commands aren't supported by the installed version of {agent} ({pull}138662[#138662]).
+* Fixes a bug that sometimes caused event correlation rule (EQL) errors whenever rule queries contained regular expressions using wildcard fields and predefined character classes (for example, `\w`, `\s`, `\d`) (https://github.com/elastic/elasticsearch/pull/90064[#90064]).
+* Adds the `has_guide` tag to all prebuilt rules with investigation guides. Users can filter the Rules table by this tag to quickly find prebuilt rules with investigation guides (https://github.com/elastic/detection-rules/pull/2297[#2297]).
+* Informs users when the event analyzer's current time range is too narrow to include event data ({pull}140831[#140831]).
+* Lets users inspect bar charts and data grids, as with other data visualizations ({pull}140810[#140810]).
+* Makes the Indicators table sortable by any column ({pull}140582[#140582]).
+* Provides the ability to add fields to Indicators table ({pull}138882[#138882]).
+* Updates the rule preview UI to be available at any step of creating or editing a detection rule. Rule previews are also now available for Elastic prebuilt rules, and include exceptions and field overrides ({pull}140221[#140221]).
+* Adds an overview tab to the Indicator details flyout ({pull}140073[#140073]).
-* Adds an overview tab to the Indicator details flyout ({pull}140073[#140073]).
+* Adds an Overview tab to the Indicator details flyout ({pull}140073[#140073]).
-* Adds an overview tab to the Indicator details flyout ({pull}140073[#140073]).
+* Adds an Overview tab to the Indicator details flyout ({pull}140073[#140073]).
+* Improves the UI for saved rule queries ({pull}140064[#140064]).
+* Computes `threat.indicator.name` on the {es} server instead of on the client ({pull}139814[#139814]).
+* Makes the state of tables throughout {elastic-sec} persist; for example, when users toggle between table view and grid view ({pull}139696[#139696]).
+* Lets users enable multiple filters using various plus `+` and minus `-` buttons. Previously, adding a new filter in this way could remove the existing filters ({pull}139616[#139616]).
+* Updates rule details page URLs to specify which tab to focus ({pull}139592[#139592]).
+* Simplifies the process of adding a rule exception ({pull}138169[#138169]).
+* Hides the process ancestry insights interface when data is unavailable ({pull}141751[#141751]).
+* Formats the Rules table's `Last Gap` column in a human readable way ({pull}141363[#141363]).
+* Introduces fuzzy search for user names in the Actions Log ({pull}141239[#141239]).
+* Improves the layout for the *Add Field* menu ({pull}141084[#141084]).
+* Restores users' ability to create exceptions with leading or trailing white space ({pull}139617[#139617]).
+* Fixes two minor bugs with the *Overwrite existing rules* option for rule import ({pull}138758[#138758], {pull}139470[#139470]).
+* Fixes a bug that made the `binary` field type appear usable in Exception entries despite not being supported ({pull}139370[#139370]).
+* Fixes a bug that prevented a toast message from appearing after users export a rule from the rule details page ({pull}139209[#139209]).
+* Fixes sorting and pagination bugs on the *Import value lists* menu ({pull}138381[#138381]).
+* Mimics native link behavior for single-page application links ({pull}142304[#142304]).
+* Fixes validation issues within the rule Actions tab ({pull}141811[#141811]).
+* Fixes a bug with visualization types on the Hosts, Network, Users page ({pull}141235[#141235]).
+* Updates the documentation link on the Trusted applications page ({pull}142467[#142467]).
+* Provides the ability to run Osquery from a rule's investigation guide ({pull}95149[#95149]).
+* Improves Timeline’s performance when users investigate alerts related by process ancestry ({pull}142805[#142805]).
+* Fixes a rule import bug that removed references to exception lists ({pull}143882[#143882]).
+* Fixes a bug that prevented the authentication area chart on the Users page to be opened in Lens ({pull}144011[#144011]).
+* Shows the Host isolation exceptions page if users have a https://www.elastic.co/pricing[Platinum or Enterprise subscription] ({pull}143362[#143362]).
+* Fixes displayed commands in the Endpoint response actions log ({pull}140378[#140378]).
+* Updates the pagination header color in the Endpoint response actions history table ({pull}141847[#141847]).