From f1381d456c4c8ada35d31d0d1a42919f4f7cdf20 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 18:32:06 -0500 Subject: [PATCH 01/20] First draft --- docs/release-notes/8.16.asciidoc | 114 +++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index c95df615a3..8cccf796ad 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -9,6 +9,63 @@ [[known-issue-8.16.1]] ==== Known issues +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab will not load properly if exceptions contain comments with the newline character (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with the newline character (`\n`). This issue occurs when you upgrade to 8.16.0 or later. + +*Workaround* + + +For custom rules: + +. <> the rule or rules with the affected exception lists. +. Open the `.ndjson` file, remove newline characters from exception comments, then save your changes. +. <> the rules. In the Import rules modal, make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +. Fetch the affected exception list ID or IDs associated with the rule. You will need the `id`, `list_id`, and `namespace_type` to retrieve the exception list using the Exception list API. The values for these parameters are in the response for the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. +.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. +.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: ++ +[source,console] +---- +curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +---- ++ +.. 
The JSON response will contain the appropriate identifiers within the `exceptions_list` key, for example: ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). ++ +The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. +==== +// end::known-issue[201820] + // tag::known-issue[] [discrete] .Duplicate alerts can be produced from manually running threshold rules 
@@ -50,6 +107,63 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[known-issue-8.16.0]] ==== Known issues +// tag::known-issue[201820] +[discrete] +.The **Exceptions** tab will not load properly if exceptions contain comments with the newline character (`\n`) +[%collapsible] +==== +*Details* + +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with the newline character (`\n`). This issue occurs when you upgrade to 8.16.0 or later. + +*Workaround* + + +For custom rules: + +. <> the rule or rules with the affected exception lists. +. Open the `.ndjson` file, remove newline characters from exception comments, then save your changes. +. <> the rules. In the Import rules modal, make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. + +For prebuilt rules: + +. Fetch the affected exception list ID or IDs associated with the rule. You will need the `id`, `list_id`, and `namespace_type` to retrieve the exception list using the Exception list API. The values for these parameters are in the response for the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. +.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. +.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: ++ +[source,console] +---- +curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +---- ++ +.. 
The JSON response will contain the appropriate identifiers within the `exceptions_list` key, for example: ++ +[source,console] +---- +{ + "id": "167a5f6f-2148-4792-8226-b5e7a58ef46e", + "exceptions_list": [ + { + "id": "490525a2-eb66-4320-95b5-88bdd1302dc4", + "list_id": "f75aae6f-0229-413f-881d-81cb3abfbe2d", + "namespace_type": "single" + } + ] +} +---- ++ +. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: ++ +[source,console] +---- +curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +---- ++ +. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). ++ +The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. +==== +// end::known-issue[201820] + // tag::known-issue[] [discrete] .Attempting to edit an Elastic AI Assistant Knowledge Base index results in an error From 8373c608bdd3f6d643654f7bb50fd96d9489c2e0 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:03:39 -0500 Subject: [PATCH 02/20] Minor tweaks --- docs/release-notes/8.16.asciidoc | 34 ++++++++++++++++---------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 8cccf796ad..37cb008eef 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -11,23 +11,23 @@ // tag::known-issue[201820] [discrete] -.The **Exceptions** tab will not load properly if exceptions contain comments with the newline character (`\n`) +.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with the newline character (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. *Workaround* + For custom rules: -. <> the rule or rules with the affected exception lists. -. Open the `.ndjson` file, remove newline characters from exception comments, then save your changes. -. <> the rules. In the Import rules modal, make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. From the {security-app}, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: -. Fetch the affected exception list ID or IDs associated with the rule. You will need the `id`, `list_id`, and `namespace_type` to retrieve the exception list using the Exception list API. The values for these parameters are in the response for the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. +. Fetch the affected exception list ID or IDs that are associated with the rule. .. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. 
For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + @@ -36,7 +36,7 @@ For prebuilt rules: curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme ---- + -.. The JSON response will contain the appropriate identifiers within the `exceptions_list` key, for example: +.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. + [source,console] ---- @@ -60,7 +60,7 @@ curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 202 ---- + . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. ==== 
@@ -107,25 +107,25 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[known-issue-8.16.0]] ==== Known issues -// tag::known-issue[201820] +/// tag::known-issue[201820] [discrete] -.The **Exceptions** tab will not load properly if exceptions contain comments with the newline character (`\n`) +.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with the newline character (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. *Workaround* + For custom rules: -. <> the rule or rules with the affected exception lists. -. Open the `.ndjson` file, remove newline characters from exception comments, then save your changes. -. <> the rules. In the Import rules modal, make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. From the {security-app}, <> the rule or rules with the affected exception lists. +. Modify the `.ndjson` file so `comments` no longer contain newline characters. +. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: -. Fetch the affected exception list ID or IDs associated with the rule. You will need the `id`, `list_id`, and `namespace_type` to retrieve the exception list using the Exception list API. The values for these parameters are in the response for the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. +. Fetch the affected exception list ID or IDs that are associated with the rule. .. 
Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + @@ -134,7 +134,7 @@ For prebuilt rules: curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme ---- + -.. The JSON response will contain the appropriate identifiers within the `exceptions_list` key, for example: +.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. + [source,console] ---- 
@@ -158,7 +158,7 @@ curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 202 ---- + . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. ==== From de5a222ae7463f7d8bf1416e3e9e7412910e5d12 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:05:24 -0500 Subject: [PATCH 03/20] missing word --- docs/release-notes/8.16.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 37cb008eef..b37b86ffc0 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -28,7 +28,7 @@ For custom rules: For prebuilt rules: . Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. +.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + [source,console] @@ -126,7 +126,7 @@ For custom rules: For prebuilt rules: . Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a `id`. +.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + [source,console] 
From 38581f60c1d4d9f1397ad12bc84989cb1a34b48c Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:08:35 -0500 Subject: [PATCH 04/20] Grammar --- docs/release-notes/8.16.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index b37b86ffc0..e13af2db12 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -62,7 +62,7 @@ curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 202 . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). . From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. +The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. ==== // end::known-issue[201820] 
@@ -160,7 +160,7 @@ curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 202 . Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). . From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the list already exists. After this failure, a option to overwrite the existing list will appear. Select the option and re-submit the import request. This will import the updated exception list. +The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. ==== // end::known-issue[201820] From 0ca9743a931d3d136a5f834dfc723befb329b8ad Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Thu, 5 Dec 2024 19:34:50 -0500 Subject: [PATCH 05/20] More small tweaks --- docs/release-notes/8.16.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index e13af2db12..0563912c9a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -11,7 +11,7 @@ // tag::known-issue[201820] [discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] ==== *Details* + 
@@ -28,7 +28,7 @@ For custom rules: For prebuilt rules: . Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. +.. Find the affected rule's ID (`id`). From the {security-app}, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + [source,console] @@ -109,7 +109,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul /// tag::known-issue[201820] [discrete] -.The **Exceptions** tab won't properly load if exceptions contain comments with the newline character (`\n`) +.The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] ==== *Details* + 
@@ -126,7 +126,7 @@ For custom rules: For prebuilt rules: . Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open rule's details page, go to the page's URL, and copy the string at the end. For example, the string `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end of the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e is a rule `id`. +.. Find the affected rule's ID (`id`). From the {security-app}, , open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: + [source,console] From 69760429a1bc479db73f3ad82fae8f6a0f763102 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 13:29:30 -0500 Subject: [PATCH 06/20] Ryland's input --- docs/release-notes/8.16.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 0563912c9a..705649da82 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -27,6 +27,8 @@ For custom rules: For prebuilt rules: +NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. + . Fetch the affected exception list ID or IDs that are associated with the rule. .. Find the affected rule's ID (`id`). From the {security-app}, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: From 6defa727fe8af54914ed116ffcbf0a766de4dff9 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 13:36:25 -0500 Subject: [PATCH 07/20] Small fixes --- docs/release-notes/8.16.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 705649da82..0cbf5db4eb 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -109,7 +109,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [[known-issue-8.16.0]] ==== Known issues -/// tag::known-issue[201820] +// tag::known-issue[201820] [discrete] .The **Exceptions** tab won't properly load if exceptions contain comments with newline characters (`\n`) [%collapsible] 
@@ -127,6 +127,8 @@ For custom rules: For prebuilt rules: +NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. + . Fetch the affected exception list ID or IDs that are associated with the rule. .. Find the affected rule's ID (`id`). From the {security-app}, , open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. .. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: From 718321064587205a95cd8c086c45c93c2196da0e Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 14:05:08 -0500 Subject: [PATCH 08/20] Cleanup --- docs/release-notes/8.16.asciidoc | 44 ++++++++++++++++---------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 0cbf5db4eb..4219298a12 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -15,30 +15,30 @@ [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. *Workaround* + For custom rules: -. From the {security-app}, <> the rule or rules with the affected exception lists. +. From the **Rules** page, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. -. Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. -.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. Find the affected rule's ID (`id`). 
From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: + [source,console] ---- curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme ---- + -.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + [source,console] ---- 
@@ -54,17 +54,17 @@ curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5 } ---- + -. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: + [source,console] ---- curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + -. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. 
Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] 
@@ -115,30 +115,30 @@ On November 12, 2024, it was discovered that manually running a custom query rul [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab will not load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. *Workaround* + For custom rules: -. From the {security-app}, <> the rule or rules with the affected exception lists. +. From the **Rules** page, <> the rule or rules with the affected exception lists. . Modify the `.ndjson` file so `comments` no longer contain newline characters. -. Return to the {security-app} and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. +. Return to the **Rules** page and <> the rules. Make sure to select the **Overwrite existing exception lists with conflicting "list_id"** option. For prebuilt rules: NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. -. Fetch the affected exception list ID or IDs that are associated with the rule. -.. Find the affected rule's ID (`id`). From the {security-app}, , open the rule's details page, go to the page URL, and copy the string at the end. For example, the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e contains the `id` `167a5f6f-2148-4792-8226-b5e7a58ef46e` at the end. -.. Use the `id` to fetch the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the rule ID: +. Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: +.. 
Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. +.. Specify the `id` when fetching the rule's details using the {api-kibana}/operation/operation-readrule[Retrieve a detection rule API]. Here is an example request that includes the `id`: + [source,console] ---- curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme ---- + -.. The JSON response will contain the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You will need these values to retrieve the exception list using the Exception list API. +.. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. + [source,console] ---- 
@@ -154,17 +154,17 @@ curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5 } ---- + -. Retrieve the affected exception list using the export exceptions API. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: +. Use the export exceptions API to retrieve the affected exception list. Insert the values for the `id`, `list_id`, and `namespace_type` parameters into the following API call: + [source,console] ---- curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + -. Modify the exception list's `.ndjson` file to ensure that no `comments[].comment` values contain newline characters (`\n`). -. From the {security-app}, re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). +. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). + -The import will initially fail because the exception list already exists. After the failure, an option to overwrite the existing list appears. Select the option, then resubmit the request to import the updated exception list. +Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. 
Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From e3f82b0c8527b62a8a7b83b96f8195bee28a0771 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:40:16 -0500 Subject: [PATCH 09/20] Update docs/release-notes/8.16.asciidoc Co-authored-by: Ryland Herrick --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 4219298a12..fa890456be 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -27,7 +27,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the **<>** page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. From 9bf6c651517374cf4096314cbc1967e7d700801f Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:40:51 -0500 Subject: [PATCH 10/20] Update docs/release-notes/8.16.asciidoc Co-authored-by: Ryland Herrick --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index fa890456be..c724dfa03b 100644 --- a/docs/release-notes/8.16.asciidoc 
+++ b/docs/release-notes/8.16.asciidoc @@ -58,7 +58,7 @@ curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5 + [source,console] ---- -curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). From e20aef057c1f85d7d0c403cf97c7e8ce743b90bf Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:40:57 -0500 Subject: [PATCH 11/20] Update docs/release-notes/8.16.asciidoc Co-authored-by: Ryland Herrick --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index c724dfa03b..a6aa2f746a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -135,7 +135,7 @@ NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, + [source,console] ---- -curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. From 90394fc4c766adae261b3e9f1528332970497aae Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Fri, 6 Dec 2024 15:44:59 -0500 Subject: [PATCH 12/20] Update docs/release-notes/8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index a6aa2f746a..5198fbcd2a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -62,7 +62,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Re-import the modified exception list using **Import exception lists** option on the **<>** page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== From 2be7285badb28319cd3f6fbc235772e8c164d42b Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 16:32:21 -0500 Subject: [PATCH 13/20] Formatting fixes --- docs/release-notes/8.16.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 5198fbcd2a..8ed88ed3b6 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -27,7 +27,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the **<>** page. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. @@ -35,7 +35,7 @@ NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can + [source,console] ---- -curl -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' http://localhost:5601/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e -u elastic:changeme +curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' KIBANA_URL/api/detection_engine/rules?id=167a5f6f-2148-4792-8226-b5e7a58ef46e ---- + .. The JSON response contains the `id`, `list_id`, and `namespace_type` values within the `exceptions_list` key (as shown below). You need these values when using the Exception list API to retrieve the affected exception list. 
@@ -127,7 +127,7 @@ For custom rules: For prebuilt rules: -NOTE: If you only need to fix Endpoint exceptions for the Elastic Endpoint rule, follow the above instructions for fixing custom rule exceptions. +NOTE: If you only need to fix exceptions for the Elastic Endpoint rule, you can export and re-import its exception list from the <> page. . Follow these steps to fetch the affected exception list ID or IDs that are associated with the rule: .. Find the affected rule's ID (`id`). From the **Rules** page, open the details of a rule, go to the page URL, and copy the string at the end. For example, in the URL http://host.name/app/security/rules/id/167a5f6f-2148-4792-8226-b5e7a58ef46e, the string at the end (`167a5f6f-2148-4792-8226-b5e7a58ef46e`) is the `id`. From 4d0cfdc4585ea8acb8403ed5a79c085b2f6932e1 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Fri, 6 Dec 2024 16:34:42 -0500 Subject: [PATCH 14/20] fixes sample commands --- docs/release-notes/8.16.asciidoc | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 8ed88ed3b6..28157a05c3 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -62,7 +62,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **<>** page. +. Re-import the modified exception list using **Import exception lists** option on the <> page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== 
@@ -158,11 +158,11 @@ curl -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api + [source,console] ---- -curl -XPOST -u elastic:changeme -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'http://localhost:5601/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson +curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elastic-api-version: 2023-10-31' 'KIBANA_URL/api/exception_lists/_export?list_id=f75aae6f-0229-413f-881d-81cb3abfbe2d&id=490525a2-eb66-4320-95b5-88bdd1302dc4&namespace_type=single' -o list.ndjson ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the **Shared Exception Lists** page (find the page in the navigation menu or by using the {kibana-ref}/introduction.html#kibana-navigation-search[global search field]). +. Re-import the modified exception list using **Import exception lists** option on the <> page. + Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== From 1d014135df8e073d4b3327d6e5a6f8cbc908a84d Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:56:19 -0500 Subject: [PATCH 15/20] Update docs/release-notes/8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 28157a05c3..d652b094b8 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -15,7 +15,7 @@ [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}[#201820]). *Workaround* + From 1c63272b0e1200fb453fea11e8207443da109ab6 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:57:31 -0500 Subject: [PATCH 16/20] Update docs/release-notes/8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index d652b094b8..efc43e5e3a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -15,7 +15,7 @@ [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}[#201820]). +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). *Workaround* + From 526e18032e4e2548e1f02d315f8dc3e04964ea00 Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Mon, 9 Dec 2024 16:57:53 -0500 Subject: [PATCH 17/20] Update docs/release-notes/8.16.asciidoc --- docs/release-notes/8.16.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index efc43e5e3a..f4068a7a8a 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -115,7 +115,7 @@ On November 12, 2024, it was discovered that manually running a custom query rul [%collapsible] ==== *Details* + -On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later. +On December 5, 2024, it was discovered that the **Exceptions** tab won't load properly if any exceptions contain comments with newline characters (`\n`). This issue occurs when you upgrade to 8.16.0 or later ({kibana-issue}201820[#201820]). *Workaround* + From 3718daacd0f501ede64c699d8fd57ccb0e241f77 Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Mon, 9 Dec 2024 22:21:07 -0500 Subject: [PATCH 18/20] Updates last step --- docs/release-notes/8.16.asciidoc | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index f4068a7a8a..36b3746536 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc 
@@ -62,9 +62,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. -+ -Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] @@ -162,9 +160,7 @@ curl -XPOST -H 'Authorization: ApiKey API_KEY_HERE' -H 'kbn-xsrf: true' -H 'elas ---- + . Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`). -. Re-import the modified exception list using **Import exception lists** option on the <> page. -+ -Note that the import will initially fail because the exception list already exists. After the initial failure, an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. +. Re-import the modified exception list using **Import exception lists** option on the <> page. The import will initially fail because the exception list already exists, and an option to overwrite the existing list will appear. Select the option, then resubmit the request to import the corrected exception list. ==== // end::known-issue[201820] From 74deb3738eab78c123439f1c7ecde25053f854cf Mon Sep 17 00:00:00 2001 
From: "nastasha.solomon" Date: Wed, 11 Dec 2024 08:27:56 -0500 Subject: [PATCH 19/20] Adds fix info --- docs/release-notes/8.16.asciidoc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index 36b3746536..dd02fd5624 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -19,6 +19,8 @@ On December 5, 2024, it was discovered that the **Exceptions** tab won't load pr *Workaround* + +Upgrade to 8.16.2. Alternatively, follow the instructions below. + For custom rules: . From the **Rules** page, <> the rule or rules with the affected exception lists. @@ -117,6 +119,8 @@ On December 5, 2024, it was discovered that the **Exceptions** tab won't load pr *Workaround* + +Upgrade to 8.16.2. Alternatively, follow the instructions below. + For custom rules: . From the **Rules** page, <> the rule or rules with the affected exception lists. From 598a11fc595493e8294c1b8f772d070b14def07f Mon Sep 17 00:00:00 2001 From: "nastasha.solomon" Date: Wed, 11 Dec 2024 08:40:36 -0500 Subject: [PATCH 20/20] Removes fix details --- docs/release-notes/8.16.asciidoc | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/release-notes/8.16.asciidoc b/docs/release-notes/8.16.asciidoc index dd02fd5624..36b3746536 100644 --- a/docs/release-notes/8.16.asciidoc +++ b/docs/release-notes/8.16.asciidoc @@ -19,8 +19,6 @@ On December 5, 2024, it was discovered that the **Exceptions** tab won't load pr *Workaround* + -Upgrade to 8.16.2. Alternatively, follow the instructions below. - For custom rules: . From the **Rules** page, <> the rule or rules with the affected exception lists. @@ -119,8 +117,6 @@ On December 5, 2024, it was discovered that the **Exceptions** tab won't load pr *Workaround* + -Upgrade to 8.16.2. Alternatively, follow the instructions below. - For custom rules: . From the **Rules** page, <> the rule or rules with the affected exception lists.
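Review bot: In PATCH 11 (hunk `@@ -135,7 +135,7`) and PATCH 13 (hunk `@@ -35,7 +35,7`) the new rule-lookup command passes `KIBANA_URL/api/detection_engine/rules?id=167a5f6f-...` unquoted, while the `_export` command in the same procedure wraps its URL in single quotes. An unquoted `?` is a glob character, and shells such as zsh can reject the command before curl ever runs. Quote the URL so both sample commands behave the same when pasted.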
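Review bot: The placeholders `API_KEY_HERE` and `KIBANA_URL` introduced in PATCH 10, 11, 13 and 14 are never explained in the surrounding steps. Replacing `-u elastic:changeme` with an API key header is the right direction, but the step text should tell the reader to substitute their own Kibana URL and API key. Consider also adding `--fail` to the `_export` call: with `-o list.ndjson` and no `--fail`, an error response body is saved as `list.ndjson` and the reader may go on to edit and re-import it.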
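Review bot: The known issue exists twice in this file under the same `// tag::known-issue[201820]` marker, and the two copies drift across the series: PATCH 10 and 12 change only the copy around lines 58-62, PATCH 11 changes only the copy around line 135, and PATCH 13, 14 and 17 exist largely to bring the other copy level. Either keep one tagged copy and include it by tag where the second is needed, or squash the series so each logical change updates both copies in the same commit. As it stands, any intermediate commit shows readers two different sets of commands for the same workaround.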
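Review bot: The edit step "Modify the exception list's `.ndjson` file to ensure `comments[].comment` values don't contain newline characters (`\n`)" (hunks `@@ -54,17 +54,17` and `@@ -154,17 +154,17`, carried unchanged through PATCH 18) does not say what the reader should look for in the file. In NDJSON each record occupies one line, so the newline inside a comment is stored as the escape sequence `\n` within the JSON string, not as a line break; a reader who joins or splits physical lines will corrupt the export. State that the `\n` escape inside the comment string is what must be removed or replaced, and that each record must stay on a single line. The custom-rules step (hunk `@@ -115,30 +115,30`) refers to `comments` while the prebuilt-rules step names `comments[].comment`; use the same field reference in both.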
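Review bot: The final step as merged in PATCH 18 (hunks `@@ -62,9 +62,7` and `@@ -160,9 +160,7`) still reads "using **Import exception lists** option"; it needs the article: "using the **Import exception lists** option". The same sentence also folds the expected first-attempt failure into one long step. Since the reader has to act after the failure (select the overwrite option, then resubmit), the sequence would be easier to follow as sub-steps, in the `..` style already used for the rule-lookup steps.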
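Review bot: PATCH 19 adds "Upgrade to 8.16.2. Alternatively, follow the instructions below." under *Workaround* in both copies and PATCH 20 removes the same four lines, so the pair is a net no-op and should be dropped from the series before merge. The same applies to PATCH 15 and 16, where the link `{kibana-issue}[#201820]` is added and then immediately corrected to `{kibana-issue}201820[#201820]`; squash the correction into the commit that introduces the link. If a fixed version is confirmed later, put it under its own label rather than under *Workaround*, since an upgrade is the fix and the manual export and re-import is the workaround.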