[Known Issue] Doc Elastic Defend bug that stopped security events from populating the user.name field (#5786) (#5788)

* First draft

* Update docs/release-notes/8.14.asciidoc

Co-authored-by: Gabriel Landau <[email protected]>

* Update docs/release-notes/8.14.asciidoc

Co-authored-by: Gabriel Landau <[email protected]>

* Update docs/release-notes/8.14.asciidoc

Co-authored-by: Gabriel Landau <[email protected]>

* Update docs/release-notes/8.14.asciidoc

Co-authored-by: Gabriel Landau <[email protected]>

* Update docs/release-notes/8.15.asciidoc

Co-authored-by: Gabriel Landau <[email protected]>

---------

Co-authored-by: Gabriel Landau <[email protected]>
(cherry picked from commit 665ff37)

# Conflicts:
#	docs/release-notes/8.15.asciidoc

Co-authored-by: Nastasha Solomon <[email protected]>

Author: mergify[bot]

docs/release-notes/8.14.asciidoc

@@ -5,6 +5,27 @@
 [[release-notes-8.14.3]]
 === 8.14.3
 
+[discrete]
+[[known-issue-8.14.3]]
+==== Known issues
+
+// tag::known-issue-14686[]
+[discrete]
+.{elastic-endpoint} does not properly populate the `user.name` field in security events
+[%collapsible]
+====
+*Details* +
+{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-14686[]
+
 [discrete]
 [[bug-fixes-8.14.3]]
 ==== Bug fixes
@@ -15,6 +36,27 @@
 [[release-notes-8.14.2]]
 === 8.14.2
 
+[discrete]
+[[known-issue-8.14.2]]
+==== Known issues
+
+// tag::known-issue-14686[]
+[discrete]
+.{elastic-endpoint} does not properly populate the `user.name` field in security events
+[%collapsible]
+====
+*Details* +
+{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-14686[]
+
 [discrete]
 [[bug-fixes-8.14.2]]
 ==== Bug fixes
@@ -25,6 +67,27 @@ There are no user-facing changes in 8.14.2.
 [[release-notes-8.14.1]]
 === 8.14.1
 
+[discrete]
+[[known-issue-8.14.1]]
+==== Known issues
+
+// tag::known-issue-14686[]
+[discrete]
+.{elastic-endpoint} does not properly populate the `user.name` field in security events
+[%collapsible]
+====
+*Details* +
+{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-14686[]
+
 [discrete]
 [[bug-fixes-8.14.1]]
 ==== Bug fixes
@@ -39,6 +102,27 @@ There are no user-facing changes in 8.14.2.
 [[release-notes-8.14.0]]
 === 8.14.0
 
+[discrete]
+[[known-issue-8.14.0]]
+==== Known issues
+
+// tag::known-issue-14686[]
+[discrete]
+.{elastic-endpoint} does not properly populate the `user.name` field in security events
+[%collapsible]
+====
+*Details* +
+{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-14686[]
+
 [discrete]
 [[features-8.14.0]]
 ==== New features

docs/release-notes/8.15.asciidoc

@@ -0,0 +1,181 @@
+[[release-notes-header-8.15.0]]
+== 8.15
+
+[discrete]
+[[release-notes-8.15.1]]
+=== 8.15.1
+
+[discrete]
+[[known-issue-8.15.1]]
+==== Known issues
+
+// tag::known-issue-189676[]
+[discrete]
+.Tags appear in Elastic AI Assistant's responses
+[%collapsible]
+====
+*Details* +
+On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `<antThinking>` tags, for example `<search_quality_reflection>` ({kibana-issue}189676[#189676]).
+
+
+====
+// end::known-issue-189676[]
+
+[discrete]
+[[features-8.15.1]]
+==== New features
+
+* Introduces a new feature for {elastic-defend} where Windows Image load events now include process protection status, making it easier to detect both legitimate and malicious PPL activity.
+* Allows you to examine Jamf data in the visual event analyzer ({kibana-pull}190965[#190965]).
+
+[discrete]
+[[enhancements-8.15.1]]
+==== Enhancements
+
+* Improves {elastic-defend} by reducing Malware Protection disk I/O and CPU usage when recently written files are subsequently executed. This update is for Windows endpoints only.
+* Makes several improvements to the detection and parsing of log samples uploaded to automatic import ({kibana-pull}190588[#190588], {kibana-pull}191502[#191502], {kibana-pull}190656[#190656], {kibana-pull}190046[#190046]).
+* Improves error handling for the Tines connector, and provides an option to use a webhook URL when connecting to the Tines API ({kibana-pull}191263[#191263]).
+
+[discrete]
+[[bug-fixes-8.15.1]]
+==== Bug fixes
+
+* Fixes an {elastic-defend} bug that affected CPU usage for Windows process events where the same executable is repeatedly launched, for example, during compilation workloads. With this fix, CPU usage is improved.
+* Fixes an {elastic-defend} bug that sometimes caused malware scan response actions to crash when they attempted to scan an inaccessible directory. 
+* Fixes an {elastic-defend} bug that sometimes caused {elastic-endpoint} to report an incorrect version if it used an independent {agent} release.
+* Fixes an {elastic-defend} bug where the `process.thread.Ext.call_stack_final_user_module.protection_provenance_path` field might be populated with a non-path value. This fix is for Windows endpoints only.
+* Fixes an {elastic-defend} bug that can lead to {elastic-endpoint} reporting `STATUS_ACCESS_DENIED` when attempting to open files for `GENERIC_READ`. {elastic-endpoint} almost always recovered from this issue, but with this fix, it succeeds on the first try. This fix is for Windows endpoints only.
+* Fixes an {elastic-defend} regression that was introduced in 8.14.0, where security events did not populate the `user.name` field. This fix is for Windows endpoints only.
+* Fixes an {elastic-defend} bug where {elastic-endpoint} sometimes missed file and network events on newer kernels that support eBPF. This only occurred if {elastic-endpoint} failed to enable eBPF probes and fell back to Kprobes. This fix is for Linux endpoints only.
+* Fixes a bug that caused errors if you used Azure OpenAI connector for streaming ({kibana-pull}191552[#191552]).
+* Fixes a bug that prevented duplicated prebuilt rules from inheriting **Required fields** and **Related integrations** field values ({kibana-pull}191065[#191065]).
+* Turns off the option to assign users to an alert if no assignees exist ({kibana-pull}190937[#190937]).
+* Fixes a bug that prevented Timeline template settings from being applied to new Timelines that were generated by a rule ({kibana-pull}190511[#190511]).
+* Fixes a bug that hid the option to select a connector for Elastic AI Assistant ({kibana-pull}189944[#189944]).
+* Removes the option to manually bulk-run multiple rules ({kibana-pull}190781[#190781]).
+
+[discrete]
+[[release-notes-8.15.0]]
+=== 8.15.0
+
+[discrete]
+[[known-issue-8.15.0]]
+==== Known issues
+
+// tag::known-issue-189676[]
+[discrete]
+.Tags appear in Elastic AI Assistant's responses
+[%collapsible]
+====
+*Details* +
+On August 1, 2024, it was discovered that Elastic AI Assistant's responses when using Bedrock Sonnet 3.5 may include `<antThinking>` tags, for example `<search_quality_reflection>` ({kibana-issue}189676[#189676]).
+
+
+====
+// end::known-issue-189676[]
+
+// tag::known-issue-5713[]
+[discrete]
+.The option to manually run multiple rules is available in the bulk actions menu on the Rules page
+[%collapsible]
+====
+*Details* +
+On August 20, 2024, it was discovered that the bulk actions menu on the Rules page erroneously had the option to manually run multiple rules.  
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-5713[]
+
+// tag::known-issue-14686[]
+[discrete]
+.{elastic-endpoint} does not properly populate the `user.name` field in security events
+[%collapsible]
+====
+*Details* +
+{elastic-endpoint} for Windows will not properly populate the `user.name` field with security events.
+
+*Workaround* +
+Upgrade to 8.15.1.
+
+*Resolved* +
+On September 5, 2024, this issue was resolved.
+
+====
+// end::known-issue-14686[]
+
+[discrete]
+[[breaking-changes-8.15.0]]
+==== Breaking changes
+
+* If you previously created any user-defined quick prompts for Elastic AI Assistant, they will no longer appear after you upgrade to 8.15. To resolve this, copy your existing quick prompts prior to upgrading, then add them again after upgrading. Additionally, in 8.15, quick prompts are shared by all users in your deployment, rather than saved at the user level ({kibana-pull}187040[#187040]).
+
+[discrete]
+[[features-8.15.0]]
+==== New features
+
+* Introduces Automatic Import, a feature that helps you to quickly parse, ingest, and create ECS mappings for data from sources that don't yet have prebuilt Elastic integrations ({kibana-pull}186304[#186304]).
+* Creates an LLM connector for Google Gemini ({kibana-pull}183668[#183668]).
+* Adds an API for Elastic AI Assistant ({kibana-pull}184485[#184485]).
+* Adds the `scan` action to the response console, which allows you to scan a specific file or directory on a host for malware ({kibana-pull}184723[#184723]).
+* Adds an {elastic-defend} integration policy option in Advanced Settings that allows you to opt out of registry event filtering ({kibana-pull}186564[#186564]).
+* Allows you to specify additional file and registry paths to monitor for read access ({kibana-pull}181361[#181361]).
+* Allows you to use {elastic-sec} to isolate and release hosts running a CrowdStrike agent ({kibana-pull}186801[#186801]).
+* Allows you to retrieve files from SentinelOne-enrolled hosts ({kibana-pull}181162[#181162]).
+* Allows you to create an event filter that excludes the descendant events of a specific process ({kibana-pull}184947[#184947]).
+* Recalculates entity risk scores when asset criticality changes on an individual entity ({kibana-pull}182234[#182234]).
+* Adds an **Asset criticality** column to user and host data tables. If asset criticality levels are assigned to your users and hosts, this information appears in the **Asset criticality** column ({kibana-pull}186375[#186375], {kibana-pull}186456[#186456]).
+* Adds an API that allows you to perform paginated KQL searches through asset criticality records ({kibana-pull}186568[#186568]).
+* Adds public APIs for managing asset criticality ({kibana-pull}186169[#186169]).
+* Allows you to edit the `max_signals`, `related_integrations`, and `required_fields` fields for custom rules ({kibana-pull}179680[#179680], {kibana-pull}178295[#178295], {kibana-pull}180682[#180682]).
+* Provides help from AI Assistant when you're correcting rule query errors ({kibana-pull}179091[#179091]).  
+* Allows you to bulk update custom highlighted fields for rules ({kibana-pull}179312[#179312]).
+* Adds alert suppression for {ml} and {esql} rules ({kibana-pull}181926[#181926], {kibana-pull}180927[#180927]).
+* Provides previews of hosts, users, and alerts that you're examining in the alert details flyout ({kibana-pull}186850[#186850], {kibana-pull}186857[#186857]).
+* Enhances Timeline’s data exploration experience by incorporating components from Discover, such as the sidebar and table, which allow you to quickly find fields of interest. Timeline’s overall performance is also improved ({kibana-pull}176064[#176064]).
+* Adds an option for toggling row renderers on and off, and moves notes to a new flyout in Timeline ({kibana-pull}186948[#186948]).
+* Revamps the Dashboards landing page ({kibana-pull}186465[#186465]).
+
+[discrete]
+[[enhancements-8.15.0]]
+==== Enhancements
+
+* Allows Attack discovery generation to continue when you navigate to another page, and allows you to run Attack discovery with multiple connectors simultaneously. ({kibana-pull}184949[#184949]).
+* Adds notifications to the connector dropdown menu on the Attack discovery page so you know when other connectors have new discoveries ({kibana-pull}186903[#186903], {kibana-pull}187209[#187209]).
+* Improves AI Assistant's responses across multiple connectors and in multiple scenarios for streaming and non-streaming use cases ({kibana-pull}182041[#182041], {kibana-pull}187183[#187183]).
+* Enables AI Assistant to remember information you ask it to remember ({kibana-pull}184554[#184554], https://github.com/elastic/security-docs/issues/5670[#5670]).
+* Updates the default Gemini version to `gemini-1.5-pro-001` and the default Bedrock version to `anthropic.claude-3-5-sonnet-20240620-v1:0` ({kibana-pull}186671[#186671]).
+* Simplifies how you enable AI Assistant's knowledge base ({kibana-pull}182763[#182763]).
+* Unifies the AI Assistant's settings view ({kibana-pull}184678[#184678]).
+* Introduces a new {elastic-endpoint} policy setting that allows you to control whether the kernel reports Windows network events that happened on a local loopback interface ({kibana-pull}181753[#181753]).
+* Improves how failure messages for the `scan` action appear in the response console ({kibana-pull}186284[#186284]).
+* Improves the risk engine's performance. Now, after you turn on the engine, risk data is available sooner ({kibana-pull}184797[#184797]).
+* Enhances the risk engine's normalization accuracy ({kibana-pull}184638[#184638]).
+* Updates the copy for bulk assigning asset criticality to multiple entities ({kibana-pull}181390[#181390]).
+* Improves visual and logic issues in the Findings table ({kibana-pull}184185[#184185]).
+* Enables the expandable alert details flyout by default and replaces the `securitySolution:enableExpandableFlyout` advanced setting with a feature flag that allows you to revert to the old flyout version ({kibana-pull}184169[#184169]).
+* Improves the UI design and copy of various places in the alert details flyout ({kibana-pull}187430[#187430], {kibana-pull}187920[#187920]). 
+* Updates the MITRE ATT&CK framework to version 15.1 ({kibana-pull}183463[#183463]).
+* Improves the warning message about rule actions being unavailable after a rule ran ({kibana-pull}182741[#182741]).
+* Enables the `xMatters` and `Server Log connectors` rule actions ({kibana-pull}172933[#172933]).
+
+[discrete]
+[[bug-fixes-8.15.0]]
+==== Bug fixes
+
+* Fixes a bug that prevented Timeline from properly retrieving results after upgrading to 8.14.1 ({kibana-pull}189031[#189031]).
+* Fixes a bug that showed that Timeline had been changed, even if it hadn't been ({kibana-pull}188106[#188106]).
+* Removes the option to investigate suppressed alerts in Timeline when you're previewing alert details from a rule preview ({kibana-pull}188385[#188385]).
+* Fixes the alignment of the page selector dropdown menu on the Shared Exception Lists page ({kibana-pull}187956[#187956]).
+* Fixes a rule execution error that occurred when {esql} rules queried source documents with non-ECS compliant sub-fields under the `event.action` field ({kibana-pull}187549[#187549]).
+* Fixes a bug that caused the `Enable entity risk scoring` option to display even when you didn't have the correct requirements ({kibana-pull}183517[#183517]).
+* Prevents `maxClauseCount` errors from occurring for indicator match rules ({kibana-pull}179748[#179748]).
+* Fixes a bug that prevented threat intelligence fields from correctly rendering in the alert details flyout if they had flattened fields ({kibana-pull}179395[#179395]).
+* Removes references in the UI that directed users to outdated documentation for the risk scoring feature ({kibana-pull}187585[#187585]).
+* Fixes a bug on the Get started page that prevented the correct username from being displayed in the greeting message ({kibana-pull}180670[#180670]).
+* Fixes a bug that caused the pagination menu from appearing in the correct place for the Uncommon processes table ({kibana-pull}189201[#189201]).
+* Fixes a bug that affected the panel showing the last command details in the Uncommon processes table ({kibana-pull}187848[#187848]).