Elastic Security known issues
Known issues are significant defects or limitations that may impact your implementation. These issues are actively being worked on and will be addressed in a future release. Review the Elastic Security known issues to help you make informed decisions, such as upgrading to a new version.
The entity risk score feature may stop persisting risk score documents
Applies to: Elastic Stack 9.0.0, 9.0.1, 9.0.2
On May 30, 2025, it was discovered that the entity risk score feature may stop persisting risk score documents if risk scoring was turned on before you upgraded to Elastic Stack 8.18.0+ or 9.0.0+. This is due to a bug that prevents the entity_analytics_create_eventIngest_from_timestamp-pipeline-<space_name> ingest pipeline (which is set as a default pipeline for the risk scoring index in Elastic Stack 8.18.0) from being created when Kibana starts up.
While document persistence may initially succeed, it will eventually fail after 0 to 30 days. This is how long it takes for the risk score data stream to roll over and apply its underlying index settings to the new default pipeline.
NOTE: This bug does not affect Elasticsearch clusters created in Elastic Stack 8.18.0 or 9.0.0 and higher. It also won't affect you if you only turned on entity risk scoring in Elastic Stack 8.18.0 or 9.0.0 and higher.
Workaround
To resolve this issue, apply the following workaround before or after upgrading to Elastic Stack 9.0.0 or higher.
First, manually create the ingest pipeline in each space that has entity risk scoring turned on. You can do this with a PUT request, as shown in the example below. Note that default at the end of the example pipeline name is the Kibana space ID; substitute the ID of each space you are fixing.
PUT /_ingest/pipeline/entity_analytics_create_eventIngest_from_timestamp-pipeline-default
{
  "_meta": {
    "managed_by": "entity_analytics",
    "managed": true
  },
  "description": "Pipeline for adding timestamp value to event.ingested",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}
After you complete this step, risk scores should automatically begin to successfully persist during the entity risk engine's next run. Details for the next run time are described on the Entity risk score page, where you can also manually run the risk score by clicking Run Engine.
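The following is an added example, not part of Elastic's documentation: it plans the PUT requests from the workaround above for every Kibana space whose pipeline is missing (using the parsed response of GET /_ingest/pipeline) and flags risk score backing indices whose index.default_pipeline does not point at the expected pipeline. The sample responses and index names are constructed placeholders; your cluster's actual index names will differ.

```python
import json

PIPELINE_PREFIX = "entity_analytics_create_eventIngest_from_timestamp-pipeline-"

# Pipeline body taken from the workaround above; one pipeline per Kibana space.
PIPELINE_BODY = {
    "_meta": {"managed_by": "entity_analytics", "managed": True},
    "description": "Pipeline for adding timestamp value to event.ingested",
    "processors": [
        {"set": {"field": "event.ingested", "value": "{{_ingest.timestamp}}"}}
    ],
}


def pipeline_name(space_id: str) -> str:
    """The pipeline name is the fixed prefix followed by the Kibana space ID."""
    return PIPELINE_PREFIX + space_id


def plan_missing_pipelines(space_ids, existing_pipelines):
    """Return (name, JSON body) for every space whose pipeline is absent.
    existing_pipelines is the parsed response of GET /_ingest/pipeline,
    a dict keyed by pipeline name."""
    plan = []
    for space_id in space_ids:
        name = pipeline_name(space_id)
        if name not in existing_pipelines:
            plan.append((name, json.dumps(PIPELINE_BODY)))
    return plan


def indices_with_wrong_default_pipeline(index_settings, space_id):
    """index_settings is the parsed response of GET <index>/_settings (dict keyed
    by index name). Return indices whose index.default_pipeline is not the
    pipeline expected for this space, so event.ingested would not be set."""
    expected = pipeline_name(space_id)
    return [
        name for name, body in index_settings.items()
        if body.get("settings", {}).get("index", {}).get("default_pipeline") != expected
    ]


# Constructed sample responses (not real cluster output); index names are placeholders.
EXISTING_PIPELINES = {pipeline_name("default"): {"description": "already present"}}
INDEX_SETTINGS = {
    "risk-score-backing-index-placeholder-000001": {
        "settings": {"index": {"default_pipeline": pipeline_name("default")}}},
    "risk-score-backing-index-placeholder-000002": {"settings": {"index": {}}},
}
```

Feed plan_missing_pipelines() the list of space IDs with risk scoring turned on; each returned pair is one PUT /_ingest/pipeline/<name> request with the body shown above.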
Installing an Elastic Defend integration or a new agent policy upgrades installed prebuilt rules, reverting user customizations and overwriting user-added actions and exceptions
Applies to: Elastic Stack 9.0.0
On April 10, 2025, it was discovered that when you install a new Elastic Defend integration or agent policy, the installed prebuilt detection rules upgrade to their latest versions (if any new versions are available). The upgraded rules lose any user-added rule actions, exceptions, and customizations.
Workaround
To resolve this issue, before you add an Elastic Defend integration to a policy in Fleet, apply any pending prebuilt rule updates. This will prevent rule actions, exceptions, and customizations from being overwritten.
Resolved
Resolved in Elastic Stack 9.0.1
The technical preview badge incorrectly displays on the alert suppression fields for event correlation rules
Applies to: Elastic Stack 9.0.0 and 9.0.1
On April 8, 2025, it was discovered that alert suppression for event correlation rules is incorrectly shown as being in technical preview when you create a new rule. For more information, check #1021.
Resolved
Resolved in Elastic Stack 9.0.2
Interaction between Elastic Defend and Trellix Access Protection causes IRQL_NOT_LESS_EQUAL bugcheck
Applies to: Elastic Defend 9.0.0
An IRQL_NOT_LESS_EQUAL bugcheck in the Elastic Defend driver happens due to an interaction with Trellix Access Protection (mfehidk.sys). This issue can occur when elastic-endpoint-driver.sys calls FwpmTransactionBegin0 to initialize its network driver. FwpmTransactionBegin0 performs a synchronous RPC call to the user-mode Base Filtering Engine service. Trellix's driver intercepts this service's operations, causing FwpmTransactionBegin0 to hang or slow significantly. This delay prevents the Elastic Defend driver from initializing in a timely manner. Subsequent system activity can invoke Elastic Defend's driver before it has fully initialized, leading to an IRQL_NOT_LESS_EQUAL bugcheck. This issue affects Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can't upgrade, either disable Trellix Access Protection or add a Trellix Access Protection exclusion for the Base Filtering Engine service (C:\Windows\System32\svchost.exe).
Resolved
Resolved in Elastic Defend 9.0.1
Unbounded kernel non-paged memory growth issue in Elastic Defend's kernel driver causes slowdowns on Windows systems
Applies to: Elastic Defend 9.0.0
An unbounded kernel non-paged memory growth issue in Elastic Defend's kernel driver occurs during extremely high event load situations on Windows. Systems affected by this issue will slow down or become unresponsive until the triggering event load (for example, network activity) subsides. We are only aware of this issue occurring on very busy Windows Server systems running Elastic Defend versions 8.16.0-8.16.6, 8.17.0-8.17.5, 8.18.0, and 9.0.0.
Workaround
If you can't upgrade, turn off the relevant event source at the kernel level using your Elastic Defend advanced policy settings (optional):
- Network Events: set the windows.advanced.kernel.network advanced setting to false.
- Registry Events: set the windows.advanced.kernel.registry advanced setting to false.
Note that clearing the corresponding checkbox under event collection is insufficient, as Elastic Defend may still process these event sources internally to support other features.
Resolved
Resolved in Elastic Defend 9.0.1