elastic · nastasha-solomon · Jan 17, 2024 · Dec 14, 2023 · Dec 19, 2023 · Dec 21, 2023
@@ -3,6 +3,7 @@
 
 This section summarizes the changes in each release.
 
+* <<release-notes-8.12.0, {elastic-sec} version 8.12.0>>
 * <<release-notes-8.11.4, {elastic-sec} version 8.11.4>>
 * <<release-notes-8.11.3, {elastic-sec} version 8.11.3>>
 * <<release-notes-8.11.2, {elastic-sec} version 8.11.2>>
@@ -53,6 +54,7 @@ This section summarizes the changes in each release.
 :issue: https://github.com/elastic/kibana/issues/
 :pull: https://github.com/elastic/kibana/pull/
 
+include::release-notes/8.12.asciidoc[]
 include::release-notes/8.11.asciidoc[]
 include::release-notes/8.10.asciidoc[]
 include::release-notes/8.9.asciidoc[]

@@ -0,0 +1,107 @@
+[[release-notes-header-8.12.0]]
+== 8.12
+
+[discrete]
+[[release-notes-8.12.0]]
+=== 8.12.0
+
+[discrete]
+[[known-issue-8.12.0]]
+==== Known issues
+
+
+// tag::known-issue-173958[]
+[discrete]
+.[Title]
+[%collapsible]
+====
+*Details* +
+When editing the Alerts page KQL query bar filter or editing the KQL query bar filter on the rule edit page, you might encounter a UI bug requiring you to select a data view to proceed. 
+*Workaround* +
+Select the **Edit the query filter using DSL** option.
+====
+// end::known-issue-173958[]
+
+// tag::known-issue-174844[]
+[discrete]
+.Unrelated property differences in prebuilt rule update comparison
+[%collapsible]
+====
+*Details* +
+The JSON comparison for updated prebuilt detection rules might display some properties used for internal processing, which doesn't accurately indicate how the rule will change if you update it.
+
+For example, if you added automated actions or an exception list to an installed rule, the comparison shows the JSON properties `actions`, `response_actions`, or `exceptions_list` in the **Base version** (your installed version) but not in the **Update** column (Elastic's latest version). When you update the rule, it will still include your actions or exceptions — they will not be removed. 
+
+Similarly, the comparison might show a difference in the `enabled` property, but upgrading the rule will not change whether your installed rule is enabled or not. Other properties that might display in the comparison but don't actually indicate rule configuration changes include `execution_summary`, `timestamp_override_fallback_disabled`, `meta`, `filters`, `updated_at`, and `output_index`.
+
+*Workaround* +
+No workaround is needed. You can ignore these unrelated property differences in the JSON comparison.
+====
+// end::known-issue-174844[]
+
+[discrete]
+[[breaking-changes-8.12.0]]
+==== Breaking changes
+
+There are no breaking changes in 8.12.0.
+
+[discrete]
+[[deprecations-8.12.0]]
+==== Deprecations
+
+There are no deprecations in 8.12.0.
+
+[discrete]
+[[features-8.12.0]]
+==== New features
+
+* Introduces the ability to assign alerts to specific users ({pull}170579[#170579], {pull}171589[#171589]).
+* Introduces Retrieval Augmented Generation (RAG) for Alerts, allowing you to give Elastic AI Assistant context about more alerts in your environment ({pull}172542[#172542]).
+* Enables alert suppression for threshold rules ({pull}171423[#171423]).
+* Adds an *Updates* tab to the prebuilt rules upgrade flyout to show differences between the installed and updated versions ({pull}172535[#172535], {pull}173187[#173187]).
+* Adds a setting that lets you exclude cold and frozen tiers from visual event analyzer queries ({pull}172162[#172162]).
+* Adds a tour to guide users through Timelines UI changes ({pull}172030[#172030]).
+* Adds a timeout option for Osquery queries, so you can customize the maximum time each query should run before timing out ({pull}169925[#169925]).
+* Introduces new grouping capabilities for CSPM and KSPM Findings data ({pull}169884[#169884]).
+* Adds the expandable alert details flyout to the rule preview panel ({pull}167902[#167902]).
+* Introduces bidirectional response actions to isolate and release SentinelOne-protected hosts (technical preview).
+
+[discrete]
+[[enhancements-8.12.0]]
+==== Enhancements
+
+* Refactors the timeline UI — various minor updates ({pull}168230[#168230]).
+* Introduces manual saving for Timeline ({pull}171027[#171027], {pull}169239[#169239]).
+* Improves forward-compatibility for the rule schema ({pull}170861[#170861]).
+* Simplifies the format of risk engine API error responses ({pull}170645[#170645]).
+* Makes various UI improvements to the alert details flyout ({pull}170279[#170279], {pull}169035[#169035], {pull}173399[#173399], {pull}170078[#170078], {pull}168297[#168297]).
+* Saves the state of the alert details flyout in the browser. For example, after you use the flyout's *Investigate in timeline* button, you can click your browser's back button to return to the flyout ({pull}169661[#169661]).
+* Adds a button to rule execution error messages that lets you ask AI Assistant to diagnose errors ({pull}166778[#166778]).
+* Integrates a new Event Tracing for Windows (ETW) provider (Microsoft-Windows-Win32k) to create new event types that can be used by prebuilt endpoint rules to detect keylogging activity.
+* Allows for acting and target memory region buffers within behavior alerts to be scanned against {elastic-sec}'s collection of YARA signatures when collected. Detections are added to alerts.
+* Adds a new ReadProcessMemory (lsass) event that can be used by prebuilt endpoint rules to detect credential dumping.
+* Adds a link to the Amazon Bedrock connector edit UI that opens the token tracking dashboard ({pull}172115[#172115]).
+* Allows you to use the `matches` and `does not match` operators when defining endpoint exceptions and event filters ({pull}166002[#166002], {pull}170495[#170495]).
+* Adds support for Kafka as an output type for Endpoint.
+
+[discrete]
+[[bug-fixes-8.12.0]]
+==== Bug fixes
+
+* Fixes response action bugs by mapping the `unisolate` command to the `release` command and the `running-processes` command to the `processes` command ({pull}173831[#173831]).
+* Fixes the dark theme for the alert details flyout footer ({pull}173577[#173577]).
+* Makes the Timeline tour compatible with the Timeline template page ({pull}173526[#173526]).
+* Stops the **{esql}** tab from rendering until you click on it in Timeline ({pull}173484[#173484]).
+* Adds a feature flag (`timelineEsqlTabDisabled`) to show or hide the **{esql}** tab in Timeline ({pull}174029[#174029]).
+* Removes the default query in the **{esql}** tab in Timeline ({pull}174393[#174393]).
+* Fixes a bug that caused {ml} fetch jobs to fail when the default data view (`securitySolution:defaultIndex`) contained special characters ({pull}173426[#173426]).
+* Remove the **Assignees** field from the event details flyout ({pull}173314[#173314]).
+* Fixes a bug that caused the **Add to Case** action to fail if you didn't add a comment before isolating and releasing a host ({pull}172912[#172912]).
+* Fixes a UI bug that overlaid **Default Risk score** values as you created a new rule ({pull}172677[#172677]).
+* Fixes a bug that cleared configured fields in the exceptions flyout after the flyout reloaded and refocused ({pull}172666[#172666]).
+* Limits the character length for exception comments to 3000 characters, and makes the error message more descriptive if the limit's exceeded ({pull}170764[#170764]).
+* Re-adds the missing alerts index filtration to Data views ({pull}170484[#170484]).
+* Fixes a bug that didn't allow exceptions to be created or edited after an error displayed ({pull}169801[#169801]).
+* Stops {security-app} pages from crashing when there's a fields error in the **Stack by** component ({pull}168411[#168411]).
+* Deletes saved searches that are associated with deleted Timelines and prevents saved searches from being created twice ({pull} 174562[#174562]).
+* Fixes a bug with the **Share alert** feature in the alert details flyout ({pull} 174005[#174005]).