9.4.0

What's Changed

• Add custom documentation for kernel_process_events metrics fields by @matthewh-elastic in #716
• CountOfCredentialsReturned: unify data type between endpoint and winlog beat by @intxgo in #715
• Update custom documentation for Windows ETW API events / Device unmount events by @AsuNa-jp in #711
• Fix macOS documentation by @ricardo-estc in #719
• update the custom documentation README by @ferullo in #663
• Add hit/miss metrics fields for trusted ancestors reporting by @fearful-symmetry in #720
• Change trusted_ancestor types from double to unsigned_long by @fearful-symmetry in #721
• Add default mapping for process.command_line in network and file events by @Tacklebox in #722
• Add file origin_referrer_url and origin_url to custom doc by @ricardo-estc in #723
• add KB context doc for debugging missing endpoint list by @joeypoon in #725
• Add missing field in the ASM API events custom documentation by @AsuNa-jp in #726
• Remove volume_device events. They are now just device events. by @matthewscherer in #727
• Add linux Ransomware alert docs by @fearful-symmetry in #724
• Add Linux load module events by @nicholasberlin in #729
• Remove sample event strings that can trigger false positive alerts from other AV by @ferullo in #730
• Add process caps to other process events by @nicholasberlin in #733
• Add process.tty.char_device to memfd proc events by @nicholasberlin in #734
• Docs: Update Elastic Defend integration description by @jmikell821 in #735
• automatic troubleshooting endpoint context docs by @joeypoon in #728

New Contributors

• @Tacklebox made their first contribution in #722
• @jmikell821 made their first contribution in #735

Full Changelog: v9.3.0...v9.4.0

v9.3.1

What's Changed

• Backport #730: Remove sample event strings that can trigger false positive alerts from other AV by @ferullo in #732

Full Changelog: v9.3.0...v9.3.1

v8.19.2

What's Changed

• Backport #730: Remove sample event strings that can trigger false positive alerts from other AV by @ferullo in #731

Full Changelog: v8.19.1...v8.19.2

v9.3.0

What's Changed

• Add process.Ext.trusted to custom docs for already-running process events by @gabriellandau in #697
• Add Missing custom doc for thumbprint_sha256 by @soolidsnake in #698
• Fix macOS file access documentation by @ricardo-estc in #699
• map event.module for logs-endpoint.events.api-* by @ferullo in #700
• Add process group to macos documentation by @ricardo-estc in #702
• Add WinHTTP/WinINet ETW fields for production by @matthewh-elastic in #703
• Add script fields to process events. by @ricardo-estc in #704
• fix field def from #704 by @pzl in #707
• Move Thumbprint enrichment to production by @soolidsnake in #706
• [EDR Workflows] Add Automatic Troubleshooting knowledge base documents by @szwarckonrad in #705
• Add entropy and header_bytes on linux by @stanek-michal in #696
• Update the copyright year to 2026 by @AsuNa-jp in #709
• Release 9.3.0 by @pzl in #713

New Contributors

• @szwarckonrad made their first contribution in #705

Full Changelog: v9.2.0...v9.3.0

v9.2.0

What's Changed

• Add security event metrics to custom documentation by @AsuNa-jp in #652
• Enhance process event metrics by @nicholasberlin in #653
• Add destination.domain field to alert mapping by @ricardo-estc in #650
• [macOS] Add network.direction to docs by @ricardo-estc in #659
• Add lookup_requested to dns event.actions by @nicholasberlin in #649
• Add device schema by @matthewscherer in #660
• Added device_control to the endpoint response schema. by @matthewscherer in #667
• Add LDAP (Ldap-Client ETW Provider) API Event fields by @AsuNa-jp in #664
• Add metric custom documentation for event tracing events by @AsuNa-jp in #662
• add RemoteCredentialGuard to security event by @AsuNa-jp in #661
• Add process.Ext.ptrace.addr and .data by @nicholasberlin in #665
• custom_documentation update, policy state orphaned by @intxgo in #671
• network tamper protection -> tamper protection by @intxgo in #672
• Added pe architecture to alerts by @bit-envoy in #670
• Add file.Ext.entropy to docs by @ricardo-estc in #673
• Added documentation for malware alert architecture field by @bit-envoy in #674
• Add process.Ext.trusted_descendant to already_running processes by @nicholasberlin in #675
• Remove legacy security events custom documentation by @AsuNa-jp in #669
• Added the new device fields. by @matthewscherer in #668
• Added custom docs for mount/unmount windows events. by @matthewscherer in #677
• Add firewall_anti_tamper fields to production configuration by @matthewh-elastic in #682
• Expose process.Ext.effective_parent to behavior alert by @ricardo-estc in #666
• Replicating ECS changes for thumbprint field to endpoint package by @soolidsnake in #683
• add defend dashboard by @pzl in #684
• Change dashboard migration version by @pzl in #686
• adds dashboard announcement notice to readme by @pzl in #688
• Add device dashboard by @pzl in #687
• Update macOS documentation for device events by @ricardo-estc in #690
• Add file.size for Linux by @stanek-michal in #692
• dashboard notice should also be in the source template by @pzl in #695

Full Changelog: v9.1.0...v9.2.0

v9.1.1

What's Changed

• add destination.domain as part of the alert (#650) by @ricardo-estc in #655

Full Changelog: v9.1.0...v9.1.1

v8.19.1

What's Changed

• [backport][8.19] add destination.domain as part of the alert (#650) by @ricardo-estc in #656

Full Changelog: v8.19.0...v8.19.1

9.1.0

What's Changed

• Add process fields to custom documentation for security events by @ricardo-estc in #596
• Change the size of region_start_bytes + add the field to the alert data stream by @AsuNa-jp in #591
• update macos process events to include parent.command_line by @brian-mckinney in #602
• Add zone_identifier field to Process/DLL events by @AsuNa-jp in #608
• Update the copyright year by @AsuNa-jp in #611
• Add origin_url and origin_referrer_url field to Process/DLL events by @AsuNa-jp in #610
• AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name by @magermark in #609
• Add metrics queues custom docs by @bjmcnic in #615
• Fix Windows behavior alert custom doc by @gabriellandau in #614
• Add process.command_line to some windows file events by @gabriellandau in #616
• Actions log spaces by @pzl in #622
• Add event.provider to API events by @gabriellandau in #631
• global artifacts manifest_type by @intxgo in #632
• global artifacts manifest_type, fix custom documentation by @intxgo in #635
• Add custom documentation entries for LDAP/HTTP ETW telemetry by @matthewh-elastic in #636
• Add fields for additional desktop_name process event field by @matthewh-elastic in #634
• Add new policy fields for firewall_anti_tamper plugin by @matthewh-elastic in #637
• [8.19/9.1] Add new fields for security events by @AsuNa-jp in #640
• [8.19/9.1]Add Winlog fields for the ETW security events by @AsuNa-jp in #633
• Add tags to action request documents by @pzl in #642
• add mapping for united.agent.namespaces by @joeypoon in #641
• Update custom documentation for security events by @AsuNa-jp in #643
• Add TCC modify event on macOS by @ricardo-estc in #638
• Add missing custom documentation fields to logoff security events by @AsuNa-jp in #645
• Add custom documentation fields for pipe_events by @calladoum-elastic in #644

New Contributors

• @bjmcnic made their first contribution in #615
• @matthewh-elastic made their first contribution in #636

Full Changelog: v9.0.0...v9.1.0

v9.0.2

What's Changed

• AMSI API changes for behavior rule alerts by @magermark in #626

Full Changelog: v9.0.1...v9.0.2

8.19.0

What's Changed

• Add fleet unenrolled audit fields by @pzl in #579
• update metrics custom documentation by @jdu2600 in #580
• update alerts custom documentation by @jdu2600 in #581
• [macOS] Security events by @ricardo-estc in #582
• Add custom documentation for noisy processes by @brian-mckinney in #583
• Add process fields to custom documentation for security events by @ricardo-estc in #596
• Change the size of region_start_bytes + add the field to the alert data stream by @AsuNa-jp in #591
• update macos process events to include parent.command_line by @brian-mckinney in #602
• Add zone_identifier field to Process/DLL events by @AsuNa-jp in #608
• Update the copyright year by @AsuNa-jp in #611
• Add origin_url and origin_referrer_url field to Process/DLL events by @AsuNa-jp in #610
• AMSI API changes for behavior rule alerts - process.Ext.api.parameters.content_name by @magermark in #609
• Add metrics queues custom docs by @bjmcnic in #615
• Fix Windows behavior alert custom doc by @gabriellandau in #614
• Add process.command_line to some windows file events by @gabriellandau in #616
• Actions log spaces by @pzl in #622
• Add event.provider to API events by @gabriellandau in #631
• global artifacts manifest_type by @intxgo in #632
• global artifacts manifest_type, fix custom documentation by @intxgo in #635
• Add custom documentation entries for LDAP/HTTP ETW telemetry by @matthewh-elastic in #636
• Add fields for additional desktop_name process event field by @matthewh-elastic in #634
• Add new policy fields for firewall_anti_tamper plugin by @matthewh-elastic in #637
• [8.19/9.1] Add new fields for security events by @AsuNa-jp in #640
• [8.19/9.1]Add Winlog fields for the ETW security events by @AsuNa-jp in #633
• Add tags to action request documents by @pzl in #642
• add mapping for united.agent.namespaces by @joeypoon in #641
• Update custom documentation for security events by @AsuNa-jp in #643
• Add TCC modify event on macOS by @ricardo-estc in #638
• Add missing custom documentation fields to logoff security events by @AsuNa-jp in #645
• Add custom documentation fields for pipe_events by @calladoum-elastic in #644

Full Changelog: v8.18.0...v8.19.0