Loading

Elastic Security breaking changes

Breaking changes can impact your Elastic applications, potentially disrupting normal operations. Before you upgrade, carefully review the Elastic Security breaking changes and take the necessary steps to mitigate any issues. To learn how to upgrade, check Upgrade.

Release date: April 2, 2025

Removed legacy security rules bulk endpoints
  • POST /api/detection_engine/rules/_bulk_create has been replaced by POST /api/detection_engine/rules/_import
  • PUT /api/detection_engine/rules/_bulk_update has been replaced by POST /api/detection_engine/rules/_bulk_action
  • PATCH /api/detection_engine/rules/_bulk_update has been replaced by POST /api/detection_engine/rules/_bulk_action`
  • DELETE /api/detection_engine/rules/_bulk_delete has been replaced by POST /api/detection_engine/rules/_bulk_action
  • POST api/detection_engine/rules/_bulk_delete has been replaced by POST /api/detection_engine/rules/_bulk_action

These changes were introduced in #197422.

Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.

Action

Update your implementations to use the new endpoints:

  • For bulk creation of rules:

    • Use POST /api/detection_engine/rules/_import (API documentation) to create multiple rules along with their associated entities (for example, exceptions and action connectors).
    • Alternatively, create rules individually using POST /api/detection_engine/rules (API documentation).

  • For bulk updates of rules:

    • Use POST /api/detection_engine/rules/_bulk_action (API documentation) to update fields in multiple rules simultaneously.
    • Alternatively, update rules individually using PUT /api/detection_engine/rules (API documentation).

  • For bulk deletion of rules:

    • Use POST /api/detection_engine/rules/_bulk_action (API documentation) to delete multiple rules by IDs or query.
    • Alternatively, delete rules individually using DELETE /api/detection_engine/rules (API documentation).
Remove deprecated endpoint management endpoints
  • POST /api/endpoint/isolate has been replaced by POST /api/endpoint/action/isolate
  • POST /api/endpoint/unisolate has been replaced by POST /api/endpoint/action/unisolate
  • GET /api/endpoint/policy/summaries has been deprecated without replacement. Will be removed in v9.0.0
  • POST /api/endpoint/suggestions/{{suggestion_type}} has been deprecated without replacement. Will be removed in v9.0.0
  • GET /api/endpoint/action_log/{{agent_id}} has been deprecated without replacement. Will be removed in v9.0.0
  • GET /api/endpoint/metadata/transforms has been deprecated without replacement. Will be removed in v9.0.0

Impact
Deprecated endpoints will fail with a 404 status code starting from version 9.0.0.

Action

  • Remove references to GET /api/endpoint/policy/summaries endpoint.
  • Remove references to POST /api/endpoint/suggestions/{{suggestion_type}} endpoint.
  • Remove references to GET /api/endpoint/action_log/{{agent_id}} endpoint.
  • Remove references to GET /api/endpoint/metadata/transforms endpoint.
  • Replace references to deprecated endpoints with the replacements listed in the breaking change details.
Refactors the Timeline HTTP API endpoints

For more information, check #200633.

Removes deprecated Elastic Defend APIs

For more information, check #199598.

Removes deprecated API endpoints for bulk CRUD actions on detection rules

For more information, check #197422 and #207906.