diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 31feeca2e5..9ebc9787d8 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,137 +4,123 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | 
{security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. // tag::notable-highlights[] [float] -== Detection rules and alerts enhancements +== Generative AI enhancements -The following enhancements have been added to detection rules and alerts: [float] -=== Per-field diff for Elastic prebuilt rule updates +=== Attack Discovery -When examining an {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[updated Elastic prebuilt detection rule], you can now view rule changes field by field as well as in a full JSON view. +{security-guide}/attack-discovery.html[Attack discovery] is a new AI-powered tool that identifies potential attacks and maps connections between alerts to the MITRE ATT&CK® matrix, helping you to fight alert fatigue and reduce your mean time to respond. [role="screenshot"] -image::whats-new/images/8.13/prebuilt-rules-update-diff.png[Prebuilt rule comparison, 85%] +image::whats-new/images/8.14/attack-discovery-full-card.png[Attack discovery detail view] [float] -=== Alert suppression supported for indicator match rules +=== Redesigned Elastic AI Assistant UI -{security-guide}/alert-suppression.html[Alert suppression] now supports the {security-guide}/rules-ui-create.html#create-indicator-rule[indicator match] rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by an indicator match rule. 
+{security-guide}/security-assistant.html[Elastic AI Assistant] for {elastic-sec} has a redesigned user interface that uses a flyout instead of a popup, aligning it with standard {kib} design patterns. Also, when using OpenAI models, AI Assistant can now "stream" responses, rendering word-by-word rather than appearing as complete text blocks, providing a more conversational experience. [float] -=== Refined header design for alert details flyout +== Entity Analytics enhancements -The header design for the {security-guide}/view-alert-details.html[alert details flyout] has been refined to improve readability and structure. Basic alert details now appear clearer and more organized. - -[role="screenshot"] -image::whats-new/images/8.13/alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 75%] [float] -== Persistence of Data Quality dashboard results +=== Asset criticality file upload -The {security-guide}/data-quality-dash.html[Data Quality dashboard] now retains results across sessions, ensuring continuity of information. Additionally, the dashboard now shows when each index was last checked. +You can {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] to multiple entities at a time by importing a text file from your asset management tools. This feature allows you to quickly and easily import a list of entities and their asset criticality levels into the {security-app}. 
[role="screenshot"] -image::whats-new/images/8.13/data-qual-dash.png[The Data Quality dashboard, 85%] +image::whats-new/images/8.14/asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%] [float] -== Visual event analyzer enhancements +=== Unassign asset criticality -The {security-guide}/visual-event-analyzer.html[Visual event analyzer] UI has been enhanced with the following functionality: +You can unassign {security-guide}/asset-criticality.html[asset criticality] from a host or user if the criticality level is no longer known, or the currently assigned level is incorrect. -* Inline actions and a search bar to the left panel: -+ [role="screenshot"] -image::whats-new/images/8.13/event-details.png[Event details panel, 85%] +image::whats-new/images/8.14/unassign-criticality.png[Unassign asset criticality, 50%] -* A date and time range picker, which allows you to analyze an event within a specific period of time: -+ -[role="screenshot"] -image::whats-new/images/8.13/date-range-selection.png[The date and time range picker, 85%] +[float] +=== Risk scoring engine processes up to 10,000 alerts per entity -* A data view selector, which allows you to filter analyzed events further: -+ -[role="screenshot"] -image::whats-new/images/8.13/data-view-selection.png[The data view selector, 85%] +When calculating {security-guide}/entity-risk-scoring.html[entity risk scores], the risk scoring engine now takes into account a maximum of 10,000 alerts per entity. This ensures that the engine remains operational in environments with extremely large data volume. [float] -== Response actions enhancements +=== Access the entity details flyout from the Entity Analytics dashboard -The following enhancements have been added to response actions: +Clicking on a specific host or user name in the {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] now opens the host or user details flyout instead of the host or user details page. 
This allows you to access entity metadata and risk score information without navigating away from the dashboard. [float] -=== Automated response actions for host processes +=== Entity details flyout shows contribution scores per alert -You can now add {elastic-defend}'s `kill-process` or `suspend-process` {security-guide}/response-actions.html[response actions] to detection rules. This allows you to automatically terminate or suspend a process on an affected host when an event meets the rule's criteria. +The **Risk contributions** section of the {security-guide}/hosts-overview.html#host-details-flyout[entity details flyout] now shows the top 10 alerts that contributed to the latest risk scoring calculation and each alert's contribution score. This makes each entity's risk score easier to understand and gives better insight into which alerts you should investigate at the entity level. [role="screenshot"] -image::whats-new/images/8.13/automated-response-actions.png[Automated response actions, 85%] +image::whats-new/images/8.14/contribution-scores-per-alert.png[Contribution scores for top 10 alerts, 90%] [float] -=== Third-party response actions (SentinelOne) +== Detection rules and alerts enhancements -You can now {security-guide}/third-party-actions.html#sentinelone-response-actions[direct SentinelOne] to perform response actions on protected hosts without leaving the {elastic-sec} UI. You can isolate and release a host from detection alerts and the response console, and view third-party actions in the response actions history log. [float] -== Entity Analytics enhancements +=== Value list improvements -The following enhancements have been added to Entity Analytics: +You can now {security-guide}/value-lists-exceptions.html#edit-value-lists[edit value lists] from the UI, wherever you use them. For example, you can now add items to a value list while creating a rule exception that references that value list. 
+ +[role="screenshot"] +image::whats-new/images/8.14/edit-value-lists.png[Edit items in a value list, 90%] [float] -=== Asset criticality +=== Add ES|QL fields as custom highlighted fields -You can now assign an {security-guide}/asset-criticality.html[asset criticality] level to your entities based on their importance to your organization. For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture. +When adding custom highlighted fields to an {esql} rule, you can now {security-guide}/rules-ui-create.html#custom-highlighted-esql-fields[specify any fields returned by the rule's query]. This allows you to surface fields that contain useful information for investigating alerts. -The risk scoring engine includes asset criticality as an input when calculating entity risk scores. +[float] +=== Editable setup guide field for detection rules -With asset criticality, you can strengthen your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities. +You can now {security-guide}/rules-ui-create.html#rule-ui-advanced-params[edit the **Setup guide** field] for user-created custom rules. Use this informational field to list rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. [role="screenshot"] -image::whats-new/images/8.13/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page, 85%] +image::whats-new/images/8.14/setup-guide-field.png[Setup guide field] [float] -=== Enhanced host and user details flyouts +=== Alert suppression improvements -The redesigned {security-guide}/hosts-overview.html#host-details-flyout[host details flyout] and {security-guide}/users-page.html#user-details-flyout[user details flyout] allow you to: - -* View entity risk data and all risk contributions. 
Expand the risk summary section to view details about the entity's risk contributions. -* View and assign asset criticality to your entities. -* View relevant entity details such as the entity ID, when the entity was first and last seen, and the associated IP addresses and operating system. - -[role="screenshot"] -image::whats-new/images/8.13/host-details-flyout.png[Host details flyout, 85%] +In 8.14, we've moved {security-guide}/alert-suppression.html[alert suppression] for custom query rules from technical preview to generally available. We've also added alert suppression to event correlation rules (non-sequence queries only) and new terms rules. [float] -== Cloud Security enhancements +== {elastic-defend} enhancements -The following enhancements have been added to Cloud Security: [float] -=== Benchmark rules can be turned off +=== New malware file scanning options -You can now turn individual {security-guide}/cspm-benchmark-rules.html[benchmark rules] on or off. This allows you to customize your Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) integrations to reduce noise from benchmark rules that don't apply to your environment. +When configuring {security-guide}/configure-endpoint-integration-policy.html#malware-protection[malware protection], you can choose whether {elastic-defend} scans files when they're modified or executed. This can improve performance on hosts where files are frequently modified, while continuing to identify malware as it attempts to run. 
[role="screenshot"] -image::whats-new/images/8.13/benchmark-rules.png[Benchmark rules, 85%] +image::whats-new/images/8.14/malware-protection.png[Malware protection section, 80%] [float] -=== Cloud native vulnerability management (CNVM) Findings UI enhancements +=== Automatically register {elastic-defend} as antivirus -The **Vulnerabilities** table on the {security-guide}/vuln-management-findings.html[Findings page] now includes improved grouping capabilities (up to three nested groupings), and more table customization options. +If you're using {elastic-defend}'s malware protection, you can now automatically {security-guide}/configure-endpoint-integration-policy.html#register-as-antivirus[register {elastic-defend} as the antivirus software] for Windows endpoints. -image::whats-new/images/8.13/cnvm-findings-grouped.png[CNVM findings grouped, 85%] +[role="screenshot"] +image::whats-new/images/8.14/register-as-antivirus.png[Register as antivirus section, 80%] [float] -== Custom fields for cases must have a default value +== Cloud Security Posture Management support for AWS GovCloud + +Elastic's {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports AWS GovCloud so you can monitor and track how your GovCloud clusters perform against security benchmarks. + -When adding {security-guide}/cases-open-manage.html#cases-ui-custom-fields[custom fields] to a case, any mandatory fields must have a default value. // end::notable-highlights[] diff --git a/docs/whats-new/images/8.14/asset-criticality-file-upload.gif b/docs/whats-new/images/8.14/asset-criticality-file-upload.gif new file mode 100644 index 0000000000..15a9dafbb2 Binary files /dev/null and b/docs/whats-new/images/8.14/asset-criticality-file-upload.gif differ 
diff --git a/docs/whats-new/images/8.14/attack-discovery-full-card.png b/docs/whats-new/images/8.14/attack-discovery-full-card.png new file mode 100644 index 0000000000..81b9c1de69 Binary files /dev/null and b/docs/whats-new/images/8.14/attack-discovery-full-card.png differ diff --git a/docs/whats-new/images/8.14/contribution-scores-per-alert.png b/docs/whats-new/images/8.14/contribution-scores-per-alert.png new file mode 100644 index 0000000000..483980f378 Binary files /dev/null and b/docs/whats-new/images/8.14/contribution-scores-per-alert.png differ diff --git a/docs/whats-new/images/8.14/edit-value-lists.png b/docs/whats-new/images/8.14/edit-value-lists.png new file mode 100644 index 0000000000..dd53a8dc11 Binary files /dev/null and b/docs/whats-new/images/8.14/edit-value-lists.png differ diff --git a/docs/whats-new/images/8.14/malware-protection.png b/docs/whats-new/images/8.14/malware-protection.png new file mode 100644 index 0000000000..21f824edec Binary files /dev/null and b/docs/whats-new/images/8.14/malware-protection.png differ diff --git a/docs/whats-new/images/8.14/register-as-antivirus.png b/docs/whats-new/images/8.14/register-as-antivirus.png new file mode 100644 index 0000000000..17e6b9cc5d Binary files /dev/null and b/docs/whats-new/images/8.14/register-as-antivirus.png differ diff --git a/docs/whats-new/images/8.14/setup-guide-field.png b/docs/whats-new/images/8.14/setup-guide-field.png new file mode 100644 index 0000000000..32c298b982 Binary files /dev/null and b/docs/whats-new/images/8.14/setup-guide-field.png differ diff --git a/docs/whats-new/images/8.14/unassign-criticality.png b/docs/whats-new/images/8.14/unassign-criticality.png new file mode 100644 index 0000000000..3c6dcfaa5e Binary files /dev/null and b/docs/whats-new/images/8.14/unassign-criticality.png differ
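Review bot: In the "New malware file scanning options" section, the detection trade-off should be spelled out rather than implied. The sentence "you can choose whether {elastic-defend} scans files when they're modified or executed" reads two ways (whether scanning happens at all, or which event triggers it), and the closing clause "while continuing to identify malware as it attempts to run" only hints at the consequence: with the execution-only setting, a malicious file that is written to disk but never run on that host is not scanned by this feature. Suggest naming the scan triggers explicitly and adding one sentence stating that modification-time detection is given up when execution-only scanning is selected, so an administrator can weigh the performance gain against the loss of coverage.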
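Review bot: In "Risk scoring engine processes up to 10,000 alerts per entity", the text says the engine "takes into account a maximum of 10,000 alerts per entity" but does not say what happens to an entity that has more than that, or by what criterion the included 10,000 are chosen. Someone interpreting a risk score needs to know whether the excess alerts are silently excluded and whether the retained set is the most recent, the highest-scoring, or something else. Suggest stating the selection rule here or linking to where {security-guide}/entity-risk-scoring.html documents it. "This ensures that the engine remains operational" is also stronger than the feature supports; "helps keep the engine operational" would be accurate.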
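Review bot: In "Entity details flyout shows contribution scores per alert", the link target is `{security-guide}/hosts-overview.html#host-details-flyout` while the heading and body describe the "entity details flyout" for any entity. The removed 8.13 text in this same hunk linked both `hosts-overview.html#host-details-flyout` and `users-page.html#user-details-flyout`, so a user-details anchor exists; suggest linking both, or linking a host/user-neutral page, so a reader looking at user risk is not sent to the host documentation only.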
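Review bot: In the "Cloud Security Posture Management support for AWS GovCloud" section, "monitor and track how your GovCloud clusters perform against security benchmarks" uses "clusters", which is the vocabulary of the Kubernetes Security Posture Management (KSPM) integration named in the removed 8.13 text; the CSPM integration evaluates cloud accounts and their resources. Suggest "GovCloud accounts" (or "GovCloud resources") unless KSPM support for GovCloud is also being announced, in which case say so explicitly.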
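Review bot: A few consistency points across the new sections. The heading "=== Attack Discovery" capitalizes "Discovery" while the body and the linked page title use "Attack discovery"; pick one. The heading "=== Add ES|QL fields as custom highlighted fields" spells out "ES|QL" while the body uses the `{esql}` attribute; if the literal form is intentional (for a stable anchor id, for example), a short source comment would stop it being "fixed" later. The image macros are also uneven: `attack-discovery-full-card.png[Attack discovery detail view]` and `setup-guide-field.png[Setup guide field]` have no width, and `asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%]` lacks the space before the width that every other macro in the file uses (`, 90%`).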