Whats new 8.12

docs/whats-new.asciidoc

@@ -4,105 +4,106 @@
 
 Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.
 
-Other versions: {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
+Other versions: {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
 {security-guide-all}/7.9/whats-new.html[7.9]
 
 // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
 // tag::notable-highlights[]
 
+[float]
+== Retrieval-augmented generation supported in Elastic AI Assistant
+
+Elastic AI Assistant now supports {security-guide}/security-assistant.html#rag-for-alerts[retrieval-augmented generation (RAG) for alerts]. Using this feature, you can provide information about multiple alerts to AI Assistant, so that it can answer a broader scope of questions relating to alerts in your environment.
 
 [float]
-== Latest entity risk scoring engine provides greater scalability and performance
+== Detection rules and alerts enhancements
 
-The latest <<entity-risk-scoring, risk scoring engine>> generates risk scores on a recurring interval, and allows for easier onboarding and management. The engine is built to factor in risks from all {elastic-sec} use cases. It also allows you to customize and control how and when risk is calculated.
+The following enhancements have been added to detection rules and alerts:
 
-With the new risk scoring engine, you can:
+[float]
+=== JSON diff for Elastic prebuilt rule updates
 
-* Preview and enable the risk engine using a centralized one-click onboarding workflow.
-* Conveniently migrate to the new engine if you're an existing user of risk scoring.
-* Generate risk scores for hosts and users from the last 30 days.
-* View the alerts that contributed to an entity's risk score, allowing faster investigations.
-* Continue to access entity risk analytics in existing security workflows.
+When Elastic updates a prebuilt detection rule, you can examine the latest version before you {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[update] to it. The rule details flyout in **Rule Updates** displays a side-by-side JSON comparison of the rule's **Base version** (what you currently have installed) and the **Update version** that you can choose to install.
 
 [role="screenshot"]
-image::whats-new/images/8.11/entity-risk-score.png[Entity Risk Score page]
+image::whats-new/images/8.12/prebuilt-rules-update-diff.png[Prebuilt rule comparison,80%]
 
 [float]
-== Elastic AI Assistant enhancements 
+=== Alert suppression supported for threshold rules
 
-The following enhancements have been added to the Elastic AI Assistant:
+{security-guide}/alert-suppression.html[Alert suppression] now supports the threshold detection rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by a threshold rule.
 
 [float]
-=== New Amazon Bedrock connector
+=== Assign users to alerts
 
-You can use Elastic's new Amazon Bedrock connector to integrate with Anthropic Claude models from AWS in the {security-guide}/security-assistant.html[Elastic AI Assistant].
+You can now {security-guide}/alerts-ui-manage.html#assign-users-to-alerts[assign users to alerts] that you want them to investigate, and manage alert assignees throughout an alert's lifecycle. Assigned alerts are filterable, and you can find assignees by adding the `kibana.alert.workflow_assignee_ids` field to the Alerts table or by opening an alert's details.
 
-[float]
-=== New ES|QL knowledge base
-
-beta:[] With the new knowledge base enabled, {security-guide}/security-assistant.html[Elastic AI Assistant] can answer detailed questions about the Elastic Search Query Language (ES|QL), including help with generating specific queries and syntax questions.
+[role="screenshot"]
+image::whats-new/images/8.12/alert-assigned-alerts.png[Alert assignees in the Alerts table,80%]
 
 [float]
-== Detection rules and alerts enhancements
+== Timeline enhancements
 
-The following enhancements have been added to detection rules and alerts:
+The following enhancements have been added to Timelines:
 
 [float]
-=== Create ES|QL query detection rules with new ES|QL rule type
+=== Multiple UI and UX enhancements to Timeline
 
-Use the new {security-guide}/rules-ui-create.html#create-esql-rule[ES|QL rule type] to create detection rules that use ES|QL queries. The ES|QL rule type supports aggregating and non-aggregating queries.
+{security-guide}/timelines-ui.html[Timeline] now opens as a modal, requires you to manually save changes, and has an option to save changes as a new Timeline. In addition, Timeline has undergone significant UI changes. For example, the query builder is now collapsible, which allows you to have more space for Timeline results.
 
 [role="screenshot"]
-image::whats-new/images/8.11/esql-rule.png[New ES|QL rule type]
+image::whats-new/images/8.12/timeline-ui-updated.png[Updated Timeline UI]
 
 [float]
-=== Case-sensitive values supported in rule exceptions
+=== Feature flag added for the {esql} tab
 
-When {security-guide}/add-exceptions.html#detection-rule-exceptions[adding exceptions to a rule], the `is one of` and `is not one of` operators now support identical, case-sensitive values – for example, `Windows` and `windows`.
+You can now remove the {security-guide}/timelines-ui.html#esql-in-timeline[{esql} tab] by editing your {cloud}/ec-manage-kibana-settings.html#ec-manage-kibana-settings[{kib} user settings] and adding the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag.
 
 [float]
-== Use ES|QL in Timeline
+=== Default {esql} query removed from the {esql} tab
 
-You can use {security-guide}/timelines-ui.html#esql-in-timeline[ES|QL in Timeline] to filter, transform, and analyze event data stored in {es}. To start using ES|QL, open the **ES|QL** tab.
+The default {esql} query was removed from the {esql} tab, for increased tab performance.
+
+[float]
+== Exclude cold and frozen tiers from analyzer queries
+
+You can now exclude cold and frozen tier data from visual event analyzer queries, to increase analyzer performance. You can do this by turning on the `securitySolution:excludeColdAndFrozenTiersInAnalyzer` {security-guide}/advanced-settings.html#exclude-cold-frozen-tiers[advanced setting].
 
 [role="screenshot"]
-image::whats-new/images/8.11/esql-tab.png[New ES|QL tab in Timeline]
+image::whats-new/images/8.12/exclude-cold-frozen-tiers.png[Advanced setting to exclude cold and frozen tiers from analyzer queries,80%]
 
 [float]
-== Expanded support for Cloud security posture management (CSPM)
+== Bidirectional integration response actions (SentinelOne)
 
-Cloud security posture management (CSPM) capabilities have been expanded to support {security-guide}/cspm-get-started-gcp.html#cspm-set-up-manual-gcp-org[organization-wide GCP deployments], as well as {security-guide}/cspm-get-started-azure.html[single-subscription Azure deployments].
+Powered by the {integrations-docs}/sentinel_one[SentinelOne] integration for {agent}, SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI.
 
 [float]
-== Cases enhancements
+== Event filters and endpoint exceptions support for `matches` and `does not match` conditions
 
-The following enhancements have been added to cases:
+You can now use `matches` and `does not match` conditions on more fields when configuring {security-guide}/event-filters.html[event filters] and endpoint exceptions. Previously, only the `file.path.text` field was supported.
 
 [float]
-=== Custom case fields
+== Cloud Security enhancements
 
-You can now {security-guide}/cases-open-manage.html#cases-ui-custom-fields[add custom fields to cases] to support customized collaboration.
-
-[role="screenshot"]
-image::whats-new/images/8.11/cases-add-custom-field.png[Add custom fields to cases]
+The following enhancements have been added to Cloud Security:
 
 [float]
-=== Connectors page renamed
+=== Organization-wide Azure deployments supported in Cloud security posture management (CSPM)
 
-The page where you create and manage case connectors has been renamed to **Settings**.
-
-[role="screenshot"]
-image::whats-new/images/8.11/cases-settings.png[The case settings page]
+Cloud security posture management (CSPM) capabilities have been expanded to support organization-wide Azure deployments.
 
 [float]
-== Agent tamper protection with {elastic-defend}
+=== Data grouping and table customization improvements on the Findings page 
 
-For hosts enrolled in {elastic-defend}, you can prevent unauthorized attempts to uninstall {agent} and {elastic-endpoint} by enabling *Agent tamper protection* on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling {elastic-defend}'s endpoint protections. 
+The Findings page now enables you to {security-guide}/cspm-findings-page.html#_group_findings[group your data by any field], and to {security-guide}/cspm-findings-page.html#cspm-customize-the-findings-table[further customize] how the page is displayed.
+
+[float]
+== New Osquery query timeout setting
 
-When enabled, {agent} and {elastic-endpoint} can only be uninstalled on the host by including the policy's generated uninstall token in the uninstall CLI command.
+When running an Osquery query, you can now set a timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`.
 
 [role="screenshot"]
-image::whats-new/images/8.11/agent-tamper-protection.png[Agent tamper protection setting highlighted on Agent policy settings page]
+image::whats-new/images/8.12/osquery-timeout-setting.png[Osquery query timeout setting,80%]
 
 
 // end::notable-highlights[]