Please include the link to your corresponding PRs!
What's new highlights for 8.4:
Detections & Response/CTI
Wildcards in detection rule exceptions - Wildcards are now supported when defining exceptions for detection rules, using the new operators matches and does not match. ([DOCS] Detection engine wildcard exceptions #2212)
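As an added illustration (not part of this issue, the linked PR, or the Elastic docs), here is what a detection rule exception item using the new wildcard operator looks like when submitted to the exception list item API. The entry field names (`entries[].type: "wildcard"` for matches / does not match, with `operator: "included"` or `"excluded"`) are my assumption about the API shape; the list id, path, and signer name are constructed sample values.

```json
{
  "list_id": "example_endpoint_exceptions",
  "name": "Allow the vendor agent only from its own install directory",
  "description": "Constructed example: the wildcard is scoped to one directory and one file name, and paired with a signer check so the exception cannot be satisfied by a renamed binary",
  "type": "simple",
  "namespace_type": "single",
  "entries": [
    {
      "field": "process.executable.caseless",
      "operator": "included",
      "type": "wildcard",
      "value": "C:\\Program Files\\ExampleVendor\\*\\agent.exe"
    },
    {
      "field": "process.code_signature.subject_name",
      "operator": "included",
      "type": "match",
      "value": "Example Vendor Inc."
    }
  ]
}
```

The second entry is the defender's safeguard: a wildcard on its own widens the exception to every path the pattern can match, so combining it with a non-wildcard condition such as the code signature keeps the suppressed scope narrow. Swapping `"operator": "included"` for `"operator": "excluded"` on the wildcard entry expresses the does not match form.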
New fields for prebuilt Elastic detection rules - Elastic prebuilt rules now provide additional information to help you identify, install, and configure a rule's prerequisites. You can confirm these requirements in the Related integrations and Required fields fields on a rule's details page, and consult the rule's Setup guide for additional guidance. ([DOCS] New rule fields for prerequisites: Related Integrations, Required Fields, and Setup #2069) - Still waiting to confirm if the new content will actually be in the 8.4 release; they keep going back and forth in daily builds
I also created a separate PR for updating 8.3 What's New when the time comes, since the fields will be released to 8.3 with the out-of-band rules update.
Importing value lists - The "Upload value lists" button has been renamed "Import value lists," and the UI changed from a modal to a flyout. (No functional change) ([DOCS] Import value lists: renamed button, new flyout UI #2268)
Improved bulk action handling for detection rules - When you select both prebuilt and custom rules and attempt to perform a bulk action that can only be done on custom rules, Elastic Security now determines which rules are eligible and changes only them. (Previously this would cause a general error, and the user would have to de-select ineligible rules.) I haven't drafted a PR yet for this, but here's the issue: [DOCS] Bulk action handling for detection rules #2209
New option to preview rules - The new Advanced query preview option closely imitates real rule executions and gives users more control over the rule preview by allowing them to set the preview's timeframe, rule interval, and look-back time. ([DOCS] Advanced rule query preview option available #2251)
Data views available in rule creation - Users can specify a data view wherever an index pattern can be specified, in order to take advantage of runtime fields, which are associated with a data view. ([DOCS] Create rule updates 8.4 #2339)
Fallback to @timestamp is configurable when a timestamp override is defined - This feature allows you to disable @timestamp as a fallback timestamp field when you've defined a timestamp override. ([DOCS] Create rule updates 8.4 #2339)
New terms rule - Generates an alert for each new term it detects in source documents within a specified time range. ([DOCS] Create rule updates 8.4 #2339)
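The three 8.4 rule-creation changes above (data views, configurable @timestamp fallback, and the new terms rule type) can be exercised together in one rule definition. The following request body is an added example written for this summary, not a rule from the Elastic docs or the linked PR; it is what I would send to `POST /api/detection_engine/rules`. The field names `data_view_id`, `timestamp_override_fallback_disabled`, `new_terms_fields`, and `history_window_start` are my assumption about the 8.4 API; the data view id, query, and timing values are constructed.

```json
{
  "name": "First-seen user name in successful authentications (constructed example)",
  "description": "Alerts the first time a user.name appears in successful authentication events that was not seen in the preceding 14 days",
  "risk_score": 47,
  "severity": "medium",
  "type": "new_terms",
  "language": "kuery",
  "query": "event.category:authentication and event.outcome:success",
  "new_terms_fields": ["user.name"],
  "history_window_start": "now-14d",
  "data_view_id": "security-auth-logs-example",
  "timestamp_override": "event.ingested",
  "timestamp_override_fallback_disabled": true,
  "from": "now-6m",
  "interval": "5m",
  "enabled": false
}
```

Two points worth checking before enabling a rule like this: `history_window_start` must be large enough that a term the rule has legitimately seen before is not reported as new after a quiet period, and with `timestamp_override_fallback_disabled` set to true a document lacking `event.ingested` is simply not evaluated rather than being matched on `@timestamp`, so every index the data view covers should populate the override field or the rule will silently miss events.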
OLM
Response console for endpoint response actions - The new response console UI allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and get near-instant feedback on them. Actions are also logged in the endpoint’s actions log for reference. (Enterprise subscription required) ([DOCS] Response console UI for endpoint actions #2289)
Troubleshooting "Unhealthy" status for Elastic Agent - Integration policy errors and statuses are now provided in both Fleet and Elastic Security to help troubleshoot when an Elastic Agent has an "unhealthy" status. ([DOCS] "Unhealthy" Agent status and integration policy errors #2317)
Threat Hunting
Alerts page visualizations and new treemap view - The Alerts page now displays a single visualization pane, with a drop-down menu to select Table, Trend, or Treemap. Treemap is a new view type that shows the distribution of alerts as nested, proportionally-sized tiles. This view can help you quickly pinpoint the most prevalent and critical alerts. ([DOCS] Alerts page visualizations, new treemap view #2280)
Insights about related alerts - The Alert details flyout now has a new Insights section. The Insights section shows users how an alert is related to other alerts and offers ways to investigate related alerts. Users can leverage this information to quickly find patterns between alerts and then take action. The Insights section provides the following details: ([DOCS] Changes to Alert details flyout and new Insights section #2298)
Cases related to the alert
Alerts related by source event
Alerts related by session ID (This functionality is beta and requires a Platinum or Enterprise subscription)
Alerts related by process ancestry (This functionality is beta, and requires a Platinum or Enterprise subscription and the xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry'] feature flag must be added to the kibana.yml file.)
The process event analyzer includes alerts - Users can now view alerts associated with an event when viewing the event in the process analyzer. This allows them to examine and compare alerts with the same source event. (This functionality requires a Platinum or Enterprise subscription and the xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry'] feature flag must be added to the kibana.yml file.) ([DOCS] Alerts now shown in process tree #2309)
ResponseOps
New case connector - The Webhook - Case Management connector allows users to build a custom connector for any third-party case/ticket management system. This offers users more flexibility and choice when deciding what third-party case/ticket management system they want to send cases and case updates to. ([DOCS] Add Webhook connector to case and connector docs #2221 #2297)
New sub-feature privilege for cases - The deletion sub-feature privilege governs a user's ability to delete cases and comments. Users who already have all access within cases will automatically be granted the deletion privilege when upgrading to 8.4. Users who have read access within cases will not automatically be granted the deletion privilege upon upgrading to 8.4. An admin can customize the cases privileges by enabling the sub-feature radio button and checking/unchecking the box for deletion. ([DOCS] Add deletion sub feature privilege for cases #2219)
AWP
Enables Session View for Kubernetes infrastructure. You can now deploy an Elastic DaemonSet to your Kubernetes clusters to collect session data. This data, which includes new Kubernetes-specific fields, appears in summary on the new Kubernetes dashboard. ([DOCS][AWP] New page for Kubernetes dashboard #2243)
Cloud Security Posture
The Kubernetes Security Posture Management integration is now in beta. This integration allows you to check your Kubernetes infrastructure's configuration against security best practices, and provides steps for remediating any issues it identifies. ([DOCS][AWP] New page for Kubernetes dashboard #2243)
Endpoint
Attack surface reduction / credential hardening - New "Attack surface reduction" protections feature helps you reduce vulnerabilities that attackers can target on Windows endpoints. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory. ([DOCS] Attack surface reduction / credential hardening #2266)
Endpoint self-healing rollback - This new feature rolls back file changes and processes on Windows endpoints when a prevention alert is generated by enabled protection features. ([DOCS] Endpoint self-healing rollback #2267)
Asset Management