What's new in 8.12

[natasha-moore-elastic]

Please add your features and enhancements for 8.12. Don't forget to include the related PR link!

Detections & Response

Rules Management

• JSON diff for Elastic prebuilt rule updates (Prebuilt rule customization — JSON diff [Classic] #4463).
  When Elastic updates a prebuilt detection rule, you can examine the latest version before you update to it. The rule details flyout in Rule Updates displays a side-by-side JSON comparison of the rule’s Base version (what you currently have installed) and the Update version that you can choose to install.

Detection Engine

• Alert suppression for threshold rules (Threshold rule alert suppression [Classic] #4467).
  Alert suppression now supports the threshold detection rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by a threshold rule.
• Assign users to alerts (Docs for "Alert User Assignment" feature  #4476).
  You can now assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert’s lifecycle. Assigned alerts are filterable and you can find assignees by adding the kibana.alert.workflow_assignee_ids field to the Alerts table or by opening an alert's details.

Threat Hunting

Explore

• Add features here.

Investigations

• New advanced setting for excluding cold and frozen tier data from analyzer queries (Exclude cold and frozen tiers advanced setting #4484)
• Multiple UI and UX enhancements to Timeline (Timeline autosave removed in favor of manual save  #4299, Timeline opens as a modal #4298, [ESS] Timeline docs should be updated with the new UI #4483)
  Timeline now opens as a modal, has an option to manually save changes, and has undergone significant UI changes. For example, the query builder is now collapsible, which allows you to have more space for Timeline results.
• Feature flag added for the ES|QL tab ([Request] [8.11.4 & 8.12][ESS] Document feature flag for the ES|QL Timeline tab  #4552).
  You can now remove the ES|QL tab by editing your {cloud}/ec-manage-kibana-settings.html#ec-manage-kibana-settings[{kib} user settings] and adding the xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"] feature flag.
• Default ES|QL query removed ([Request] [8.11.4 & 8.12][ESS] Remove mention of default query in the ES|QL tab docs #4578).
  The default query was removed for increased tab performance. (I'm going to follow up with Michael on this next Tuesday to see if he wants this doc'd in What's new and for specific language.)

Generative AI

• Elastic AI Assistant now supports retrieval-augmented generation (RAG) for alerts. Using this feature, you can provide information about multiple alerts to AI Assistant so that it can answer a broader scope of questions relating to alerts in your environment.

EDR Workflows/Asset Management

• Bidirectional integration response actions (SentinelOne) (Bidirectional integration response actions (SentinelOne) — Classic docs #4593).
  Powered by the SentinelOne integration for Elastic Agent, SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the Elastic Security UI.

• Event filters and endpoint exceptions support for matches and does not match conditions (Add matches capabilities to event filter creation (classic docs) #4602).
  You can now use matches and does not match conditions on more fields when configuring event filters and endpoint exceptions. Previously, only the file.path.text field was supported.

• New Osquery query timeout setting ([8.12][ESS] Document Osquery Timeout setting #4611, [DOCS] Documents Osquery Timeout setting kibana#174595).
  Allows you to set timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900.

Cloud Security

• Cloud Security Posture Management can now be deployed to entire Microsoft Azure organizations.
• The Findings page now enables you to group your data by any field, and to further customize how it is displayed.

Endpoint

• Add features here.

Protections Experience

• Add features here.

ResponseOps

• Believe these will be doc'd in Kibana's "What's new for 8.12" page.