[8.13] What's new 8.13 (backport #4979) #4990

Merged
merged 1 commit into from
Mar 26, 2024
110 changes: 71 additions & 39 deletions docs/whats-new.asciidoc
Expand Up @@ -4,106 +4,138 @@

Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.

Other versions: {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
Other versions: {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
{security-guide-all}/7.9/whats-new.html[7.9]

// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
// tag::notable-highlights[]

[float]
== Retrieval-augmented generation for alerts in Elastic AI Assistant

Elastic AI Assistant now supports {security-guide}/security-assistant.html#rag-for-alerts[retrieval-augmented generation (RAG) for alerts]. Using this feature, you can provide information about multiple alerts to AI Assistant, so that it can answer a broader scope of questions relating to alerts in your environment.

[float]
== Detection rules and alerts enhancements

The following enhancements have been added to detection rules and alerts:

[float]
=== JSON diff for Elastic prebuilt rule updates
=== Per-field diff for Elastic prebuilt rule updates

When Elastic updates a prebuilt detection rule, you can examine the latest version before you {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[update the rule]. The rule details flyout in **Rule Updates** displays a side-by-side JSON comparison of the rule's **Base version** (what you currently have installed) and the **Update version** that you can choose to install.
When examining an {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[updated Elastic prebuilt detection rule], you can now view rule changes field by field as well as in a full JSON view.

[role="screenshot"]
image::whats-new/images/8.12/prebuilt-rules-update-diff.png[Prebuilt rule comparison,80%]
image::whats-new/images/8.13/prebuilt-rules-update-diff.png[Prebuilt rule comparison, 85%]

[float]
=== Alert suppression supported for threshold rules
=== Alert suppression supported for indicator match rules

{security-guide}/alert-suppression.html[Alert suppression] now supports the threshold detection rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by a threshold rule.
{security-guide}/alert-suppression.html[Alert suppression] now supports the {security-guide}/rules-ui-create.html#create-indicator-rule[indicator match] rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by an indicator match rule.

[float]
=== Assign users to alerts
=== Refined header design for alert details flyout

You can now {security-guide}/alerts-ui-manage.html#assign-users-to-alerts[assign users to alerts] that you want them to investigate, and manage alert assignees throughout an alert's lifecycle. Assigned alerts are filterable, and you can find assignees by adding the `kibana.alert.workflow_assignee_ids` field to the Alerts table or by opening an alert's details.
The header design for the {security-guide}/view-alert-details.html[alert details flyout] has been refined to improve readability and structure. Basic alert details now appear clearer and more organized.

[role="screenshot"]
image::whats-new/images/8.12/alert-assigned-alerts.png[Alert assignees in the Alerts table,80%]
image::whats-new/images/8.13/alert-details-flyout-right-panel.png[Right panel of the alert details flyout, 75%]

[float]
== Timeline enhancements
== Persistence of Data Quality dashboard results

The following enhancements have been added to Timeline:
The {security-guide}/data-quality-dash.html[Data Quality dashboard] now retains results across sessions, ensuring continuity of information. Additionally, the dashboard now shows when each index was last checked.

[role="screenshot"]
image::whats-new/images/8.13/data-qual-dash.png[The Data Quality dashboard, 85%]

[float]
=== UI and UX enhancements to Timeline
== Visual event analyzer enhancements

{security-guide}/timelines-ui.html[Timeline] now opens as a modal, requires you to manually save changes, and has the option to save changes as a new Timeline. Additional UX improvements have been also introduced. For example, the query builder is now collapsible, which allows you to have more space for Timeline results.
The {security-guide}/visual-event-analyzer.html[Visual event analyzer] UI has been enhanced with the following functionality:

* Inline actions and a search bar to the left panel:
+
[role="screenshot"]
image::whats-new/images/8.12/timeline-ui-updated.png[Updated Timeline UI]
image::whats-new/images/8.13/event-details.png[Event details panel, 85%]

[float]
=== Feature flag added for the {esql} tab
* A date and time range picker, which allows you to analyze an event within a specific period of time:
+
[role="screenshot"]
image::whats-new/images/8.13/date-range-selection.png[The date and time range picker, 85%]

You can now remove the {security-guide}/timelines-ui.html#esql-in-timeline[**{esql}**] tab by editing your {cloud}/ec-manage-kibana-settings.html#ec-manage-kibana-settings[{kib} user settings] and adding the `xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"]` feature flag.
* A data view selector, which allows you to filter analyzed events further:
+
[role="screenshot"]
image::whats-new/images/8.13/data-view-selection.png[The data view selector, 85%]

[float]
=== Default {esql} query removed from the {esql} tab
== Response actions enhancements

The default {esql} query was removed from the **{esql}** tab, for increased tab performance.
The following enhancements have been added to response actions:

[float]
== Exclude cold and frozen tiers from analyzer queries
=== Automated response actions for host processes

You can now exclude cold and frozen tier data from visual event analyzer queries to increase analyzer performance. You can do this by turning on the `securitySolution:excludeColdAndFrozenTiersInAnalyzer` {security-guide}/advanced-settings.html#exclude-cold-frozen-tiers[advanced setting].
You can now add {elastic-defend}'s `kill-process` or `suspend-process` {security-guide}/response-actions.html[response actions] to detection rules. This allows you to automatically terminate or suspend a process on an affected host when an event meets the rule's criteria.

[role="screenshot"]
image::whats-new/images/8.12/exclude-cold-frozen-tiers.png[Advanced setting to exclude cold and frozen tiers from analyzer queries,80%]
image::whats-new/images/8.13/automated-response-actions.png[Automated response actions, 85%]

[float]
== Bidirectional integration response actions (SentinelOne)
=== Third-party response actions (SentinelOne)

Powered by the {integrations-docs}/sentinel_one[SentinelOne] integration for {agent}, SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the {elastic-sec} UI.
You can now {security-guide}/third-party-actions.html#sentinelone-response-actions[direct SentinelOne] to perform response actions on protected hosts without leaving the {elastic-sec} UI. You can isolate and release a host from detection alerts and the response console, and view third-party actions in the response actions history log.

[float]
== Event filters and endpoint exceptions support for `matches` and `does not match` conditions
== Entity Analytics enhancements

You can now use `matches` and `does not match` conditions on more fields when configuring {security-guide}/event-filters.html[event filters] and {security-guide}/add-exceptions.html[endpoint exceptions]. Previously, only the `file.path.text` field was supported.
The following enhancements have been added to Entity Analytics:

[float]
== Cloud Security enhancements
=== Asset criticality

The following enhancements have been added to Cloud Security:
You can now assign an {security-guide}/asset-criticality.html[asset criticality] level to your entities based on their importance to your organization. For example, you can assign **Extreme impact** to business-critical entities, or **Low impact** to entities that pose minimal risk to your security posture.

The risk scoring engine includes asset criticality as an input when calculating entity risk scores.

With asset criticality, you can strengthen your threat detection capabilities by focusing your alert triage, threat-hunting, and investigation activities on high-impact entities.

[role="screenshot"]
image::whats-new/images/8.13/assign-asset-criticality-host-details.png[Assign asset criticality from the host details page, 85%]

[float]
=== Organization-wide Azure deployments supported in Cloud security posture management (CSPM)
=== Enhanced host and user details flyouts

Cloud security posture management (CSPM) capabilities have been expanded to support organization-wide Azure deployments.
The redesigned {security-guide}/hosts-overview.html#host-details-flyout[host details flyout] and {security-guide}/users-page.html#user-details-flyout[user details flyout] allow you to:

* View entity risk data and all risk contributions. Expand the risk summary section to view details about the entity's risk contributions.
* View and assign asset criticality to your entities.
* View relevant entity details such as the entity ID, when the entity was first and last seen, and the associated IP addresses and operating system.

[role="screenshot"]
image::whats-new/images/8.13/host-details-flyout.png[Host details flyout, 85%]

[float]
=== Data grouping and table customization improvements on the Findings page
== Cloud Security enhancements

The Findings page now enables you to {security-guide}/cspm-findings-page.html#_group_findings[group your data by any field], and to {security-guide}/cspm-findings-page.html#cspm-customize-the-findings-table[further customize] how the page is displayed.
The following enhancements have been added to Cloud Security:

[float]
== New Osquery query timeout setting
=== Benchmark rules can be turned off

When running an Osquery query, you can now set a timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is `60`. The maximum supported value is `900`.
You can now turn individual {security-guide}/cspm-benchmark-rules.html[benchmark rules] on or off. This allows you to customize your Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) integrations to reduce noise from benchmark rules that don't apply to your environment.

[role="screenshot"]
image::whats-new/images/8.12/osquery-timeout-setting.png[Osquery query timeout setting,80%]
image::whats-new/images/8.13/benchmark-rules.png[Benchmark rules, 85%]

[float]
=== Cloud native vulnerability management (CNVM) Findings UI enhancements

The **Vulnerabilities** table on the {security-guide}/vuln-management-findings.html[Findings page] now includes improved grouping capabilities (up to three nested groupings), and more table customization options.

image::whats-new/images/8.13/cnvm-findings-grouped.png[CNVM findings grouped, 85%]

[float]
== Custom fields for cases must have a default value

When adding {security-guide}/cases-open-manage.html#cases-ui-custom-fields[custom fields] to a case, any mandatory fields must have a default value.


// end::notable-highlights[]
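Review bot: the new CNVM image line `image::whats-new/images/8.13/cnvm-findings-grouped.png[CNVM findings grouped, 85%]` is the only image in this hunk without a preceding `[role="screenshot"]` attribute line; every other screenshot in the file carries one, so it should be added for consistent rendering. Two smaller points in the same hunk: the first Visual event analyzer bullet reads "Inline actions and a search bar to the left panel:", which is missing a verb ("added to the left panel:" or "in the left panel:"), and there are two consecutive blank lines before `// end::notable-highlights[]` where the rest of the file uses one.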
Binary file added docs/whats-new/images/8.13/data-qual-dash.png
Binary file added docs/whats-new/images/8.13/event-details.png