[8.15] What's new 8.15 (backport #5667) #5687

Merged
merged 2 commits into from
Aug 8, 2024
123 changes: 77 additions & 46 deletions docs/whats-new.asciidoc
@@ -4,7 +4,7 @@

Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.

Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
{security-guide-all}/7.9/whats-new.html[7.9]

// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
@@ -13,114 +13,145 @@ Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide
[float]
== Generative AI enhancements

[float]
=== Manage Elastic AI Assistant using API

You can now interact with and manage {security-guide}/security-assistant.html[Elastic AI Assistant] using the Elastic AI Assistant API.
// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API]

[float]
=== Attack Discovery
=== Create new third-party data integrations using Automatic Import

{security-guide}/attack-discovery.html[Attack discovery] is a new AI-powered tool that identifies potential attacks and maps connections between alerts to the MITRE ATT&CK® matrix, helping you to fight alert fatigue and reduce your mean time to respond.
preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources.

[role="screenshot"]
image::whats-new/images/8.14/attack-discovery-full-card.png[Attack discovery detail view]
image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%]

[float]
=== Redesigned Elastic AI Assistant UI

{security-guide}/security-assistant.html[Elastic AI Assistant] for {elastic-sec} has a redesigned user interface that uses a flyout instead of a popup, aligning it with standard {kib} design patterns. Also, when using OpenAI models, AI Assistant can now "stream" responses, rendering word-by-word rather than appearing as complete text blocks, providing a more conversational experience.
== Entity Analytics enhancements

[float]
== Entity Analytics enhancements
=== Automatic recalculation of entity risk score

{security-guide}/entity-risk-scoring.html[Entity risk score] is now automatically recalculated when you assign, change, or unassign an individual entity's {security-guide}/asset-criticality.html[asset criticality] level.

[float]
=== Asset criticality file upload
=== Manage asset criticality using API

You can {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] to multiple entities at a time by importing a text file from your asset management tools. This feature allows you to quickly and easily import a list of entities and their asset criticality levels into the {security-app}.
You can now manage {security-guide}/asset-criticality.html[asset criticality] using the {security-guide}/asset-criticality-api-overview.html[asset criticality API].

[role="screenshot"]
image::whats-new/images/8.14/asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%]
[float]
== Detection rules and alerts enhancements

[float]
=== Unassign asset criticality
=== Edit fields for detection rules

You can now edit these fields for user-created {security-guide}/rules-ui-create.html[custom rules]:

* **Max alerts per run**: Specify the maximum number of alerts a rule can create each time it runs.
+
[role="screenshot"]
image::whats-new/images/8.15/max-alerts-per-run.png[The Max alerts per run field highlighted in the Create new rule UI]

You can unassign {security-guide}/asset-criticality.html[asset criticality] from a host or user if the criticality level is no longer known, or the currently assigned level is incorrect.
* **Required fields**: Create an informational list of fields that a rule requires to function.

* **Related integrations**: Create an informational list of one or more Elastic integrations associated with a rule.
+
[role="screenshot"]
image::whats-new/images/8.14/unassign-criticality.png[Unassign asset criticality, 50%]
image::whats-new/images/8.15/required-fields-related-integrations.png[The Required fields and Related integrations fields highlighted in the Create new rule UI]

[float]
=== Risk scoring engine processes up to 10,000 alerts per entity
=== Suppress alerts for {ml} and {esql} rules

When calculating {security-guide}/entity-risk-scoring.html[entity risk scores], the risk scoring engine now takes into account a maximum of 10,000 alerts per entity. This ensures that the engine remains operational in environments with extremely large data volume.
{security-guide}/alert-suppression.html[Alert suppression] now supports the {ml} and {esql} rule types. You can use it to reduce the number of repeated or duplicate detection alerts generated from {ml} and {esql} rules.

[float]
=== Access the entity details flyout from the Entity Analytics dashboard
=== Use AI Assistant when writing rule queries

Clicking on a specific host or user name in the {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] now opens the host or user details flyout instead of the host or user details page. This allows you to access entity metadata and risk score information without navigating away from the dashboard.
When creating rules, you can now use AI Assistant to improve rule queries or to quickly correct them.

[float]
=== Entity details flyout shows contribution scores per alert
=== Bulk update custom highlighted fields for rules

The **Risk contributions** section of the {security-guide}/hosts-overview.html#host-details-flyout[entity details flyout] now shows the top 10 alerts that contributed to the latest risk scoring calculation and each alert's contribution score. This makes each entity's risk score easier to understand and gives better insight into which alerts you should investigate at the entity level.
Bulk add or remove {security-guide}/rules-ui-create.html#rule-ui-advanced-params[custom highlighted fields] for multiple detection rules.

[role="screenshot"]
image::whats-new/images/8.14/contribution-scores-per-alert.png[Contribution scores for top 10 alerts, 90%]
[float]
=== Preview entities and alerts in the alert details flyout

You can now preview host and user details from the **Insights** tab of the {security-guide}/view-alert-details.html[alert details flyout] instead of going to the **Hosts** or **Users** pages for more information. From the **Correlations** tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them.

[float]
== Detection rules and alerts enhancements
=== Expandable alert details flyout enabled by default

The expandable alert details flyout is now enabled by default in multiple places throughout the {security-app}.

[float]
=== Value list improvements
== Improvements to the Timeline data exploration experience

You can now {security-guide}/value-lists-exceptions.html#edit-value-lists[edit value lists] from the UI, wherever you use them. For example, you can now add items to a value list while creating a rule exception that references that value list.
Several improvements have been made to enhance your data exploration experience in Timeline:

- Multiple components from Discover have been incorporated, such as the sidebar and table, which allow you to quickly find fields of interest.
+
[role="screenshot"]
image::whats-new/images/8.14/edit-value-lists.png[Edit items in a value list, 90%]
image::whats-new/images/8.15/timeline-sidebar-and-table.png[Example Timeline with the sidebar highlighted]

[float]
=== Add ES|QL fields as custom highlighted fields
- You can now toggle row renderers, which allow you to easily add or remove context from events.
+
[role="screenshot"]
image::whats-new/images/8.15/timeline-ui-renderer.png[Example Timeline with the event renderer highlighted]

When adding custom highlighted fields to an {esql} rule, you can now {security-guide}/rules-ui-create.html#custom-highlighted-esql-fields[specify any fields returned by the rule's query]. This allows you to surface fields that contain useful information for investigating alerts.
- Notes are easier to add and track from the new Notes flyout.
+
[role="screenshot"]
image::whats-new/images/8.15/timeline-notes-flyout.png[Example Timeline with the notes flyout highlighted]

[float]
=== Editable setup guide field for detection rules
== Response actions enhancements

You can now {security-guide}/rules-ui-create.html#rule-ui-advanced-params[edit the **Setup guide** field] for user-created custom rules. Use this informational field to list rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
[float]
=== Scan files and folders for malware

[role="screenshot"]
image::whats-new/images/8.14/setup-guide-field.png[Setup guide field]
{elastic-defend}'s new {security-guide}/response-actions.html#_scan[`scan` response action] lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your {elastic-defend} integration policy.

[float]
=== Alert suppression improvements
=== Isolate and release CrowdStrike-enrolled hosts

Using Elastic's CrowdStrike integration and connector, you can now perform {security-guide}/third-party-actions.html#crowdstrike-response-actions[response actions] on hosts enrolled in CrowdStrike's endpoint protection system. These actions are available in this release:

In 8.14, we've moved {security-guide}/alert-suppression.html[alert suppression] for custom query rules from technical preview to generally available. We've also added alert suppression to event correlation rules (non-sequence queries only) and new terms rules.
* Isolate a host from the network
* Release an isolated host

[float]
== {elastic-defend} enhancements
=== Retrieve files from SentinelOne-enrolled hosts

Using Elastic's SentinelOne integration and connector, you can now {security-guide}/third-party-actions.html#sentinelone-response-actions[retrieve files] from SentinelOne-enrolled hosts and download them through {elastic-sec}.

[float]
=== New malware file scanning options
== Filter out process descendants

When configuring {security-guide}/configure-endpoint-integration-policy.html#malware-protection[malware protection], you can choose whether {elastic-defend} scans files when they're modified or executed. This can improve performance on hosts where files are frequently modified, while continuing to identify malware as it attempts to run.
Create an {security-guide}/event-filters.html[event filter] that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the amount of events ingested into {elastic-sec}.

[role="screenshot"]
image::whats-new/images/8.14/malware-protection.png[Malware protection section, 80%]
image::whats-new/images/8.15/event-filter-process-descendants.png[Add event filter flyout, 70%]

[float]
== Cases enhancements

[float]
=== Automatically register {elastic-defend} as antivirus
=== Introducing case templates

If you're using {elastic-defend}'s malware protection, you can now automatically {security-guide}/configure-endpoint-integration-policy.html#register-as-antivirus[register {elastic-defend} as the antivirus software] for Windows endpoints.
preview:[] {kib} cases offer a new powerful capability to enhance your analyst teams' efficiency with {security-guide}/cases-manage-settings.html#cases-templates[templates]. You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces resolution time.

[role="screenshot"]
image::whats-new/images/8.14/register-as-antivirus.png[Register as antivirus section, 80%]
image::whats-new/images/8.15/cases-add-template.png[Add a template in case settings, 80%]

[float]
== Cloud Security Posture Management support for AWS GovCloud

Elastic's {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports AWS GovCloud so you can monitor and track how your GovCloud clusters perform against security benchmarks.
=== Case custom fields generally available

In 8.11, {security-guide}/cases-manage-settings.html#cases-ui-custom-fields[custom fields] were added to cases, and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases.

[role="screenshot"]
image::whats-new/images/8.15/cases-add-custom-field.png[Add a custom field in case settings]


// end::notable-highlights[]
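Review bot: the `=== Manage Elastic AI Assistant using API` section ships with only a comment (`// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API]`) where the link should be, so the rendered 8.15 page names the API without linking to it; either add that link in the sentence now (the asset criticality entry in the same hunk already links its API page with `{security-guide}/asset-criticality-api-overview.html[asset criticality API]`) or track the placeholder in a follow-up so it is not forgotten on the release branch. Two smaller points: the `scan` response action links to `{security-guide}/response-actions.html#_scan`, an auto-generated Asciidoctor anchor that changes whenever the target heading text changes, so an explicit anchor on that heading would be more robust; and because this rendering has no +/- markers, please confirm that `[float]` sits directly above `== Entity Analytics enhancements` with no blank line between them, since AsciiDoc only applies the attribute when it immediately precedes the heading. Finally, `== Filter out process descendants` is a single-feature entry at the same level as the category headings around it (`== Response actions enhancements`, `== Cases enhancements`); consider keeping an `== {elastic-defend} enhancements` heading and nesting it as `=== Filter out process descendants` like the other feature entries.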