Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

What's new in 8.17 (backport #6286) #6308

Merged
merged 1 commit into from
Dec 12, 2024
Merged

What's new in 8.17 (backport #6286) #6308

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
156 changes: 10 additions & 146 deletions docs/whats-new.asciidoc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,172 +4,36 @@

Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.

Other versions: {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
Other versions: {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
{security-guide-all}/7.9/whats-new.html[7.9]

// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
// tag::notable-highlights[]

[float]
== Generative AI enhancements

[float]
=== Improved Automatic Import capabilities

{security-guide}/automatic-import.html[Automatic Import] can now use a larger variety of large language models and accept larger log samples in a wider range of common formats.

[float]
=== Analyze more alerts with Attack Discovery

{security-guide}/attack-discovery.html[Attack Discovery] can now analyze up to 500 alerts at once, and provides higher-quality responses.

[role="screenshot"]
image::whats-new/images/8.16/attck-disc-alerts-number-menu.png[Attack Discovery alert settings,60%]

[float]
=== Customize Elastic AI Assistant using Knowledge Base

Elastic AI Assistant's new {security-guide}/ai-assistant-knowledge-base.html[Knowledge Base] feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context. This improves the relevance, quality, and customization of its responses.

[role="screenshot"]
image::whats-new/images/8.16/knowledge-base-add-index-config.png[Knowledge Base's Edit index entry menu,80%]

[float]
== Entity Analytics enhancements

[float]
=== Manage persisted entity metadata with entity store

preview:[] The {security-guide}/entity-store.html[entity store] feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the {elastic-sec} default data view, the entity store lets you query entity metadata without real-time data searches.

After you enable the entity store, the Entity Analytics dashboard displays the {security-guide}/detection-entity-dashboard.html#entity-entities[**Entities** section], which offers a comprehensive view of all hosts and users in your environment. You can filter them by their source, entity risk level, and asset criticality level.

[role="screenshot"]
image::whats-new/images/8.16/entities-section.png[Entities section of the Entity Analytics dashboard]

[float]
=== Asset criticality is available by default

The advanced setting for enabling {security-guide}/asset-criticality.html[asset criticality] has been removed, and this feature is now available by default.

[float]
=== Run entity risk scoring in multiple spaces

You can now enable and run {security-guide}/entity-risk-scoring.html[entity risk scoring] in multiple {kib} spaces. This allows you to analyze and monitor entity risk in different contexts simultaneously.

[float]
=== Recalculate entity risk scores after file upload

When you {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] using the file upload feature, the newly assigned criticality levels are automatically factored in during the next hourly risk scoring calculation. You can now manually trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now** during the file upload process.

[role="screenshot"]
image::whats-new/images/8.16/recalc-ers.png[Recalculate entity risk scores]

[float]
== Detection rules and alerts enhancements

[float]
=== Enable prebuilt detection rules on installation

Previously, {security-guide}/prebuilt-rules-management.html#load-prebuilt-rules[installing and enabling prebuilt rules] took two steps. You can now do both in one step with the **Install and enable** option. This works for both single and multiple rules.

[role="screenshot"]
image::whats-new/images/8.16/install-enable-rules.png[Install and enable rules, 80%]

[float]
=== Run rules manually

{security-guide}/rules-ui-management.html#manually-run-rules[Manually run rules] for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the **Execution results** tab of the rule details page.

[role="screenshot"]
image::whats-new/images/8.16/manual-rule-run-table.png[Manual rule run table]

[float]
=== Exclude cold and frozen data from rules

Rules that query cold and frozen data tiers might perform more slowly or fail. To ensure that the rules in your {kib} space exclude query results from cold and frozen tiers when executing, configure the `excludedDataTiersForRuleExecution` <<exclude-cold-frozen-data-rule-executions,advanced setting>>.

[float]
=== View {es} queries that run during rule execution

When previewing a rule, you can also {security-guide}/rules-ui-create.html#view-rule-es-queries[learn about its {es} queries], which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for {esql} and EQL rules only.

[float]
=== Alert suppression is generally available for more rule types

{security-guide}/alert-suppression.html[Alert suppression] is generally available for the indicator match, threshold, {ml}, {esql}, and new terms rule types. It is still in technical preview for event correlation rules.

[float]
== Investigations enhancements

[float]
=== Add notes to alerts, events, and Timelines

You can now attach {security-guide}/add-manage-notes.html[notes] to alerts, events, and Timelines, and manage them from the **Notes** page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings.

[role="screenshot"]
image::whats-new/images/8.16/new-note-alert-event.png[New note added to an alert]

[float]
=== View analyzed events from the alert details flyout

preview:[] By enabling the new `securitySolution:enableVisualizationsInFlyout` advanced setting, you can {security-guide}/view-alert-details.html#expanded-visualizations-view[view analyzed alerts and events] in the **Visualize** tab of the alert details flyout. This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events.

[role="screenshot"]
image::whats-new/images/8.16/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%]

[float]
=== Resize alert and event details flyouts

You can now resize the alert and event details flyouts and choose how they're displayed—over the Alerts table or next to it.

[role="screenshot"]
image::whats-new/images/8.16/flyout-settings.gif[Change alert details flyout settings]

[float]
== {elastic-defend} and response actions enhancements

[float]
=== More SentinelOne third-party response actions
=== Logsdb index mode with detection rules and alerts

Additional third-party response actions are available using Elastic's {security-guide}/third-party-actions.html#sentinelone-response-actions[SentinelOne] integration and connector:
The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] to learn how it can impact your rules and alerts.

* Get processes
* Terminate a process
NOTE: To use the {ref}/mapping-source-field.html#synthetic-source[synthetic `_source`] feature, you must have the appropriate subscription. Refer to the subscription page for https://www.elastic.co/subscriptions/cloud[{ecloud}] and {subscriptions}[{stack}/self-managed] for the breakdown of available features and their associated subscription tiers.

[float]
=== {elastic-defend}'s automated response actions support all rule types
=== Suppress alerts for EQL sequence rules

You can now configure any detection rule type to perform {elastic-defend}'s {security-guide}/automated-response-actions.html[automated response actions].

////
Commenting out until docs are ready
{security-guide}/alert-suppression.html[Alert suppression] now supports the EQL sequence rule type. You can use it to reduce the number of repeated or duplicate detection alerts generated from EQL sequence rules.

[float]
=== New rules for {elastic-defend}'s endpoint protection features

New prebuilt rules tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior—allow you to configure actions tailored for detection or prevention of each type.
== Signature option available for macOS trusted applications conditions

[role="screenshot"]
image::whats-new/images/8.16/endpoint-protection-rules.png[Endpoint protection rules]
////
When adding a {security-guide}/trusted-apps-ov.html[trusted application] for macOS, you can now specify conditions based on the application's digital signer—previously only available on Windows.

[float]
== Cloud Security enhancements

[float]
=== Ingest third-party cloud security data

You can now {security-guide}/ingest-third-party-cloud-security-data.html[ingest cloud security data] from several third-party sources—Falco, AWS Security Hub, and Wiz—into {elastic-sec}. The data appears on the **Alerts** and **Findings** pages, and in the user and host details flyouts.

[role="screenshot"]
image::whats-new/images/8.16/wiz-findings.png[Wiz data on the Findings page]

[float]
=== Simplify posture data collection with agentless Cloud Security Posture Management deployment

Elastic's native {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers.
== Cases action is generally available

The {kibana-ref}/cases-action-type.html[Cases action] feature, first introduced in 8.14, is moving from technical preview to general availability. Use this action to automatically create cases from rules.


// end::notable-highlights[]
Loading