diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index d38bdd5da4..d8c5ac7bd5 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,7 +4,7 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | 
{security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. 
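Review bot: the "Other versions" list in this hunk is a single hand-maintained line of about 25 links, so adding 8.15 rewrites the whole line and the diff cannot show which entry actually changed; consider breaking it into one version per line (AsciiDoc joins adjacent lines into one paragraph, so the rendered output is identical), after which the next release is a one-line `+{security-guide-all}/8.16/whats-new.html[8.16] |` addition. The new 8.15 entry itself follows the existing link pattern, and the trailing 7.9 context line is unchanged.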
@@ -14,143 +14,162 @@ Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide == Generative AI enhancements [float] -=== Manage Elastic AI Assistant using API +=== Improved Automatic Import capabilities -You can now interact with and manage {security-guide}/security-assistant.html[Elastic AI Assistant] using the {security-guide}/assistant-api-overview.html[Elastic AI Assistant API]. +{security-guide}/automatic-import.html[Automatic Import] can now use a larger variety of large language models and accept larger log samples in a wider range of common formats. [float] -=== Create new third-party data integrations using Automatic Import +=== Analyze more alerts with Attack Discovery -preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources. +{security-guide}/attack-discovery.html[Attack Discovery] can now analyze up to 500 alerts at once, and provides higher-quality responses. [role="screenshot"] -image::whats-new/images/8.15/auto-import-success-message.png[Automatic Import success message, 80%] +image::whats-new/images/8.16/attck-disc-alerts-number-menu.png[Attack Discovery alert settings,60%] + +[float] +=== Customize Elastic AI Assistant using Knowledge Base + +Elastic AI Assistant's new {security-guide}/ai-assistant-knowledge-base.html[Knowledge Base] feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context. This improves the relevance, quality, and customization of its responses. 
+ +[role="screenshot"] +image::whats-new/images/8.16/knowledge-base-add-index-config.png[Knowledge Base's Edit index entry menu,80%] [float] == Entity Analytics enhancements [float] -=== Automatic recalculation of entity risk score +=== Manage persisted entity metadata with entity store + +preview:[] The {security-guide}/entity-store.html[entity store] feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the {elastic-sec} default data view, the entity store lets you query entity metadata without real-time data searches. + +After you enable the entity store, the Entity Analytics dashboard displays the {security-guide}/detection-entity-dashboard.html#entity-entities[**Entities** section], which offers a comprehensive view of all hosts and users in your environment. You can filter them by their source, entity risk level, and asset criticality level. -{security-guide}/entity-risk-scoring.html[Entity risk score] is now automatically recalculated when you assign, change, or unassign an individual entity's {security-guide}/asset-criticality.html[asset criticality] level. +[role="screenshot"] +image::whats-new/images/8.16/entities-section.png[Entities section of the Entity Analytics dashboard] [float] -=== Manage asset criticality using API +=== Asset criticality is available by default -You can now manage {security-guide}/asset-criticality.html[asset criticality] using the {security-guide}/asset-criticality-api-overview.html[asset criticality API]. +The advanced setting for enabling {security-guide}/asset-criticality.html[asset criticality] has been removed, and this feature is now available by default. 
[float] -== Detection rules and alerts enhancements +=== Run entity risk scoring in multiple spaces + +You can now enable and run {security-guide}/entity-risk-scoring.html[entity risk scoring] in multiple {kib} spaces. This allows you to analyze and monitor entity risk in different contexts simultaneously. [float] -=== Edit fields for detection rules +=== Recalculate entity risk scores after file upload -You can now edit these fields for user-created {security-guide}/rules-ui-create.html[custom rules]: +When you {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] using the file upload feature, the newly assigned criticality levels are automatically factored in during the next hourly risk scoring calculation. You can now manually trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now** during the file upload process. -* **Max alerts per run**: Specify the maximum number of alerts a rule can create each time it runs. -+ [role="screenshot"] -image::whats-new/images/8.15/max-alerts-per-run.png[The Max alerts per run field highlighted in the Create new rule UI] +image::whats-new/images/8.16/recalc-ers.png[Recalculate entity risk scores] -* **Required fields**: Create an informational list of fields that a rule requires to function. +[float] +== Detection rules and alerts enhancements + +[float] +=== Enable prebuilt detection rules on installation + +Previously, {security-guide}/prebuilt-rules-management.html#load-prebuilt-rules[installing and enabling prebuilt rules] took two steps. You can now do both in one step with the **Install and enable** option. This works for both single and multiple rules. -* **Related integrations**: Create an informational list of one or more Elastic integrations associated with a rule. 
-+ [role="screenshot"] -image::whats-new/images/8.15/required-fields-related-integrations.png[The Required fields and Related integrations fields highlighted in the Create new rule UI] +image::whats-new/images/8.16/install-enable-rules.png[Install and enable rules, 80%] [float] -=== Suppress alerts for {ml} and {esql} rules +=== Run rules manually + +{security-guide}/rules-ui-management.html#manually-run-rules[Manually run rules] for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the **Execution results** tab of the rule details page. -{security-guide}/alert-suppression.html[Alert suppression] now supports the {ml} and {esql} rule types. You can use it to reduce the number of repeated or duplicate detection alerts generated from {ml} and {esql} rules. +[role="screenshot"] +image::whats-new/images/8.16/manual-rule-run-table.png[Manual rule run table] [float] -=== Use AI Assistant when writing rule queries +=== Exclude cold and frozen data from rule execution -When creating rules, you can now use AI Assistant to improve rule queries or to quickly correct them. +Rules that query cold and frozen data tiers might perform more slowly. To {security-guide}/exclude-cold-frozen-data-individual-rules.html[exclude query results from cold and frozen tiers], add a Query DSL filter that ignores cold and frozen documents when executing. This can help {es} exclude cold and frozen data more efficiently. [float] -=== Bulk update custom highlighted fields for rules +=== View {es} queries that run during rule execution -Bulk add or remove {security-guide}/rules-ui-create.html#rule-ui-advanced-params[custom highlighted fields] for multiple detection rules. +When previewing a rule, you can also {security-guide}/rules-ui-create.html#view-rule-es-queries[learn about its {es} queries], which are submitted when the rule runs. 
This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for {esql} and EQL rules only. [float] -=== Preview entities and alerts in the alert details flyout +=== Alert suppression is generally available for more rule types -You can now preview host and user details from the **Insights** tab of the {security-guide}/view-alert-details.html[alert details flyout] instead of going to the **Hosts** or **Users** pages for more information. From the **Correlations** tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them. +{security-guide}/alert-suppression.html[Alert suppression] is generally available for the indicator match, threshold, {ml}, {esql}, and new terms rule types. It is still in technical preview for event correlation rules. [float] -=== Expandable alert details flyout enabled by default - -The expandable alert details flyout is now enabled by default in multiple places throughout the {security-app}. +== Investigations enhancements [float] -== Improvements to the Timeline data exploration experience +=== Add notes to alerts, events, and Timelines -Several improvements have been made to enhance your data exploration experience in Timeline: +You can now attach {security-guide}/add-manage-notes.html[notes] to alerts, events, and Timelines, and manage them from the **Notes** page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. -- Multiple components from Discover have been incorporated, such as the sidebar and table, which allow you to quickly find fields of interest. 
-+ [role="screenshot"] -image::whats-new/images/8.15/timeline-sidebar-and-table.png[Example Timeline with the sidebar highlighted] +image::whats-new/images/8.16/new-note-alert-event.png[New note added to an alert] -- You can now toggle row renderers, which allow you to easily add or remove context from events. -+ -[role="screenshot"] -image::whats-new/images/8.15/timeline-ui-renderer.png[Example Timeline with the event renderer highlighted] +[float] +=== View analyzed events from the alert details flyout + +preview:[] By enabling the new `securitySolution:enableVisualizationsInFlyout` advanced setting, you can {security-guide}/view-alert-details.html#expanded-visualizations-view[view analyzed alerts and events] in the **Visualize** tab of the alert details flyout. This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events. -- Notes are easier to add and track from the new Notes flyout. -+ [role="screenshot"] -image::whats-new/images/8.15/timeline-notes-flyout.png[Example Timeline with the notes flyout highlighted] +image::whats-new/images/8.16/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] [float] -== Response actions enhancements +=== Resize alert and event details flyouts -[float] -=== Scan files and folders for malware +You can now resize the alert and event details flyouts and choose how they're displayed—over the Alerts table or next to it. + +[role="screenshot"] +image::whats-new/images/8.16/flyout-settings.gif[Change alert details flyout settings] -{elastic-defend}'s new {security-guide}/response-actions.html#_scan[`scan` response action] lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your {elastic-defend} integration policy. 
+[float] +== {elastic-defend} and response actions enhancements [float] -=== Isolate and release CrowdStrike-enrolled hosts +=== More SentinelOne third-party response actions -Using Elastic's CrowdStrike integration and connector, you can now perform {security-guide}/third-party-actions.html#crowdstrike-response-actions[response actions] on hosts enrolled in CrowdStrike's endpoint protection system. These actions are available in this release: +Additional third-party response actions are available using Elastic's {security-guide}/third-party-actions.html#sentinelone-response-actions[SentinelOne] integration and connector: -* Isolate a host from the network -* Release an isolated host +* Get processes +* Terminate a process [float] -=== Retrieve files from SentinelOne-enrolled hosts +=== {elastic-defend}'s automated response actions support all rule types + +You can now configure any detection rule type to perform {elastic-defend}'s {security-guide}/automated-response-actions.html[automated response actions]. -Using Elastic's SentinelOne integration and connector, you can now {security-guide}/third-party-actions.html#sentinelone-response-actions[retrieve files] from SentinelOne-enrolled hosts and download them through {elastic-sec}. +//// +Commenting out until docs are ready [float] -== Filter out process descendants +=== New rules for {elastic-defend}'s endpoint protection features -Create an {security-guide}/event-filters.html[event filter] that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the amount of events ingested into {elastic-sec}. +New prebuilt rules tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior—allow you to configure actions tailored for detection or prevention of each type. 
[role="screenshot"] -image::whats-new/images/8.15/event-filter-process-descendants.png[Add event filter flyout, 70%] +image::whats-new/images/8.16/endpoint-protection-rules.png[Endpoint protection rules] +//// [float] -== Cases enhancements +== Cloud Security enhancements [float] -=== Introducing case templates +=== Ingest third-party cloud security data -preview:[] {kib} cases offer a new powerful capability to enhance your analyst teams' efficiency with {security-guide}/cases-manage-settings.html#cases-templates[templates]. You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces resolution time. +You can now {security-guide}/ingest-third-party-cloud-security-data.html[ingest cloud security data] from several third-party sources—Falco, AWS Security Hub, and Wiz—into {elastic-sec}. The data appears on the **Alerts** and **Findings** pages, and in the user and host details flyouts. [role="screenshot"] -image::whats-new/images/8.15/cases-add-template.png[Add a template in case settings, 80%] +image::whats-new/images/8.16/wiz-findings.png[Wiz data on the Findings page] [float] -=== Case custom fields generally available +=== Simplify posture data collection with agentless Cloud Security Posture Management deployment -In 8.11, {security-guide}/cases-manage-settings.html#cases-ui-custom-fields[custom fields] were added to cases, and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases. +Elastic's native {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers. 
-[role="screenshot"] -image::whats-new/images/8.15/cases-add-custom-field.png[Add a custom field in case settings] // end::notable-highlights[] diff --git a/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png b/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png new file mode 100644 index 0000000000..bcbb57ccce Binary files /dev/null and b/docs/whats-new/images/8.16/attck-disc-alerts-number-menu.png differ diff --git a/docs/whats-new/images/8.16/endpoint-protection-rules.png b/docs/whats-new/images/8.16/endpoint-protection-rules.png new file mode 100644 index 0000000000..9c1627472d Binary files /dev/null and b/docs/whats-new/images/8.16/endpoint-protection-rules.png differ diff --git a/docs/whats-new/images/8.16/entities-section.png b/docs/whats-new/images/8.16/entities-section.png new file mode 100644 index 0000000000..9bb4c5338d Binary files /dev/null and b/docs/whats-new/images/8.16/entities-section.png differ diff --git a/docs/whats-new/images/8.16/flyout-settings.gif b/docs/whats-new/images/8.16/flyout-settings.gif new file mode 100644 index 0000000000..4de1a03c50 Binary files /dev/null and b/docs/whats-new/images/8.16/flyout-settings.gif differ diff --git a/docs/whats-new/images/8.16/install-enable-rules.png b/docs/whats-new/images/8.16/install-enable-rules.png new file mode 100644 index 0000000000..797ecbf897 Binary files /dev/null and b/docs/whats-new/images/8.16/install-enable-rules.png differ diff --git a/docs/whats-new/images/8.16/knowledge-base-add-index-config.png b/docs/whats-new/images/8.16/knowledge-base-add-index-config.png new file mode 100644 index 0000000000..3fcb91977b Binary files /dev/null and b/docs/whats-new/images/8.16/knowledge-base-add-index-config.png differ diff --git a/docs/whats-new/images/8.16/manual-rule-run-table.png b/docs/whats-new/images/8.16/manual-rule-run-table.png new file mode 100644 index 0000000000..ddacb233e2 Binary files /dev/null and b/docs/whats-new/images/8.16/manual-rule-run-table.png differ 
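Review bot: the "New rules for {elastic-defend}'s endpoint protection features" section is wrapped in a `////` comment block ("Commenting out until docs are ready"), yet the same change adds its screenshot `docs/whats-new/images/8.16/endpoint-protection-rules.png` as a new binary file, so the image ships unreferenced; either leave the image out until the section is uncommented, or put a TODO with the tracking reference next to the comment so the block is not forgotten at release time. Two smaller points in the same hunk: the Automatic Import heading drops the `preview:[]` marker that the 8.15 text carried, but the replacement sentence ("can now use a larger variety of large language models...") says nothing about the feature reaching general availability, so confirm the tag removal is intentional rather than an oversight; and in "Exclude cold and frozen data from rule execution" the last two sentences repeat each other ("add a Query DSL filter that ignores cold and frozen documents when executing. This can help {es} exclude cold and frozen data more efficiently."), which could be collapsed into one sentence saying that the filter lets {es} skip those tiers at query time.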
diff --git a/docs/whats-new/images/8.16/new-note-alert-event.png b/docs/whats-new/images/8.16/new-note-alert-event.png new file mode 100644 index 0000000000..33e47fd17e Binary files /dev/null and b/docs/whats-new/images/8.16/new-note-alert-event.png differ diff --git a/docs/whats-new/images/8.16/recalc-ers.png b/docs/whats-new/images/8.16/recalc-ers.png new file mode 100644 index 0000000000..d498799f18 Binary files /dev/null and b/docs/whats-new/images/8.16/recalc-ers.png differ diff --git a/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif b/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif new file mode 100644 index 0000000000..487f87c74a Binary files /dev/null and b/docs/whats-new/images/8.16/visualize-tab-lp-alert-details.gif differ diff --git a/docs/whats-new/images/8.16/wiz-findings.png b/docs/whats-new/images/8.16/wiz-findings.png new file mode 100644 index 0000000000..4a5c2ea60b Binary files /dev/null and b/docs/whats-new/images/8.16/wiz-findings.png differ