Description
Please add your features and enhancements for 8.16. Don't forget to include the related PR link!
Detections & Response
Rules Management
- Enable prebuilt detection rules on installation (New option to install and enable rules in one step #6051)
Previously, installing and enabling prebuilt rules took two steps. Users can now do both in one step with the Install and enable option. This works for both single rules and multiple rules that the user selects.
Detection Engine
- Manual rule runs ([8.16] Manual rule run docs #5631 and [Request][Serverless][8.16] Document the new kibana.alert.rule.execution.type field being added for manual runs #5940)
Manually run rules for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the Execution results tab of the rule details page. Alerts generated from manual rule runs have the kibana.alert.rule.execution.type: manual field-value pair in the alert document.
- New advanced setting that allows you to exclude cold and frozen data from rule execution ([8.16] Filtering out cold and frozen data tiers during rule execution #5849 and [8.16] Updates docs for and related to the excludedDataTiersForRuleExecution advanced setting #5962, which is still in progress)
Rules that query cold and frozen data tiers might perform more slowly. To exclude query results from cold and frozen tiers, add a Query DSL filter that ignores cold and frozen documents when executing. This can help Elasticsearch exclude cold and frozen data more efficiently.
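The mechanism behind the tier exclusion, as an added example that is not Kibana's own code: it assumes Elasticsearch's `_tier` metadata field (which names the data tier an index currently lives on) and that the setting holds tier names such as data_cold and data_frozen; the function names are hypothetical.

```python
# Added illustration of the Query DSL filter a "skip cold and frozen tiers"
# setting adds around a rule's query. Assumes the `_tier` metadata field
# exists on every document, with values data_hot, data_warm, data_cold or
# data_frozen. Not Kibana's implementation.

# Tier names Elasticsearch recognises for the `_tier` field (assumption).
VALID_TIERS = {"data_hot", "data_warm", "data_cold", "data_frozen"}


def invalid_tiers(excluded_tiers):
    """Return the configured names that are not valid data tiers, sorted.

    A misspelt tier name would silently exclude nothing, so a defender
    wants this checked before the filter is applied.
    """
    return sorted(set(excluded_tiers) - VALID_TIERS)


def exclude_tiers_filter(excluded_tiers):
    """Build the must_not clause that drops documents on the given tiers."""
    bad = invalid_tiers(excluded_tiers)
    if bad:
        raise ValueError(f"unknown data tier(s): {bad}")
    return {"terms": {"_tier": sorted(set(excluded_tiers))}}


def wrap_rule_query(rule_query, excluded_tiers):
    """Combine the rule's own query with the tier exclusion.

    With no tiers configured the query is returned unchanged, which matches
    the default behaviour before the advanced setting is populated.
    """
    if not excluded_tiers:
        return rule_query
    return {
        "bool": {
            "filter": [rule_query],
            "must_not": [exclude_tiers_filter(excluded_tiers)],
        }
    }


if __name__ == "__main__":
    import json
    # Constructed sample: a custom query rule matching process events.
    rule = {"term": {"event.category": "process"}}
    print(json.dumps(wrap_rule_query(rule, ["data_cold", "data_frozen"]), indent=2))
```

Only documents whose index is currently on an excluded tier are dropped; an index that later migrates from warm to cold through its lifecycle policy stops matching without any rule change.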
- View Elasticsearch queries that run during rule execution ([Serverless][8.16] Logs request during preview rule execution #5871)
When previewing a rule, you can also learn about its Elasticsearch queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for ES|QL and EQL rules only.
- Alert suppression is generally available for the indicator match, threshold, machine learning, ES|QL, and New Terms rule types ([Request][Serverless][8.16] GA-ing alert suppression for IM rule, Threshold rule, ML rule, ES|QL rule and New Terms rule #5926)
Alert suppression is generally available for the indicator match, threshold, machine learning, ES|QL, and New Terms rule types. It is still in technical preview for event correlation rules.
Threat Hunting
Explore
- Add features here
Investigations
- More ways to add notes ([Serverless][8.16] Notes docs #6006)
In 8.16, you can now attach notes to alerts, events, and Timelines and manage them from the Notes page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings.
- New advanced setting that allows you to view analyzed events from the alert details flyout ([Request][Serverless][8.16] Visualizations in alert flyout - technical preview + advanced setting #5963)
Now, after enabling the new securitySolution:enableVisualizationsInFlyout advanced setting, you can view analyzed alerts and events in the Visualize tab of the alert details flyout. This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events.
- Resizable alert and event details flyouts (PR pending)
You can now resize the alert and event details flyouts and choose how they're displayed (over the Alerts table or next to it).
Entity Analytics
- Entity store ([8.16] Adds entity store docs #6053)
The entity store feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the Elastic Security default data view, the entity store lets you query entity metadata without real-time data searches.
After you enable the entity store, the Entity Analytics dashboard displays the Entities section, which offers a comprehensive view of your entities. Here, you can view all hosts and users in your environment, and filter them by their source, entity risk level, and asset criticality level.
- Asset criticality available by default (Asset criticality advanced setting removed #5991)
The asset criticality advanced setting has been removed, meaning that asset criticality is now available by default.
- Entity risk scoring available in multiple spaces (Entity risk scoring available in multiple Kibana spaces #5931)
You can now enable and run entity risk scoring in multiple Kibana spaces.
- Risk scoring recalculation after file upload (Risk scoring recalculation after file upload #5924)
When you bulk assign asset criticality using the file upload feature, the newly assigned criticality levels are factored in during the next hourly risk scoring calculation. You can now manually trigger an immediate recalculation of entity risk scores by clicking Recalculate entity risk scores now.
Generative AI
- Automatic Import can now use a larger variety of large language models, and can accept larger log samples in a wider range of common formats ([8.16] Updates automatic import guide #6064)
- Attack Discovery can now analyze up to 500 alerts at once, and provides higher-quality responses ([8.16] Attack Discovery updates #6013)
- Elastic AI Assistant's new Knowledge Base feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context to improve the quality and customization of its responses ([8.16] Adds Knowledge Base page and updates AI Assistant doc #6040)
EDR Workflows/Asset Management
- SentinelOne third-party response actions (SentinelOne bidirectional processes, kill-process, and detection rule updates [ESS] #5735)
Additional third-party response actions are available using Elastic’s SentinelOne integration and connector:
  - Get processes
  - Terminate a process
- Elastic Defend’s automated response actions support all rule types (Supported rule types for automated response actions #6050, New rule types support automated response actions #5797)
(Docs still in progress. An earlier PR added support to a few rule types, and then a later update includes all rule types.)
You can now configure any detection rule type to perform Elastic Defend's automated response actions.
- New rules for Elastic Defend's endpoint protection features (issue: [Request] 8 New Endpoint Security rules #5993)
(Docs still in progress.)
New prebuilt rules tailored for each of Elastic Defend's endpoint protection features — malware, ransomware, memory threats, and malicious behavior — allow you to configure actions tailored for detection or prevention of each type.
Cloud Security
- Cloud security data from several third-party sources — Falco, AWS Security Hub, and Wiz — can now be ingested into Elastic Security and appears on the Alerts and Findings pages, and on the User and Host details flyouts ([8.16] [Cloud Security] Third-party cloud data #6046)
- Elastic's native Cloud Security Posture Management (CSPM) integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers ([8.16] Updates CSPM guides to include agentless option #5863)
Endpoint
- Add features here
Protections Experience
- Add features here
ResponseOps
- Add features here