diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index a456e41e7b..39555fce5f 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,165 +4,156 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out the <>. -Other versions: {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. // tag::notable-highlights[] - [discrete] -[[features-8.4]] +[[elastic-defend-8.5]] -[discrete] -== New navigation menu +== Introducing {elastic-defend} + +The integration that monitors events and provides threat prevention and detection on your hosts has been renamed from *Endpoint and Cloud Security* to *{elastic-defend}*. 
+ +[role="screenshot"] +image::whats-new/images/8.5/elastic-defend.png[Elastic Defend integration] -{elastic-sec} has a new navigation menu, designed to group related pages, highlight commonly visited areas, and easily access important workflows for a streamlined experience. +When installing the {elastic-defend} integration, you can now select from several pre-configured use cases, which you can customize as needed. For more information on how to get started, refer to {security-guide}/install-endpoint.html[Configure and install the {elastic-defend} integration]. [role="screenshot"] -image::whats-new/images/8.4/new-nav.gif[navigation menu] +image::whats-new/images/8.5/elastic-defend-config.png[Elastic Defend configuration] + [discrete] == Kubernetes and Cloud Security Posture enhancements -The {security-guide}/kubernetes-dashboard.html[Kubernetes dashboard] provides insight into Linux process data from your Kubernetes clusters. You can also {security-guide}/kubernetes-dashboard.html#k8s-dash-setup[deploy an Elastic DaemonSet] to your Kubernetes clusters to collect session data. This data, which includes new Kubernetes-specific fields, appears in summary on the Kubernetes dashboard. +*Terminal output collection* -The {security-guide}/cloud-posture-dashboard.html[Cloud Posture dashboard] allows you to check your Kubernetes infrastructure's configuration against security best practices, and provides steps for remediating any issues it identifies. +{elastic-defend} can now collect terminal output, which allows {security-guide}/session-view.html[Session View] to provide a complete history of Linux sessions through the terminal output viewer. -[role="screenshot"] -image::whats-new/images/8.4/cloud-sec-dashboard.png[Cloud Security Posture dashboard] +*Test Kubernetes clusters with Kubernetes Security Posture Management (KSPM) integration* -To get these insights, you first need to install the Kubernetes Security Posture Management integration, which is now in beta. 
+In addition to unmanaged clusters, you can now use the KSPM integration to test the security of your Kubernetes clusters managed by Amazon EKS. -[role="screenshot"] -image::whats-new/images/8.4/ksp-integration.png[Kubernetes Security Posture management integration] [discrete] -== Detection rules enhancements +== Detection rules enhancements -*New terms rule* +*Enhancements to rule preview* -A {security-guide}/rules-ui-create.html#create-new-terms-rule[new terms] rule generates an alert for each new term it detects in source documents within a specified time range. +You can now {security-guide}/rules-ui-create.html#preview-rules[preview a rule] at any step of creating or editing a rule, and can preview Elastic prebuilt rules. Rule previews also now include exceptions and field overrides. [role="screenshot"] -image::whats-new/images/8.4/new-terms.png[New terms rule] +image::whats-new/images/8.5/rule-preview.png[Rule preview UI] +*Choose saved query behavior with custom query rules* -*Data views available in rule creation* +When selecting a saved query to define a custom query rule, you can now choose whether to use the saved query on every rule execution or to use it once to populate the rule's query settings. -When you create a rule, you can now {security-guide}/rules-ui-create.html#views-index-patterns[specify data views] as the data source in order to use runtime fields, which are associated with a data view. +*New bulk edit rule options* -*Fallback to @timestamp is configurable when timestamp override is defined* +You can now {security-guide}/rules-ui-management.html#edit-rules-settings[bulk edit] rule actions and rule schedules on multiple detection rules. -This feature allows you to disable @timestamp as a fallback timestamp field when you’ve defined a timestamp override. 
+*Enhancements to rule exceptions* -*New option to preview rules* +There are several enhancements and UI improvements to rule exceptions: -The new *Advanced query preview* option allows you to set the preview's timeframe, rule interval, and look-back time, providing more control to fine-tune query results. +* When {security-guide}/detections-ui-exceptions.html#detection-rule-exceptions[adding a rule exception], you can now create value lists for all rule types. Note that you can't use text type value lists for event correlation and threshold rules. -[role="screenshot"] -image::whats-new/images/8.4/rule-preview.png[Advanced query preview] - -*Improved bulk action handling for detection rules* +* If a rule has or allows endpoint exceptions, there are two exception tabs: the *Rule exceptions* tab and a new *Endpoint exceptions* tab. The *Endpoint exceptions* tab provides an easy way to manage endpoint exceptions. -When you select prebuilt _and_ custom rules and attempt to perform a bulk action that can only be done on custom rules, {elastic-sec} now determines which rules are compatible and performs the action only on those rules. +* You can now check how many other rules are affected by an exception by clicking *Affects _X_ rules* next to an exception list item. -*Wildcards supported in detection rule exceptions* - -Wildcards are now supported when defining {security-guide}/detections-ui-exceptions.html#detection-rule-exceptions[exceptions] for detection rules, and accept new operators `matches` and `does not match`. +[role="screenshot"] +image::whats-new/images/8.5/affects-rule.png[Shows how many rules are affected by an exception] *New prebuilt rules* -18 new {security-guide}/prebuilt-rules.html[prebuilt rules] were added in 8.4.0. +28 new {security-guide}/prebuilt-rules.html[prebuilt rules] were added in 8.5.0. 
-*Prerequisites and setup guides for Elastic prebuilt rules* - -Elastic prebuilt rules now provide additional information to help you identify and meet their {security-guide}/rules-ui-management.html#rule-prerequisites[prerequisites]. You can confirm these requirements in the *Related integrations* and *Required fields* sections of a rule's details page, and consult its *Setup guide* for additional guidance. +[discrete] +== Endpoint response enhancements -[role="screenshot"] -image::whats-new/images/8.4/rule-details-prerequisites.png[Rule details page with Related integrations, Required fields, and Setup guide highlighted] +*Updated messaging in response console* -NOTE: Content for these new sections is delivered in a prebuilt rules update, independent of {stack} release versioning. +The {security-guide}/response-actions.html[response console] UI now displays a message if response action commands aren't supported by an installed version of {agent}, which must be 8.4 or later. -[discrete] -== Response console for endpoint response actions +*Response actions history log for all endpoints* -The new response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and receive almost immediate feedback. Actions are also logged in the endpoint’s actions log for reference. +You can now filter and search endpoint response actions history for an endpoint. In addition, there's now a standalone {security-guide}/response-actions-history.html[Response actions history] page that shows an action log of all endpoints. 
[role="screenshot"] -image::whats-new/images/8.4/response-console.png[Response console] +image::whats-new/images/8.5/response-history.png[Response history action log] [discrete] -== Troubleshooting "Unhealthy" status for {agent} +== New Entity Analytics dashboard -Integration policy errors and statuses are now provided in {fleet} and {elastic-sec} to help troubleshoot when an {agent} has an "unhealthy" status. +The {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] provides a centralized view of emerging insider threats — including host risk, user risk, and notable anomalies from within your network. Use it to triage, investigate, and respond to emerging threats. -[discrete] -== Alerts enhancements - -*New Alerts page visualizations* - -The Alerts page now displays a single visualization pane, with a menu to select *Table*, *Trend*, or *Treemap*. Treemap is a new view that shows alert distribution as proportionally-sized tiles. This view helps you quickly triage the most critical alerts. +You can also enable host risk score and user risk score directly from this dashboard simply by clicking the *Enable* button. To learn more, refer to {security-guide}/host-risk-score.html#enable-host-risk-score[Host risk score] and {security-guide}/user-risk-score.html#deploy-user-risk-score[User risk score]. [role="screenshot"] -image::whats-new/images/8.4/treemap-view.png[Alerts treemap view] - -*New Insights section in alert details* +image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard] -The Alert details flyout now has a new {security-guide}/view-alert-details.html#alert-details-insights[*Insights* section], which shows users how an alert is related to other alerts and provides options to investigate related alerts. You can leverage this information to quickly find patterns between alerts, then take action. 
+[discrete] +== Alerts enhancements -[role="screenshot"] -image::whats-new/images/8.4/insights.png[Insights section] +*Alert counts displayed on Explore detail pages* -*Process event analyzer now includes alerts* +Each of the Explore detail pages ({security-guide}/hosts-overview.html#host-details-page[host details], {security-guide}/network-page-overview.html#ip-details-page[network details], and {security-guide}/users-page.html#_user_details_page[user details]) now displays alert metrics that show the total number of alerts by severity, rule, and status. -You can now view alerts associated with an event when viewing the event in the process analyzer. This allows you to examine and compare alerts with the same source event. +[role="screenshot"] +image::whats-new/images/8.5/alert-counts.png[Alert count metrics] -NOTE: This functionality requires a Platinum or Enterprise subscription, and the `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` feature flag must be added to the `kibana.yml` file.) +*Visual event analyzer enhancements* -[discrete] -== Cases enhancements +* If you have a http://elastic.co/pricing[Platinum subscription] or higher, by default, you can now examine alerts associated with the event. -*New Webhook - Case Management case connector* +* The visual event analyzer automatically displays the entire process tree if you select a time range that doesn't have any process events. You'll also receive a message that your time range is too narrow. -The Webhook - Case Management connector allows you to build a custom connector for any third-party case/ticket management system. This offers more flexibility when deciding what third-party case/ticket management system you want to send cases and case updates to. -*New sub-feature privilege for cases* +*Alert details flyout enhancements* -The *Delete cases and comments* sub-feature privilege determines whether a user can delete cases and comments. 
Users with current `All` access to cases are automatically granted the delete privilege upon upgrading to 8.4. However, users with current `read` access to cases are not automatically granted the delete privilege upon upgrading to 8.4. An admin can modify these user privileges. +The following enhancements have been made to the alert details flyout. To learn more about analyzing detection alerts, refer to {security-guide}/view-alert-details.html[View alert details]. +* Improvements to the *Overview* tab: +** *Reason statement shown in rendered view* - The alert rendered view displays event details, such as the alert reason statement, file paths, or process arguments, to provide context for the alert. You can take action (such as Add to Timeline) on individual fields in the statement. +** *Event renderer added to the Overview tab* - The event renderer displays relevant event details to provide context for the alert, such as file paths or process arguments. You can take actions on any of the fields provided. ++ [role="screenshot"] -image::whats-new/images/8.4/cases-privs.png[Cases privileges] +image::whats-new/images/8.5/render-view.png[Alert render view] ++ +* If you have a http://elastic.co/pricing[Platinum subscription] or higher, these details are included in the *Insights* section: -[discrete] -== Endpoint enhancements +** *Alerts related by session ID* - Shows the ten most recent alerts generated during the same session. These alerts share the same session ID, a unique ID for tracking a given Linux session. To use this feature, you must enable the *Include session data* setting in your {security-guide}/install-endpoint.html#add-security-integration[{elastic-defend} integration policy]. -*New credential hardening protection* +** *Alerts related by process ancestry* - Shows alerts that are related by process events on the same linear branch. 
-You can now configure {security-guide}/configure-endpoint-integration-policy.html#attack-surface-reduction[credential hardening protection] in an integration policy. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory. Turn on the toggle to remove any overly permissive access rights that aren’t required for standard interaction with the Local Security Authority Subsystem Service (LSASS). +** *Risk score data included* - Risk score classification data is displayed in the *Enriched data* section. If the current risk classification has changed from the original, both scores display to show the difference. -[role="screenshot"] -image::whats-new/images/8.4/credential-hardening.png[Credential hardening protection] +[discrete] +== New Indicators page -*Endpoint self-healing rollback* +The Indicators page provides a centralized view for threat intelligence analysts to view and investigate indicators of compromise (IoCs). To learn more about this feature, refer to {security-guide}/indicators-of-compromise.html[Indicators of compromise]. -{security-guide}/self-healing-rollback.html[Endpoint self-healing rollback] is a new feature that rolls back file changes and processes on Windows endpoints when enabled protection features generate a prevention alert. +[role="screenshot"] +image::whats-new/images/8.5/ioc.png[Indicators of compromise page] [discrete] -== Run query packs from an alert +== Assign users to a case -When {security-guide}//alerts-run-osquery.html[running a live query] from an alert, you can now choose to run single queries or query packs. - -[role="screenshot"] -image::whats-new/images/8.4/osquery.png[Run a live query] +You can now {security-guide}/cases-open-manage.html#cases-open-manage[assign users to a case] if they meet the necessary prerequisites. 
[discrete] -== Enhanced workflow for enabling host risk score +== Osquery enhancements -Enabling {security-guide}/host-risk-score.html[host risk score] is now easier, with enhancements that guide you through the process and pre-populate the {kib} Dev Tools Console with the required scripts. +* *Add Osquery results to a case* - After users run Osquery from an alert, they can {security-guide}/view-osquery-results.html#investigate-osquery-results[add Osquery results to a new or an existing case]. -[role="screenshot"] -image::whats-new/images/8.4/host-risk-score-enable-dev-tools-wn.png[Enable host risk score in Dev Tools Console] +* *Use Osquery Response Action to query hosts* - Users can use the {security-guide}/osquery-response-action.html[Osquery Response Action] to immediately query hosts that generate alerts. Note that Osquery Response Actions are currently a technical preview feature. + +* *Run Osquery queries from an investigation guide* - When analyzing an alert, you can now {security-guide}/invest-guide-run-osquery.html[add queries to a rule's investigation guide] and run it as part of your investigation. // end::notable-highlights[] diff --git a/docs/whats-new/images/8.5/affects-rule.png b/docs/whats-new/images/8.5/affects-rule.png new file mode 100644 index 0000000000..32608566f4 Binary files /dev/null and b/docs/whats-new/images/8.5/affects-rule.png differ diff --git a/docs/whats-new/images/8.5/alert-counts.png b/docs/whats-new/images/8.5/alert-counts.png new file mode 100644 index 0000000000..dc032d1bbe Binary files /dev/null and b/docs/whats-new/images/8.5/alert-counts.png differ diff --git a/docs/whats-new/images/8.5/elastic-defend-config.png b/docs/whats-new/images/8.5/elastic-defend-config.png new file mode 100644 index 0000000000..44d08334af Binary files /dev/null and b/docs/whats-new/images/8.5/elastic-defend-config.png differ 
diff --git a/docs/whats-new/images/8.5/elastic-defend.png b/docs/whats-new/images/8.5/elastic-defend.png new file mode 100644 index 0000000000..9ff2cdb606 Binary files /dev/null and b/docs/whats-new/images/8.5/elastic-defend.png differ diff --git a/docs/whats-new/images/8.5/ioc.png b/docs/whats-new/images/8.5/ioc.png new file mode 100644 index 0000000000..7645276104 Binary files /dev/null and b/docs/whats-new/images/8.5/ioc.png differ diff --git a/docs/whats-new/images/8.5/render-view.png b/docs/whats-new/images/8.5/render-view.png new file mode 100644 index 0000000000..c19c2a0054 Binary files /dev/null and b/docs/whats-new/images/8.5/render-view.png differ diff --git a/docs/whats-new/images/8.5/response-history.png b/docs/whats-new/images/8.5/response-history.png new file mode 100644 index 0000000000..a69ee0662f Binary files /dev/null and b/docs/whats-new/images/8.5/response-history.png differ diff --git a/docs/whats-new/images/8.5/rule-preview.png b/docs/whats-new/images/8.5/rule-preview.png new file mode 100644 index 0000000000..d1bd2ae21a Binary files /dev/null and b/docs/whats-new/images/8.5/rule-preview.png differ
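Review bot: the Entity Analytics screenshot in the whats-new.asciidoc hunk is referenced from outside the 8.5 image set (`image::dashboards/images/entity-dashboard.png[Entity Analytics dashboard]`) while every other new screenshot uses `whats-new/images/8.5/...`, and that line sits inside the `// tag::notable-highlights[]` region that the file's own comment says is re-used in the Installation and Upgrade Guide, so the relative path may not resolve when that guide includes the tagged region; copy the image to `whats-new/images/8.5/entity-dashboard.png` and add it as a binary alongside the other seven 8.5 images in this patch. Smaller points in the same hunk: the two `http://elastic.co/pricing[Platinum subscription]` links (visual event analyzer bullet and the Insights bullet) should be `https://`; `{security-guide}/users-page.html#_user_details_page` relies on an auto-generated `_user_details_page` anchor, unlike the explicit `#host-details-page` and `#ip-details-page` beside it, so the target page should get an explicit anchor ID before this link is published; the *Reason statement shown in rendered view* and *Event renderer added to the Overview tab* bullets say almost the same thing (event details such as file paths or process arguments, actions on individual fields) and should be merged into one item; the second `+` continuation after the `render-view.png` screenshot is followed by a new top-level `* If you have a ... Platinum subscription` item rather than continued content, so it can be dropped; "If you have a Platinum subscription or higher, by default, you can now examine alerts" reads better with "by default" moved next to what it qualifies, for example "alerts associated with the event are now shown by default"; and "simply by clicking the *Enable* button" should lose "simply".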