From 348cf56476506ce242227139f67c591376769e8e Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 10 Dec 2024 12:32:52 +0000 Subject: [PATCH 1/6] Whats new in 8.17 --- docs/whats-new.asciidoc | 158 +++------------------------------------- 1 file changed, 11 insertions(+), 147 deletions(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 0b6a37ccb4..c0bd08b026 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,172 +4,36 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | 
{security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. // tag::notable-highlights[] -[float] -== Generative AI enhancements - -[float] -=== Improved Automatic Import capabilities - -{security-guide}/automatic-import.html[Automatic Import] can now use a larger variety of large language models and accept larger log samples in a wider range of common formats. - -[float] -=== Analyze more alerts with Attack Discovery - -{security-guide}/attack-discovery.html[Attack Discovery] can now analyze up to 500 alerts at once, and provides higher-quality responses. - -[role="screenshot"] -image::whats-new/images/8.16/attck-disc-alerts-number-menu.png[Attack Discovery alert settings,60%] - -[float] -=== Customize Elastic AI Assistant using Knowledge Base - -Elastic AI Assistant's new {security-guide}/ai-assistant-knowledge-base.html[Knowledge Base] feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context. This improves the relevance, quality, and customization of its responses. 
- -[role="screenshot"] -image::whats-new/images/8.16/knowledge-base-add-index-config.png[Knowledge Base's Edit index entry menu,80%] - -[float] -== Entity Analytics enhancements - -[float] -=== Manage persisted entity metadata with entity store - -preview:[] The {security-guide}/entity-store.html[entity store] feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the {elastic-sec} default data view, the entity store lets you query entity metadata without real-time data searches. - -After you enable the entity store, the Entity Analytics dashboard displays the {security-guide}/detection-entity-dashboard.html#entity-entities[**Entities** section], which offers a comprehensive view of all hosts and users in your environment. You can filter them by their source, entity risk level, and asset criticality level. - -[role="screenshot"] -image::whats-new/images/8.16/entities-section.png[Entities section of the Entity Analytics dashboard] - -[float] -=== Asset criticality is available by default - -The advanced setting for enabling {security-guide}/asset-criticality.html[asset criticality] has been removed, and this feature is now available by default. - -[float] -=== Run entity risk scoring in multiple spaces - -You can now enable and run {security-guide}/entity-risk-scoring.html[entity risk scoring] in multiple {kib} spaces. This allows you to analyze and monitor entity risk in different contexts simultaneously. - -[float] -=== Recalculate entity risk scores after file upload - -When you {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] using the file upload feature, the newly assigned criticality levels are automatically factored in during the next hourly risk scoring calculation. 
You can now manually trigger an immediate recalculation of entity risk scores by clicking **Recalculate entity risk scores now** during the file upload process. - -[role="screenshot"] -image::whats-new/images/8.16/recalc-ers.png[Recalculate entity risk scores] - [float] == Detection rules and alerts enhancements [float] -=== Enable prebuilt detection rules on installation - -Previously, {security-guide}/prebuilt-rules-management.html#load-prebuilt-rules[installing and enabling prebuilt rules] took two steps. You can now do both in one step with the **Install and enable** option. This works for both single and multiple rules. +=== LogsDB index mode with detection rules and alerts -[role="screenshot"] -image::whats-new/images/8.16/install-enable-rules.png[Install and enable rules, 80%] +The {ref}/logs-data-stream.html[logsDB index mode] allows you to store log data more efficiently. If you're considering using it, refer to to learn how it can impact your rules and alerts. This feature requires the . +// some information to be added [float] -=== Run rules manually +=== Suppress alerts for EQL sequence rules -{security-guide}/rules-ui-management.html#manually-run-rules[Manually run rules] for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the **Execution results** tab of the rule details page. - -[role="screenshot"] -image::whats-new/images/8.16/manual-rule-run-table.png[Manual rule run table] +Alert suppression now supports the EQL sequence rule type. You can use it to reduce the number of repeated or duplicate detection alerts generated from EQL sequence rules. +// link to be added [float] -=== Exclude cold and frozen data from rules +== Signature option available for macOS trusted applications conditions -Rules that query cold and frozen data tiers might perform more slowly or fail. 
To ensure that the rules in your {kib} space exclude query results from cold and frozen tiers when executing, configure the `excludedDataTiersForRuleExecution` <>. +When adding a {security-guide}/trusted-apps-ov.html[trusted application] for macOS, you can now specify conditions based on the application's digital signer—previously only available on Windows. [float] -=== View {es} queries that run during rule execution - -When previewing a rule, you can also {security-guide}/rules-ui-create.html#view-rule-es-queries[learn about its {es} queries], which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for {esql} and EQL rules only. - -[float] -=== Alert suppression is generally available for more rule types - -{security-guide}/alert-suppression.html[Alert suppression] is generally available for the indicator match, threshold, {ml}, {esql}, and new terms rule types. It is still in technical preview for event correlation rules. - -[float] -== Investigations enhancements - -[float] -=== Add notes to alerts, events, and Timelines - -You can now attach {security-guide}/add-manage-notes.html[notes] to alerts, events, and Timelines, and manage them from the **Notes** page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings. - -[role="screenshot"] -image::whats-new/images/8.16/new-note-alert-event.png[New note added to an alert] - -[float] -=== View analyzed events from the alert details flyout - -preview:[] By enabling the new `securitySolution:enableVisualizationsInFlyout` advanced setting, you can {security-guide}/view-alert-details.html#expanded-visualizations-view[view analyzed alerts and events] in the **Visualize** tab of the alert details flyout. 
This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events. - -[role="screenshot"] -image::whats-new/images/8.16/visualize-tab-lp-alert-details.gif[Examine alert details from event analyzer, 80%] - -[float] -=== Resize alert and event details flyouts - -You can now resize the alert and event details flyouts and choose how they're displayed—over the Alerts table or next to it. - -[role="screenshot"] -image::whats-new/images/8.16/flyout-settings.gif[Change alert details flyout settings] - -[float] -== {elastic-defend} and response actions enhancements - -[float] -=== More SentinelOne third-party response actions - -Additional third-party response actions are available using Elastic's {security-guide}/third-party-actions.html#sentinelone-response-actions[SentinelOne] integration and connector: - -* Get processes -* Terminate a process - -[float] -=== {elastic-defend}'s automated response actions support all rule types - -You can now configure any detection rule type to perform {elastic-defend}'s {security-guide}/automated-response-actions.html[automated response actions]. - -//// -Commenting out until docs are ready - -[float] -=== New rules for {elastic-defend}'s endpoint protection features - -New prebuilt rules tailored for each of {elastic-defend}'s endpoint protection features—malware, ransomware, memory threats, and malicious behavior—allow you to configure actions tailored for detection or prevention of each type. - -[role="screenshot"] -image::whats-new/images/8.16/endpoint-protection-rules.png[Endpoint protection rules] -//// - -[float] -== Cloud Security enhancements - -[float] -=== Ingest third-party cloud security data - -You can now {security-guide}/ingest-third-party-cloud-security-data.html[ingest cloud security data] from several third-party sources—Falco, AWS Security Hub, and Wiz—into {elastic-sec}. 
The data appears on the **Alerts** and **Findings** pages, and in the user and host details flyouts. - -[role="screenshot"] -image::whats-new/images/8.16/wiz-findings.png[Wiz data on the Findings page] - -[float] -=== Simplify posture data collection with agentless Cloud Security Posture Management deployment - -Elastic's native {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers. +== Case action is generally available +The {kibana-ref}/cases-action-type.html[Case action] feature, first introduced in 8.14, is moving from technical preview to general availability. Use Case action to automatically create cases from rules. // end::notable-highlights[] From a57e2a23115b4f48f3e53e5ce15213ce7ebbc5b0 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Wed, 11 Dec 2024 14:09:18 +0000 Subject: [PATCH 2/6] Add missing refs and lowercase logsdb --- docs/whats-new.asciidoc | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index c0bd08b026..b8b416225e 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -14,16 +14,14 @@ Other versions: {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide == Detection rules and alerts enhancements [float] -=== LogsDB index mode with detection rules and alerts +=== Logsdb index mode with detection rules and alerts -The {ref}/logs-data-stream.html[logsDB index mode] allows you to store log data more efficiently. If you're considering using it, refer to to learn how it can impact your rules and alerts. This feature requires the . -// some information to be added +The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] to learn how it can impact your rules and alerts. [float] === Suppress alerts for EQL sequence rules -Alert suppression now supports the EQL sequence rule type. You can use it to reduce the number of repeated or duplicate detection alerts generated from EQL sequence rules. -// link to be added +{security-guide}/alert-suppression.html[Alert suppression] now supports the EQL sequence rule type. You can use it to reduce the number of repeated or duplicate detection alerts generated from EQL sequence rules. [float] == Signature option available for macOS trusted applications conditions From f12a3ca001c83a914f5f23e3f927fb386621c8d0 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Thu, 12 Dec 2024 13:23:25 +0000 Subject: [PATCH 3/6] Removes unavailable link --- docs/whats-new.asciidoc | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index b8b416225e..21ac964f82 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -16,7 +16,9 @@ Other versions: {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide [float] === Logsdb index mode with detection rules and alerts -The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] to learn how it can impact your rules and alerts. +The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to Using logsdb index mode with {elastic-sec} to learn how it can impact your rules and alerts. + +// link to be added when relevant PR is merged: {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] [float] === Suppress alerts for EQL sequence rules From 43eee6074b355fc5146077f66d27f794862d4eb1 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 12 Dec 2024 15:40:38 +0000 Subject: [PATCH 4/6] Update docs/whats-new.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/whats-new.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 21ac964f82..0763829495 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -33,7 +33,7 @@ When adding a {security-guide}/trusted-apps-ov.html[trusted application] for mac [float] == Case action is generally available -The {kibana-ref}/cases-action-type.html[Case action] feature, first introduced in 8.14, is moving from technical preview to general availability. Use Case action to automatically create cases from rules. +The {kibana-ref}/cases-action-type.html[Cases action] feature, first introduced in 8.14, is moving from technical preview to general availability. Use this action to automatically create cases from rules. // end::notable-highlights[] From 2d552fde4aacf91227a741d1dfe1b07829f3150b Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 12 Dec 2024 17:27:43 +0000 Subject: [PATCH 5/6] Update docs/whats-new.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> --- docs/whats-new.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 0763829495..67b029c119 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc @@ -31,7 +31,7 @@ The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data When adding a {security-guide}/trusted-apps-ov.html[trusted application] for macOS, you can now specify conditions based on the application's digital signer—previously only available on Windows. [float] -== Case action is generally available +== Cases action is generally available The {kibana-ref}/cases-action-type.html[Cases action] feature, first introduced in 8.14, is moving from technical preview to general availability. Use this action to automatically create cases from rules. From b7702b8c810e66ab4aa3e567316e0738893d6501 Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic Date: Thu, 12 Dec 2024 18:43:09 +0000 Subject: [PATCH 6/6] Add logsdb updates --- docs/whats-new.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 67b029c119..13bde6a9ab 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc @@ -16,9 +16,9 @@ Other versions: {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide [float] === Logsdb index mode with detection rules and alerts -The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to Using logsdb index mode with {elastic-sec} to learn how it can impact your rules and alerts. +The {ref}/logs-data-stream.html[logsdb index mode] allows you to store log data more efficiently. If you're considering using it, refer to {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] to learn how it can impact your rules and alerts. -// link to be added when relevant PR is merged: {security-guide}/detections-logsdb-index-mode-impact.html[Using logsdb index mode with {elastic-sec}] +NOTE: To use the {ref}/mapping-source-field.html#synthetic-source[synthetic `_source`] feature, you must have the appropriate subscription. Refer to the subscription page for https://www.elastic.co/subscriptions/cloud[{ecloud}] and {subscriptions}[{stack}/self-managed] for the breakdown of available features and their associated subscription tiers. [float] === Suppress alerts for EQL sequence rules
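Review bot: in the PATCH 1/6 hunk, the new logsdb paragraph ships with empty cross-references ("refer to to learn how it can impact your rules and alerts. This feature requires the .") plus "// some information to be added" and "// link to be added" markers, and all of it sits inside the tag::notable-highlights[] region that the header comment says is re-used in the Installation and Upgrade Guide, so the unfinished text would render in two guides. Complete the sentences with the intended xrefs before merging, or hold the two sections back until the linked pages exist. Separately, the new "== Signature option available for macOS trusted applications conditions" and "== Case action is generally available" headings are level-2, the same level as "== Detection rules and alerts enhancements", whereas the file's existing pattern nests each feature as "===" under a grouping "== ... enhancements" heading; consider demoting them to "===" under an appropriate grouping heading so the hierarchy stays consistent. If the removed screenshots under whats-new/images/8.16/ are no longer referenced anywhere, delete those files in the same PR.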
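Review bot: in the PATCH 2/6 hunk, the heading becomes "=== Logsdb index mode with detection rules and alerts" while the body text, the {ref}/logs-data-stream.html link text and the commit subject ("lowercase logsdb") all use "logsdb"; if the term is meant to be all-lowercase as a product name, keep it lowercase in the heading as well, or rephrase the heading so the term is not the first word.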
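Review bot: in the PATCH 3/6 hunk, replacing the xref with the plain title "Using logsdb index mode with {elastic-sec}" leaves readers with an unlinked page name, and "// link to be added when relevant PR is merged" reintroduces a TODO marker into the tagged region right after PATCH 2/6 removed the earlier ones. If the build fails on the unresolved target, either gate the whole "Logsdb index mode" section on the other PR landing first, or reword the sentence so it does not name a page that cannot yet be linked (for example "refer to the logsdb documentation for {elastic-sec}").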
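Review bot: in the PATCH 4/6 hunk, the body is renamed from "Case action" to "Cases action" while the heading two lines above still reads "== Case action is generally available" until PATCH 5/6 changes it; squash the two commits so no intermediate revision has the heading and body disagree. Also confirm that the target page at {kibana-ref}/cases-action-type.html actually titles the feature "Cases action" so the link text matches what readers land on.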
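Review bot: in the PATCH 6/6 hunk, the new NOTE about synthetic `_source` appears under the logsdb heading without saying how the two relate, and "you must have the appropriate subscription" does not say which tier; add a clause stating the connection between logsdb index mode and synthetic `_source` (for example, whether logsdb enables it by default) and, if the required tier is known, name it rather than sending readers to compare the {ecloud} and {stack}/self-managed subscription pages. The re-added xref to {security-guide}/detections-logsdb-index-mode-impact.html is the same target PATCH 3/6 removed as unavailable, so confirm the dependent PR has merged before this one lands.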