diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index e1692ed174..e3378be460 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,7 +4,7 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.17/whats-new.html[8.17] | {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.18/whats-new.html[8.18] | {security-guide-all}/8.17/whats-new.html[8.17] | {security-guide-all}/8.16/whats-new.html[8.16] | {security-guide-all}/8.15/whats-new.html[8.15] | {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | 
{security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. 
@@ -15,157 +15,125 @@ Other versions: {security-guide-all}/8.17/whats-new.html[8.17] | {security-guide == Generative AI enhancements [float] -=== Automatically migrate Splunk SIEM rules +=== Use Elastic Managed LLM in Security AI Assistant -{security-guide}/siem-migration.html[Automatic Migration] for detection rules helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({esql}). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch. +{kibana-ref}/elastic-managed-llm.html[Elastic Managed LLM] is now the default large language model connector in AI Assistant. It gives you immediate access to generative AI features without any setup or external model integration. [role="screenshot"] -image::whats-new/images/8.18/security-siem-migration-1.png[The Upload Splunk SIEM rules flyout] +image::whats-new/images/8.19/elastic-managed-llm.png[AI Assistant chat window with Elastic Managed LLM selected] [float] -=== Control which alerts Attack Discovery analyzes +=== Use prompt tiles in Security AI Assistant -You can now specify which alerts {security-guide}/attack-discovery.html[Attack Discovery] analyzes using a date and time selector and a KQL filter. +The {security-guide}/security-assistant.html[Security AI Assistant]'s chat UI now uses prompt tiles instead of default quick prompts. Prompt tiles help you begin structured tasks or investigations into common {elastic-sec} workflows. 
[role="screenshot"] -image::whats-new/images/8.18/security-attack-discovery-settings.png[Attack Discovery's settings menu,60%] +image::whats-new/images/8.19/assistant-basic-view.png[AI Assistant chat window with prompt tiles,75%] [float] -=== View citations and documentation in AI Assistant +=== Schedule recurring attack discoveries -{security-guide}/security-assistant.html[AI Assistant] can now cite sources, including Elastic's product documentation, threat reports, and more. - - -[float] -== Entity Analytics enhancements - -[float] -=== Monitor services installed in your environment - -The {security-guide}/entity-store.html[entity store] now supports a new *service* entity type, expanding the range of entities you can track and monitor in your environment. Previously, only user and host entities were supported. With the addition of the service entity type, you can now investigate and protect the various services installed across your infrastructure. +You can now {security-guide}/attack-discovery.html#schedule-discoveries[define recurring schedules] to automatically generate attack discoveries without needing manual runs. When discoveries are found, you'll receive notifications through your configured connectors, such as Slack or email. You can customize the notification content to tailor alert context to your needs. [role="screenshot"] -image::whats-new/images/8.18/service-risk-scores.png[Service risk scores table] +image::whats-new/images/8.19/schedule-discoveries.png[Create new schedule flyout,75%] [float] -=== Verify entity store engine status +=== View and manage saved attack discoveries -Use the new **Engine Status** tab on the **Entity Store** page to {security-guide}/entity-store.html#verify-engine-status[verify] which engines are installed in your environment and check their current statuses. This tab provides a centralized view for monitoring engine health, allowing you to ensure proper functionality, and troubleshoot any potential issues. 
+{security-guide}/attack-discovery.html#saved-discoveries[Attack discoveries] are now automatically saved whenever they're generated. You can update their status, share manually generated discoveries with other {kib} users, and perform bulk actions, such as status changes or adding discoveries to cases. Use the search box and filters to quickly find relevant discoveries. [role="screenshot"] -image::whats-new/images/8.18/engine-status.png[Engine status tab,60%] +image::whats-new/images/8.19/saved-discoveries.png[Saved attack discoveries] [float] -=== Entity risk scoring and entity store are generally available +=== Automatic Migration is generally available -{security-guide}/entity-risk-scoring.html[Entity risk scoring] and entity store are moving from technical preview to general availability. Use these features to monitor the risk score of entities in your environment and query persisted entity metadata. - -[float] -=== Include closed alerts in risk score calculations - -When {security-guide}/turn-on-risk-engine.html[turning on the risk engine], you now have the option to include `Closed` alerts in risk scoring calculations. By default, only `Open` and `Acknowledged` alerts are included. Additionally, you can specify a custom date and time range for the calculation, allowing for more flexible and tailored risk monitoring. - -[role="screenshot"] -image::whats-new/images/8.18/include-closed-alerts.png[Toggle for including closed alerts in risk score calculations,60%] +{security-guide}/siem-migration.html[Automatic Migration] is moving from technical preview to general availability. Use this feature to quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({esql}). 
[float] == Detection rules and alerts enhancements [float] -=== Customize and manage prebuilt detection rules +=== Revert a customized prebuilt rule to its original version -Previously, you had limited ability to customize prebuilt rules, couldn’t export or import them, and could only accept Elastic changes during rule updates. Now, you can do so much more. +After modifying a prebuilt rule, you can {security-guide}/rules-ui-management.html#revert-rule-changes[restore its original version]. To do this, open the rule's details page, click **All actions** → **Revert to Elastic version**, review the modified fields, then click **Revert**. The original rule version might be unavailable for comparison if you haven't updated your rules in a while. -After installing prebuilt rules, you're now able to {security-guide}/rules-ui-management.html#edit-rules-settings[edit] most of their settings to fit your custom needs. When updating rules, Elastic retains your changes whenever possible and helps you auto-resolve conflicts that may occur. Additional enhancements, such as the ability to compare different versions of a rule and edit the final update, have also been made to give you more control over the {security-guide}/prebuilt-rules-update-modified-unmodified.html[prebuilt rule update experience]. +[role="screenshot"] +image::whats-new/images/8.19/revert-rule.png[Option to revert customized prebuilt rule on rule details page] -In addition to customizing prebuilt rules, you're now able to: +[float] +=== Modified fields on prebuilt rules are marked with a badge -* {security-guide}/rules-ui-management.html#import-export-rules-ui[Export and import] prebuilt rules that have been modified or left unchanged. -* {security-guide}/rules-ui-management.html#edit-rules-settings[Bulk-edit] prebuilt rules settings, such as custom highlighted fields or tags. +Modified fields on prebuilt rules are marked with the **Modified** badge on the rule's details page. 
You can compare the original Elastic version and the modified version of the field by clicking on the badge. +[role="screenshot"] +image::whats-new/images/8.19/modified-field.png[Modified field badge on rule details page] [float] -=== Manual run enhancements - -The {security-guide}/rules-ui-management.html#manually-run-rules[manual runs] functionality is now generally available and includes the following new features: +=== Bulk-apply and remove alert suppression from rules -* Almost all rule actions are supported and can be activated when you run a rule manually. -* Gaps in rule executions—which can lead to missed alerts and inconsistent rule coverage—can be monitored and manually filled. +From the Rules table, use the **Bulk actions** menu to quickly {security-guide}/alert-suppression.html#_bulk_apply_and_remove_alert_suppression[apply or remove] alert suppression from multiple rules. Note that threshold rules have a dedicated option for bulk-applying alert suppression. [role="screenshot"] -image::whats-new/images/8.18/gaps-table.png[Gaps table on the rule execution results tab] +image::whats-new/images/8.19/bulk-alert-suppression.png[Bulk alert suppression options on Rules page] [float] -=== Preview logged {es} requests for more rule types +=== Improvements to gap fills -You can now {security-guide}/rules-ui-create.html#view-rule-es-queries[preview logged {es} requests] for new terms, threshold, custom, and machine learning rule types. - -[float] -=== Suppress alerts for event correlation rules +Several enhancements have been made to the {security-guide}/alerts-ui-monitor.html#gaps-table[gap fill feature]: -{security-guide}/alert-suppression.html[Alert suppression] is now supported for event correlation rules using sequence queries. +* The Gaps table is now generally available and provides you with an option to fill all gaps for a rule. 
+* In the panel above the Rules table, the **Total rules with gaps** field now shows how many rules have unfilled gaps and how many are currently having their gaps filled. The **Only rules with gaps:** filter has also been renamed to **Only rules with unfilled gaps:** and now only shows rules that have unfilled gaps. Rules with gaps that are being filled are excluded from the filter results. +* You can now bulk-fill gaps for multiple rules. +[role="screenshot"] +image::whats-new/images/8.19/monitor-table.png[Rules table] [float] -== Investigations enhancements +== Response actions enhancements [float] -=== Control access to Timeline and notes with more granularity - -You now have more control over role access to {security-guide}/timelines-ui.html#timeline-privileges[Timeline] and {security-guide}/add-manage-notes.html#notes-privileges[notes]. When you upgrade to 8.18, roles that previously had `All` or `Read` access to Security will inherit these privileges for Timelines and notes. +=== Run a script on Microsoft Defender for Endpoint-enrolled hosts -[float] -=== Visualizations are available by default in the alert details flyout +Using Elastic's Microsoft Defender for Endpoint integration and connector, you can now {security-guide}/response-actions.html#runscript-mde[run a script] on Microsoft Defender for Endpoint-enrolled hosts. -The `securitySolution:enableVisualizationsInFlyout` advanced setting is now turned on by default and generally available. The **Session View** and **Analyzer Graph** {security-guide}/view-alert-details.html#expanded-visualizations-view[sub-tabs] in the alert details flyout are also available by default and generally available. 
+[role="screenshot"] +image::whats-new/images/8.19/mde-runscript.png[Response console,80%] [float] -=== Quickly access visited places from the alert details flyout - -From the {security-guide}/view-alert-details.html#right-panel[alert details flyout], you can click the history icon (image:detections/images/history-icon.png[History icon,15,15]) to display a list of places that you visited from the alert's details flyout—for example, flyouts for other alerts or users. Click any list entry to quickly access the item's details. - +=== Select saved scripts when using `runscript` third-party response actions -[float] -== Response actions enhancements +When using the `runscript` response action with hosts enrolled in CrowdStrike and Microsoft Defender for Endpoint, you can now select from a list of saved custom scripts. This means you no longer need to type the script name manually. [float] -=== Updated privileges for third-party response actions - -A new {kib} feature privilege is now required when {security-guide}/response-actions-config.html[configuring third-party response actions]. To find and assign the privilege, navigate to **Management** -> **Actions and Connectors** -> **Endpoint Security**. +== Investigations enhancements [float] -=== Run a script on CrowdStrike-enrolled hosts +=== Customize highlighted fields for alerts -Using Elastic's CrowdStrike integration and connector, you can now {security-guide}/response-actions.html#runscript[run a script] on CrowdStrike-enrolled hosts by providing one of the following: +You can now add more fields to an alert's {security-guide}/view-alert-details.html#investigation-section[highlighted fields] to display information that's relevant to your investigations. 
-* The full script content -* The name of the script stored in a cloud storage location -* The file path of the script located on the host machine +[role="screenshot"] +image::whats-new/images/8.19/customize-highlighted-fields.png[Alert details flyout,75%] [float] -=== Isolate and release Microsoft Defender for Endpoint–enrolled hosts +=== Access the response console from events -Using Elastic's Microsoft Defender for Endpoint integration and connector, you can now {security-guide}/third-party-actions.html#defender-response-actions[perform response actions] on hosts enrolled in Microsoft Defender's endpoint protection system. These actions are available in this release: +Now, you can access the response console from events, giving you more places to use response actions. You can now also {security-guide}/host-isolation-ov.html[isolate or release] a host from events. -* Isolate a host from the network -* Release an isolated host +image::whats-new/images/8.19/respond-from-events.png[Event details flyout] [float] -=== Third-party response actions are generally available - -{security-guide}/third-party-actions.html[Third-party response actions] are moving from technical preview to general availability. This includes response capabilities for Sentinel One, Crowdstrike, and Microsoft Defender for Endpoint. - +== Cloud Security enhancements [float] -== Increase Osquery timeout to 24 hours +=== New integrations -When {kibana-ref}/osquery.html#osquery-run-query[running Osquery queries], you can now set a timeout period of up to 24 hours (86,400 seconds). Overwriting the query's default timeout period allows you to support queries that take longer to run. +{elastic-sec} now supports three new Cloud Security integrations: {integrations-docs}/rapid7_insightvm[Rapid7 InsightVM], {integrations-docs}/tenable_io[Tenable Vulnerability Management], and {integrations-docs}/qualys_vmdr[Qualys VMDR]. 
-[float] -== Increased support for agentless integrations -An additional 14 {security-guide}/agentless-integrations.html[integrations] can now be deployed using agentless technology. // end::notable-highlights[] diff --git a/docs/whats-new/images/8.19/assistant-basic-view.png b/docs/whats-new/images/8.19/assistant-basic-view.png new file mode 100644 index 0000000000..18f152c4b2 Binary files /dev/null and b/docs/whats-new/images/8.19/assistant-basic-view.png differ diff --git a/docs/whats-new/images/8.19/bulk-alert-suppression.png b/docs/whats-new/images/8.19/bulk-alert-suppression.png new file mode 100644 index 0000000000..d5e6463a6e Binary files /dev/null and b/docs/whats-new/images/8.19/bulk-alert-suppression.png differ diff --git a/docs/whats-new/images/8.19/customize-highlighted-fields.png b/docs/whats-new/images/8.19/customize-highlighted-fields.png new file mode 100644 index 0000000000..fcdd3f23e1 Binary files /dev/null and b/docs/whats-new/images/8.19/customize-highlighted-fields.png differ diff --git a/docs/whats-new/images/8.19/elastic-managed-llm.png b/docs/whats-new/images/8.19/elastic-managed-llm.png new file mode 100644 index 0000000000..a90fa1a650 Binary files /dev/null and b/docs/whats-new/images/8.19/elastic-managed-llm.png differ diff --git a/docs/whats-new/images/8.19/mde-runscript.png b/docs/whats-new/images/8.19/mde-runscript.png new file mode 100644 index 0000000000..eab0aa829d Binary files /dev/null and b/docs/whats-new/images/8.19/mde-runscript.png differ diff --git a/docs/whats-new/images/8.19/modified-field.png b/docs/whats-new/images/8.19/modified-field.png new file mode 100644 index 0000000000..36db140eee Binary files /dev/null and b/docs/whats-new/images/8.19/modified-field.png differ diff --git a/docs/whats-new/images/8.19/monitor-table.png b/docs/whats-new/images/8.19/monitor-table.png new file mode 100644 index 0000000000..081d748696 Binary files /dev/null and b/docs/whats-new/images/8.19/monitor-table.png differ 
diff --git a/docs/whats-new/images/8.19/respond-from-events.png b/docs/whats-new/images/8.19/respond-from-events.png new file mode 100644 index 0000000000..15bd7a07a4 Binary files /dev/null and b/docs/whats-new/images/8.19/respond-from-events.png differ diff --git a/docs/whats-new/images/8.19/revert-rule.png b/docs/whats-new/images/8.19/revert-rule.png new file mode 100644 index 0000000000..ea0df5840f Binary files /dev/null and b/docs/whats-new/images/8.19/revert-rule.png differ diff --git a/docs/whats-new/images/8.19/saved-discoveries.png b/docs/whats-new/images/8.19/saved-discoveries.png new file mode 100644 index 0000000000..a212953224 Binary files /dev/null and b/docs/whats-new/images/8.19/saved-discoveries.png differ diff --git a/docs/whats-new/images/8.19/schedule-discoveries.png b/docs/whats-new/images/8.19/schedule-discoveries.png new file mode 100644 index 0000000000..b866247c93 Binary files /dev/null and b/docs/whats-new/images/8.19/schedule-discoveries.png differ
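Review bot: in the first hunk (`@@ -4,7 +4,7 @@`), the new "Other versions" line adds the `8.18` entry but keeps the list as one hand-maintained line of roughly thirty `{security-guide-all}/<version>/whats-new.html[<version>]` entries, so a dropped `|` or a mistyped version is easy to miss in review; please confirm the `8.18` target resolves once `{security-guide-all}` is expanded, and consider whether `8.19` itself should be listed here or deliberately omitted because this page is the 8.19 edition. The trailing `// NOTE: ... Full URL links are required in tagged regions.` context line applies to the whole `notable-highlights` region edited in the second hunk, so the attribute-based links there should be checked against that rule in the rendered output.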
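Review bot: in the second hunk (`@@ -15,157 +15,125 @@`), the added `image::whats-new/images/8.19/respond-from-events.png[Event details flyout]` under "Access the response console from events" is the only new image without a preceding `[role="screenshot"]` line, unlike every other `image::` in the file; add the role so it renders consistently. Two documentation gaps in the same hunk: the new "Select saved scripts when using `runscript` third-party response actions" section is the only `===` section with no `{security-guide}` link, and neither `runscript` section mentions the {kib} feature privilege that the removed 8.18 text ("A new {kib} feature privilege is now required when {security-guide}/response-actions-config.html[configuring third-party response actions]") said is required, so a reader of the 8.19 page no longer learns that running scripts on enrolled hosts is gated by that privilege; consider linking `response-actions-config.html` from the MDE `runscript` section. Finally, "might be unavailable for comparison if you haven't updated your rules in a while" in "Revert a customized prebuilt rule to its original version" is vague; state the actual condition (for example, that the prebuilt rules package no longer contains the base version) or link to the section that explains it.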