You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/whats-new.asciidoc
+35-99Lines changed: 35 additions & 99 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@
4
4
5
5
Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.
// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
@@ -15,157 +15,93 @@ Other versions: {security-guide-all}/8.17/whats-new.html[8.17] | {security-guide
15
15
== Generative AI enhancements
16
16
17
17
[float]
18
-
=== Automatically migrate Splunk SIEM rules
19
-
20
-
{security-guide}/siem-migration.html[Automatic Migration] for detection rules helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({esql}). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch.
=== View citations and documentation in AI Assistant
35
-
36
-
{security-guide}/security-assistant.html[AI Assistant] can now cite sources, including Elastic's product documentation, threat reports, and more.
18
+
=== Use Elastic Managed LLM in Security AI Assistant
37
19
20
+
{kibana-ref}/elastic-managed-llm.html[Elastic Managed LLM] is now the default large language model connector in AI Assistant. It gives you immediate access to generative AI features without any setup or external model integration.
38
21
39
22
[float]
40
-
== Entity Analytics enhancements
23
+
=== Use prompt tiles in Security AI Assistant
41
24
42
-
[float]
43
-
=== Monitor services installed in your environment
44
-
45
-
The {security-guide}/entity-store.html[entity store] now supports a new *service* entity type, expanding the range of entities you can track and monitor in your environment. Previously, only user and host entities were supported. With the addition of the service entity type, you can now investigate and protect the various services installed across your infrastructure.
The {security-guide}/security-assistant.html[Security AI Assistant]'s chat UI now uses prompt tiles instead of default quick prompts. Prompt tiles help you begin structured tasks or investigations into common {elastic-sec} workflows.
49
26
50
27
[float]
51
-
=== Verify entity store engine status
28
+
=== Schedule recurring attack discoveries
52
29
53
-
Use the new **Engine Status** tab on the **Entity Store** page to {security-guide}/entity-store.html#verify-engine-status[verify] which engines are installed in your environment and check their current statuses. This tab provides a centralized view for monitoring engine health, allowing you to ensure proper functionality, and troubleshoot any potential issues.
54
-
55
-
[role="screenshot"]
56
-
image::whats-new/images/8.18/engine-status.png[Engine status tab,60%]
30
+
You can now {security-guide}/attack-discovery.html#schedule-discoveries[define recurring schedules] to automatically generate attack discoveries without needing manual runs. When discoveries are found, you'll receive notifications through your configured connectors, such as Slack or email. You can customize the notification content to tailor alert context to your needs.
57
31
58
32
[float]
59
-
=== Entity risk scoring and entity store are generally available
33
+
=== View and manage saved attack discoveries
60
34
61
-
{security-guide}/entity-risk-scoring.html[Entity risk scoring] and entity store are moving from technical preview to general availability. Use these features to monitor the risk score of entities in your environment and query persisted entity metadata.
35
+
{security-guide}/attack-discovery.html#saved-discoveries[Attack discoveries] are now automatically saved whenever they're generated. You can update their status, share manually generated discoveries with other {kib} users, and perform bulk actions, such as status changes or adding discoveries to cases. Use the search box and filters to quickly find relevant discoveries.
62
36
63
37
[float]
64
-
=== Include closed alerts in risk score calculations
65
-
66
-
When {security-guide}/turn-on-risk-engine.html[turning on the risk engine], you now have the option to include `Closed` alerts in risk scoring calculations. By default, only `Open` and `Acknowledged` alerts are included. Additionally, you can specify a custom date and time range for the calculation, allowing for more flexible and tailored risk monitoring.
38
+
=== Automatic Migration is generally available
67
39
68
-
[role="screenshot"]
69
-
image::whats-new/images/8.18/include-closed-alerts.png[Toggle for including closed alerts in risk score calculations,60%]
40
+
{security-guide}/siem-migration.html[Automatic Migration] is moving from technical preview to general availability. Use this feature to quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language ({esql}).
70
41
71
42
[float]
72
43
== Detection rules and alerts enhancements
73
44
74
45
[float]
75
-
=== Customize and manage prebuilt detection rules
76
-
77
-
Previously, you had limited ability to customize prebuilt rules, couldn’t export or import them, and could only accept Elastic changes during rule updates. Now, you can do so much more.
78
-
79
-
After installing prebuilt rules, you're now able to {security-guide}/rules-ui-management.html#edit-rules-settings[edit] most of their settings to fit your custom needs. When updating rules, Elastic retains your changes whenever possible and helps you auto-resolve conflicts that may occur. Additional enhancements, such as the ability to compare different versions of a rule and edit the final update, have also been made to give you more control over the {security-guide}/prebuilt-rules-update-modified-unmodified.html[prebuilt rule update experience].
80
-
81
-
In addition to customizing prebuilt rules, you're now able to:
82
-
83
-
* {security-guide}/rules-ui-management.html#import-export-rules-ui[Export and import] prebuilt rules that have been modified or left unchanged.
84
-
* {security-guide}/rules-ui-management.html#edit-rules-settings[Bulk-edit] prebuilt rules settings, such as custom highlighted fields or tags.
46
+
=== Revert a customized prebuilt rule to its original version
85
47
48
+
After modifying a prebuilt rule, you can {security-guide}/rules-ui-management.html#revert-rule-changes[restore its original version]. To do this, open the rule's details page, click **All actions** → **Revert to Elastic version**, review the modified fields, then click **Revert**. The original rule version might be unavailable for comparison if you haven't updated your rules in a while.
86
49
87
50
[float]
88
-
=== Manual run enhancements
51
+
=== Modified fields on prebuilt rules are marked with a badge
89
52
90
-
The {security-guide}/rules-ui-management.html#manually-run-rules[manual runs] functionality is now generally available and includes the following new features:
91
-
92
-
* Almost all rule actions are supported and can be activated when you run a rule manually.
93
-
* Gaps in rule executions—which can lead to missed alerts and inconsistent rule coverage—can be monitored and manually filled.
94
-
95
-
[role="screenshot"]
96
-
image::whats-new/images/8.18/gaps-table.png[Gaps table on the rule execution results tab]
53
+
Modified fields on prebuilt rules are marked with the **Modified** badge on the rule's details page. You can compare the original Elastic version and the modified version of the field by clicking on the badge.
97
54
98
55
[float]
99
-
=== Preview logged {es} requests for more rule types
56
+
=== Bulk-apply and remove alert suppression from rules
100
57
101
-
You can now {security-guide}/rules-ui-create.html#view-rule-es-queries[preview logged {es} requests] for new terms, threshold, custom, and machine learning rule types.
58
+
From the Rules table, use the **Bulk actions** menu to quickly {security-guide}/alert-suppression.html#_bulk_apply_and_remove_alert_suppression[apply or remove] alert suppression from multiple rules. Note that threshold rules have a dedicated option for bulk-applying alert suppression.
102
59
103
60
[float]
104
-
=== Suppress alerts for event correlation rules
105
-
106
-
{security-guide}/alert-suppression.html[Alert suppression] is now supported for event correlation rules using sequence queries.
61
+
=== Improvements to gap fills
107
62
63
+
Several enhancements have been made to the {security-guide}/alerts-ui-monitor.html#gaps-table[gap fill feature]:
108
64
109
-
[float]
110
-
== Investigations enhancements
65
+
* The Gaps table is now generally available and provides you with an option to fill all gaps for a rule.
66
+
* In the panel above the Rules table, the **Total rules with gaps** field now shows how many rules have unfilled gaps and how many are currently having their gaps filled. The **Only rules with gaps:** filter has also been renamed to **Only rules with unfilled gaps:** and now only shows rules that have unfilled gaps. Rules with partial gaps or gaps that are being filled are excluded from the filter results.
67
+
* You can now bulk-fill gaps for multiple rules.
111
68
112
69
[float]
113
-
=== Control access to Timeline and notes with more granularity
114
-
115
-
You now have more control over role access to {security-guide}/timelines-ui.html#timeline-privileges[Timeline] and {security-guide}/add-manage-notes.html#notes-privileges[notes]. When you upgrade to 8.18, roles that previously had `All` or `Read` access to Security will inherit these privileges for Timelines and notes.
70
+
== Response actions enhancements
116
71
117
72
[float]
118
-
=== Visualizations are available by default in the alert details flyout
73
+
=== Run a script on Microsoft Defender for Endpoint-enrolled hosts
119
74
120
-
The `securitySolution:enableVisualizationsInFlyout` advanced setting is now turned on by default and generally available. The **Session View** and **Analyzer Graph** {security-guide}/view-alert-details.html#expanded-visualizations-view[sub-tabs] in the alert details flyout are also available by default and generally available.
75
+
Using Elastic's Microsoft Defender for Endpoint integration and connector, you can now {security-guide}/response-actions.html#runscript-mde[run a script] on Microsoft Defender for Endpoint-enrolled hosts.
121
76
122
77
[float]
123
-
=== Quickly access visited places from the alert details flyout
124
-
125
-
From the {security-guide}/view-alert-details.html#right-panel[alert details flyout], you can click the history icon (image:detections/images/history-icon.png[History icon,15,15]) to display a list of places that you visited from the alert's details flyout—for example, flyouts for other alerts or users. Click any list entry to quickly access the item's details.
126
-
78
+
=== Select saved scripts when using `runscript` third-party response actions
127
79
128
-
[float]
129
-
== Response actions enhancements
80
+
When using the `runscript` response action with hosts enrolled in CrowdStrike and Microsoft Defender for Endpoint, you can now select from a list of saved custom scripts. This means you no longer need to type the script name manually.
130
81
131
82
[float]
132
-
=== Updated privileges for third-party response actions
133
-
134
-
A new {kib} feature privilege is now required when {security-guide}/response-actions-config.html[configuring third-party response actions]. To find and assign the privilege, navigate to **Management** -> **Actions and Connectors** -> **Endpoint Security**.
83
+
== Investigations enhancements
135
84
136
85
[float]
137
-
=== Run a script on CrowdStrike-enrolled hosts
138
-
139
-
Using Elastic's CrowdStrike integration and connector, you can now {security-guide}/response-actions.html#runscript[run a script] on CrowdStrike-enrolled hosts by providing one of the following:
86
+
=== Customize highlighted fields for alerts
140
87
141
-
* The full script content
142
-
* The name of the script stored in a cloud storage location
143
-
* The file path of the script located on the host machine
88
+
You can now add more fields to an alert's {security-guide}/view-alert-details.html#investigation-section[highlighted fields] to display information that's relevant to your investigations.
144
89
145
90
[float]
146
-
=== Isolate and release Microsoft Defender for Endpoint–enrolled hosts
91
+
=== Access the response console from events
147
92
148
-
Using Elastic's Microsoft Defender for Endpoint integration and connector, you can now {security-guide}/third-party-actions.html#defender-response-actions[perform response actions] on hosts enrolled in Microsoft Defender's endpoint protection system. These actions are available in this release:
149
-
150
-
* Isolate a host from the network
151
-
* Release an isolated host
93
+
Now, you can access the response console from events, giving you more places to use response actions. You can now also {security-guide}/host-isolation-ov.html[isolate or release] a host from events.
152
94
153
95
[float]
154
-
=== Third-party response actions are generally available
155
-
156
-
{security-guide}/third-party-actions.html[Third-party response actions] are moving from technical preview to general availability. This includes response capabilities for Sentinel One, Crowdstrike, and Microsoft Defender for Endpoint.
157
-
96
+
== Cloud Security enhancements
158
97
159
98
[float]
160
-
== Increase Osquery timeout to 24 hours
99
+
=== TBA
161
100
162
-
When {kibana-ref}/osquery.html#osquery-run-query[running Osquery queries], you can now set a timeout period of up to 24 hours (86,400 seconds). Overwriting the query's default timeout period allows you to support queries that take longer to run.
101
+
TBA
163
102
164
103
165
-
[float]
166
-
== Increased support for agentless integrations
167
104
168
-
An additional 14 {security-guide}/agentless-integrations.html[integrations] can now be deployed using agentless technology.
0 commit comments