Whats new 8.9 (#3633) (#3634)

* Saving first changes.

* Adds highlights for 8.9

* Fixing build errors.

(cherry picked from commit 5ec3ad8)

Co-authored-by: Janeen Mikell Roberts <[email protected]>

docs/whats-new.asciidoc

@@ -4,132 +4,121 @@
 
 Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out the <<release-notes, Release notes>>.
 
-Other versions: {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
+Other versions: {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
 {security-guide-all}/7.9/whats-new.html[7.9]
 
 // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
 // tag::notable-highlights[]
 
 [float]
-== Detection rules enhancements
-
-*New warning for running maintenance windows*
+== Elastic AI Assistant enhancements 
 
-A warning banner displays on the Rules page if a {kibana-ref}/maintenance-windows.html[maintenance window] is running. During an active maintenance window, rule actions won’t run, and alert notifications aren't sent. 
+The {security-guide}/security-assistant.html[Elastic AI Assistant] now has a centralized UI for configuring settings, and you can now {security-guide}/security-assistant.html#data-information[anonymize data] sent to and from the AI provider. 
 
-NOTE: To use maintenance windows, you must have the appropriate https://www.elastic.co/subscriptions[subscription] and Kibana feature {kibana-ref}/maintenance-windows.html#setup-maintenance-windows[privileges].
-
-*Prebuilt rule updates*
+[role="screenshot"]
+image::whats-new/images/8.9/AI-anonymous.png[Elastic AI Assistant settings]
 
-Check out the {security-guide}/prebuilt-rules-downloadable-updates.html[latest updates] to prebuilt rules. To download the latest updates, refer to {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[Update Elastic prebuilt rules]. 
+Additionally, the new Generative AI Token Usage dashboard allows you to monitor your token usage with the AI provider.
 
 [float]
-== Alerts enhancements 
+== Detection rules enhancements
 
-*Control alert notifications and summaries*
+[float]
+=== New UI for installing and upgrading prebuilt detection rules
 
-The following enhancements give more control over how and when alert notifications are sent. For more information, refer to {security-guide}/rules-ui-create.html#rule-notifications[Set up alert notifications]. 
+There's a {security-guide}/prebuilt-rules-management.html[newly redesigned UI] and workflow for managing prebuilt detection rules to allow more flexibility and visibility into rule updates. You can now select which prebuilt rules you want to install and update, instead of only installing the entire set of rules. You can also duplicate a rule to make changes to it. 
 
-* You can now specify how often {security-guide}/rules-ui-create.html#rule-notifications[alert notifications] are sent to third-party systems (such as Slack, JIRA, email, etc.). You can apply your preferred frequency to all rule actions, or set notification frequency individually for each action. 
-+
 [role="screenshot"]
-image::whats-new/images/8.8/action-frequency.png[Rule action frequency]
-+
-* You can decide whether to be notified each time an alert is generated, or receive alert summaries. 
-
-* Instead of turning rules off to stop alert notifications, you can {security-guide}/rules-ui-management.html#snooze-rule-actions[snooze rule actions] for a specified time period. When you snooze rule actions, the rule continues to run on its defined schedule, but won’t perform any actions or send alert notifications. 
+image::whats-new/images/8.9/prebuilt-rules.png[Prebuilt rules UI]
 
-*Max alerts warning*
+In addition, prebuilt detection rules have new tags to categorize your rules, such as the rule’s purpose, detection method, associated resources, and other information.  
 
-When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following {security-guide}/alerts-ui-monitor.html#troubleshoot-max-alerts[warning] is displayed on the rule’s details page and in the rule execution log: `This rule reached the maximum alert limit for the rule execution. Some alerts were not created.` To troubleshoot this event, we recommend you check for unexpected alerts. For more information, refer to {security-guide}/alerts-ui-monitor.html#troubleshoot-max-alerts[Troubleshoot maximum alerts warning].
-
-*Share an alert*
+[float]
+=== Monitor rule performance with the new Detection rule monitoring dashboard
 
-The *Share alert* button in the {security-guide}/view-alert-details.html#view-alert-details[alert details] flyout provides a shareable link you can copy and paste into browsers, cases, messages, and more.
+The {security-guide}/rule-monitoring-dashboard.html[Detection rule monitoring dashboard] provides visualizations to help you monitor the overall health and performance of {elastic-sec}'s detection rules. Review this dashboard for a high-level overview to determine if your rules are running successfully and how long they’re taking to run, search data, and create alerts.
 
 [role="screenshot"]
-image::whats-new/images/8.8/share-alert.png[Share alert in alert details flyout]
+image::whats-new/images/8.9/rule-monitor-dashboard.png[Detection rule monitor dashboard]
 
-*Edit filter controls on the Alerts page*
+[float]
+=== Automated endpoint response actions for rules
 
-The drop-down filter controls on the Alerts page allow you to filter alerts by up to four fields. By default, you can filter by *Status*, *Severity*, *User*, and *Host*, but you can {security-guide}/alerts-ui-manage.html#drop-down-filter-controls[edit these to filter by different fields]. You can also remove, add, and reorder them.
+You can now add the {security-guide}/host-isolation-ov.html#isolate-a-host[host isolation response action] to rules. When rule conditions are met, the endpoint is automatically isolated. 
 
-[role="screenshot"]
-image::whats-new/images/8.8/alert-controls.png[Alert filter controls]
+[float]
+=== Rule exceptions auto-populated with alert data
 
+Now, when you {security-guide}/add-exceptions.html#detection-rule-exceptions[create a new rule exception] from an alert, exception conditions are auto-populated with relevant alert data. A comment describing this action is also automatically added to the *Add comments* section.
 
-*New alert suppression options*
+[float]
+=== Interactive investigation guides are now generally available
 
-A new rule configuration option for {security-guide}/alert-suppression.html[alert suppression] allows you to specify how to handle alerts when a field that's used for suppression does not have a value. 
+{security-guide}/interactive-investigation-guides.html[Interactive investigation guides], which suggest steps for triaging, analyzing, and responding to potential security issues, are now generally available. You can configure an interactive investigation guide when you create a new rule or edit an existing one.
 
-TIP: To learn how to reduce notifications and alerts, check out our analysis comparison {security-guide}/reduce-notifications-alerts.html[here].
+[role="screenshot"]
+image::whats-new/images/8.9/IG-UI.png[Interactive investigation guide]
 
-*Filter alerts from the Entity Analytics dashboard*
 
-In the Entity Analytics dashboard, you can now filter alerts on the Alerts page by selecting the number link in the column.
+[float]
+=== Prebuilt rule updates
 
-[role="screenshot"]
-image::whats-new/images/8.8/dashboard-filter-alerts.gif[Filter alerts from the Entity Analytics dashboard]
+Check out the {security-guide}/prebuilt-rules-downloadable-updates.html[latest updates] to prebuilt rules. To download the latest updates, refer to {security-guide}/prebuilt-rules-management.html#update-prebuilt-rules[Update Elastic prebuilt rules]. 
 
-*Select up to three fields for grouping alerts*
+[float]
+=== Manage and filter alert tags
 
-You now select up to three fields to {security-guide}/alerts-ui-manage.html#group-alerts[group alerts] by to customize your alerts view. Each group is nested in the Alerts table by order of selection.
+{security-guide}/alerts-ui-manage.html#apply-alert-tags[Alert tags], which you can add or remove for individual or multiple alerts, allow you to organize related alerts into categories that you can filter and group. If desired, you can also create custom tags by updating the feature's advanced setting.
 
 [role="screenshot"]
-image::whats-new/images/8.8/group-alerts.png[Group alerts]
+image::whats-new/images/8.9/alert-tags.png[Apply alert tags]
 
 [float]
-== Visualization actions and inline actions added to more places in the {security-app}
-
-{security-guide}/es-ui-overview.html#visualization-actions[Visualization actions], which allow you to examine {es} queries used to retrieve data throughout the {security-app} or perform actions for the selected visualization, have been added to several places in the {security-app}. Look for the Inspect button (image:whats-new/images/8.8/inspect-icon.png[Inspect icon,16,16]) or options menu (image:whats-new/images/8.8/three-dot-menu.png[Options menu icon,17,17]) in the UI. 
+== New integrations 
 
+The following security https://docs.elastic.co/integrations[integrations] were added in {minor-version}:
 
-{security-guide}/es-ui-overview.html#inline-actions[Inline actions] are displayed when you hover over a specific data field or value and allow you to customize your view or investigate further. They've also been added to more places throughout the {security-app}, such as:
-
-* Explore pages (Host, Network, and User pages)
-* Entity analytics (Entity Analytics Dashboard, user risk score, and host risk score features)
-* Alerts and events table
-* Event details flyout
+* Arista Firewall
+* Google Cloud Security Command Center
+* Microsoft Defender for Cloud
+* Okta (Entity Analytics)
+* SentinelOne Cloud Funnel
+* Zero Networks Firewall
 
 [role="screenshot"]
-image::whats-new/images/8.8/inline-actions-menu.png[Inline actions menu]
+image::whats-new/images/8.9/integrations.png[Newly add integrations in 8.9]
 
 [float]
-== Cloud Security enhancements
-
-*New Container Workload Protection (beta)*
-
-You can now use {agent} to {security-guide}/d4c-overview.html[protect your containers] by detecting and preventing malicious behavior and malware, and to capture workload telemetry data. This solution uses a new integration, *Defend for Containers* (D4C), which allows you to create custom alerting and enforcement policies.
+== Upload files to an endpoint with new `upload` response action
 
-*New Cloud Native Vulnerability Management (CNVM) (beta)*
-
-The {security-guide}/vuln-management-overview.html[Cloud Native Vulnerability Management (CNVM)] feature helps you identify known vulnerabilities in your cloud workloads. When it finds vulnerabilities, it enables your remediation efforts by providing metadata such as the CVSS, severity, affected package, and a fix version if available, as well as information about impacted systems. 
+The response console's new {security-guide}/response-actions.html#_upload[`upload` response action] allows you to upload a file to an endpoint enrolled with {elastic-defend}. You can combine this with the execute response action to upload and run scripts, or perform other mitigation on remote hosts.
 
 [float]
-== New "execute" response console command
+== Cloud Security enhancements
 
-A new {security-guide}/response-actions.html[response console] command, `execute`, allows you to run shell commands and scripts on the host. The complete output is also saved to a downloadable `.zip` file. 
+[float]
+=== New CloudFormation deployment for Cloud Security Posture Management (CSPM)
 
-NOTE: Ensure you have the appropriate {security-guide}/endpoint-management-req.html[privileges] to use the response console. 
+The {security-guide}/cspm-get-started.html#cspm-get-started[CloudFormation deployment for CSPM] provides a new, simpler deployment method for Cloud Security Posture Management, which you can use to monitor the security posture of your cloud assets. You can quickly set up this feature using {security-guide}/cspm-get-started.html#cspm-setup[AWS CloudFormation]. 
 
 [float]
-== Delete notes in Timeline 
+=== Discover vulnerabilities with the new Cloud Native Vulnerability Management dashboard
 
-In Timeline, you can now {security-guide}/timelines-ui.html#conf-timeline-display[delete notes for individual events] or delete investigation notes for the entire Timeline. 
+The {security-guide}/vuln-management-dashboard.html[Cloud Native Vulnerability Management (CNVM) dashboard] gives you an overview of vulnerabilities detected in your cloud infrastructure.
+
+[role="screenshot"]
+image::whats-new/images/8.9/CNVM-dashboard.png[CNVM dashboard]
 
 [float]
 == Cases enhancements 
 
 The following enhancements have been added to Cases: 
 
-* You can now {security-guide}/cases-open-manage.html#cases-add-files[add files to a case].
-+
-[role="screenshot"]
-image::whats-new/images/8.8/add-files-case.png[Add files to a case]
-+
-* You can now add the *Cases* column to the Alerts table, which is helpful to quickly identify which alerts have been added to a case. 
-* Case activity and history are paginated and sortable. 
-* The {security-guide}/case-permissions.html[privileges] for attaching alerts to cases have changed. Now, users need `Read` access to Security and `All` access to Cases.
+* You now have the option to {security-guide}/cases-open-manage.html#cases-ui-open[specify a category] for new and existing cases.
+* You can now {security-guide}/cases-open-manage.html#cases-lens-visualization[add Lens visualizations to cases] from anywhere within the {security-app}.
+* The case details *Alerts* tab now displays the number of alerts attached to a case.
+* Email notifications now follow a new and improved template.
+
 
 
 // end::notable-highlights[]