Closed
Please include the link to your corresponding PRs!
What's new highlights for 8.3:
Detections & Response/CTI
- Event correlation detection rules have new optional settings for specifying EQL fields: Event category field, Tiebreaker field, and Timestamp field. [DOCS] Add new EQL search configuration options #2061
- Users can create a global search filter based on a specific rule execution, by clicking on the filter icon in the Actions column of the Rule execution logs tab on the rule details page. [DOCS] Rule execution logs: Add filter icon in Actions column #2045
- Elastic prebuilt machine learning detection rules for some Windows and Linux anomalies have been updated with new v3 machine learning jobs. [DOCS] Add/update docs for users upgrading to V3 ML modules #2080
OLM
- Endpoint Security is being renamed to Endpoint and Cloud Security (META: Rename Endpoint Security to Endpoint and Cloud Security #2025). Be sure to mention this in a "New Terminology" section.
Threat Hunting
- The Session ID field has been added to the Highlighted fields section. The alert prevalence data for this field shows the number of alerts that were generated in the same session. [DOCS] Add session ID to highlighted fields section in alert details flyout #2067
- Users can open alert prevalence data in Timeline to explore related alerts in a different view. [DOCS] Add the "investigate in timeline" button to the alert prevalence section #2077
- There is a new documentation page that describes the role of Data Views in determining which data appears in {elastic-sec}. [DOCS][New Page] Creates topic for data views in Elastic Security #2034
- Grouped navigation is an optional new navigation menu that groups related pages and highlights commonly visited areas for a streamlined experience. [DOCS] New grouped navigation side menu #2088
- The Detection & Response dashboard provides focused visibility into the day-to-day operations of your security environment. It helps security operations managers and analysts quickly monitor recent and high priority detection alerts and cases, and identify the hosts and users associated with alerts. [DOCS] New page: Detection & Response dashboard #2085
ResponseOps
- Users can enable and set up OAuth authentication for ServiceNow connectors. [DOCS] OAuth authentication added to SN connectors #2048 (might add more detail to this - following up with dev)
- Multiple enhancements to cases: [DOCS] Case enhancements in 8.3 #2050
  - Users can assign a severity level to cases. If they do not set the case's severity, it defaults to Low.
  - The Cases table now includes a Severity column and an option to filter the table by severity.
  - The Average time to close metric has been added to the Cases table. This metric measures the average amount of time it takes to close cases.
  - Users can now delete text comments, including Lens visualizations. They cannot delete alerts or user actions in the case history.
  - Multiple alerts can be added to new and existing cases via the Bulk actions menu.
  - The case icon has been updated on the Saved Objects and Cases and Connectors pages.
  - An Alerts tab has been added to the case details page. This allows users to view all alerts attached to a case.
AWP
- [ ]
Cloud Security Posture
- There is a new experimental feature called Cloud Security Posture Management that can help you compare your cloud and Kubernetes settings to security best practices. [DOCS][8.3] Create CSPM / KSPM page #2089
- New card added to Get started page to show that we offer a way to manage your cloud posture and ensure the security of cloud workloads. [DOCS] Update screenshot of the "Getting started" page #2049
Endpoint
- N/A - Refer to OLM section above
Asset Management
- Users can now run Osquery from the more actions menu in the Alerts table. [DOCS] Osquery enhancements to the Alerts table and alert details flyout #2087
- Users can investigate a single or all Osquery query results in Timeline. [DOCS] Osquery enhancements to the Alerts table and alert details flyout #2087