[8.3] [DOCS] What's new in 8.3 (backport #2155) #2161

Merged
merged 1 commit into from
Jun 28, 2022
126 changes: 77 additions & 49 deletions docs/whats-new.asciidoc
Expand Up @@ -4,112 +4,140 @@

Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out the <<release-notes, Release notes>>.

Other versions: {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
Other versions: {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
{security-guide-all}/7.9/whats-new.html[7.9]

// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
// tag::notable-highlights[]

[discrete]
[[features-8.2]]
[[term-changes-8.3]]
== Terminology changes

*"Endpoint Security integration" has been renamed to "Endpoint and Cloud Security integration"*

Due to the launch of https://www.elastic.co/security/cloud-security[Elastic Security for Cloud], the *Endpoint Security integration*, which allows the {agent} to monitor for events on your host, has been renamed to *Endpoint and Cloud Security integration*. Please note that general industry term references to endpoint security have not changed.

[role="screenshot"]
image::whats-new/images/8.3/cloud-integration.png[]

[discrete]
== New landing pages added to the left navigation menu
[[features-8.3]]

Several new landing pages were added to the navigation menu in 8.2:

The *Getting started* page provides guidance on adding data to your environment. When new users install {elastic-sec}, this page is now the default view.
[discrete]
== New streamlined navigation

An optional, new navigation menu, which can be enabled in the {security-guide}/advanced-settings.html#_enable_grouped_navigation[advanced {kib} settings], groups related pages and highlights commonly visited areas for a streamlined experience.

[role="screenshot"]
image::whats-new/images/8.2/getting-started.png[Getting started landing page]
image::getting-started/images/grouped-nav-ui.png[width=75%][height=75%][Grouped navigation menu][Grouped navigation menu]

The {security-guide}/users-page.html[*Users page*] provides an overview of user data to help you understand authentication and user behavior.
[discrete]
== New dashboards summarize critical information

[role="screenshot"]
image::whats-new/images/8.2/users-page.png[Users page]
A new *Dashboards* section, which includes two new dashboards to help you visualize critical information, has been added to the navigation menu in the {security-app}.

The {security-guide}/policies-page-ov.html[*Policies page*] allows you to view and manage your {endpoint-cloud-sec} integration policies from a single location.
The {security-guide}/overview-dashboard.html[*Overview* dashboard] provides an overview of detections, external alerts, and event trends. Use it to assess overall system health and find anomalies that may require further investigation.

[role="screenshot"]
image::whats-new/images/8.2/policies-page.png[]
image::whats-new/images/8.3/overview-pg.png[]

The {security-guide}/blocklist.html[*Blocklist*] page allows you to view, add, and manage the blocklist - a list of specified applications that are blocked from running on hosts. You can also use the {security-guide}/blocklist-api.html[blocklist API] to manage blocked applications.
The {security-guide}/detection-response-dashboard.html[*Detection & Response* dashboard] provides focused visibility into the daily operations of your security environment. Use it to monitor recent and high priority detection alerts and cases, and identify the top hosts and users associated with the most alerts so you can triage effectively.

[role="screenshot"]
image::whats-new/images/8.2/blocklist-page.png[]
image::whats-new/images/8.3/detection-response-dashboard.png[]

[discrete]
== Session View tool shows Linux process executions (beta)

{security-guide}/session-view.html[Session View] is a new tool that shows detailed information about Linux process executions in a chronological and hierarchal context. Use Session View to investigate alerts, user activity, and sessions on your Linux infrastructure.
== New integrations

[role="screenshot"]
image::whats-new/images/8.2/session-view.png[]
Several new https://docs.elastic.co/integrations[integrations] have been added, including ones for CIS Kubernetes Benchmark, AWS Security Hub, Cloudflare, Jamf, and Palo Alto Networks.

[discrete]
== Deploy DGA and Living-off-the-land supervised models in {fleet}
== Technical preview features

Incorporating supervised models into integration packages allows you to seamlessly install package artifacts inside {kib} with a single
click. Now you can deploy
https://docs.elastic.co/en/integrations/dga[DGA]
and https://docs.elastic.co/en/integrations/problemchild[Living-off-the-land (LotL)]
detection packages within Fleet.
*Cloud Security Posture Management*

[role="screenshot"]
image::whats-new/images/8.2/dga.png[]
Cloud Security Posture Management (CSPM) and Kubernetes security posture management (KSPM) help you compare your cloud and Kubernetes infrastructure to security best practices. Refer to our {security-guide}/security-posture-management.html[documentation] for setup instructions.

*User risk score*

https://github.com/elastic/detection-rules/blob/209b40b0a30d87898d75bb2d5dc3f2e068b5f09d/docs/experimental-machine-learning/user-risk-score.md[User risk score] assigns a score to highlight risky users within your environment. It uses a transform with a scripted metric aggregation to calculate scores based on detection rule alerts within a 90-day window. The transform runs hourly to update the score as new detection rule alerts are generated. Each user risk score is normalized on a scale of 0 to 100.

[discrete]
== Wildcard support for event filters
== New Authentications tab added to Users page

An *Authentications* tab has been added to the Users page to show successful and failed authentication events per user.

[role="screenshot"]
image::whats-new/images/8.3/user-auth.png[]

{security-guide}/event-filters.html[Event filters] now support using wildcard entries for the `file.path.text` field using the `matches` operator.

[discrete]
== Detection rules enhancements

[discrete]
=== Rule execution logs
*New optional settings for event correlation rules*

{security-guide}/rules-ui-create.html#create-eql-rule[Event correlation rules] now allow you to specify the following EQL fields: *Event category*, *Tiebreaker*, and *Timestamp* fields.

*{ml-cap} rules upgraded to v3 {ml} jobs*

The new {security-guide}/alerts-ui-monitor.html#rule-execution-logs[*Rule execution logs*] tab on a rule's details page provides historical data for the rule's executions over time. Use this to understand how a particular rule is running and whether it’s creating the alerts you expect.
Elastic prebuilt rules for some Windows and Linux anomalies have been updated with new v3 {ml}} jobs. Refer to our {security-guide}/alerts-ui-monitor.html#ml-job-compatibility[documentation] for information about how to upgrade and/or continue to use the old v1/v2 jobs.

*New Actions column in rule execution logs table enables filtering*

You can create a {security-guide}/alerts-ui-monitor.html#rule-execution-logs[global search filter] based on a specific rule execution by selecting the filter icon in the *Actions* column of the *Rule execution logs* tab on the rule details page. Enabling this filter replaces any previously applied filters.

[role="screenshot"]
image::whats-new/images/8.2/rule-exec-logs.png[]
image::whats-new/images/8.3/actions-icon.png[]

[discrete]
=== Bulk apply a Timeline template to rules
*New prebuilt rules*

A new {security-guide}/rules-ui-management.html#edit-rules-settings[bulk actions option] allows you to apply a Timeline template to multiple rules at once.
15 new {security-guide}/prebuilt-rules.html[prebuilt rules] were added in 8.3.0.

[discrete]
=== New Rules table filter options
== OAuth support in {sn} connectors

You can now {security-guide}/rules-ui-management.html#sort-filter-rules[filter the Rules table] by index pattern, MITRE ATT&CK tactic or technique (name or ID), and rule name.
The {sn} connectors now support open authentication (OAuth).
For configuration details, refer to
{kibana-ref}/servicenow-action-type.html[ServiceNow ITSM], {kibana-ref}/servicenow-sir-action-type.html[ServiceNow SecOps],
and {kibana-ref}/servicenow-itom-action-type.html[ServiceNow ITOM connector].

*Rule preview feature includes alerts table*

When you create or edit a detection rule and preview it, the {security-guide}/rules-ui-create.html#preview-rules[rule preview] now includes an alerts table with the expected alerts for the rule. Use this feature to learn how noisy a rule may be before saving it. You can now also preview {security-guide}/rules-ui-create.html#create-indicator-rule[indicator match rules].
[discrete]
== Cases enhancements

[role="screenshot"]
image::whats-new/images/8.2/preview-rules.png[]
The following enhancements have been added to Cases:

*Turn off `read` privilege warnings for detection rules*
* You can now assign severity levels to cases.
+
NOTE: If you do not set a case's severity, it defaults to Low.
+
* The Cases table now includes a *Severity* column and an option to filter the table by severity. It also now includes an "Average time to close" metric.
* You can now delete text comments, including those in Lens visualizations.
* You can now add multiple alerts to new and existing cases through the *Bulk actions* menu.
* A new *Alerts* tab has been added to the case details page. This allows you to view all alerts attached to a case.

A new Advanced Settings toggle, `securitySolution:enableCcsWarning`, allows you to {security-guide}/advanced-settings.html#enable-ccs-warning[turn off `read` privilege warnings] for detection rules using a remote cross-cluster search (CCS) index pattern.

[discrete]
== Alert details enhancements

You can now {security-guide}/alerts-run-osquery.html[run Osquery searches] from the *Take action* menu on the Alert details flyout.
The following enhancements have been added to the alert details flyout:

* Numerical values in the Alert prevalence column are now active links that send you to Timeline, where you can investigate related alerts.
+
[role="screenshot"]
image::whats-new/images/8.2/run-osquery.png[]
image::whats-new/images/8.3/alert-prevalance.gif[]
* Session ID, a unique ID for Linux sessions, has been added to the *Highlighted fields* section. To collect session data from Linux hosts, you must {security-guide}/session-view.html#enable-session-view[enable session view data] in an integration policy.

As shown in the image below, a new *Alert prevalence* column (1) shows the total number of alerts within the selected timeframe that have identical values. The {security-guide}/alerts-ui-manage.html#view-alert-details[Alert details flyout] also now shows linked cases (2).
[discrete]
== Osquery enhancements

[role="screenshot"]
image::whats-new/images/8.2/alert-prevalance.png[]
You can now run Osquery from the *More actions* menu in the Alerts table.

[role="screenshot"]
image::whats-new/images/8.3/run-osquery.png[]
You can also investigate a single or all Osquery query results in Timeline. Refer to {security-guide}/alerts-run-osquery.html[Run Osquery] for more information.

For information about additional Osquery enhancements, check out the {kibana-ref-all}/8.3/whats-new.html#highlights-8.3-osquery[{kib} Osquery highlights].

// end::notable-highlights[]
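Review bot: `{ml}}` in `Elastic prebuilt rules for some Windows and Linux anomalies have been updated with new v3 {ml}} jobs.` has a doubled closing brace, so the attribute reference expands and the stray `}` is rendered literally; it should read `v3 {ml} jobs`. Two more points in this hunk. The image macro `image::getting-started/images/grouped-nav-ui.png[width=75%][height=75%][Grouped navigation menu][Grouped navigation menu]` chains four bracket groups, but AsciiDoc takes only the first `[...]` as the attribute list and renders the rest as literal text; fold them into one list such as `[Grouped navigation menu,width=75%]`, and note that this PR adds `docs/whats-new/images/8.3/grouped-nav.png` while the macro points at `getting-started/images/grouped-nav-ui.png`, so either the new binary is unreferenced or the path is wrong. Also, keep the `[[features-8.3]]` anchor directly above the heading it targets, as `[[features-8.2]]` was in the previous version, rather than separated from `== New streamlined navigation` by blank lines. Finally, `The {sn} connectors now support open authentication (OAuth).` expands the acronym incorrectly: OAuth (RFC 6749) is an authorization framework, not an authentication protocol, and the wording implies the connector authenticates users with it; say `now support OAuth` and leave the expansion out.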
Binary file added docs/whats-new/images/8.3/actions-icon.png
Binary file added docs/whats-new/images/8.3/alert-prevalance.gif
Binary file added docs/whats-new/images/8.3/cloud-integration.png
Binary file added docs/whats-new/images/8.3/grouped-nav.png
Binary file added docs/whats-new/images/8.3/overview-pg.png
Binary file added docs/whats-new/images/8.3/run-osquery.png
Binary file added docs/whats-new/images/8.3/user-auth.png