diff --git a/docs/whats-new.asciidoc b/docs/whats-new.asciidoc index 9ebc9787d8..93a6735891 100644 --- a/docs/whats-new.asciidoc +++ b/docs/whats-new.asciidoc 
@@ -4,7 +4,7 @@ Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <>. -Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | +Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | 
{security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] | {security-guide-all}/7.9/whats-new.html[7.9] // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions. 
@@ -13,114 +13,145 @@ Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide [float] == Generative AI enhancements +[float] +=== Manage Elastic AI Assistant using API + +You can now interact with and manage {security-guide}/security-assistant.html[Elastic AI Assistant] using the Elastic AI Assistant API. +// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API] [float] -=== Attack Discovery +=== Create new third-party data integrations using Automatic Import -{security-guide}/attack-discovery.html[Attack discovery] is a new AI-powered tool that identifies potential attacks and maps connections between alerts to the MITRE ATT&CK® matrix, helping you to fight alert fatigue and reduce your mean time to respond. +preview:[] {security-guide}/automatic-import.html[Automatic Import] uses AI to create integrations for your custom data sources. [role="screenshot"] -image::whats-new/images/8.14/attack-discovery-full-card.png[Attack discovery detail view] +image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%] [float] -=== Redesigned Elastic AI Assistant UI - -{security-guide}/security-assistant.html[Elastic AI Assistant] for {elastic-sec} has a redesigned user interface that uses a flyout instead of a popup, aligning it with standard {kib} design patterns. Also, when using OpenAI models, AI Assistant can now "stream" responses, rendering word-by-word rather than appearing as complete text blocks, providing a more conversational experience. +== Entity Analytics enhancements [float] -== Entity Analytics enhancements +=== Automatic recalculation of entity risk score +{security-guide}/entity-risk-scoring.html[Entity risk score] is now automatically recalculated when you assign, change, or unassign an individual entity's {security-guide}/asset-criticality.html[asset criticality] level. 
[float] -=== Asset criticality file upload +=== Manage asset criticality using API -You can {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] to multiple entities at a time by importing a text file from your asset management tools. This feature allows you to quickly and easily import a list of entities and their asset criticality levels into the {security-app}. +You can now manage {security-guide}/asset-criticality.html[asset criticality] using the {security-guide}/asset-criticality-api-overview.html[asset criticality API]. -[role="screenshot"] -image::whats-new/images/8.14/asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%] +[float] +== Detection rules and alerts enhancements [float] -=== Unassign asset criticality +=== Edit fields for detection rules + +You can now edit these fields for user-created {security-guide}/rules-ui-create.html[custom rules]: + +* **Max alerts per run**: Specify the maximum number of alerts a rule can create each time it runs. ++ +[role="screenshot"] +image::whats-new/images/8.15/max-alerts-per-run.png[The Max alerts per run field highlighted in the Create new rule UI] -You can unassign {security-guide}/asset-criticality.html[asset criticality] from a host or user if the criticality level is no longer known, or the currently assigned level is incorrect. +* **Required fields**: Create an informational list of fields that a rule requires to function. +* **Related integrations**: Create an informational list of one or more Elastic integrations associated with a rule. 
++ [role="screenshot"] -image::whats-new/images/8.14/unassign-criticality.png[Unassign asset criticality, 50%] +image::whats-new/images/8.15/required-fields-related-integrations.png[The Required fields and Related integrations fields highlighted in the Create new rule UI] [float] -=== Risk scoring engine processes up to 10,000 alerts per entity +=== Suppress alerts for {ml} and {esql} rules -When calculating {security-guide}/entity-risk-scoring.html[entity risk scores], the risk scoring engine now takes into account a maximum of 10,000 alerts per entity. This ensures that the engine remains operational in environments with extremely large data volume. +{security-guide}/alert-suppression.html[Alert suppression] now supports the {ml} and {esql} rule types. You can use it to reduce the number of repeated or duplicate detection alerts generated from {ml} and {esql} rules. [float] -=== Access the entity details flyout from the Entity Analytics dashboard +=== Use AI Assistant when writing rule queries -Clicking on a specific host or user name in the {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] now opens the host or user details flyout instead of the host or user details page. This allows you to access entity metadata and risk score information without navigating away from the dashboard. +When creating rules, you can now use AI Assistant to improve rule queries or to quickly correct them. [float] -=== Entity details flyout shows contribution scores per alert +=== Bulk update custom highlighted fields for rules -The **Risk contributions** section of the {security-guide}/hosts-overview.html#host-details-flyout[entity details flyout] now shows the top 10 alerts that contributed to the latest risk scoring calculation and each alert's contribution score. This makes each entity's risk score easier to understand and gives better insight into which alerts you should investigate at the entity level. 
+Bulk add or remove {security-guide}/rules-ui-create.html#rule-ui-advanced-params[custom highlighted fields] for multiple detection rules. -[role="screenshot"] -image::whats-new/images/8.14/contribution-scores-per-alert.png[Contribution scores for top 10 alerts, 90%] +[float] +=== Preview entities and alerts in the alert details flyout + +You can now preview host and user details from the **Insights** tab of the {security-guide}/view-alert-details.html[alert details flyout] instead of going to the **Hosts** or **Users** pages for more information. From the **Correlations** tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them. [float] -== Detection rules and alerts enhancements +=== Expandable alert details flyout enabled by default +The expandable alert details flyout is now enabled by default in multiple places throughout the {security-app}. [float] -=== Value list improvements +== Improvements to the Timeline data exploration experience -You can now {security-guide}/value-lists-exceptions.html#edit-value-lists[edit value lists] from the UI, wherever you use them. For example, you can now add items to a value list while creating a rule exception that references that value list. +Several improvements have been made to enhance your data exploration experience in Timeline: +- Multiple components from Discover have been incorporated, such as the sidebar and table, which allow you to quickly find fields of interest. ++ [role="screenshot"] -image::whats-new/images/8.14/edit-value-lists.png[Edit items in a value list, 90%] +image::whats-new/images/8.15/timeline-sidebar-and-table.png[Example Timeline with the sidebar highlighted] -[float] -=== Add ES|QL fields as custom highlighted fields +- You can now toggle row renderers, which allow you to easily add or remove context from events. 
++ +[role="screenshot"] +image::whats-new/images/8.15/timeline-ui-renderer.png[Example Timeline with the event renderer highlighted] -When adding custom highlighted fields to an {esql} rule, you can now {security-guide}/rules-ui-create.html#custom-highlighted-esql-fields[specify any fields returned by the rule's query]. This allows you to surface fields that contain useful information for investigating alerts. +- Notes are easier to add and track from the new Notes flyout. ++ +[role="screenshot"] +image::whats-new/images/8.15/timeline-notes-flyout.png[Example Timeline with the notes flyout highlighted] [float] -=== Editable setup guide field for detection rules +== Response actions enhancements -You can now {security-guide}/rules-ui-create.html#rule-ui-advanced-params[edit the **Setup guide** field] for user-created custom rules. Use this informational field to list rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly. +[float] +=== Scan files and folders for malware -[role="screenshot"] -image::whats-new/images/8.14/setup-guide-field.png[Setup guide field] +{elastic-defend}'s new {security-guide}/response-actions.html#_scan[`scan` response action] lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your {elastic-defend} integration policy. [float] -=== Alert suppression improvements +=== Isolate and release CrowdStrike-enrolled hosts + +Using Elastic's CrowdStrike integration and connector, you can now perform {security-guide}/third-party-actions.html#crowdstrike-response-actions[response actions] on hosts enrolled in CrowdStrike's endpoint protection system. These actions are available in this release: -In 8.14, we've moved {security-guide}/alert-suppression.html[alert suppression] for custom query rules from technical preview to generally available. 
We've also added alert suppression to event correlation rules (non-sequence queries only) and new terms rules. +* Isolate a host from the network +* Release an isolated host [float] -== {elastic-defend} enhancements +=== Retrieve files from SentinelOne-enrolled hosts +Using Elastic's SentinelOne integration and connector, you can now {security-guide}/third-party-actions.html#sentinelone-response-actions[retrieve files] from SentinelOne-enrolled hosts and download them through {elastic-sec}. [float] -=== New malware file scanning options +== Filter out process descendants -When configuring {security-guide}/configure-endpoint-integration-policy.html#malware-protection[malware protection], you can choose whether {elastic-defend} scans files when they're modified or executed. This can improve performance on hosts where files are frequently modified, while continuing to identify malware as it attempts to run. +Create an {security-guide}/event-filters.html[event filter] that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the amount of events ingested into {elastic-sec}. [role="screenshot"] -image::whats-new/images/8.14/malware-protection.png[Malware protection section, 80%] +image::whats-new/images/8.15/event-filter-process-descendants.png[Add event filter flyout, 70%] + +[float] +== Cases enhancements [float] -=== Automatically register {elastic-defend} as antivirus +=== Introducing case templates -If you're using {elastic-defend}'s malware protection, you can now automatically {security-guide}/configure-endpoint-integration-policy.html#register-as-antivirus[register {elastic-defend} as the antivirus software] for Windows endpoints. +preview:[] {kib} cases offer a new powerful capability to enhance your analyst teams' efficiency with {security-guide}/cases-manage-settings.html#cases-templates[templates]. 
You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces resolution time. [role="screenshot"] -image::whats-new/images/8.14/register-as-antivirus.png[Register as antivirus section, 80%] +image::whats-new/images/8.15/cases-add-template.png[Add a template in case settings, 80%] [float] -== Cloud Security Posture Management support for AWS GovCloud - -Elastic's {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports AWS GovCloud so you can monitor and track how your GovCloud clusters perform against security benchmarks. +=== Case custom fields generally available +In 8.11, {security-guide}/cases-manage-settings.html#cases-ui-custom-fields[custom fields] were added to cases, and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases. +[role="screenshot"] +image::whats-new/images/8.15/cases-add-custom-field.png[Add a custom field in case settings] // end::notable-highlights[] diff --git a/docs/whats-new/images/8.15/auto-import-success-message.png b/docs/whats-new/images/8.15/auto-import-success-message.png new file mode 100644 index 0000000000..d7ef0a8530 Binary files /dev/null and b/docs/whats-new/images/8.15/auto-import-success-message.png differ diff --git a/docs/whats-new/images/8.15/cases-add-custom-field.png b/docs/whats-new/images/8.15/cases-add-custom-field.png new file mode 100644 index 0000000000..134ea000a8 Binary files /dev/null and b/docs/whats-new/images/8.15/cases-add-custom-field.png differ diff --git a/docs/whats-new/images/8.15/cases-add-template.png b/docs/whats-new/images/8.15/cases-add-template.png new file mode 100644 index 0000000000..29075ec9f2 Binary files /dev/null and b/docs/whats-new/images/8.15/cases-add-template.png differ 
diff --git a/docs/whats-new/images/8.15/event-filter-process-descendants.png b/docs/whats-new/images/8.15/event-filter-process-descendants.png new file mode 100644 index 0000000000..f41c2fa9f8 Binary files /dev/null and b/docs/whats-new/images/8.15/event-filter-process-descendants.png differ diff --git a/docs/whats-new/images/8.15/max-alerts-per-run.png b/docs/whats-new/images/8.15/max-alerts-per-run.png new file mode 100644 index 0000000000..d1109318aa Binary files /dev/null and b/docs/whats-new/images/8.15/max-alerts-per-run.png differ diff --git a/docs/whats-new/images/8.15/required-fields-related-integrations.png b/docs/whats-new/images/8.15/required-fields-related-integrations.png new file mode 100644 index 0000000000..b41f4424c8 Binary files /dev/null and b/docs/whats-new/images/8.15/required-fields-related-integrations.png differ diff --git a/docs/whats-new/images/8.15/timeline-notes-flyout.png b/docs/whats-new/images/8.15/timeline-notes-flyout.png new file mode 100644 index 0000000000..2b46de2658 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-notes-flyout.png differ diff --git a/docs/whats-new/images/8.15/timeline-sidebar-and-table.png b/docs/whats-new/images/8.15/timeline-sidebar-and-table.png new file mode 100644 index 0000000000..3f26511421 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-sidebar-and-table.png differ diff --git a/docs/whats-new/images/8.15/timeline-ui-renderer.png b/docs/whats-new/images/8.15/timeline-ui-renderer.png new file mode 100644 index 0000000000..e799fe2236 Binary files /dev/null and b/docs/whats-new/images/8.15/timeline-ui-renderer.png differ
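Review bot: in the `Other versions` hunk (`@@ -4,7 +4,7 @@`), the removed line repeated the 7.17 through 7.10 links that the following unchanged line already carries, so stopping the new line at `{security-guide-all}/8.0/whats-new.html[8.0] |` and letting the existing `7.17 ... 7.9` line finish the list is the right fix; confirm the rendered page shows one continuous list with a single `|` at the join, since the new line ends in `|` and the next line starts directly with `{security-guide-all}/7.17/whats-new.html[7.17]`.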
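Review bot: the added comment `// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API]` under `=== Manage Elastic AI Assistant using API` in the `@@ -13,114 +13,145 @@` hunk ships an unresolved TODO in the 8.15 highlights; either link the API page from the sentence before merge or track it in an issue and drop the comment, and apply the same check to `{security-guide}/asset-criticality-api-overview.html[asset criticality API]` under `=== Manage asset criticality using API`, which links the page directly without that deferral. Two consistency points in the same hunk: the paragraphs after `=== Automatic recalculation of entity risk score`, `=== Expandable alert details flyout enabled by default`, `=== Retrieve files from SentinelOne-enrolled hosts` and `=== Case custom fields generally available` follow their headings with no blank `+` line (and the `[role="screenshot"]` block after the custom fields paragraph has none either), unlike every other section in the file, and the Timeline list uses `-` bullets while the `=== Edit fields for detection rules` list uses `*`. Minor wording: `limit the amount of events ingested` under `== Filter out process descendants` reads better as `limit the number of events ingested`.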