elastic · natasha-moore-elastic · Aug 8, 2024 · Aug 6, 2024 · Aug 6, 2024 · Aug 7, 2024
@@ -4,7 +4,7 @@
 
 Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out our <<release-notes, release notes>>.
 
-Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
+Other versions: {security-guide-all}/8.14/whats-new.html[8.14] | {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide-all}/8.12/whats-new.html[8.12] | {security-guide-all}/8.11/whats-new.html[8.11] | {security-guide-all}/8.10/whats-new.html[8.10] | {security-guide-all}/8.9/whats-new.html[8.9] | {security-guide-all}/8.8/whats-new.html[8.8] | {security-guide-all}/8.7/whats-new.html[8.7] | {security-guide-all}/8.6/whats-new.html[8.6] | {security-guide-all}/8.5/whats-new.html[8.5] | {security-guide-all}/8.4/whats-new.html[8.4] | {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
 {security-guide-all}/7.9/whats-new.html[7.9]
 
 // NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
@@ -13,114 +13,137 @@ Other versions: {security-guide-all}/8.13/whats-new.html[8.13] | {security-guide
 [float]
 == Generative AI enhancements
 
+[float]
+=== Manage Elastic AI Assistant using API
+
+You can now interact with and manage {security-guide}/security-assistant.html[Elastic AI Assistant] using the Elastic AI Assistant API.
+// add link to Elastic AI Assistant API page when available: {security-guide}/assistant-api-overview.html[Elastic AI Assistant API]
 
 [float]
-=== Attack Discovery
+=== Automatic Import
 
-{security-guide}/attack-discovery.html[Attack discovery] is a new AI-powered tool that identifies potential attacks and maps connections between alerts to the MITRE ATT&CK® matrix, helping you to fight alert fatigue and reduce your mean time to respond.
+preview:[] Automatic Import uses AI to create integrations for your custom data sources.
+// add link to Automatic Import page when available: {security-guide}/xyz.html[Automatic Import]
 
 [role="screenshot"]
-image::whats-new/images/8.14/attack-discovery-full-card.png[Attack discovery detail view]
+image::whats-new/images/8.15/auto-import-success-message.png[The Automatic Import success message, 80%]
 
 [float]
-=== Redesigned Elastic AI Assistant UI
-
-{security-guide}/security-assistant.html[Elastic AI Assistant] for {elastic-sec} has a redesigned user interface that uses a flyout instead of a popup, aligning it with standard {kib} design patterns. Also, when using OpenAI models, AI Assistant can now "stream" responses, rendering word-by-word rather than appearing as complete text blocks, providing a more conversational experience.
+== Entity Analytics enhancements
 
 [float]
-== Entity Analytics enhancements
+=== Automatic recalculation of entity risk score
 
+{security-guide}/entity-risk-scoring.html[Entity risk score] is now automatically recalculated when you assign, change, or unassign an individual entity's {security-guide}/asset-criticality.html[asset criticality] level.
 
 [float]
-=== Asset criticality file upload
+=== Manage asset criticality using API
 
-You can {security-guide}/asset-criticality.html#bulk-assign-asset-criticality[bulk assign asset criticality] to multiple entities at a time by importing a text file from your asset management tools. This feature allows you to quickly and easily import a list of entities and their asset criticality levels into the {security-app}.
+You can now manage {security-guide}/asset-criticality.html[asset criticality] using the asset criticality API.
+// add link to asset criticality API page when available: {security-guide}/xyz.html[asset criticality API]
 
-[role="screenshot"]
-image::whats-new/images/8.14/asset-criticality-file-upload.gif[Animation of asset criticality file upload,90%]
+[float]
+== Detection rules and alerts enhancements
 
 [float]
-=== Unassign asset criticality
+=== Edit fields for detection rules
+
+You can now edit these fields for user-created {security-guide}/rules-ui-create.html[custom rules]:
 
-You can unassign {security-guide}/asset-criticality.html[asset criticality] from a host or user if the criticality level is no longer known, or the currently assigned level is incorrect.
+* **Max alerts per run**: Specify the maximum number of alerts a rule can create each time it runs.
++
+[role="screenshot"]
+image::whats-new/images/8.15/max-alerts-per-run.png[The Max alerts per run field highlighted in the Create new rule UI]
+
+* **Required fields**: Create an informational list of fields that a rule requires to function.
 
+* **Related integrations**: Create an informational list of one or more Elastic integrations associated with a rule.
++
 [role="screenshot"]
-image::whats-new/images/8.14/unassign-criticality.png[Unassign asset criticality, 50%]
+image::whats-new/images/8.15/required-fields-related-integrations.png[The Required fields and Related integrations fields highlighted in the Create new rule UI]
 
 [float]
-=== Risk scoring engine processes up to 10,000 alerts per entity
+=== Suppress alerts for {ml} and {esql} rules
 
-When calculating {security-guide}/entity-risk-scoring.html[entity risk scores], the risk scoring engine now takes into account a maximum of 10,000 alerts per entity. This ensures that the engine remains operational in environments with extremely large data volume.
+{security-guide}/alert-suppression.html[Alert suppression] now supports the {ml} and {esql} rule types. You can use it to reduce the number of repeated or duplicate detection alerts created by {ml} and {esql} rules.
 
 [float]
-=== Access the entity details flyout from the Entity Analytics dashboard 
+=== Use AI Assistant when writing rule queries
 
-Clicking on a specific host or user name in the {security-guide}/detection-entity-dashboard.html[Entity Analytics dashboard] now opens the host or user details flyout instead of the host or user details page. This allows you to access entity metadata and risk score information without navigating away from the dashboard.
+When creating rules, use AI Assistant to improve rule queries or to quickly correct them.
 
 [float]
-=== Entity details flyout shows contribution scores per alert
+=== Bulk update custom highlighted fields for rules
 
-The **Risk contributions** section of the {security-guide}/hosts-overview.html#host-details-flyout[entity details flyout] now shows the top 10 alerts that contributed to the latest risk scoring calculation and each alert's contribution score. This makes each entity's risk score easier to understand and gives better insight into which alerts you should investigate at the entity level.
+Bulk add or remove {security-guide}/rules-ui-create.html#rule-ui-advanced-params[custom highlighted fields] for multiple detection rules.
 
-[role="screenshot"]
-image::whats-new/images/8.14/contribution-scores-per-alert.png[Contribution scores for top 10 alerts, 90%]
+[float]
+=== Preview entities and alerts in the alert details flyout
+
+You can now preview host and user details from the **Insights** tab of the {security-guide}/view-alert-details.html[alert details flyout] instead of going to the **Hosts** or **Users** pages for more information. From the **Correlations** tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them.
 
 [float]
-== Detection rules and alerts enhancements
+=== Expandable alert details flyout enabled by default
 
+The expandable alert details flyout is now enabled by default in multiple places throughout the {security-app}.
 
 [float]
-=== Value list improvements
+==  Toggle row renderers on and off in Timeline
 
-You can now {security-guide}/value-lists-exceptions.html#edit-value-lists[edit value lists] from the UI, wherever you use them. For example, you can now add items to a value list while creating a rule exception that references that value list.
+Within Timeline, quickly add or remove context from events by toggling row renderers.
 
 [role="screenshot"]
-image::whats-new/images/8.14/edit-value-lists.png[Edit items in a value list, 90%]
+image::whats-new/images/8.15/timeline-ui-renderer.png[Example Timeline with the event renderer highlighted]
 
 [float]
-=== Add ES|QL fields as custom highlighted fields
-
-When adding custom highlighted fields to an {esql} rule, you can now {security-guide}/rules-ui-create.html#custom-highlighted-esql-fields[specify any fields returned by the rule's query]. This allows you to surface fields that contain useful information for investigating alerts.
+== Response actions enhancements
 
 [float]
-=== Editable setup guide field for detection rules
-
-You can now {security-guide}/rules-ui-create.html#rule-ui-advanced-params[edit the **Setup guide** field] for user-created custom rules. Use this informational field to list rule prerequisites such as required integrations, configuration steps, and anything else needed for the rule to work correctly.
+=== Scan files and folders for malware
 
-[role="screenshot"]
-image::whats-new/images/8.14/setup-guide-field.png[Setup guide field]
+{elastic-defend}'s new {security-guide}/response-actions.html#_scan[`scan` response action] lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your {elastic-defend} integration policy.
 
 [float]
-=== Alert suppression improvements 
+=== Isolate and release CrowdStrike-enrolled hosts
 
-In 8.14, we've moved {security-guide}/alert-suppression.html[alert suppression] for custom query rules from technical preview to generally available. We've also added alert suppression to event correlation rules (non-sequence queries only) and new terms rules.
+Using Elastic's CrowdStrike integration and connector, you can now perform response actions on hosts enrolled in CrowdStrike's endpoint protection system. These actions are available in this release:
+
+* Isolate a host from the network
+* Release an isolated host
+
+// add link to CrowdStrike response actions when available: {security-guide}/third-party-actions.html#crowdstrike-response-actions[response actions]
 
 [float]
-== {elastic-defend} enhancements
+=== Retrieve files from SentinelOne-enrolled hosts
 
+Using Elastic's SentinelOne integration and connector, you can now {security-guide}/third-party-actions.html#sentinelone-response-actions[retrieve files] from SentinelOne-enrolled hosts and download them through {elastic-sec}.
 
 [float]
-=== New malware file scanning options
+== Filter out process descendants
 
-When configuring {security-guide}/configure-endpoint-integration-policy.html#malware-protection[malware protection], you can choose whether {elastic-defend} scans files when they're modified or executed. This can improve performance on hosts where files are frequently modified, while continuing to identify malware as it attempts to run.
+Create an {security-guide}/event-filters.html[event filter] that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the amount of events ingested into {elastic-sec}.
 
 [role="screenshot"]
-image::whats-new/images/8.14/malware-protection.png[Malware protection section, 80%]
+image::whats-new/images/8.15/event-filter-process-descendants.png[Add event filter flyout, 70%]
+
+[float]
+== Cases enhancements
 
 [float]
-===  Automatically register {elastic-defend} as antivirus
+=== Introducing case templates
 
-If you're using {elastic-defend}'s malware protection, you can now automatically {security-guide}/configure-endpoint-integration-policy.html#register-as-antivirus[register {elastic-defend} as the antivirus software] for Windows endpoints.
+preview:[] {kib} cases offer a new powerful capability to enhance the efficiency of your analyst teams with {security-guide}/cases-manage-settings.html#cases-templates[templates]. You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces time to resolution.
 
 [role="screenshot"]
-image::whats-new/images/8.14/register-as-antivirus.png[Register as antivirus section, 80%]
+image::whats-new/images/8.15/cases-add-template.png[Add a template in case settings, 80%]
 
 [float]
-== Cloud Security Posture Management support for AWS GovCloud
-
-Elastic's {security-guide}/cspm.html[Cloud Security Posture Management (CSPM)] integration now supports AWS GovCloud so you can monitor and track how your GovCloud clusters perform against security benchmarks.
+=== Case custom fields generally available
 
+In 8.11, {security-guide}/cases-manage-settings.html#cases-ui-custom-fields[custom fields] were added to cases, and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases.
 
+[role="screenshot"]
+image::whats-new/images/8.15/cases-add-custom-field.png[Add a custom field in case settings]
 
 
 // end::notable-highlights[]