What’s new in 8.12

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Retrieval-augmented generation for alerts in Elastic AI Assistant

Elastic AI Assistant now supports retrieval-augmented generation (RAG) for alerts. Using this feature, you can provide information about multiple alerts to AI Assistant, so that it can answer a broader scope of questions relating to alerts in your environment.

Detection rules and alerts enhancements

The following enhancements have been added to detection rules and alerts:

JSON diff for Elastic prebuilt rule updates

When Elastic updates a prebuilt detection rule, you can examine the latest version before you update the rule. The rule details flyout in Rule Updates displays a side-by-side JSON comparison of the rule’s Base version (what you currently have installed) and the Update version that you can choose to install.

Prebuilt rule comparison

Alert suppression supported for threshold rules

Alert suppression now supports the threshold detection rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by a threshold rule.

Assign users to alerts

You can now assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert’s lifecycle. Assigned alerts are filterable, and you can find assignees by adding the kibana.alert.workflow_assignee_ids field to the Alerts table or by opening an alert’s details.

Alert assignees in the Alerts table

Timeline enhancements

The following enhancements have been added to Timeline:

UI and UX enhancements to Timeline

Timeline now opens as a modal, requires you to manually save changes, and has the option to save changes as a new Timeline. Additional UX improvements have also been introduced. For example, the query builder is now collapsible, which gives you more space for Timeline results.

Updated Timeline UI

Feature flag added for the ES|QL tab

You can now remove the ES|QL tab by editing your Kibana user settings and adding the xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"] feature flag.

Default ES|QL query removed from the ES|QL tab

The default ES|QL query was removed from the ES|QL tab to improve the tab's performance.

Exclude cold and frozen tiers from analyzer queries

You can now exclude cold and frozen tier data from visual event analyzer queries to increase analyzer performance. You can do this by turning on the securitySolution:excludeColdAndFrozenTiersInAnalyzer advanced setting.

Advanced setting to exclude cold and frozen tiers from analyzer queries

Bidirectional integration response actions (SentinelOne)

Powered by the SentinelOne integration for Elastic Agent, SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the Elastic Security UI.

Event filters and endpoint exceptions support for matches and does not match conditions

You can now use matches and does not match conditions on more fields when configuring event filters and endpoint exceptions. Previously, only the file.path.text field was supported.

Cloud Security enhancements

The following enhancements have been added to Cloud Security:

Organization-wide Azure deployments supported in Cloud security posture management (CSPM)

Cloud security posture management (CSPM) capabilities have been expanded to support organization-wide Azure deployments.

Data grouping and table customization improvements on the Findings page

The Findings page now enables you to group your data by any field, and to further customize how the page is displayed.

New Osquery query timeout setting

When running an Osquery query, you can now set a timeout period, in seconds, after which the query stops running. Overriding the default timeout lets you support queries that need more time to complete. The default and minimum supported value is 60 seconds; the maximum supported value is 900 seconds.

Osquery query timeout setting