What’s new in Elastic Security 8.11: Piped queries, AI assistance, and cloud and user data


Elastic Security 8.11 introduces pipe queries with Elasticsearch Query Language (ES|QL), an Elastic AI Assistant connector for AWS Bedrock, and data integrations for Okta, Microsoft Entra ID, Wiz, and Palo Alto Prisma Cloud. Together, these enhancements deliver vital guidance and context to threat hunters and investigators.

Elastic Security 8.11 is available now on Elastic Cloud — the only hosted Elasticsearch® offering to include all of the new features in this latest release. You can also download the Elastic Stack and our cloud orchestration products, Elastic Cloud Enterprise and Elastic Cloud for Kubernetes, for a self-managed experience.

What else is new? Check out the Elastic 8.11 announcement post to learn more.

ES|QL advances analysis and strengthens detection

ES|QL, previewed in Elastic 8.11, transforms how analysts pursue threats and strengthens detection. Built in answer to rich community input, it unleashes the power of piped queries at the speed of Elasticsearch, enhancing the SIEM, endpoint security, and cloud security capabilities of Elastic Security.

Connecting the dots of an unfolding attack requires practitioners to filter and assess an extraordinary amount of data. Amid this process, they typically perform a series of searches, look up wide-ranging context, and restructure data as needed. Elastic Security arms analysts to accomplish these tasks efficiently — and ES|QL propels them even faster. On the fly, with a single piped query, security professionals can:

  • Search quickly and iteratively
  • Enrich results with context (e.g., threat intelligence)
  • Transform data (e.g., define a new field, parse non-normalized data)
  • Aggregate results for further analysis

Elastic® is the only search platform to pair the efficiency of a schema-on-write architecture with the iterative search experience of a schema-on-read piped query language. With incredibly fast search — and query output in full sight — analysts can draw closer to their target with each successive pipe.

1 - esql data exfill

ES|QL also enhances Elastic Security’s powerful detection engine. To reduce alarm fatigue, improve alert relevance, and provide another avenue for behavioral detection, organizations can incorporate aggregated values within detection rules. With inline evaluation, practitioners can iteratively develop and hone ES|QL-based rules. Queries are formatted in plaintext, simplifying collaboration.

2 - definition custom query

AI Assistant adds support for Amazon Bedrock and can generate ES|QL queries from natural language prompts

AI Assistant adds support for Amazon Bedrock, via an open integration framework that already supports OpenAI and Azure OpenAI. Amazon Bedrock provides access to Anthropic’s Claude 2 model, which allows larger context windows, enabling longer and more elaborate conversations with the assistant.

3 - amazon bedrock connector

AI Assistant now allows users to generate ES|QL queries from natural language prompts. This is made possible with Elastic Learned Sparse EncodeR (ELSER).

4 - elastic assistant

Identity context from Okta and Microsoft Entra ID enhances entity-based analysis

Elastic Security 8.11 deepens integrations with Okta and Microsoft Entra ID (fka Azure AD) to enhance advanced entity analytics with rich identity context. Numerous existing log connectors for these and other identity management and security technologies enable the ingestion and analysis of vital user activity. The Okta and Entra ID integrations delivered in version 8.11 lay the groundwork to infuse additional asset context, including information about users, groups, and devices, throughout analyst workflows. These new integrations can be activated on Elastic Agent with just a couple clicks.

Enhance cloud security by centralizing data from Wiz and Palo Alto Prisma Cloud

Elastic Security 8.11 adds data integrations with two popular cloud security technologies, Wiz and Palo Alto Prisma Cloud. Customers can ingest and analyze Wiz and Prisma Cloud data within Elastic Security, including events and alerts related to cloud resource misconfigurations, compliance violations, vulnerabilities, and anomalous user activities, providing visibility and context for your cloud environments within Elastic Security. Elastic Security is one of the first vendors to seamlessly support numerous third-party cloud security technologies and also offer native cloud security capabilities.

Try it out

Read about these capabilities and more in the release notes.

Existing Elastic Cloud customers can access many of these features directly from the Elastic Cloud console. Not taking advantage of Elastic on cloud? Start a free trial.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features or functionality not currently available may not be delivered on time or at all.