Elastic Security 8.9: Streamline the analyst experience with GAI and advanced analytics

Security professionals have been stretched thin for years, and that’s why Elastic Security has released the Elastic AI Assistant, a generative AI sidekick for the modern SOC. Leaning on large language models (LLMs), the AI Assistant provides a wealth of knowledge on security operations topics and supplies answers to any questions about the Elastic^® platform. Analysts can also leverage the AI Assistant for help with basic tasks, such as:

• Alert triage and investigation
• Query generation for specific use cases
• Data ingestion and extraction
• And much more!

Teams can read the initial announcement and watch the included demo for a deeper dive into the base capabilities.

In 8.9, we’ve added several features to the AI Assistant to further improve security and privacy, while enhancing user experience and administration. Users can now select which model to use with the AI Assistant. If they’re using OpenAI, both quick prompts and system prompts are now customizable, with the option to set defaults for both. In addition to those, we’ve implemented changes for both privacy and quality of life.

What else is new in Elastic 8.9? Check out the 8.9 announcement post to learn more >>

When working with an alert context, you can now selectively decide what data to send and what fields you would like to anonymize. This granular control is an excellent way to ensure you’re not potentially sending extra, unnecessary data to any third parties.

When analysts are working with anonymized entities, they do not have to keep track of the original values. The AI Assistant takes care of the translation of all values to allow for a consistent experience and workflow during alert investigations. Users can also set default behavior for both data selection and anonymization.

Anonymization and field selection for the alert context within the Elastic AI Assistant:

In 8.9, we’ve introduced a number of improvements to help with investigations, namely alert analysis, detections monitoring, and rule tuning. To help analysts reclaim their day, 8.9 brings users the ability to tag alerts to provide additional context such as what further action is required or why the alert was closed. This contributes to a cleaner environment by filtering, automating responses, and grouping and reporting on specific alerts. The default alert tags can be customized via advanced settings to accommodate specific workflows.

Attackers use sophisticated software and tools to move under the security radar, and it can be very difficult for SOCs to detect malicious lateral movement with traditional detection rules. While we released the initial Lateral Movement package in February 2023, Elastic Security has been busy identifying more ways to detect these threats within an environment.

With the 8.9 release, our Lateral Movement Detection package has been made generally available. In addition to identifying network and file based threats, the package detects malicious activities in Windows RDP events using prebuilt ML jobs and specific detection rules.

Elastic Security 8.9 continues to expand our native response action capabilities with the addition of the upload response action. The upload action enables security analysts and administrators to upload files to their hosts through our centralized response console, without requiring that analysts have physical access to the host. This capability vastly streamlines workflows for running scripts on remote hosts, giving analysts the necessary tools to run scripts tailored to their organization's specific security needs and expedite tasks related to investigation, remediation, and orchestration. For example, a script could be designed to collect relevant system logs, scan for specific indicators of compromise (IOCs), or extract forensic information from the endpoint for further analysis, like memory and network dumps.  

Deploying the Elastic Security Cloud Security Posture Management (CSPM) feature in AWS has become even simpler with the power of AWS CloudFormation. This deployment method brings a host of benefits that not only enhance security but also streamline the entire process. Here's why you should take advantage of it:

• Accurate resource configuration: Say goodbye to manual setup and potential errors. CloudFormation ensures that all the necessary resources for CSPMs are set up correctly and with the right minimal permissions, thereby drastically reducing the potential for errors. 
• Saving time and effort: No more wasting precious time on manual resource creation and agent deployment. CloudFormation's auto-provisioning capabilities take care of everything for you. This means you can redirect your valuable time and effort toward other critical tasks that demand your attention.
• Consistency and repeatability: With CloudFormation, deployments can be easily reproduced and consistently maintained across different environments. This ensures a standardized and reliable CSPM setup, regardless of the deployment location.

Read about these capabilities and more in the release notes.

Existing Elastic Cloud customers can access many of these features directly from the Elastic Cloud console. Not taking advantage of Elastic on cloud? Start a free trial.