- New prebuilt detection rules.
- Exceptions can be assigned to threshold and machine learning rules.
- Enhanced UI to view and manage exceptions.
- Add MITRE ATT&CK sub-techniques in advanced rule settings.
- New rule actions and enhanced alert notifications.
- New support for cold tier data and searchable snapshots for specific Elasticsearch indices.
- Self-protection enabled on Windows and macOS by default.
- Register Elastic Security as an antivirus solution on Windows.
- Customize malware notification messages.
- Enhanced Timeline design with accessibility features.
- Enhanced capability to add a trusted application by signer.
- Enhanced event visualization for Endpoint and Windows process events.
- New detection alerts migration API feature, which can be used to enable new features on existing detection alerts.
- Fourteen new machine learning anomaly detection jobs have been added, which support multi-index analysis for Linux or Windows data and detect anomalous user, process, and network port activity. See Security: Linux and Security: Windows.
- Ingest Manager has been renamed to Fleet.
- Configuration has been renamed to Policy.
- New support for macOS 11.0 (Big Sur).
- Enhanced user interface for the Endpoint Administration page.
- Add trusted applications to avoid performance or compatibility issues.
- New Event Correlation rule type based on EQL (Event Query Language).
- New Indicator Match rule type to create alerts for index field values that match threat indices.
- Free, open detections in the Detection Rules repo.
- New Timeline enhancements that include detection alert actions.
- Connect and send cases to external systems (ServiceNow, Jira, Resilient).
- In addition to new prebuilt rules for 7.10, Elastic Security now provides additional anomaly detection jobs for Auditbeat and Winlogbeat data. Twelve new metadata and discovery analysis jobs have been added to enable threat detection on metadata services, system and discovery processes, and compiler events. For the full list, see Prebuilt job reference.
In the 7.9 release, Elastic SIEM and Endpoint Security combined into a single unified app, Elastic Security. The following lists the new changes as a result of the merge.
- Signal detection rules have been renamed to detection rules.
Signals are now called detection alerts, which fall into one of the following categories:
- Detection alerts: Alerts generated within Elastic Security by the rules engine.
- External alerts: Alerts originating outside of Elastic Security.
- Kibana alerts: Alerts native to Kibana (may not be security-related).
- Whitelist is now called the Exception list. Items added to the Exception list are known as exceptions.
The former Alerts tab has been renamed to Detections.
- The Alerts title page in the Detections tab has been renamed to Detection alerts.
- Alert count has been renamed to Trend.
In the Overview tab:
- Alert count has been renamed to Detection alert trend.
- External alert count has been renamed to External alert trend.
- A new tab, Administration, allows analysts to view and manage hosts running Elastic Endpoint Security. From this page you can also manage integrations and check the configuration status of hosts to ensure they’re protected.