What’s new in 7.15edit

Here are the highlights of what’s new and improved in the latest version of Elastic Security.

For detailed information about this release, see the Release notes.

Other versions: 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9


New featuresedit

Malicious behavior protection for Linux, Windows, and macOS hosts

Malicious behavior protection detects and stops threats by monitoring the behavior of system processes for suspicious activity. It leverages existing malware and ransomware prevention with dynamic prevention of post-execution behavior. Malicious behavior is available for customers with a Platinum or Enterprise license.

Memory threat protection for Windows hosts

Memory threat protection detects and stops many of the techniques used for process injection via shellcode, where an attacker attempts to avoid detection by executing an attack from memory instead of from on-disk, where most detection tools operate. Adversaries leverage in-memory attacks to evade common defensive technologies. Elastic Security also stops sub-techniques such as thread execution hijacking, asynchronous procedure call, process hollowing, and process doppelgänging. Memory threat protection is available for customers with a Platinum or Enterprise license.

Enhanced Alerts page view

The Alerts page has several new enhancements, all designed to help triage alerts faster. A few of these include:

  • Updated alert statuses (Open, Acknowledged, and Closed)
  • New options to group alerts by specific parameters and view individual alert counts
  • New options to customize the Alerts table view
Alerts view

Threat intelligence data enhancements

The following enhancements have been made to alerts enriched with threat intel data:

  • The securitySolution:defaultThreatIndex advanced setting allows you to define threat intelligence indices that Elastic Security will use when collecting threat indicators. The setting controls features that query threat indices, such as the Threat Intelligence view on the Overview page and the default indicator index values for indicator match rules.
  • The event enrichment query performance has been improved.
  • UX enhancements to the Threat Intel tab in the Alert details flyout allow you to view threat matches and their correlating details.
Threat intel tab

Host isolation for all operating systems

Host isolation, which allows analysts to respond to malicious activity by isolating a host from a network, was introduced for Windows and macOS hosts in Elastic Stack 7.14. In Elastic Stack 7.15, this feature is now available for Linux hosts, making the feature compatible with all operating systems.

Host isolation

New third-party integrations

Elastic Security introduces the following new integrations in 7.15:

  • CrowdStrike Falcon
  • Cloudflare
  • Palo Alto Networks Cortex XDR
  • VMware Carbon Black EDR
  • Hashicorp Vault
Hashicorp EDR integration

Add a Lens visualization to an existing case (beta)

Add a Lens visualization to your case to portray event and alert data through charts and graphs.

Shows how to add a visualization to a case