What’s new in 8.11edit

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Other versions: 8.10 | 8.9 | 8.8 | 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Latest entity risk scoring engine provides greater scalability and performanceedit

The latest risk scoring engine generates risk scores on a recurring interval, and allows for easier onboarding and management. The engine is built to factor in risks from all Elastic Security use cases. It also allows you to customize and control how and when risk is calculated.

With the new risk scoring engine, you can:

  • Preview and enable the risk engine using a centralized one-click onboarding workflow.
  • Conveniently migrate to the new engine if you’re an existing user of risk scoring.
  • Generate risk scores for hosts and users from the last 30 days.
  • View the alerts that contributed to an entity’s risk score, allowing faster investigations.
  • Continue to access entity risk analytics in existing security workflows.
Entity Risk Score page

Elastic AI Assistant enhancementsedit

The following enhancements have been added to the Elastic AI Assistant:

New Amazon Bedrock connectoredit

You can use Elastic’s new Amazon Bedrock connector to integrate with Anthropic Claude models from AWS in the Elastic AI Assistant.

New ES|QL knowledge baseedit

[beta] This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. With the new knowledge base enabled, Elastic AI Assistant can answer detailed questions about the Elastic Search Query Language (ES|QL), including help with generating specific queries and syntax questions.

Detection rules and alerts enhancementsedit

The following enhancements have been added to detection rules and alerts:

Create ES|QL query detection rules with new ES|QL rule typeedit

Use the new ES|QL rule type to create detection rules that use ES|QL queries. The ES|QL rule type supports aggregating and non-aggregating queries.

New ES|QL rule type

Case-sensitive values supported in rule exceptionsedit

When adding exceptions to a rule, the is one of and is not one of operators now support identical, case-sensitive values – for example, Windows and windows.

Use ES|QL in Timelineedit

You can use ES|QL in Timeline to filter, transform, and analyze event data stored in Elasticsearch. To start using ES|QL, open the ES|QL tab.

New ES|QL tab in Timeline

Expanded support for Cloud security posture management (CSPM)edit

Cloud security posture management (CSPM) capabilities have been expanded to support organization-wide GCP deployments, as well as single-subscription Azure deployments.

Cases enhancementsedit

The following enhancements have been added to cases:

Custom case fieldsedit

You can now add custom fields to cases to support customized collaboration.

Add custom fields to cases

Connectors page renamededit

The page where you create and manage case connectors has been renamed to Settings.

The case settings page

Agent tamper protection with Elastic Defendedit

For hosts enrolled in Elastic Defend, you can prevent unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling Elastic Defend’s endpoint protections.

When enabled, Elastic Agent and Elastic Endpoint can only be uninstalled on the host by including the policy’s generated uninstall token in the uninstall CLI command.

Agent tamper protection setting highlighted on Agent policy settings page