Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.
Latest entity risk scoring engine provides greater scalability and performance
The latest risk scoring engine generates risk scores on a recurring interval, and allows for easier onboarding and management. The engine is built to factor in risks from all Elastic Security use cases. It also allows you to customize and control how and when risk is calculated.
With the new risk scoring engine, you can:
- Preview and enable the risk engine using a centralized one-click onboarding workflow.
- Conveniently migrate to the new engine if you’re an existing user of risk scoring.
- Generate risk scores for hosts and users from the last 30 days.
- View the alerts that contributed to an entity’s risk score, allowing faster investigations.
- Continue to access entity risk analytics in existing security workflows.
Elastic AI Assistant enhancements
The following enhancements have been added to the Elastic AI Assistant:
New Amazon Bedrock connector
You can use Elastic’s new Amazon Bedrock connector to integrate with Anthropic Claude models from AWS in the Elastic AI Assistant.
New ES|QL knowledge base
[beta] This functionality is in beta and is subject to change. The design and code are less mature than official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features. With the new knowledge base enabled, Elastic AI Assistant can answer detailed questions about the Elasticsearch Query Language (ES|QL), including help with generating specific queries and answering syntax questions.
Detection rules and alerts enhancements
The following enhancements have been added to detection rules and alerts:
Create ES|QL query detection rules with new ES|QL rule type
Use the new ES|QL rule type to create detection rules that use ES|QL queries. The ES|QL rule type supports aggregating and non-aggregating queries.
Case-sensitive values supported in rule exceptions
When adding exceptions to a rule, the is one of and is not one of operators now support identical, case-sensitive values – for example,
Use ES|QL in Timeline
You can use ES|QL in Timeline to filter, transform, and analyze event data stored in Elasticsearch. To start using ES|QL, open the ES|QL tab.
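The two query shapes the ES|QL rule type accepts, shown as an added example (not code from the Elastic documentation): a non-aggregating query, which must carry the _id, _version and _index metadata columns so that each alert maps back to one source document and repeated rule runs do not raise duplicate alerts, and an aggregating query, which produces one alert per row that STATS returns. The index pattern logs-endpoint.events.process-* and the ECS field names are assumptions; both queries can also be pasted into the ES|QL tab in Timeline to check what they match before saving them as a rule. Note that the exact METADATA syntax has changed between Elasticsearch versions (early releases wrapped it in square brackets), so check the ES|QL reference for the version you run.

```esql
// Non-aggregating query: one alert per matching event.
// The METADATA columns must be selected and kept so alert de-duplication works.
FROM logs-endpoint.events.process-* METADATA _id, _version, _index
| WHERE process.name == "powershell.exe"
  AND process.command_line LIKE "*-enc*"
| KEEP @timestamp, host.name, user.name, process.command_line, _id, _version, _index

// Aggregating query: one alert per (host, user) pair that crosses the threshold.
// No METADATA columns are needed, since the alert is built from the STATS row, not a source document.
FROM logs-endpoint.events.process-*
| WHERE process.name == "powershell.exe"
| STATS launches = COUNT(*) BY host.name, user.name
| WHERE launches >= 20
```

Keep the non-aggregating form narrow: every event the first query returns becomes an alert, so a broad WHERE clause on a busy index pattern will flood the alerts table on each rule interval.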
Expanded support for Cloud security posture management (CSPM)
Cases enhancements
The following enhancements have been added to cases:
Custom case fields
You can now add custom fields to cases to support customized collaboration.
Connectors page renamed
The page where you create and manage case connectors has been renamed to Settings.
Agent tamper protection with Elastic Defend
For hosts enrolled in Elastic Defend, you can prevent unauthorized attempts to uninstall Elastic Agent and Elastic Endpoint by enabling Agent tamper protection on the Agent policy. This offers an additional layer of security by preventing users from bypassing or disabling Elastic Defend’s endpoint protections.
When enabled, Elastic Agent and Elastic Endpoint can only be uninstalled on the host by including the policy’s generated uninstall token in the uninstall CLI command. Treat that token as a secret: anyone who obtains it can remove the endpoint protection from every host enrolled in the policy, so restrict access to it and rotate it if you suspect it has been exposed.