What’s new in 8.8edit

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out the Release notes.

Other versions: 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Detection rules enhancementsedit

New warning for running maintenance windows

A warning banner displays on the Rules page if a maintenance window is running. During an active maintenance window, rule actions won’t run, and alert notifications aren’t sent.

To use maintenance windows, you must have the appropriate subscription and Kibana feature privileges.

Prebuilt rule updates

Check out the latest updates to prebuilt rules. To download the latest updates, refer to Download latest Elastic prebuilt rules.

Alerts enhancementsedit

Control alert notifications and summaries

The following enhancements give more control over how and when alert notifications are sent. For more information, refer to Set up alert notifications.

  • You can now specify how often alert notifications are sent to third-party systems (such as Slack, JIRA, email, etc.). You can apply your preferred frequency to all rule actions, or set notification frequency individually for each action.

    Rule action frequency
  • You can decide whether to be notified each time an alert is generated, or receive alert summaries.
  • Instead of turning rules off to stop alert notifications, you can snooze rule actions for a specified time period. When you snooze rule actions, the rule continues to run on its defined schedule, but won’t perform any actions or send alert notifications.

Max alerts warning

When a rule reaches the maximum number of alerts it can generate in a single rule execution, the following warning is displayed on the rule’s details page and in the rule execution log: This rule reached the maximum alert limit for the rule execution. Some alerts were not created. To troubleshoot this event, we recommend you check for unexpected alerts. For more information, refer to Troubleshoot maximum alerts warning.

Share an alert

The Share alert button in the alert details flyout provides a shareable link you can copy and paste into browsers, cases, messages, and more.

Share alert in alert details flyout

Edit filter controls on the Alerts page

The drop-down filter controls on the Alerts page allow you to filter alerts by up to four fields. By default, you can filter by Status, Severity, User, and Host, but you can edit these to filter by different fields. You can also remove, add, and reorder them.

Alert filter controls

New alert suppression options

A new rule configuration option for alert suppression allows you to specify how to handle alerts when a field that’s used for suppression does not have a value.

To learn how to reduce notifications and alerts, check out our analysis comparison here.

Filter alerts from the Entity Analytics dashboard

In the Entity Analytics dashboard, you can now filter alerts on the Alerts page by selecting the number link in the column.

Filter alerts from the Entity Analytics dashboard

Select up to three fields for grouping alerts

You now select up to three fields to group alerts by to customize your alerts view. Each group is nested in the Alerts table by order of selection.

Group alerts

Visualization actions and inline actions added to more places in the Elastic Security appedit

Visualization actions, which allow you to examine Elasticsearch queries used to retrieve data throughout the Elastic Security app or perform actions for the selected visualization, have been added to several places in the Elastic Security app. Look for the Inspect button (Inspect icon) or options menu (Options menu icon) in the UI.

Inline actions are displayed when you hover over a specific data field or value and allow you to customize your view or investigate further. They’ve also been added to more places throughout the Elastic Security app, such as:

  • Explore pages (Host, Network, and User pages)
  • Entity analytics (Entity Analytics Dashboard, user risk score, and host risk score features)
  • Alerts and events table
  • Event details flyout
Inline actions menu

Cloud Security enhancementsedit

New Container Workload Protection (beta)

You can now use Elastic Agent to protect your containers by detecting and preventing malicious behavior and malware, and to capture workload telemetry data. This solution uses a new integration, Defend for Containers (D4C), which allows you to create custom alerting and enforcement policies.

New Cloud Native Vulnerability Management (CNVM) (beta)

The Cloud Native Vulnerability Management (CNVM) feature helps you identify known vulnerabilities in your cloud workloads. When it finds vulnerabilities, it enables your remediation efforts by providing metadata such as the CVSS, severity, affected package, and a fix version if available, as well as information about impacted systems.

New "execute" response console commandedit

A new response console command, execute, allows you to run shell commands and scripts on the host. The complete output is also saved to a downloadable .zip file.

Ensure you have the appropriate privileges to use the response console.

Delete notes in Timelineedit

In Timeline, you can now delete notes for individual events or delete investigation notes for the entire Timeline.

Cases enhancementsedit

The following enhancements have been added to Cases:

  • You can now add files to a case.

    Add files to a case
  • You can now add the Cases column to the Alerts table, which is helpful to quickly identify which alerts have been added to a case.
  • Case activity and history are paginated and sortable.
  • The privileges for attaching alerts to cases have changed. Now, users need Read access to Security and All access to Cases.