Here are the highlights of what’s new and improved in Elastic Security!
For detailed information about this release, see the Release notes.
- A new Osquery Manager integration allows you to centrally manage Osquery deployments to Elastic Agents in your Fleet server, and query host data through distributed SQL.
- A new Fleet integration allows you to download the latest version of prebuilt detection rules out of the regular Elastic Stack release cycle.
- 14 new prebuilt detection rules.
- A newly updated Fleet Server in Kibana requires you to redeploy your Elastic Agents. Review each scenario to ensure you take the appropriate steps to keep your endpoints protected.
- Add multiple job IDs when creating a new machine learning rule.
- Updated APIs for Timeline and Create rule.
- New updates to the Administration page include updated agent statuses and enhancements to Trusted applications, including hash validation, improved error messages, and the ability to run a simple search.
To use Elastic Security, at least one node in an Elasticsearch cluster needs the
- Ransomware protection is enabled on Windows and macOS protected hosts for customers with a Platinum or Enterprise license.
- Enhanced malware prevention capabilities of the Elastic Agent to increase accuracy.
- 86 new prebuilt detection rules.
- Write an Event Query Language (EQL) query directly in the Timeline to view matched, ordered events directly in the Timeline table.
- Support for multiple aggregations in threshold rules by enabling grouping across multiple fields and adding a new Count field to check cardinality.
- Threshold rules are now compatible with creating an exception.
- A new connector with ServiceNow Security Incident Response (SIR) to enable orchestration and response workflows.
- New prebuilt detection rules.
- Exceptions can be assigned to threshold and machine learning rules.
- Enhanced UI to view and manage exceptions.
- Add MITRE ATT&CK sub-techniques in advanced rule settings.
- New rule actions and enhanced alert notifications.
- New support for cold tier data and searchable snapshots for specific Elasticsearch indices.
- Self-protection enabled on Windows and macOS by default.
- Register Elastic Security as an antivirus solution on Windows.
- Customize malware notification messages.
- Enhanced Timeline design with accessibility features.
- Enhanced capability to add a trusted application by signer.
- Enhanced event visualization for Endpoint and Windows process events.
- New detection alerts migration API feature, which can be used to enable new features on existing detection alerts.
- Fourteen new machine learning anomaly detection jobs have been added, which support multi-index analysis for Linux or Windows data and detect anomalous user, process, and network port activity. See Security: Linux and Security: Windows.
- Ingest Manager has been renamed to Fleet.
- Configuration has been renamed to Policy.
- New support for macOS 11.0 (Big Sur).
- Enhanced user interface for the Endpoint Administration page.
- Add trusted applications to avoid performance or compatibility issues.
- New Event Correlation rule type based on EQL (Event Query Language).
- New Indicator Match rule type to create alerts for index field values that match threat indices.
- Free, open detections in the Detection Rules repo.
- New Timeline enhancements that include detection alert actions.
- Connect and send cases to external systems (ServiceNow, Jira, Resilient).
- In addition to new prebuilt rules for 7.10, Elastic Security now provides additional anomaly detection jobs for Auditbeat and Winlogbeat data. Twelve new metadata and discovery analysis jobs have been added to enable threat detection on metadata services, system and discovery processes, and compiler events. For the full list, see Prebuilt job reference.
In the 7.9 release, Elastic SIEM and Endpoint Security combined into a single unified app, Elastic Security. The following lists the new changes as a result of the merge.
- Signal detection rules have been renamed to detection rules.
- Signals are now called detection alerts, which fall into one of the following categories:
  - Detection alerts: Alerts generated within Elastic Security by the rules engine.
  - External alerts: Alerts originating outside of Elastic Security.
  - Kibana alerts: Alerts native to Kibana (may not be security related).
- Whitelist is now called the Exception list. Items added to the Exception list are known as exceptions.
- The former Alerts tab has been renamed to Detections.
  - The Alerts title page in the Detections tab has been renamed to Detection alerts.
  - Alert count has been renamed to Trend.
- In the Overview tab:
  - Alert count has been renamed to Detection alert trend.
  - External alert count has been renamed to External alert trend.
- A new tab, Administration, allows analysts to view and manage hosts running Elastic Endpoint Security. From this page you can also manage integrations and check the configuration status of hosts to ensure they’re protected.