What’s new in 8.12

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Other versions: 8.11 | 8.10 | 8.9 | 8.8 | 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Elastic AI Assistant now supports retrieval-augmented generation (RAG) for alerts. Using this feature, you can provide information about multiple alerts to AI Assistant, so that it can answer a broader scope of questions relating to alerts in your environment.

The following enhancements have been added to detection rules and alerts:

When Elastic updates a prebuilt detection rule, you can examine the latest version before you update the rule. The rule details flyout in Rule Updates displays a side-by-side JSON comparison of the rule’s Base version (what you currently have installed) and the Update version that you can choose to install.

Alert suppression now supports the threshold detection rule type. You can use it to reduce the number of repeated or duplicate detection alerts created by a threshold rule.

You can now assign users to alerts that you want them to investigate, and manage alert assignees throughout an alert’s lifecycle. Assigned alerts are filterable, and you can find assignees by adding the kibana.alert.workflow_assignee_ids field to the Alerts table or by opening an alert’s details.

The following enhancements have been added to Timeline:

Timeline now opens as a modal, requires you to manually save changes, and has the option to save changes as a new Timeline. Additional UX improvements have been also introduced. For example, the query builder is now collapsible, which allows you to have more space for Timeline results.

You can now remove the ES|QL tab by editing your Kibana user settings and adding the xpack.securitySolution.enableExperimental: ["timelineEsqlTabDisabled"] feature flag.

The default ES|QL query was removed from the ES|QL tab, for increased tab performance.

You can now exclude cold and frozen tier data from visual event analyzer queries to increase analyzer performance. You can do this by turning on the securitySolution:excludeColdAndFrozenTiersInAnalyzer advanced setting.

Powered by the SentinelOne integration for Elastic Agent, SentinelOne response actions allow you to perform bidirectional actions on protected hosts, such as directing SentinelOne to isolate a suspicious endpoint from your network, without needing to leave the Elastic Security UI.

You can now use matches and does not match conditions on more fields when configuring event filters and endpoint exceptions. Previously, only the file.path.text field was supported.

The following enhancements have been added to Cloud Security:

Cloud security posture management (CSPM) capabilities have been expanded to support organization-wide Azure deployments.

The Findings page now enables you to group your data by any field, and to further customize how the page is displayed.

When running an Osquery query, you can now set a timeout period, in seconds, after which the query will stop running. Overwriting the default timeout allows you to support queries that require more time to complete. The default and minimum supported value is 60. The maximum supported value is 900.