What’s new in 8.16

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Other versions: 8.15 | 8.14 | 8.13 | 8.12 | 8.11 | 8.10 | 8.9 | 8.8 | 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Automatic Import can now use a larger variety of large language models and accept larger log samples in a wider range of common formats.

Attack Discovery can now analyze up to 500 alerts at once, and provides higher-quality responses.

Elastic AI Assistant’s new Knowledge Base feature allows you to specify individual documents or entire indices that AI Assistant will remember and use as context. This improves the relevance, quality, and customization of its responses.

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. The entity store feature allows you to query, reconcile, and maintain entity metadata from various sources, such as ingested logs, integrated identity providers, external asset repositories, and more. By extracting and storing entities from all indices in the Elastic Security default data view, the entity store lets you query entity metadata without real-time data searches.

After you enable the entity store, the Entity Analytics dashboard displays the Entities section, which offers a comprehensive view of all hosts and users in your environment. You can filter them by their source, entity risk level, and asset criticality level.

The advanced setting for enabling asset criticality has been removed, and this feature is now available by default.

You can now enable and run entity risk scoring in multiple Kibana spaces. This allows you to analyze and monitor entity risk in different contexts simultaneously.

When you bulk assign asset criticality using the file upload feature, the newly assigned criticality levels are automatically factored in during the next hourly risk scoring calculation. You can now manually trigger an immediate recalculation of entity risk scores by clicking Recalculate entity risk scores now during the file upload process.

Previously, installing and enabling prebuilt rules took two steps. You can now do both in one step with the Install and enable option. This works for both single and multiple rules.

Manually run rules for testing purposes or additional rule coverage. Details about manual runs (such as the status of each run, the total number of runs that will occur, and more) are shown on the Execution results tab of the rule details page.

Rules that query cold and frozen data tiers might perform more slowly. To exclude query results from cold and frozen tiers, add a Query DSL filter that ignores cold and frozen documents when executing. This can help Elasticsearch exclude cold and frozen data more efficiently.

When previewing a rule, you can also learn about its Elasticsearch queries, which are submitted when the rule runs. This information can help you identify and troubleshoot potential rule issues. You can also use it to confirm that your rule is retrieving the expected data. This option is provided for ES|QL and EQL rules only.

Alert suppression is generally available for the indicator match, threshold, machine learning, ES|QL, and new terms rule types. It is still in technical preview for event correlation rules.

You can now attach notes to alerts, events, and Timelines, and manage them from the Notes page. This provides an easy way to incorporate notes into your investigative workflows to coordinate responses, conduct threat hunting, and share investigative findings.

[preview] This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features. By enabling the new securitySolution:enableVisualizationsInFlyout advanced setting, you can view analyzed alerts and events in the Visualize tab of the alert details flyout. This allows you to maintain the context of the Alerts table during your investigation and provides an easy way to preview related alerts and events.

You can now resize the alert and event details flyouts and choose how they’re displayed—over the Alerts table or next to it.

Additional third-party response actions are available using Elastic’s SentinelOne integration and connector:

You can now configure any detection rule type to perform Elastic Defend’s automated response actions.

You can now ingest cloud security data from several third-party sources—Falco, AWS Security Hub, and Wiz—into Elastic Security. The data appears on the Alerts and Findings pages, and in the user and host details flyouts.

Elastic’s native Cloud Security Posture Management (CSPM) integration now supports agentless deployment, giving you an easier and more streamlined way to collect posture data from your cloud service providers.