
What's new in 8.18 #6496

Closed

Description

@natasha-moore-elastic

Please add your features and enhancements for 8.18. Don't forget to include the related PR link!

Detections & Response

Rules Management

  • Customize and manage prebuilt detection rules
    ([ESS][8.18] Updating customized prebuilt rules #6568 and [ESS][8.18] Editing, exporting, and importing prebuilt rules #6563)

    Previously, you could only add notification actions to prebuilt rules and couldn't export or import them. Now, you can edit most prebuilt rule settings and customize them to fit your needs. When updating prebuilt rules, your customizations are preserved whenever possible and can be merged with Elastic updates. In addition, you can now export and import prebuilt rules (modified and unmodified) and bulk-update their settings from the Rules page.

Detection Engine

Threat Hunting

Explore

  • Add features here

Investigations

  • More granular control over access to Timeline and Notes
    ([8.18] New privs for Timelines and notes #6642)

    You now have more control over role access to Timeline and Notes. When you upgrade to 8.18, roles that previously had All or Read access to Security will inherit these privileges for Timelines and Notes.

  • Visualizations are available by default in the alert details flyout
    ([REQUEST][8.18]: Visualizations in the alert details flyout are enabled by default #6695)

    The securitySolution:enableVisualizationsInFlyout advanced setting is now turned on by default and generally available. The Session View and Analyzer Graph sub-tabs in the alert details flyout are also available by default and generally available.

  • Quickly access visited places from the alert details flyout
    ([REQUEST][8.18]: Show flyout history for alerts/host/user/events #6696)

    From the alert details flyout, you can click the history icon to display a list of places that you visited from the alert’s details flyout, for example, flyouts for other alerts or users. Click any list entry to quickly access the item’s details.

Entity Analytics

  • Monitor services installed in your environment (New entity store features #6634)

    Entity Store now supports a new 'service' entity type, expanding the range of entities you can track and monitor in your environment. Previously, only 'user' and 'host' entities were supported. With the addition of the 'service' entity type, you can now investigate and protect the various services installed across your infrastructure.

  • Verify entity store engine status (New entity store features #6634)

    Use the new Engine Status tab on the Entity Store page to verify which engines are installed in your environment and check their current statuses. This tab provides a centralized view for monitoring engine health, allowing you to ensure proper functionality, and troubleshoot any potential issues.

  • Entity risk scoring and entity store are generally available (Entity store GA in 8.18 #6622, GA for entity risk scoring #6472)

    Entity risk scoring and entity store are moving from technical preview to general availability. Use these features to monitor the risk score of entities in your environment and query persisted entity metadata.

  • Include closed alerts in risk score calculations (Risk score calculation for closed alerts #6271)

    When turning on the risk engine, you now have the option to include Closed alerts in risk scoring calculations. By default, only Open and Acknowledged alerts are included. Additionally, you can specify a custom date and time range for the calculation, allowing for more flexible and tailored risk monitoring.

Generative AI

Automatic Migration for detection rules helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language (ES|QL). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch.
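As an illustration of the kind of SPL-to-ES|QL conversion described above, here is a constructed example added by the editor; it is not output of Automatic Migration and not an Elastic-authored rule. The SPL search counts failed Windows logons per user; the ES|QL query expresses the same logic over ECS-normalized data. The index pattern `logs-*`, the ECS field names (`event.code`, `user.name`) and the threshold of 5 are assumptions:

```esql
// Constructed example. Original Splunk SPL search (shown as a comment, not runnable here):
//   index=main sourcetype="WinEventLog:Security" EventCode=4625
//   | stats count by user
//   | where count > 5
//
// Equivalent ES|QL query. Assumed index pattern logs-* and ECS field names.
FROM logs-*
| WHERE event.code == "4625"
| STATS failures = COUNT(*) BY user.name
| WHERE failures > 5
```

When reviewing a migrated rule, check the field mappings (here `user` to `user.name` and `EventCode` to `event.code`) and the aggregation threshold against your own data before enabling the rule, since those are the parts most likely to differ between the two environments.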

Added the option to select API (CEL input) as a data source, and to provide the associated OpenAPI specification (OAS) file to automatically generate a CEL program to consume an API.

You can now specify which alerts Attack Discovery analyzes using a date and time selector and a KQL filter.

AI Assistant can now cite sources including Elastic's product documentation, threat reports, and more.

EDR Workflows/Asset Management

  • Maximum Osquery timeout is 24 hours (Increase maximum Osquery timeout #6590)

    When running Osquery queries, you can now set a timeout period of up to 24 hours (86,400 seconds). Overwriting the query's default timeout period allows you to support queries that take longer to run.

  • Updated privileges for third-party response actions ([Jan 28] Updates RBAC requirements for 3rd-party response actions #6434)

    A new Kibana feature privilege is now required when configuring third-party response actions. To find and assign the privilege, navigate to Management > Actions and Connectors > Endpoint Security.

  • Run a script on CrowdStrike-enrolled hosts ([Jan 28] Adds new runscript Crowdstrike response action #6435)

    Using Elastic’s CrowdStrike integration and connector, you can now run a script on CrowdStrike-enrolled hosts by providing one of the following:

    • The full script content
    • The name of the script stored in a cloud storage location
    • The file path of the script located on the host machine

  • Isolate and release Microsoft Defender for Endpoint–enrolled hosts ([Jan 28] MS Defender for Endpoint third-party response integration #6478)

    Using Elastic’s Microsoft Defender for Endpoint integration and connector, you can now perform response actions on hosts enrolled in Microsoft Defender’s endpoint protection system. These actions are available in this release:

    • Isolate a host from the network
    • Release an isolated host

  • Third-party response actions are generally available ([Jan 28] GA for third-party response actions #6471)

    Third-party response actions are moving from technical preview to general availability. This includes response capabilities for SentinelOne, CrowdStrike, and Microsoft Defender for Endpoint.

Cloud Security

An additional 14 integrations can now be deployed using agentless technology.

Endpoint

  • Add features here

Protections Experience

  • Add features here

ResponseOps

  • Add features here

Labels

Docset: ESS, Effort: Medium, Priority: High, highlights, v8.18.0
