What’s new in 8.18

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Other versions: 8.17 | 8.16 | 8.15 | 8.14 | 8.13 | 8.12 | 8.11 | 8.10 | 8.9 | 8.8 | 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Automatic Migration for detection rules helps you quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language (ES|QL). If comparable Elastic-authored rules exist, it simplifies onboarding by mapping your rules to them. Otherwise, it creates custom rules on the fly so you can verify and edit them instead of writing them from scratch.

Automatic Import now allows you to select API (CEL input) as a data source and to provide the associated OpenAPI specification (OAS) file to automatically generate a CEL program to consume an API.

You can now specify which alerts Attack Discovery analyzes using a date and time selector and a KQL filter.

AI Assistant can now cite sources, including Elastic’s product documentation, threat reports, and more.

The entity store now supports a new service entity type, expanding the range of entities you can track and monitor in your environment. Previously, only user and host entities were supported. With the addition of the service entity type, you can now investigate and protect the various services installed across your infrastructure.

Use the new Engine Status tab on the Entity Store page to verify which engines are installed in your environment and check their current statuses. This tab provides a centralized view for monitoring engine health, allowing you to ensure proper functionality, and troubleshoot any potential issues.

Entity risk scoring and entity store are moving from technical preview to general availability. Use these features to monitor the risk score of entities in your environment and query persisted entity metadata.

When turning on the risk engine, you now have the option to include Closed alerts in risk scoring calculations. By default, only Open and Acknowledged alerts are included. Additionally, you can specify a custom date and time range for the calculation, allowing for more flexible and tailored risk monitoring.

Previously, you had limited ability to customize prebuilt rules, couldn’t export or import them, and could only accept Elastic changes during rule updates. Now, you can do so much more.

After installing prebuilt rules, you’re now able to edit most of their settings to fit your custom needs. When updating rules, Elastic retains your changes whenever possible and helps you auto-resolve conflicts that may occur. Additional enhancements, such as the ability to compare different versions of a rule and edit the final update, have also been made to give you more control over the prebuilt rule update experience.

In addition to customizing prebuilt rules, you’re now able to:

The manual runs functionality is now generally available and includes the following new features:

You can now preview logged Elasticsearch requests for new terms, threshold, custom, and machine learning rule types.

Alert suppression is now supported for event correlation rules using sequence queries.

You now have more control over role access to Timeline and notes. When you upgrade to 8.18, roles that previously had All or Read access to Security will inherit these privileges for Timelines and notes.

The securitySolution:enableVisualizationsInFlyout advanced setting is now turned on by default and generally available. The Session View and Analyzer Graph sub-tabs in the alert details flyout are also available by default and generally available.

From the alert details flyout, you can click the history icon () to display a list of places that you visited from the alert’s details flyout—for example, flyouts for other alerts or users. Click any list entry to quickly access the item’s details.

A new Kibana feature privilege is now required when configuring third-party response actions. To find and assign the privilege, navigate to Management → Actions and Connectors → Endpoint Security.

Using Elastic’s CrowdStrike integration and connector, you can now run a script on CrowdStrike-enrolled hosts by providing one of the following:

Using Elastic’s Microsoft Defender for Endpoint integration and connector, you can now perform response actions on hosts enrolled in Microsoft Defender’s endpoint protection system. These actions are available in this release:

Third-party response actions are moving from technical preview to general availability. This includes response capabilities for Sentinel One, Crowdstrike, and Microsoft Defender for Endpoint.

When running Osquery queries, you can now set a timeout period of up to 24 hours (86,400 seconds). Overwriting the query’s default timeout period allows you to support queries that take longer to run.

An additional 14 integrations can now be deployed using agentless technology.