Elastic Security highlights

edit

This list summarizes the most important enhancements in Elastic Security 8.2.

New landing pages added to the left navigation menu

edit

Several new landing pages were added to the navigation menu in 8.2:

The Getting started page provides guidance on adding data to your environment. When new users install Elastic Security, this page is now the default view.

Getting started landing page

The Users page provides an overview of user data to help you understand authentication and user behavior.

Users page

The Policies page allows you to view and manage your Endpoint Security integration policies from a single location.

policies page

The Blocklist page allows you to view, add, and manage the blocklist - a list of specified applications that are blocked from running on hosts. You can also use the blocklist API to manage blocked applications.

blocklist page

Session View tool shows Linux process executions (beta)

edit

Session View is a new tool that shows detailed information about Linux process executions in a chronological and hierarchal context. Use Session View to investigate alerts, user activity, and sessions on your Linux infrastructure.

session view

Deploy DGA and Living-off-the-land supervised models in Fleet

edit

Incorporating supervised models into integration packages allows you to seamlessly install package artifacts inside Kibana with a single click. Now you can deploy DGA and Living-off-the-land (LotL) detection packages within Fleet.

dga

Wildcard support for event filters

edit

Event filters now support using wildcard entries for the file.path.text field using the matches operator.

Detection rules enhancements

edit

Rule execution logs

edit

The new Rule execution logs tab on a rule’s details page provides historical data for the rule’s executions over time. Use this to understand how a particular rule is running and whether it’s creating the alerts you expect.

rule exec logs

Bulk apply a Timeline template to rules

edit

A new bulk actions option allows you to apply a Timeline template to multiple rules at once.

New Rules table filter options

edit

You can now filter the Rules table by index pattern, MITRE ATT&CK tactic or technique (name or ID), and rule name.

Rule preview feature includes alerts table

When you create or edit a detection rule and preview it, the rule preview now includes an alerts table with the expected alerts for the rule. Use this feature to learn how noisy a rule may be before saving it. You can now also preview indicator match rules.

preview rules

Turn off read privilege warnings for detection rules

A new Advanced Settings toggle, securitySolution:enableCcsWarning, allows you to turn off read privilege warnings for detection rules using a remote cross-cluster search (CCS) index pattern.

Alert details enhancements

edit

You can now run Osquery searches from the Take action menu on the Alert details flyout.

run osquery

As shown in the image below, a new Alert prevalence column (1) shows the total number of alerts within the selected timeframe that have identical values. The Alert details flyout also now shows linked cases (2).

alert prevalance