Elastic Security highlights

This list summarizes the most important enhancements in Elastic Security 8.2.

Several new landing pages were added to the navigation menu in 8.2:

The Getting started page provides guidance on adding data to your environment. When new users install Elastic Security, this page is now the default view.

The Users page provides an overview of user data to help you understand authentication and user behavior.

The Policies page allows you to view and manage your Endpoint Security integration policies from a single location.

The Blocklist page allows you to view, add, and manage the blocklist - a list of specified applications that are blocked from running on hosts. You can also use the blocklist API to manage blocked applications.

Session View is a new tool that shows detailed information about Linux process executions in a chronological and hierarchal context. Use Session View to investigate alerts, user activity, and sessions on your Linux infrastructure.

Incorporating supervised models into integration packages allows you to seamlessly install package artifacts inside Kibana with a single click. Now you can deploy DGA and Living-off-the-land (LotL) detection packages within Fleet.

Event filters now support using wildcard entries for the file.path.text field using the matches operator.

The new Rule execution logs tab on a rule’s details page provides historical data for the rule’s executions over time. Use this to understand how a particular rule is running and whether it’s creating the alerts you expect.

A new bulk actions option allows you to apply a Timeline template to multiple rules at once.

You can now filter the Rules table by index pattern, MITRE ATT&CK tactic or technique (name or ID), and rule name.

Rule preview feature includes alerts table

When you create or edit a detection rule and preview it, the rule preview now includes an alerts table with the expected alerts for the rule. Use this feature to learn how noisy a rule may be before saving it. You can now also preview indicator match rules.

Turn off read privilege warnings for detection rules

A new Advanced Settings toggle, securitySolution:enableCcsWarning, allows you to turn off read privilege warnings for detection rules using a remote cross-cluster search (CCS) index pattern.

You can now run Osquery searches from the Take action menu on the Alert details flyout.

As shown in the image below, a new Alert prevalence column (1) shows the total number of alerts within the selected timeframe that have identical values. The Alert details flyout also now shows linked cases (2).