Elastic Security highlights

This list summarizes the most important enhancements in Elastic Security 8.3.

"Endpoint Security integration" has been renamed to "Endpoint and Cloud Security integration"

Due to the launch of Elastic Security for Cloud, the Endpoint Security integration, which allows the Elastic Agent to monitor for events on your host, has been renamed to Endpoint and Cloud Security integration. Please note that general industry term references to endpoint security have not changed.

An optional, new navigation menu, which can be enabled in the advanced Kibana settings, groups related pages and highlights commonly visited areas for a streamlined experience.

A new Dashboards section, which includes two new dashboards to help you visualize critical information, has been added to the navigation menu in the Elastic Security app.

The Overview dashboard provides an overview of detections, external alerts, and event trends. Use it to assess overall system health and find anomalies that may require further investigation.

The Detection & Response dashboard provides focused visibility into the daily operations of your security environment. Use it to monitor recent and high priority detection alerts and cases, and identify the top hosts and users associated with the most alerts so you can triage effectively.

Several new integrations have been added, including ones for CIS Kubernetes Benchmark, AWS Security Hub, Cloudflare, Jamf, and Palo Alto Networks.

Cloud Security Posture Management

Cloud Security Posture Management (CSPM) and Kubernetes security posture management (KSPM) help you compare your cloud and Kubernetes infrastructure to security best practices. Refer to our documentation for setup instructions.

User risk score

User risk score assigns a score to highlight risky users within your environment. It uses a transform with a scripted metric aggregation to calculate scores based on detection rule alerts within a 90-day window. The transform runs hourly to update the score as new detection rule alerts are generated. Each user risk score is normalized on a scale of 0 to 100.

An Authentications tab has been added to the Users page to show successful and failed authentication events per user.

New optional settings for event correlation rules

Event correlation rules now allow you to specify the following EQL fields: Event category, Tiebreaker, and Timestamp fields.

Machine learning rules upgraded to v3 machine learning jobs

Elastic prebuilt rules for some Windows and Linux anomalies have been updated with new v3 machine learning jobs. Refer to our documentation for information about how to upgrade and/or continue to use the old v1/v2 jobs.

New Actions column in rule execution logs table enables filtering

You can create a global search filter based on a specific rule execution by selecting the filter icon in the Actions column of the Rule execution logs tab on the rule details page. Enabling this filter replaces any previously applied filters.

New prebuilt rules

15 new prebuilt rules were added in 8.3.0.

Prerequisites and setup guides for Elastic prebuilt rules

Elastic prebuilt rules now provide additional information to help you identify and meet their prerequisites. You can confirm these requirements in the Related integrations and Required fields sections of a rule’s details page, and consult its Setup guide for additional guidance.

The ServiceNow connectors now support open authentication (OAuth). For configuration details, refer to ServiceNow ITSM, ServiceNow SecOps, and ServiceNow ITOM connector.

The following enhancements have been added to Cases:

The following enhancements have been added to the alert details flyout:

You can now run Osquery from the More actions menu in the Alerts table.

You can also investigate a single or all Osquery query results in Timeline. Refer to Run Osquery for more information.

For information about additional Osquery enhancements, check out the Kibana Osquery highlights.