Detections & Response/CTI
Rule preview UI enhancements - Detection rule preview UI is now available at any step of creating or editing a rule, and rule previews are now possible for Elastic prebuilt rules. Rule previews also now include exceptions and field overrides ([DOCS] "Create rule" updates: rule preview, saved queries #2559).
Value list exceptions - Enables rule exceptions to reference value lists for all rule types. One caveat is that text type value lists still do not work for EQL and threshold rules ([DOCS] Value list exceptions for all rule types #2562).
Saved queries on detection rules - When using a saved query to define a detection rule's query settings, users can now choose whether to use the saved query on every rule execution or to use the saved query as a one-time way to populate rule settings ([DOCS] "Create rule" updates: rule preview, saved queries #2559).
Bulk editing rule settings - Users can now bulk edit rule actions and rule schedules on multiple detection rules ([DOCS] Bulk edit rules updates (rule schedules, actions) #2567).
Exception UI enhancements - Several changes were made to the exceptions feature in 8.5 to improve usability and the user experience. Now, there are two exception tabs: the Rule exceptions tab and the Endpoint exceptions tab. Users can also check how many other rules are affected by an exception by clicking Affects X rules next to an exception list item. [DOCS] New exceptions UI/UX #2546
Viewing alerts in event analyzer - Examining alerts associated with the event from the Event analyzer is enabled by default if users have a Platinum or Enterprise subscription. [DOCS] Feature flag enabled by default for feature that displays alerts in the process tree #2538
Auto-tuning event analyzer - In 8.5, the visual event analyzer automatically includes the entire process tree if a user tries to examine a timeframe that has 0 process events in it. The user will also be notified that events exist in a different time frame. (Doc'd in release notes [DOCS] 8.5 Release Notes #2519)
OLM
Elastic Defend - The Endpoint and Cloud Security integration has been renamed to the Elastic Defend integration ([DOCS] [META] Rename integration to "Elastic Defend" #2463).
Endpoint response console - The UI indicates if response action commands aren't supported by the installed version of Elastic Agent ([DOCS] Response console, actions history updates #2536).
Endpoint response actions history - Endpoint response actions history can be filtered and searched, and we now have a standalone response history page that includes all endpoints ([DOCS] Response console, actions history updates #2536).
Threat Hunting
Host and user risk score alert enrichments - Alerts are enriched with host and user risk scores. Current risk scores are shown, as well as changes to risk scores. Risk scores are displayed within the Enriched data section in the Alert details flyout. [DOCS] Host and user risk score alert enrichments #2558
User and host risk scores can now be enabled by clicking a button on the Entity dashboard. Users who previously installed risk score can upgrade with a single click. [DOCS] Risk score enhancements #2580
Alert count charts are now displayed on each of the Explore pages. [DOCS] Alert counts added to Explore pages #2576
The Entity Analytics dashboard provides a centralized view of emerging insider threats - including host risk, user risk, and notable anomalies from within your network. Use it to triage, investigate, and respond to emerging threats. [DOCS] Entity dashboard #2565
Enhancements to the Alert details flyout:
Reason statement shown in rendered view - In 8.5, the alert reason statement is displayed in the alert-rendered view. This allows users to take actions on individual parts of the statement, which was not previously possible. [DOCS] Reason statement shown in alert rendered view #2540
Event renderer added to alert overview - Displays relevant event details to provide context for the alert, such as file paths or process arguments. Users can take actions on any of the fields provided. [DOCS] Reason statement shown in alert rendered view #2540
Protections Experience
Indicators page GA'ed - The Indicators page is enabled by default and its functionality is generally available. The Indicators page collects data from enabled threat intelligence feeds and provides a centralized view for threat intelligence analysts to view and investigate indicators. [DOCS] Threat Intelligence - Indicators Page and Indicator Details #2526
ResponseOps
Assigning users to a case - Users can be assigned to a case. [DOCS] Assign users to Security cases #2568
Embedding anomaly charts in a case - Users can attach ML anomaly charts to a case. [Doc PR is incoming]
AWP
Terminal output tracking - Elastic Defend can now collect terminal output, enabling Session view to provide a more complete history of Linux sessions via the terminal output viewer. [DOCS] Add Terminal output view information to Session view doc #2566
Guided onboarding for Elastic Defend - When creating an Elastic Defend integration, users can now select from several use cases, each of which comes with configuration presets. [DOCS] Updates install endpoint doc for Guided Onboarding epic #2569
Cloud Security Posture
EKS support for KSPM - Users can now use the Kubernetes Security Posture Management integration to test the security of their Kubernetes clusters managed by EKS, in addition to unmanaged clusters. [DOCS] KSPM docs reorg #2539
Endpoint
N/A
Asset Management
Osquery results can be added to a case - After users run Osquery from an alert, they can add Osquery results to a new or an existing case. [DOCS] Osquery features in 8.5 #2561
Osquery Response Action - Users can use the Osquery Response Action to immediately query hosts that generate alerts. Response Actions are in technical preview. [DOCS] Osquery features in 8.5 #2561
Running Osquery from an investigation guide - Users can now add queries to a rule's investigation guide and run it as part of their investigative steps when analyzing an alert. [DOCS] Osquery features in 8.5 #2561