Description
Please add your features and enhancements for 8.15. Don't forget to include the related PR link!
Detections & Response
- Add features here
Rules Management
- Editable fields for detection rules - You can now edit these fields for user-created custom rules:
  - Max alerts per run — Specify the maximum number of alerts a rule can create each time it runs. (Edit max_signals field for custom rules in UI [classic] #5106)
  - Required fields — Create an informational list of fields that a rule requires to function. (Edit required_fields field for custom rules in UI [classic] #5287)
  - Related integrations — Create an informational list of one or more Elastic integrations associated with a rule. (Edit related_integrations field for custom rules in UI [classic] #5151)
Detection Engine
- Alert suppression supported for machine learning and ES|QL rules - Alert suppression now supports the machine learning and ES|QL rule types. You can use it to reduce the number of repeated or duplicate detection alerts created by machine learning and ES|QL rules. ([Request][8.15 & Serverless] Alert suppression for ES|QL and ML rules #5568)
- Support from AI Assistant when writing rule queries - When creating rules, use AI Assistant to improve rule queries or to quickly correct them. ([Request][8.15 & Serverless] AI Assistant for rule creation #5598)
- Bulk update custom highlighted fields for rules - Bulk add or remove custom highlighted fields for multiple rules. ([DE Team][8.15][Serverless] Bulk-update a rule's custom highlighted fields #5460)
Threat Hunting
Explore
- Add features here
Investigations
- Introduces previews for entities and alerts in the alert details flyout - Now, you can preview host and user details from the Insights tab of the alert details flyout instead of going to the Hosts or Users pages for more information. From the Correlations tab in the flyout, you can also preview alerts that are related to each other instead of leaving the flyout to access them. ([TH: Investigations][Serverless & 8.15] New previews in expandable flyout #5605)
- Toggle row renderers on and off in Timeline - Within Timeline, quickly add or remove context from events by toggling row renderers. ([8.15 & Serverless] Update the Security Timeline Documentation in accordance with new Unified Timeline changes #5505)
- The expandable alert details flyout is enabled by default - The expandable flyout is now enabled by default in multiple places throughout the Security application. ([Request][Serverless & 8.15]: Expandable flyout setting being removed from advanced settings #5292)
Entity Analytics
- Automatic recalculation of entity risk score - Entity risk score is now automatically recalculated when you assign, change, or unassign an individual entity's asset criticality level. ([8.15] Documents risk score recalculation when asset criticality is changed #5193)
- New API for asset criticality - You can now manage asset criticality using the asset criticality API. ([Entity Analytics] Add Asset Criticality public API docs #5660)
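As an added example (not part of this issue or of the linked PRs), the script below shows how two of the capabilities above can be driven from Python: setting the newly editable rule fields (max_signals, required_fields, related_integrations) listed under Rules Management, and assigning asset criticality in bulk through the asset criticality API listed under Entity Analytics, which in turn triggers the automatic risk score recalculation. The endpoint paths (/api/asset_criticality/bulk, /api/detection_engine/rules), the criticality level names, the allowed id fields and the request body shapes are my assumptions from the 8.15 API docs rather than anything stated on this page; check them against the published API reference before use. The hosts, users and rule in the sample run are constructed, and dry_run=True keeps the script from contacting a Kibana instance.

```python
"""Added example: scripting the 8.15 asset criticality API and the newly
editable detection rule fields. Endpoint paths, field names and level names
are assumptions from the 8.15 API docs, not from this page."""
import json
import urllib.request
from typing import Any, Optional

# Assumed (8.15 docs): valid criticality levels and entity id fields.
CRITICALITY_LEVELS = {"low_impact", "medium_impact", "high_impact", "extreme_impact"}
ID_FIELDS = {"host.name", "user.name"}


class KibanaClient:
    """Minimal Kibana REST client. Every Kibana API call needs the kbn-xsrf header."""

    def __init__(self, base_url: str, api_key: str, dry_run: bool = False):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.dry_run = dry_run  # True: return the prepared request instead of sending it

    def request(self, method: str, path: str, body: Optional[dict] = None) -> Any:
        if self.dry_run:
            return {"method": method, "url": self.base_url + path, "body": body}
        data = json.dumps(body).encode() if body is not None else None
        headers = {
            "kbn-xsrf": "true",
            "Authorization": f"ApiKey {self.api_key}",
            "Content-Type": "application/json",
        }
        req = urllib.request.Request(self.base_url + path, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read())


def build_criticality_records(assignments: dict) -> list:
    """Turn {id_field: {id_value: level}} into the records list the bulk endpoint
    expects, rejecting unknown id fields or levels before anything reaches Kibana."""
    records = []
    for id_field, entities in assignments.items():
        if id_field not in ID_FIELDS:
            raise ValueError(f"unsupported id_field {id_field!r}; expected one of {sorted(ID_FIELDS)}")
        for id_value, level in entities.items():
            if level not in CRITICALITY_LEVELS:
                raise ValueError(f"invalid criticality {level!r} for {id_field}={id_value}")
            records.append({"id_field": id_field, "id_value": id_value, "criticality_level": level})
    return records


def bulk_assign_criticality(client: KibanaClient, assignments: dict) -> Any:
    """POST /api/asset_criticality/bulk (assumed path): create or update many records at once.
    Assigning or changing a level is what triggers the automatic risk score recalculation."""
    return client.request("POST", "/api/asset_criticality/bulk",
                          {"records": build_criticality_records(assignments)})


def patch_rule_fields(client: KibanaClient, rule_id: str, *, max_signals=None,
                      required_fields=None, related_integrations=None) -> Any:
    """PATCH /api/detection_engine/rules (assumed path) to set the three newly editable
    fields on a custom rule. Only the fields given are sent, so the rest keep their values."""
    body: dict = {"rule_id": rule_id}
    if max_signals is not None:
        if int(max_signals) < 1:
            raise ValueError("max_signals must be a positive integer")
        body["max_signals"] = int(max_signals)
    if required_fields is not None:
        # Informational list of {name, type}; 'ecs' is derived server-side (assumption).
        body["required_fields"] = [{"name": f["name"], "type": f["type"]} for f in required_fields]
    if related_integrations is not None:
        integrations = []
        for i in related_integrations:
            entry = {"package": i["package"], "version": i["version"]}  # version is a semver range
            if "integration" in i:  # sub-integration of a package, optional
                entry["integration"] = i["integration"]
            integrations.append(entry)
        body["related_integrations"] = integrations
    return client.request("PATCH", "/api/detection_engine/rules", body)


if __name__ == "__main__":
    # Constructed sample input; dry_run=True so nothing is sent anywhere.
    kb = KibanaClient("https://kibana.example.internal:5601", "REDACTED_API_KEY", dry_run=True)
    print(json.dumps(bulk_assign_criticality(kb, {
        "host.name": {"dc01": "extreme_impact", "build-agent-7": "medium_impact"},
        "user.name": {"svc_backup": "high_impact"},
    }), indent=2))
    print(json.dumps(patch_rule_fields(
        kb, "my-custom-rule",
        max_signals=200,
        required_fields=[{"name": "process.name", "type": "keyword"}],
        related_integrations=[{"package": "endpoint", "version": "^8.2.0"}],
    ), indent=2))
```

Validation happens client-side on purpose: a typo in a criticality level or an unsupported id field is rejected before the request is built, rather than surfacing as a 400 from Kibana after part of a bulk upload has been processed. Drop dry_run (and supply a real API key) to send the requests.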
Generative AI
- New API for Elastic AI Assistant - You can now interact with Elastic AI Assistant via API. (Security AI Assistant APIs #5620)
- New feature: Automatic Import - Automatic Import uses AI to create integrations for your custom data sources. ([Serverless] Adds auto import page #5560)
EDR Workflows/Asset Management
- Scan files and folders for malware - Elastic Defend’s new scan response action lets you perform on-demand malware scans of a specific file or directory on a host. Scans are based on the malware protection settings configured in your Elastic Defend integration policy. (Scan response action [ESS] #5563)
- Filter out process descendants - Create an event filter that excludes the descendant events of a specific process, but still includes the primary process itself. This can help you limit the number of events ingested into Elastic Security. (Process descendant filtering in event filters [ESS] #5626)
- Isolate and release CrowdStrike-enrolled hosts - Using Elastic’s CrowdStrike integration and connector, you can now perform response actions on hosts enrolled in CrowdStrike’s endpoint protection system. These actions are available in this release: (CrowdStrike bidirectional response actions (isolate & release) #5529)
  - Isolate a host from the network
  - Release an isolated host
- Retrieve files from SentinelOne-enrolled hosts - Using Elastic’s SentinelOne integration and connector, you can now retrieve files from SentinelOne-enrolled hosts and download them through Elastic Security. (SentinelOne get-file response action [classic] #5499)
Cloud Security
- Add features here
Endpoint
- Add features here
Protections Experience
- Add features here
ResponseOps
(@natasha-moore-elastic I pulled these from the Kibana What's new so they're good to insert as is.)
- Introducing case templates - Kibana cases offer a new powerful capability to enhance the efficiency of your analyst teams with templates. You can manage multiple templates, each of which can be used to auto-populate values in a case with pre-defined knowledge. This streamlines the investigative process and significantly reduces time to resolution. (Add case templates #5565)
- Case custom fields are GA - In 8.11, custom fields were added to cases and they are now moving from technical preview to general availability. You can set custom field values in your templates to enhance consistency across cases. (Case custom fields GA #5591)