[7.9] "What's changed" - Security update overview #58

Closed
Labels
Team: Docs v7.9.0 Features in the 7.9 Release

caitlinbetz commented Jul 7, 2020

Description

We want to include documentation to help communicate some of the changes as a result of the combined security app in 7.9. We want to get ahead of questions like "where are my signals?" and help users better understand where new and old features now live in the unified app.

What's Changed

Terminology changes for 7.9:

Old → New

  • Endpoint → Host
  • Signal Detection Rules → Detection Rules
  • Whitelist → Exception(s) / Exception List
  • Elastic SIEM & Endpoint Security → Elastic Security
  • Management → Administration
  • Signals → Detection Alerts (See note below)
    • Detection Alerts: Alerts occurring within Elastic Security from the Detection Engine / Detection Rules
    • External Alerts: Alerts originating outside of Elastic Security
    • Kibana Alerts: Alerts native to Kibana not necessarily security-related
  • Resolver → No name, will be referred to as an action: "Analyze Event"
  • Sensor → Endpoint

Note: Some navigation changes happened due to the renaming of Signals

  • Top Nav naming:
    1. Alerts → Detections
    2. URL will be app/security/detections
  • Under "Detection":
    1. Alert page title → Detection alerts
    2. Alert count → Trend
    3. Alert list → nothing (blank space)
    4. URL will be app/security/detections
  • Under "Overview":
    1. Alert Count → Detection Alert Trend
    2. External Alert Count → External Alert Trend
  • Inside Timeline Event filter drop down
    1. Alert Events → Detection Alerts

What's New

Administration Tab:

  • New Administration tab is dedicated to managing Hosts that are running endpoint security. From this page you can view hosts, view and edit the advanced integration options,

Other stuff:

Notes

@jmikell821 (Contributor)
@caitlinbetz totally agree with this! This can also be an FAQ style, if applicable. Let's keep a running list of questions / "what's new" content in the comments here.

@jmikell821 (Contributor)
@caitlinbetz following up on this. Let's start compiling a list of changes. I'll add my thoughts in the comments too. @benskelker since you are the most familiar with SIEM, perhaps you can weigh in as well?

@dontcallmesherryli
@jmikell821 @caitlinbetz @benskelker I added some chunks in the "what changed" section above.

@benskelker (Contributor)
benskelker commented Aug 4, 2020

@jmikell821 @caitlinbetz @dontcallmesherryli - also added some stuff

@cnasikas (Member)
cnasikas commented Aug 4, 2020

Alert table customisations are now persistent, on both the Detections and Rule details pages (elastic/kibana#67156) cc @spong @cnasikas

I would like to add that not only the alert table is persistent but all tables in Security. Specifically, Host (Events and External alerts) and Network (External alerts).
