What’s new in 8.19

Here are the highlights of what’s new and improved in Elastic Security. For detailed information about this release, check out our release notes.

Other versions: 8.18 | 8.17 | 8.16 | 8.15 | 8.14 | 8.13 | 8.12 | 8.11 | 8.10 | 8.9 | 8.8 | 8.7 | 8.6 | 8.5 | 8.4 | 8.3 | 8.2 | 8.1 | 8.0 | 7.17 | 7.16 | 7.15 | 7.14 | 7.13 | 7.12 | 7.11 | 7.10 | 7.9

Elastic Managed LLM is now the default large language model connector in AI Assistant. It gives you immediate access to generative AI features without any setup or external model integration.

The Security AI Assistant's chat UI now uses prompt tiles instead of default quick prompts. Prompt tiles help you begin structured tasks or investigations into common Elastic Security workflows.

You can now define recurring schedules to automatically generate attack discoveries without needing manual runs. When discoveries are found, you’ll receive notifications through your configured connectors, such as Slack or email. You can customize the notification content to tailor alert context to your needs.

Attack discoveries are now automatically saved whenever they’re generated. You can update their status, share manually generated discoveries with other Kibana users, and perform bulk actions, such as status changes or adding discoveries to cases. Use the search box and filters to quickly find relevant discoveries.

Automatic Migration is moving from technical preview to general availability. Use this feature to quickly convert SIEM rules from the Splunk Processing Language (SPL) to the Elasticsearch Query Language (ES|QL).

After modifying a prebuilt rule, you can restore its original version. To do this, open the rule’s details page, click All actions → Revert to Elastic version, review the modified fields, then click Revert. The original rule version might be unavailable for comparison if you haven’t updated your rules in a while.

Modified fields on prebuilt rules are marked with the Modified badge on the rule’s details page. You can compare the original Elastic version and the modified version of the field by clicking on the badge.

From the Rules table, use the Bulk actions menu to quickly apply or remove alert suppression from multiple rules. Note that threshold rules have a dedicated option for bulk-applying alert suppression.

Several enhancements have been made to the gap fill feature:

Using Elastic’s Microsoft Defender for Endpoint integration and connector, you can now run a script on Microsoft Defender for Endpoint-enrolled hosts.

When using the runscript response action with hosts enrolled in CrowdStrike and Microsoft Defender for Endpoint, you can now select from a list of saved custom scripts. This means you no longer need to type the script name manually.

You can now add more fields to an alert’s highlighted fields to display information that’s relevant to your investigations.

Now, you can access the response console from events, giving you more places to use response actions. You can now also isolate or release a host from events.

Elastic Security now supports three new Cloud Security integrations: Rapid7 InsightVM, Tenable Vulnerability Management, and Qualys VMDR.