Adding highlights for 8.4. (#2380)
jmikell821 authored Aug 25, 2022
1 parent 2bf22ba commit e984805
Showing 12 changed files with 77 additions and 67 deletions.
144 changes: 77 additions & 67 deletions docs/whats-new.asciidoc
Expand Up @@ -4,138 +4,148 @@

Here are the highlights of what’s new and improved in {elastic-sec}. For detailed information about this release, check out the <<release-notes, Release notes>>.

Other versions: {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
Other versions: {security-guide-all}/8.3/whats-new.html[8.3] | {security-guide-all}/8.2/whats-new.html[8.2] | {security-guide-all}/8.1/whats-new.html[8.1] | {security-guide-all}/8.0/whats-new.html[8.0] | {security-guide-all}/7.17/whats-new.html[7.17] | {security-guide-all}/7.16/whats-new.html[7.16] | {security-guide-all}/7.15/whats-new.html[7.15] | {security-guide-all}/7.14/whats-new.html[7.14] | {security-guide-all}/7.13/whats-new.html[7.13] | {security-guide-all}/7.12/whats-new.html[7.12] | {security-guide-all}/7.11/whats-new.html[7.11] | {security-guide-all}/7.10/whats-new.html[7.10] |
{security-guide-all}/7.9/whats-new.html[7.9]

// NOTE: The notable-highlights tagged regions are re-used in the Installation and Upgrade Guide. Full URL links are required in tagged regions.
// tag::notable-highlights[]



[discrete]
[[term-changes-8.3]]
== Terminology changes
[[features-8.4]]

*"Endpoint Security integration" has been renamed to "Endpoint and Cloud Security integration"*
[discrete]
== New navigation menu

Due to the launch of https://www.elastic.co/security/cloud-security[Elastic Security for Cloud], the *Endpoint Security integration*, which allows the {agent} to monitor for events on your host, has been renamed to *Endpoint and Cloud Security integration*. Please note that general industry term references to endpoint security have not changed.
{elastic-sec} has a new navigation menu, designed to group related pages, highlight commonly visited areas, and easily access important workflows for a streamlined experience.

[role="screenshot"]
image::whats-new/images/8.3/cloud-integration.png[]
image::whats-new/images/8.4/new-nav.gif[navigation menu]

[discrete]
[[features-8.3]]
== Kubernetes and Cloud Security Posture enhancements

The {security-guide}/kubernetes-dashboard.html[Kubernetes dashboard] provides insight into Linux process data from your Kubernetes clusters. You can also {security-guide}/kubernetes-dashboard.html#k8s-dash-setup[deploy an Elastic DaemonSet] to your Kubernetes clusters to collect session data. This data, which includes new Kubernetes-specific fields, appears in summary on the Kubernetes dashboard.

[discrete]
== New streamlined navigation
The {security-guide}/cloud-posture-dashboard.html[Cloud Posture dashboard] allows you to check your Kubernetes infrastructure's configuration against security best practices, and provides steps for remediating any issues it identifies.

An optional, new navigation menu, which can be enabled in the {security-guide}/advanced-settings.html#_enable_grouped_navigation[advanced {kib} settings], groups related pages and highlights commonly visited areas for a streamlined experience.
[role="screenshot"]
image::whats-new/images/8.4/cloud-sec-dashboard.png[Cloud Security Posture dashboard]

To get these insights, you first need to install the Kubernetes Security Posture Management integration, which is now in beta.

[role="screenshot"]
image::getting-started/images/grouped-nav-ui.png[width=75%][height=75%][Grouped navigation menu][Grouped navigation menu]
image::whats-new/images/8.4/ksp-integration.png[Kubernetes Security Posture management integration]

[discrete]
== New dashboards summarize critical information
== Detection rules enhancements

A new *Dashboards* section, which includes two new dashboards to help you visualize critical information, has been added to the navigation menu in the {security-app}.
*New terms rule*

The {security-guide}/overview-dashboard.html[*Overview* dashboard] provides an overview of detections, external alerts, and event trends. Use it to assess overall system health and find anomalies that may require further investigation.
A {security-guide}/rules-ui-create.html#create-new-terms-rule[new terms] rule generates an alert for each new term it detects in source documents within a specified time range.

[role="screenshot"]
image::whats-new/images/8.3/overview-pg.png[]
image::whats-new/images/8.4/new-terms.png[New terms rule]


The {security-guide}/detection-response-dashboard.html[*Detection & Response* dashboard] provides focused visibility into the daily operations of your security environment. Use it to monitor recent and high priority detection alerts and cases, and identify the top hosts and users associated with the most alerts so you can triage effectively.
*Data views available in rule creation*

When you create a rule, you can now {security-guide}/rules-ui-create.html#views-index-patterns[specify data views] as the data source in order to use runtime fields, which are associated with a data view.

*Fallback to @timestamp is configurable when timestamp override is defined*

This feature allows you to disable @timestamp as a fallback timestamp field when you’ve defined a timestamp override.

*New option to preview rules*

The new *Advanced query preview* option allows you to set the preview's timeframe, rule interval, and look-back time, providing more control to fine-tune query results.

[role="screenshot"]
image::whats-new/images/8.3/detection-response-dashboard.png[]
image::whats-new/images/8.4/rule-preview.png[Advanced query preview]

[discrete]
== New integrations
*Improved bulk action handling for detection rules*

Several new https://docs.elastic.co/integrations[integrations] have been added, including ones for CIS Kubernetes Benchmark, AWS Security Hub, Cloudflare, Jamf, and Palo Alto Networks.
When you select prebuilt _and_ custom rules and attempt to perform a bulk action that can only be done on custom rules, {elastic-sec} now determines which rules are compatible and performs the action only on those rules.

[discrete]
== Technical preview features
*Wildcards supported in detection rule exceptions*

*Cloud Security Posture Management*
Wildcards are now supported when defining {security-guide}/detections-ui-exceptions.html#detection-rule-exceptions[exceptions] for detection rules, and accept new operators `matches` and `does not match`.

*User risk score*
*New prebuilt rules*

https://github.com/elastic/detection-rules/blob/209b40b0a30d87898d75bb2d5dc3f2e068b5f09d/docs/experimental-machine-learning/user-risk-score.md[User risk score] assigns a score to highlight risky users within your environment. It uses a transform with a scripted metric aggregation to calculate scores based on detection rule alerts within a 90-day window. The transform runs hourly to update the score as new detection rule alerts are generated. Each user risk score is normalized on a scale of 0 to 100.
18 new {security-guide}/prebuilt-rules.html[prebuilt rules] were added in 8.4.0.

[discrete]
== New Authentications tab added to Users page
== Response console for endpoint response actions

An *Authentications* tab has been added to the Users page to show successful and failed authentication events per user.
The new response console allows you to perform response actions on an endpoint using a terminal-like interface. You can enter action commands and receive almost immediate feedback. Actions are also logged in the endpoint’s actions log for reference.

[role="screenshot"]
image::whats-new/images/8.3/user-auth.png[]

image::whats-new/images/8.4/response-console.png[Response console]

[discrete]
== Detection rules enhancements
== Troubleshooting "Unhealthy" status for {agent}

*New optional settings for event correlation rules*
Integration policy errors and statuses are now provided in {fleet} and {elastic-sec} to help troubleshoot when an {agent} has an "unhealthy" status.

[discrete]
== Alerts enhancements

{security-guide}/rules-ui-create.html#create-eql-rule[Event correlation rules] now allow you to specify the following EQL fields: *Event category*, *Tiebreaker*, and *Timestamp* fields.
*New Alerts page visualizations*

*{ml-cap} rules upgraded to v3 {ml} jobs*
The Alerts page now displays a single visualization pane, with a menu to select *Table*, *Trend*, or *Treemap*. Treemap is a new view that shows alert distribution as proportionally-sized tiles. This view helps you quickly triage the most critical alerts.

Elastic prebuilt rules for some Windows and Linux anomalies have been updated with new v3 {ml}} jobs. Refer to our {security-guide}/alerts-ui-monitor.html#ml-job-compatibility[documentation] for information about how to upgrade and/or continue to use the old v1/v2 jobs.
[role="screenshot"]
image::whats-new/images/8.4/treemap-view.png[Alerts treemap view]

*New Actions column in rule execution logs table enables filtering*
*New Insights section in alert details*

You can create a {security-guide}/alerts-ui-monitor.html#rule-execution-logs[global search filter] based on a specific rule execution by selecting the filter icon in the *Actions* column of the *Rule execution logs* tab on the rule details page. Enabling this filter replaces any previously applied filters.
The Alert details flyout now has a new {security-guide}/view-alert-details.html#alert-details-insights[*Insights* section], which shows users how an alert is related to other alerts and provides options to investigate related alerts. You can leverage this information to quickly find patterns between alerts, then take action.

[role="screenshot"]
image::whats-new/images/8.3/actions-icon.png[]

*New prebuilt rules*
image::whats-new/images/8.4/insights.png[Insights section]

15 new {security-guide}/prebuilt-rules.html[prebuilt rules] were added in 8.3.0.
*Process event analyzer now includes alerts*

[discrete]
== OAuth support in {sn} connectors
You can now view alerts associated with an event when viewing the event in the process analyzer. This allows you to examine and compare alerts with the same source event.

The {sn} connectors now support open authentication (OAuth).
For configuration details, refer to
{kibana-ref}/servicenow-action-type.html[ServiceNow ITSM], {kibana-ref}/servicenow-sir-action-type.html[ServiceNow SecOps],
and {kibana-ref}/servicenow-itom-action-type.html[ServiceNow ITOM connector].
NOTE: This functionality requires a Platinum or Enterprise subscription, and the `xpack.securitySolution.enableExperimental: ['insightsRelatedAlertsByProcessAncestry']` feature flag must be added to the `kibana.yml` file.)

[discrete]
== Cases enhancements

The following enhancements have been added to Cases:
*New Webhook - Case Management case connector*

* You can now assign severity levels to cases.
+
NOTE: If you do not set a case's severity, it defaults to Low.
+
* The Cases table now includes a *Severity* column and an option to filter the table by severity. It also now includes an "Average time to close" metric.
* You can now delete text comments, including those in Lens visualizations.
* You can now add multiple alerts to new and existing cases through the *Bulk actions* menu.
* A new *Alerts* tab has been added to the case details page. This allows you to view all alerts attached to a case.
The Webhook - Case Management connector allows you to build a custom connector for any third-party case/ticket management system. This offers more flexibility when deciding what third-party case/ticket management system you want to send cases and case updates to.

*New sub-feature privilege for cases*

The *Delete cases and comments* sub-feature privilege determines whether a user can delete cases and comments. Users with current `All` access to cases are automatically granted the delete privilege upon upgrading to 8.4. However, users with current `read` access to cases are not automatically granted the delete privilege upon upgrading to 8.4. An admin can modify these user privileges.

[role="screenshot"]
image::whats-new/images/8.4/cases-privs.png[Cases privileges]

[discrete]
== Alert details enhancements
== Endpoint enhancements

*New credential hardening protection*

The following enhancements have been added to the alert details flyout:
You can now configure {security-guide}/configure-endpoint-integration-policy.html#attack-surface-reduction[credential hardening protection] in an integration policy. Credential hardening prevents attackers from stealing credentials stored in Windows system process memory. Turn on the toggle to remove any overly permissive access rights that aren’t required for standard interaction with the Local Security Authority Subsystem Service (LSASS).

* Numerical values in the Alert prevalence column are now active links that send you to Timeline, where you can investigate related alerts.
+
[role="screenshot"]
image::whats-new/images/8.3/alert-prevalance.gif[]
* Session ID, a unique ID for Linux sessions, has been added to the *Highlighted fields* section. To collect session data from Linux hosts, you must {security-guide}/session-view.html#enable-session-view[enable session view data] in an integration policy.
image::whats-new/images/8.4/credential-hardening.png[Credential hardening protection]

*Endpoint self-healing rollback*

{security-guide}/self-healing-rollback.html[Endpoint self-healing rollback] is a new feature that rolls back file changes and processes on Windows endpoints when enabled protection features generate a prevention alert.

[discrete]
== Osquery enhancements
== Run query packs from an alert

You can now run Osquery from the *More actions* menu in the Alerts table.
When {security-guide}//alerts-run-osquery.html[running a live query] from an alert, you can now choose to run single queries or query packs.

[role="screenshot"]
image::whats-new/images/8.3/run-osquery.png[]
You can also investigate a single or all Osquery query results in Timeline. Refer to {security-guide}/alerts-run-osquery.html[Run Osquery] for more information.

For information about additional Osquery enhancements, check out the {kibana-ref-all}/8.3/whats-new.html#highlights-8.3-osquery[{kib} Osquery highlights].
image::whats-new/images/8.4/osquery.png[Run a live query]

// end::notable-highlights[]
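Review bot: the NOTE line under *Process event analyzer now includes alerts* ends with a stray closing parenthesis after "the `kibana.yml` file." that has no matching opening one; drop the `)`. In the same hunk, the *Run query packs from an alert* paragraph links to `{security-guide}//alerts-run-osquery.html` with a doubled slash, while the following paragraph uses `{security-guide}/alerts-run-osquery.html`; the first link should match the second. The `[[features-8.4]]` anchor is also separated from `== New navigation menu` by a blank line and the `[discrete]` attribute, whereas the 8.3 version kept `[discrete]`, the `[[...]]` anchor and the heading on consecutive lines; keep the anchor directly attached to its heading so the cross-reference from the Installation and Upgrade Guide, which the comment at the top of the tagged region says reuses this section, still resolves. Minor: the heading reads "Unhealthy" while its body reads "unhealthy"; pick one casing.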
Binary file added docs/whats-new/images/8.4/cases-privs.png
Binary file added docs/whats-new/images/8.4/insights.png
Binary file added docs/whats-new/images/8.4/ksp-integration.png
Binary file added docs/whats-new/images/8.4/new-nav.gif
Binary file added docs/whats-new/images/8.4/new-terms.png
Binary file added docs/whats-new/images/8.4/osquery.png
Binary file added docs/whats-new/images/8.4/response-console.png
Binary file added docs/whats-new/images/8.4/rule-preview.png
Binary file added docs/whats-new/images/8.4/treemap-view.png

0 comments on commit e984805