What's new in 8.7

[jmikell821]

Please add your features/enhancements for 8.7. Don't forget to include the corresponding PR. Thanks!

Detections & Response/Platform

• Rule exceptions can expire: You can set an expiration date and time for rule exceptions and you can view active and expired exceptions from the rule details page. In addition, if you're exporting a shared exception list that contains expired exceptions, you can choose whether to include them in the exported file. Rule exceptions can expire and misc. exception UI changes #3052
• UI changes to exceptions feature: The Manage rules button has been renamed to Link rules and the Import list button has been renamed to Import value list. Rule exceptions can expire and misc. exception UI changes #3052
• Connectors can be exported and imported with rules: Connectors used by rule actions can be exported and imported with rules. In addition, when importing a rule with connectors, users can now choose to overwrite existing connectors that have a conflicting action ID. Action connectors can be imported/exported with rules #3021
• Warning that describes field conflicts and mapping issues when creating exceptions: When defining exception conditions, you'll be warned if you're selecting a field that is unmapped or has type conflicts across multiple indices. This information is useful for resolving data quality and mapping issues. Adding warning to exceptions that describes field conflicts and mapping issues #3025
• Cross-cluster search is now supported for indicator match rules: You can use cross-cluster search for indicator match rules. Update docs to show that CCS Supported for IM rules in 8.7 #3054

Alerts

• Alert suppression time window (Alert suppression time window #3026)
• Resizeable rule preview (Resizeable rule preview #3000)

Rules

• Rules table UX enhancements (Rules table UX enhancements for 8.7 #2998)
  • Filters for enabled and disabled rules
  • Ability to clear filters from current view
  • Persistent state for Rules page filters, sorting
    • Rules page URLs can be shared and retain filters, sorting
  • Advanced sorting is now default/GA behavior (Remove mentions of the "Advanced sorting" toggle #2960)

Defend Workflows

• Endpoint management RBAC (Endpoint management RBAC #3040)
• Get file endpoint response action (Get file - endpoint response action #3043)

Threat Hunting

• Machine learning job names are now used throughout the Security app instead of ML job IDs (ML job names used in place of job IDs #2972)
• Alerts page UX enhancements (Alerts table/page updates for 8.7 #3058)
  • Updated KPI visualizations, including new Summary view type
  • Grouped alerts
• Interactive investigation guides: query builder form (Interactive investigation guides form builder UI #3062)
• Ability to create a rule from Timeline: From the Timelines page, users can create a custom query rule or an EQL rule from a custom Timeline or from a Timeline template. Create rule from Timeline #3023
• Introduces the Data Quality dashboard, which allows you to quickly check one or many indices for unmapped fields or fields with mapping conflicts, and makes it easy to track and share the results. Data Quality dashboard #3059 (NOTE: Janeen, I'm not sure which What's New section this fits into best — I put it here for now since Andrew is on the Threat Hunting Investigations team)

Cloud Security

• Introduces a new integration, Cloud Security Posture Management (CSPM) which tests your AWS account's configuration against best practices defined by the Center for Internet Security. Once enabled, it regularly generates pass/fail findings which appear on the Findings page and the Cloud Posture dashboard to help you harden your cloud infrastructure. [8.7][CSPM] Adds CSPM overview and getting started pages to Cloud Security section #3014

Integrations

• Add which new integrations were added.

Protections Experience

• Credential Access Events are now available in production
• IoCs can be added to the blocklist: You can add indicators to the blocklist to prevent selected applications from running on your hosts. You can add indicators that have the file indicator type and hash values for the MD5, SHA-1, or SHA-256 fields. IoCs can be added to blocklists #3024
• Changes to the Indicator details flyout that opens from cases: The Indicator details flyout now has the Overview and Table tabs when you open indicator details from a case comment. Overview and Table tabs added to Indicator details flyout in cases #3022
• Improvements to the indicators feature: Timeframe for indicator Timeline query updated  #3034
  • When a user investigates an indicator in Timeline, the new Timeline that opens has a start and end date that's 7 days before and 7 days after the indicator's timestamp.
  • You can now delete values entered into the Stack by field in the Trend chart.
  • When you open the Indicator table's field browser, the agent, base, and event fields categories are already preselected.

ResponseOps

• Cases can be shared: Each case has a universally unique identifier (UUID) that you can copy and share. You can access a case's UUID from the Cases page or the case details page. Changes to the case feature in 8.7  #3053
• Improvements to cases: Changes to the case feature in 8.7  #3053
  • In the Overview dashboard, users can go to the Recent cases widget and sort by cases assigned to them.
  • Several improvements have been made to the Cases table:
  • Users can bulk edit assignees.
  • The Updated on column has been added and shows the last time cases were modified.
  • Users can sort the Status, Severity, and Name columns.
  • Filters and sorting changes are persisted in the browser.

Asset Management

• Use placeholder fields in Osquery queries: Instead of hard-coding alert and event values into Osquery queries, you can use placeholder fields to dynamically pass this data into queries. Placeholder fields function like parameters. You can use placeholder fields to build flexible and re-usable queries. Placeholder fields and Osquery UI updates #3045
• Easy way to add Osquery queries from rule's investigation guide to Osquery Response Action: Now, if a rule is using an Osquery query in it's investigation guide, you can quickly add the query to the rule's Osquery Response Action. Osquery UI changes in 8.7 #3070