Elastic’s latest and greatest 7.10 version has some extra tasty new functionality packed in. Even though it is a minor revision, Kibana has a slightly refined new look, and dare I say it, the UI feels even more responsive than before.
So what are our top 5 favorite new features in 7.10?
1. Event Correlation detection rules.
Kibana now comes with one of the most powerful aspects of the Endgame EDR platform: EQL, or Event Query Language.
We could write another top 5 list about the best features of EQL, but top of the list would still be the ability to chain together events into a single detection rule, with the alert only triggered when all of the events are found, in the correct order. With modern advanced threats often being the sum of many parts, this type of event ‘correlation’ is essential. We love this as it now allows us to build complex detection rules, reducing false alarms and saving our customers’ resources.
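To make the correlation idea concrete, here is an added toy model (not Elastic's code, and not a real EQL engine) of how an EQL-style `sequence by host.id with maxspan=5m` rule behaves: the alert fires only when every step is seen, in order, for the same host, inside the window. The events, field names and step predicates are constructed for the example.

```python
"""Toy model of an EQL-style `sequence by <field> with maxspan=<window>` rule."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): the rule below should fire
# for h1 only. h2 sees the events out of order; h3 exceeds the 5-minute window.
EVENTS = [
    {"@timestamp": "2020-11-12T10:00:00", "host.id": "h1", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": "2020-11-12T10:00:20", "host.id": "h1", "event.category": "network", "destination.port": 443},
    {"@timestamp": "2020-11-12T10:00:30", "host.id": "h1", "event.category": "file", "event.action": "creation"},
    {"@timestamp": "2020-11-12T10:05:00", "host.id": "h2", "event.category": "network", "destination.port": 443},
    {"@timestamp": "2020-11-12T10:05:10", "host.id": "h2", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": "2020-11-12T10:05:30", "host.id": "h2", "event.category": "file", "event.action": "creation"},
    {"@timestamp": "2020-11-12T10:10:00", "host.id": "h3", "event.category": "process", "process.name": "powershell.exe"},
    {"@timestamp": "2020-11-12T10:13:00", "host.id": "h3", "event.category": "network", "destination.port": 443},
    {"@timestamp": "2020-11-12T10:16:00", "host.id": "h3", "event.category": "file", "event.action": "creation"},
]

# One predicate per sequence step, in the order the rule requires them.
STEPS = [
    lambda e: e.get("event.category") == "process" and e.get("process.name") == "powershell.exe",
    lambda e: e.get("event.category") == "network" and e.get("destination.port") == 443,
    lambda e: e.get("event.category") == "file" and e.get("event.action") == "creation",
]


def run_sequence(events, steps, by="host.id", maxspan=timedelta(minutes=5)):
    """Return (join key, matched events) for every sequence completed in order,
    per join key, with all events inside maxspan of the first one."""
    assert len(steps) >= 2, "a sequence needs at least two steps"
    pending = {}  # join key -> list of (start time, next step index, events so far)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        ts = datetime.fromisoformat(ev["@timestamp"])
        key = ev.get(by)
        # Partial sequences whose window has expired are discarded, never fired.
        kept = []
        for start, idx, matched in pending.get(key, []):
            if ts - start > maxspan:
                continue
            if steps[idx](ev):
                if idx + 1 == len(steps):
                    alerts.append((key, matched + [ev]))   # every step seen, in order
                else:
                    kept.append((start, idx + 1, matched + [ev]))
            else:
                kept.append((start, idx, matched))         # unrelated event, keep waiting
        if steps[0](ev):
            kept.append((ts, 1, [ev]))                     # may open a new sequence
        pending[key] = kept
    return alerts
```

Calling `run_sequence(EVENTS, STEPS)` returns a single alert for h1; a real EQL rule additionally supports `until` clauses and runs against live indices, which this model omits.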
2. Indicator Match rules.
Detections based on a dynamic ‘blacklist’ of values have been sorely needed, and now we have them! Not only that, but as these ‘blacklists’ are also Elastic indices, they can be added to and/or enriched by external processes (threat feeds) through the regular Elasticsearch REST API.
Easily import from external threat feeds, or build your own blacklist based on your own findings and analysis.
3. More detection rules.
Elastic Security now comes with 316 detection rules, compared with the previous version’s 203. We love Elastic’s commitment to readily rolling out new detection rules. Version 7.10 comes with a bunch of Azure and Google Cloud security monitoring rules, among many others.
4. Points in time (PITs) for search.
This new feature slices and dices lengthy search requests into several smaller ones. This allows any UI using Elasticsearch as a backend to perform more responsively.
I can’t say for sure, but it wouldn’t surprise me if Kibana is always making use of this feature under the hood. The result – a better end user experience.
5. Searchable snapshots.
A great way to reduce the overall operating cost of an Elastic cluster. Snapshots have long been the established way of reducing resource use by archiving old data. Up to now, those snapshots were a locked box that no-one should open unless they really had to.
Now snapshots become really useful by being searchable. Being able to search a snapshot to remind yourself what was in it is already super useful, but being able to include snapshots as a not-so-active data mass is great.
We’re expecting a lot of new stuff over the coming couple of releases regarding Elastic Security. We look forward to it, and of course will keep you updated in our news and blogs.
Written by: Alex Hutchinson, Certified Elastic Engineer and Software Architect