What’s new in Elastic Security 8.18 and 9.0

Automatic Migration for detection rules, Lookup Join for ES|QL, AI feature enhancements, and more


Elastic Security 8.18 and 9.0 bring updates that help security operations teams work more efficiently and respond to threats faster. This release includes migration support for Splunk SIEM users, the new ES|QL Lookup Join feature, which makes it easier to enrich and analyze data, and several usability improvements. Attack Discovery and Automatic Import are now generally available (GA), along with improvements to Elastic AI Assistant and support for custom detection rules. 

Elastic Security endpoint capabilities now include automated response integrations for Microsoft Defender and CrowdStrike, along with host traffic anomaly detection using machine learning. These additions help reduce manual workload, accelerate investigations, and strengthen endpoint visibility and response.

Simplify the switch to Elastic Security from legacy SIEM

The challenges of migrating to a new SIEM can leave some teams locked into using outdated solutions — slowing detection, investigation, and response. Automatic Migration, new in Elastic Security 8.18 and 9.0, expedites your move to a modern SIEM.

Our first release of Automatic Migration, available now in technical preview, provides an AI-driven workflow for migrating legacy SIEM detection rules to Elastic Security. We’re launching with support for Splunk, including multi-tenant environments, and planning to expand to other legacy SIEMs soon. Support for other types of SIEM content, like dashboards and visualizations, is also planned.

Video thumbnail

Automatic Migration expedites the transfer of legacy SIEM content into Elastic Security, starting with your existing detection rules. It maps certain rules to prebuilt detections actively maintained by Elastic Security Labs and translates many others — including associated lookups and macros — to run in Elastic. 

The AI-powered feature validates translated rules to ensure that they function as intended and recommends relevant integrations if required data sources are missing. For efficient review, it presents original and translated rules side-by-side. When further updates are needed, Elastic AI Assistant guides practitioners toward next best actions.

Ad-hoc data enrichment with the power of Joins in ES|QL

This release introduces Lookup Join support in Elasticsearch Query Language (ES|QL) — a highly requested feature that significantly enhances data correlation workflows in Elastic Security. With this new capability, practitioners can now dynamically bolster their analysis by using the Lookup Join function in queries. 

Unlike enrichment workflows that require preconfigured policies and policy execution, ES|QL Lookup Join allows users to correlate across datasets on the fly. Whether you’re matching asset metadata, user attributes, threat intelligence, or business context, it’s now easier to bring related context into your investigations.

Let’s examine a real security use case. During alert triage, analysts often wonder, “Did this alert contain IOCs flagged in a threat feed? Is there additional information about the host or user entity? Do I know more about this alert in organization-specific data?” Each of these questions means the analyst is looking for more information in another index, a classic Join use case. Now you can do exactly that.

In the video below, you can see how a user can take an attribute from the alert (in this case the file name), compare it against another data store, such as a threat feed, and return the matching information in the final results.
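The triage question above, written out as an ES|QL query. This is an added illustration, not a query from the original post: the alerts index name, the lookup index name `threat_feed_lookup`, and its indicator fields are assumptions. The lookup index has to be created with `index.mode` set to `lookup`, and in this release the join key must carry the same field name in both indices.

```esql
// Assumption: threat_feed_lookup was created with "index.mode": "lookup"
// and holds one document per indicator, keyed by a file.name field whose
// name matches the join key in the alerts index.
FROM .alerts-security.alerts-default
| WHERE file.name IS NOT NULL
// LOOKUP JOIN behaves as a left join: alerts with no matching indicator
// keep null values in the fields copied from the lookup index.
| LOOKUP JOIN threat_feed_lookup ON file.name
// Keep only alerts whose file name appeared in the threat feed
// (threat.indicator.description is an assumed field of the lookup index).
| WHERE threat.indicator.description IS NOT NULL
| KEEP @timestamp, host.name, user.name, file.name, threat.indicator.description, threat.feed.name
| SORT @timestamp DESC
| LIMIT 100
```

Because the join is evaluated at query time, refreshing the threat feed index is enough to change what the next run matches; no enrich policy has to be re-executed.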

Video thumbnail

Elastic Security continues leading the way with AI and SIEM

Attack Discovery and Automatic Import are now GA, with enhancements across Elastic Security’s AI features:

  • Attack Discovery holistically assesses incoming alerts to reveal advancing attacks and guide analysts to stop them. With new support for alert filtering and custom date ranges, you have full control over what gets analyzed, helping Elastic surface what matters.

  • Automatic Import builds custom data integrations in minutes — and now it can build the necessary configuration to ingest data from any REST API. Simply upload an OpenAPI specification and let Automatic Import handle the rest to ensure seamless data ingestion with minimal effort.

  • Elastic AI Assistant now cites sources in its responses, so you can see where information originates. It also introduces an API to manage knowledge sources and improves audit logging. These updates reflect our continued focus on explainable AI, ensuring that the Assistant is both helpful and accountable.

Update Elastic-built rules without losing your custom changes

Elastic includes over 1,300 detection rules built and maintained by Elastic Security Labs. Organizations sometimes tailor these rules to meet specific needs (for example, adjusting conditions or adding tags). Starting with 8.18, you can apply rule updates without overwriting your custom changes.

Last year alone, Elastic Security Labs improved existing rules more than 2,400 times. With this enhancement in rule management, organizations that have made modifications can continue to benefit from those updates without needing to reapply customizations manually. This makes it easier to customize and maintain prebuilt detection rules over time, streamlining detection engineering workflows and helping teams expand coverage to more use cases with less effort.

Video thumbnail

Eliminate conflicts with Automatic Troubleshooting

Deploying endpoint protections in environments with existing antivirus or EDR tools can lead to software conflicts. A new AI-driven troubleshooting workflow, starting with Elastic Agent, helps avoid these issues by ensuring the Defend integration doesn’t interfere with other software on the host. 

Powered by generative AI, Automatic Troubleshooting detects installed security tools and walks you through adding them as trusted applications. This task used to require digging through system data and configuring everything manually. Now it’s faster, easier, and more reliable, so you can deploy with confidence and keep protections running without disruption.

Execute third-party endpoint response actions from Elastic Security

Elastic continues to evolve as a unified, vendor-agnostic platform for endpoint analytics — giving analysts a single, integrated solution to detect, investigate, and respond across any environment. Building on the ability to take response actions with Elastic Defend, analysts can now take direct action on hosts protected by CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne — without leaving the Elastic interface. 

This includes isolating or releasing hosts, collecting files, running scripts (CrowdStrike), and listing or killing processes (SentinelOne), all with real-time synchronization between platforms. These bidirectional integrations streamline response workflows, reduce context switching, and make it easier to take consistent, informed action across diverse endpoint deployments — all from a single, centralized workspace.

Video thumbnail

Integrations with no installation required

Elastic first introduced no-install data integrations in 8.16 to simplify cloud security posture management. In this release, we’re expanding agentless support (public beta) to 15 widely used integrations, including CrowdStrike, Google Workspace, Microsoft 365 Defender, Okta, Qualys VMDR, SentinelOne, and more.

These integrations make it easier to bring valuable security and IT data into Elastic without installing agents or managing ingest infrastructure. Just select the agentless option during integration setup to start streaming data. This broader support helps teams accelerate a wide range of analytics use cases — from identity and endpoint visibility to asset inventory and risk-based alerting — without unnecessary operational overhead.

Try it out

Read about these capabilities and more in the Elastic Security release notes.

The fastest and easiest way to experience Elastic Security is on Elastic Cloud Serverless. Try it now.

The release and timing of any features or functionality described in this post remain at Elastic's sole discretion. Any features, support plans, or functionality not currently available may not be delivered on time or at all, and mention of such plans or ideas reflects only our strategic goals and objectives. Such plans may be updated, cancelled or postponed.

In this blog post, we may have used or referred to third party generative AI tools, which are owned and operated by their respective owners. Elastic does not have any control over the third party tools and we have no responsibility or liability for their content, operation or use, nor for any loss or damage that may arise from your use of such tools. Please exercise caution when using AI tools with personal, sensitive or confidential information. Any data you submit may be used for AI training or other purposes. There is no guarantee that information you provide will be kept secure or confidential. You should familiarize yourself with the privacy practices and terms of use of any generative AI tools prior to use. 

Elastic, Elasticsearch, and associated marks are trademarks, logos or registered trademarks of Elasticsearch N.V. in the United States and other countries. Splunk and other related marks are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. Microsoft and other related marks are trademarks of the Microsoft group of companies. CrowdStrike is a trademark of CrowdStrike, Inc. SentinelOne is a registered trademark of SentinelOne, Inc. All other company and product names are trademarks, logos or registered trademarks of their respective owners.