Elastic Security 7.16: Accelerate SecOps with the most powerful Elastic Security yet


In Elastic Security 7.16, multiple new out-of-the-box data integrations for Elastic Agent streamline data ingestion and normalization, powering security operations. The release also introduces full production support for several existing data integrations.

Version 7.16 introduces an expanded set of malicious behavior protections, addressing methods related to initial access, privilege escalation, and defense evasion. It also brings memory threat protection to macOS and Linux, and enhances ECS support for Osquery Manager.

Plus, power cross-org collaboration with new and enhanced workflow integrations for ServiceNow.

Let’s jump in.

Amplify visibility to accelerate detection and response

Expansive environmental activity and context powers the work of modern security teams, but onboarding data at unthrottled scale — from distributed sources, in diverse formats — can be challenging. Elastic Agent delivers visibility across the attack surface. It’s centrally managed, supports every major operating system, and is covered by the Elastic license, so you can take your deployment global.

New sources of valuable security data

Elastic Security 7.16 ships with new out-of-the-box data integrations, including multiple community-developed and Elastic-validated integrations, that simplify collection and automate normalization with the Elastic Common Schema (ECS), propelling cross-telemetry detection, investigation, and response.

AWS WAF logs extend cloud visibility, recording the web requests that matched your web ACL rules, from common web exploits to more targeted attacks.

Cisco Duo events surface authentications throughout the enterprise, powering security analytics.


GitHub audit data reveals the actions taken by users — who did what, when.

1Password events show authentication attempts, password usage, and other high-stakes activity, enabling cross-environment analysis.

Elastic Agent integrations with production-ready support

The 7.16 release also brings numerous prebuilt Elastic Agent data integrations into general availability, ensuring production-ready support.

Security data sources: Common Event Format (CEF), Check Point firewalls, Cloudflare CDN, CrowdStrike Falcon EDR, CyberArk PAS, Google Cloud Platform (audit logs, firewall logs, VPC flows), Google Workspace, HashiCorp Vault, Juniper SRX, osquery logs, Microsoft Defender for Endpoint, Sophos XG and UTM, custom Windows event logs, ZeroFox platform alerts, and Zoom.

Infrastructure, datastore, and application sources: The 7.16 release also marks the general availability of numerous security-relevant observability technologies, enabling monitoring via granular analysis of data from numerous DevOps tools (e.g., Docker, Kubernetes, Nginx, Traefik), datastores (e.g., Cassandra, MongoDB, MySQL, PostgreSQL, Redis), and more. Learn more in the Elastic Observability 7.16 blog.

Secure every endpoint with layered protections

Elastic Security autonomously fights back at every stage of the attack lifecycle, applying multiple layers of endpoint prevention and detection — and demonstrating the rapid advancement of Elastic Agent.

Feature                              | Windows     | macOS       | Linux
-------------------------------------|-------------|-------------|------------
Malicious behavior protection        | Enhanced ↗  | Enhanced ↗  | Enhanced ↗
Memory threat protection             | Existing ✓  | New +       | New +
Behavioral ransomware prevention     | Existing ✓  | Existing ✓  | Existing ✓
Malware & ransomware prevention      | Existing ✓  | Existing ✓  | Existing ✓
Centralized osquery host inspection  | Enhanced ↗  | Enhanced ↗  | Enhanced ↗
On-host response actions             | Existing ✓  | Existing ✓  | Existing ✓
Centralized detection with host data | Existing ✓  | Existing ✓  | Existing ✓

Expanded malicious behavior protections at the endpoint

Elastic Security 7.16 extends malicious behavior prevention — which pairs post-execution behavior analytics with targeted response actions — to stop an expanded set of advanced attack techniques. All analytics are mapped to the MITRE ATT&CK® framework, addressing methods related to initial access, privilege escalation, and defense evasion, including:

These capabilities build on the malicious behavior preventions introduced in Elastic Security 7.15, which stop techniques used for phishing, credential theft, living off the land (LotL), and advanced persistence.

Memory threat protection for Linux and macOS

The release adds memory threat protection for macOS and Linux systems, uncovering methods sometimes used by advanced threats to evade traditional defenses. It ships with preventions for shellcode (macOS and Linux), reflective ELF injection (Linux), and in-memory Mach-O execution (macOS), plus the preventions for Windows systems delivered in version 7.15.

Osquery Manager now generally available

Elastic Security 7.16 enhances the Osquery Manager integration for Elastic Agent and advances it into general availability, ensuring production-ready support. Osquery Manager equips hunters and investigators with real-time visibility into system data, like running processes, loaded kernel modules, open network connections, and more.

Practitioners can now map saved query results directly to ECS fields, so osquery returns normalized data that is ready for immediate analysis alongside other ECS-formatted sources.

The release also lets administrators customize key settings in the osquery configuration, such as the file paths to monitor and table views, enabling new use cases like file integrity monitoring and process auditing.
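As an added illustration of the two osquery passages above (the live tables for running processes, kernel modules and open network connections, and the file integrity monitoring and process auditing use cases), here is an osquery configuration in osquery's own JSON format. It is an example written for this page, not code from the Elastic release or from the Osquery Manager integration. It enables file events on a set of monitored paths, turns on Linux audit-based process events, and schedules queries over the resulting tables. JSON has no comments, so note here that the query names, the monitored paths, the exclusions and the intervals are assumptions chosen for the example; the flags, table names and columns are osquery's.

```json
{
  "options": {
    "disable_events": "false",
    "enable_file_events": "true",
    "disable_audit": "false",
    "audit_allow_process_events": "true",
    "audit_allow_config": "true",
    "events_expiry": "3600"
  },
  "schedule": {
    "processes_with_remote_sockets": {
      "query": "SELECT p.pid, p.name, p.path, p.cmdline, p.uid, s.protocol, s.local_address, s.local_port, s.remote_address, s.remote_port FROM processes p JOIN process_open_sockets s USING (pid) WHERE s.remote_port != 0 AND s.remote_address NOT IN ('127.0.0.1', '::1');",
      "interval": 300
    },
    "loaded_kernel_modules": {
      "query": "SELECT name, size, used_by, status FROM kernel_modules;",
      "interval": 3600,
      "platform": "linux"
    },
    "file_integrity_monitoring": {
      "query": "SELECT target_path, category, action, sha256, uid, time FROM file_events;",
      "interval": 300,
      "removed": false
    },
    "process_auditing": {
      "query": "SELECT pid, parent, path, cmdline, uid, euid, time FROM process_events;",
      "interval": 60,
      "removed": false,
      "platform": "linux"
    }
  },
  "file_paths": {
    "system_binaries": ["/usr/bin/%%", "/usr/sbin/%%", "/usr/local/bin/%%"],
    "system_config": ["/etc/%%"],
    "ssh_keys": ["/root/.ssh/%%", "/home/%/.ssh/%%"]
  },
  "exclude_paths": {
    "system_config": ["/etc/mtab", "/etc/resolv.conf"]
  }
}
```

In osquery's path syntax a single `%` matches one directory level and `%%` matches recursively, so `/home/%/.ssh/%%` covers every user's `.ssh` directory. The `exclude_paths` categories must match the `file_paths` category names they filter. The `removed: false` setting on the event-based queries keeps osquery from emitting a "removed" row each time the event table is drained, which would otherwise double the volume of FIM and process-audit results sent upstream.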

Streamline workflows with certified ServiceNow integrations

Threats are growing in number and sophistication, and experienced practitioners remain scarce, so it’s vital to maximize the productivity of each analyst. Elastic Security addresses this challenge head-on by eliminating the operational inefficiencies caused by data silos and providing a uniquely effective investigation UI, built-in case management, and a growing set of external workflow integrations.
