Our org is starting to look towards using Elastic's SIEM and for the most part it works just fine … except detections. For detections to function, `xpack.security.enabled` must be true, which in turn breaks RoR. I've dug around for a bit and can't find an actual reason why Elastic has the requirement, outside the assumption that it's using the ML component of ES, which even then I don't think is the issue.

We know from the error logs that it wants the `_security` indices to exist, but not the logical reasons as to why, especially when at the end of the day it's creating `.signal` indices per Kibana space.
Does anyone know the reasoning behind the requirement?
Is there some intent for RoR to accommodate the detection function of Kibana?