Elastic SIEM Detections

Our org is starting to look towards using Elastic's SIEM and for the most part it works just fine … except detections. For detections to function, 'security.enabled' must be true, which in turn breaks RoR. I've dug around for a bit and can't find an actual reason why Elastic has the requirement, outside the assumption that it's using the ML component of ES, which even then I don't think is the issue.

We know from the error logs it wants the _security indices to exist, but not any logical reason as to why, especially when at the end of the day it's creating .signal indices per Kibana space.

Does anyone know the reasoning behind the requirement?

Is there some intent for RoR to accommodate the detection function of Kibana?

@mgaetano we are almost done mocking the security API to make SIEM Detection work (and whatever additional future module will require the security API).

For now we succeeded in getting it to work using a generic "ror" username to save detection rules, notes and cases. The next step is to bind the current ROR user identity, so when for example you create a note, it will say "created by mgaetano".

For now I can’t guarantee full multi-tenancy support for SIEM will be achieved, but we’ll try.