Elastic SIEM Detections

Our org is starting to look towards using Elastics SIEM and for the most part it works just fine … except detection’s. For detection’s to function 'security.enabled must be true, which in turn breaks RoR. I’ve dug around for a bit cant find an actual reason to why elastic has the requirement outside the assumption that its using the ml component of ES which even then i dot think is the issue.

We know from the error logs it wants the _security indices to exist, but logically reasons as to why, especially when at the end of the day its creating .signal indices per Kibana space.

Does anyone know the reasoning behind the requirement?

Is there some intent for RoR to accommodate the detection function of Kibana?



@mgaetano we are almost done mocking the security API to make SIEM Detection work (and whatever additional future module will require the security API).

For now we suceeded getting it to work using a generic “ror” username to save detection rules, notes and cases. Next step is to bind the current ROR user identity, so when for example you create a note, it will say “created by mgaetano”.

For now I can’t guarantee full multi-tenancy support for SIEM will be achieved, but we’ll try.

@sscarduzio any update on this?

Hi @mgaetano,

We made a prototype, but we decided not to release it in its form right now, because 7.9.0 has broken the legacy API that ROR was using and was supposed to use without problem for some time before Kibana 8.0.0 release.
At the moment we are porting the progress we made in the prototype into Kibana’s “new platform” plugin API directly as quick as we can.

Just curious if any ETA is available for this fix?

The SIEM interop code produced in the efforts mentioned in this thread have been moved to the “new platform” branch, which is the one that will be compatible with 7.9.x. We are still resolving some issue on multi tenancy compatibility with the new Kibana and we have to wait for those to get sorted first. We can’t give a precise ETA, but we are full steam on this.