ELK stack 8.5.2 - RoR 1.45.1 - SIEM usage

Hello,

I have an issue related to the use of Kibana 8.5.2, Security section (SIEM), and RoR 1.45.1.

To place the topic: the Security section of Kibana contains SIEM stuff
Elastic Security overview | Kibana Guide [8.5] | Elastic

With my current installations (tested on Linux, and also on Windows), I meet an error message when I try to use any link of this section (dashboard, cases, etc.)

Any hints, or has someone else met this issue?

I should specify that with the RoR plugin set to false in Elasticsearch, and completely uninstalled on Kibana, the result is the same.

Could it be related to the elasticsearch.yml setting xpack.security.enabled: false?

Another point to specify: in kibana.yml the setting xpack.security.enabled: false is not supported (rejected when starting Kibana, deprecated).

Did I miss something?

kr

Fred


Hello @ld57, unfortunately the whole Security app in Kibana is not supported yet with ROR. We are slowly making progress in broadening the compatibility of the most recent sections of Kibana, but it turned out to be a very tough endeavour, and we are yet to find a clever solution to it.

Yes I’m aware you can’t disable xpack.security in newer Kibana, but you can hide it via ROR Enterprise ACL using the rule kibana_hide_apps: ["Security"].


Ouch, so bad for me as I “sold” this section to our CISO lol…

Any way I can help?

Oh no! That’s unfortunate :sob:

We will get back to you when we get something worth testing.

For now the major obstacle we are facing is that SIEM requires current user information from the xpack API which works incredibly differently from ROR’s. And it’s really messy to reconcile the two.


you are a [image]

:wink:
