Skip to content

Latest commit

 

History

History
94 lines (60 loc) · 9.58 KB

detections-requirements.md

File metadata and controls

94 lines (60 loc) · 9.58 KB
mapped_pages applies_to
stack serverless
all
security
all

Detections requirements

To use the Detections feature, you first need to configure a few settings. You also need the appropriate {{stack}} subscription or {{serverless-short}} project tier to send notifications when detection alerts are generated. Additionally, there are some advanced settings used to configure {{kib}} value list upload limits.

::::{important} Several steps are only required for self-managed {{stack}} deployments. If you’re using an Elastic Cloud deployment, you only need to enable detections. ::::

Configure self-managed {{stack}} deployments [detections-on-prem-requirements]

stack:

These steps are only required for self-managed deployments:

  • HTTPS must be configured for communication between {{es}} and {{kib}}.

  • In the elasticsearch.yml configuration file, set the xpack.security.enabled setting to true. For more information, refer to Configuring {{es}} and Security settings in {{es}}.

  • In the kibana.yml configuration file, add the xpack.encryptedSavedObjects.encryptionKey setting with any alphanumeric value of at least 32 characters. For example:

    xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'

::::{important} After changing the xpack.encryptedSavedObjects.encryptionKey value and restarting {{kib}}, you must restart all detection rules. ::::

Enable and access detections [enable-detections-ui]

To use the Detections feature, it must be enabled, your role must have access to rules and alerts, and your {{kib}} space must have Data View Management feature visibility. If your role doesn’t have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your {{kib}} space, which will turn it on for you.

::::{note} For instructions about using {{ml}} jobs and rules, refer to Machine learning job and rule requirements. ::::

Custom role privileges [security-detections-requirements-custom-role-privileges]

The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to Feature access based on user privileges.

Action Cluster Privileges Index Privileges Kibana Privileges
Enable detections in your space manage manage, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

- .alerts-security.alerts-<space-id>
- .siem-signals-<space-id> ^1^
- .lists-<space-id>
- .items-<space-id>

^1^ NOTE: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the {{stack}}, then users do not need privileges for the .siem-signals-<space-id> index.
 All for the Security feature
Enable detections in all spaces

NOTE: To turn on detections, visit the Rules and Alerts pages for each space.		 manage manage, write, read, and view_index_metadata for these system indices and data streams:

- .alerts-security.alerts-<space-id>
- .siem-signals-<space-id> ^1^
- .lists-<space-id>
- .items-<space-id>

^1^ NOTE: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the {{stack}}, then users do not need privileges for the .siem-signals-<space-id> index.
 All for the Security feature
Preview rules N/A read for these indices:

- .preview.alerts-security.alerts-<space-id>
- .internal.preview.alerts-security.alerts-<space-id>-*
 All for the Security feature
Manage rules N/A manage, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

- .alerts-security.alerts-<space-id>
- .siem-signals-<space-id>^1^
- .lists-<space-id>
- .items-<space-id>

^1^ NOTE: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the {{stack}}, then users do not need privileges for the .siem-signals-<space-id> index.
 All for the Security feature

NOTE: You need additional Action and Connectors feature privileges (Management → Action and Connectors) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role All privileges. With Read privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, Read privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges.
Manage alerts

NOTE: Allows you to manage alerts, but not modify rules.		 N/A maintenance, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

- .alerts-security.alerts-<space-id>
- .internal.alerts-security.alerts-<space-id>-*
- .siem-signals-<space-id>^1^
- .lists-<space-id>
- .items-<space-id>

^1^ NOTE: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the {{stack}}, then users do not need privileges for the .siem-signals-<space-id> index.
 Read for the Security feature
Create the .lists and .items data streams in your space

NOTE: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.		 manage manage, write, read, and view_index_metadata for these data streams, where <space-id> is the space name:

- .lists-<space-id>
- .items-<space-id>
 All for the Security and Saved Objects Management features

Authorization [alerting-auth-model]

stack:

Rules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.

::::{important} If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.

::::

Configure list upload limits [adv-list-settings]

stack:

You can set limits to the number of bytes and the buffer size used to upload value lists to {{elastic-sec}}.

To set the value:

  1. Open kibana.yml configuration file or edit your {{kib}} cloud instance.

  2. Add any of these settings and their required values:

    • xpack.lists.maxImportPayloadBytes: Sets the number of bytes allowed for uploading {{elastic-sec}} value lists (default 9000000, maximum 100000000). For every 10 megabytes, it is recommended to have an additional 1 gigabyte of RAM reserved for Kibana.

      For example, on a Kibana instance with 2 gigabytes of RAM, you can set this value up to 20000000 (20 megabytes).

    • xpack.lists.importBufferSize: Sets the buffer size used for uploading {{elastic-sec}} value lists (default 1000). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage.