Detections prerequisites and requirements

edit

To use the Detections feature, you first need to configure a few settings. You also need the appropriate license to send notifications when detection alerts are generated.

Several steps are only required for self-managed Elastic Stack deployments. If you’re using an Elastic Cloud deployment, you only need to enable detections.

Additionally, there are some advanced settings used to configure Kibana value list upload limits.

Configure self-managed Elastic Stack deployments

edit

These steps are only required for self-managed deployments:

  • HTTPS must be configured for communication between Elasticsearch and Kibana.
  • In the elasticsearch.yml configuration file, set the xpack.security.enabled setting to true. For more information, refer to Configuring Elasticsearch and Security settings in Elasticsearch.
  • In the kibana.yml configuration file, add the xpack.encryptedSavedObjects.encryptionKey setting with any alphanumeric value of at least 32 characters. For example:

    xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'

After changing the xpack.encryptedSavedObjects.encryptionKey value and restarting Kibana, you must restart all detection rules.

Enable and access detections

edit

To use the Detections feature, it must be enabled and your role must have access to rules and alerts. If your role does not have the cluster and index privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you. The following table describes the required privileges to access the Detections page, including rules and alerts.

For instructions about using Machine Learning jobs and rules, refer to Machine learning job and rule requirements.

In Elastic Stack version 8.0.0, the .siem-signals-<space-id> index was renamed to .alerts-security.alerts-<space-id>. Detection alert indices are created for each Kibana space. For the default space, the alerts index is named .alerts-security.alerts-default. If you’re upgrading to 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the Elastic Stack, then users do not need privileges for the .siem-signals-<space-id> index.

Action Cluster Privileges Index Privileges Kibana Privileges

Enable the Detections feature in your Kibana space

The manage privilege

The manage, write,read, and view_index_metadata index privileges for the following system indices, where <space-id> is the Kibana space name:

  • .alerts-security.alerts-<space-id>
  • .siem-signals-<space-id> 1
  • .lists-<space-id>
  • .items-<space-id>

1 NOTE: If you’re upgrading to Elastic Stack 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the Elastic Stack, then users do not need privileges for the .siem-signals-<space-id> index.

Kibana space All privileges for the Security feature (refer to Feature access based on user privileges)

Enable the Detections feature in all Kibana spaces

NOTE: To turn on the Detections feature, visit the Detections page for each appropriate Kibana space.

The manage privilege

The manage, write,read, and view_index_metadata index privileges for the following system indices:

  • .alerts-security.alerts-<space-id>
  • .siem-signals-<space-id> 1
  • .lists-<space-id>
  • .items-<space-id>

1 NOTE: If you’re upgrading to Elastic Stack 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the Elastic Stack, then users do not need privileges for the .siem-signals-<space-id> index.

Kibana space All privileges for the Security feature (refer to Feature access based on user privileges)

Preview rules

N/A

The read privilege for the following indices:

  • .preview.alerts-security.alerts-<space-id>
  • .internal.preview.alerts-security.alerts-<space-id>-*

Kibana space All privileges for the Security feature (refer to Feature access based on user privileges)

Manage rules

N/A

The manage, write,read, and view_index_metadata index privileges for the following system indices, where <space-id> is the Kibana space name:

  • .alerts-security.alerts-<space-id
  • .siem-signals-<space-id>1
  • .lists-<space-id>
  • .items-<space-id>

1 NOTE: If you’re upgrading to Elastic Stack 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the Elastic Stack, then users do not need privileges for the .siem-signals-<space-id> index.

Kibana space All privileges for the Security feature (refer to Feature access based on user privileges)

NOTE: You need additional Action and Connectors feature privileges (Management → Action and Connectors) to manage rules with actions and connectors:

  • To provide full access to rule actions and connectors, give your role All privileges. With Read privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, Read privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
  • To import rules with actions and connectors, your role needs at least Read privileges. To import rules without actions or connectors, your role does not require Action and Connectors feature privileges.

Manage alerts

NOTE: Allows you to manage alerts, but not modify rules.

N/A

The maintenance, write,read, and view_index_metadata index privileges for the following system indices, where <space-id> is the Kibana space name:

  • .alerts-security.alerts-<space-id>
  • .internal.alerts-security.alerts-<space-id>-*
  • .siem-signals-<space-id>1
  • .lists-<space-id>
  • .items-<space-id>

1 NOTE: If you’re upgrading to Elastic Stack 8.0.0 or later, users should have privileges for the .alerts-security.alerts-<space-id> AND .siem-signals-<space-id> indices. If you’re newly installing the Elastic Stack, then users do not need privileges for the .siem-signals-<space-id> index.

Kibana space Read privileges for the Security feature (refer to Feature access based on user privileges)

Create the .lists and .items indices in your Kibana space

NOTE: To initiate the process that creates the .lists and .items indices, you must visit the Rules page for each appropriate Kibana space.

The manage privilege

The manage, write,read, and view_index_metadata index privileges for the following indices, where <space-id> is the Kibana space name:

  • .lists-<space-id>
  • .items-<space-id>

Kibana space All privileges for the Security and Saved Objects Management features (refer to Feature access based on user privileges)

Here is an example of a user who has the Detections feature enabled in all Kibana spaces:

Shows user with the Detections feature enabled in all Kibana spaces
Authorization
edit

Rules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.

If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.

Configure list upload limits

edit

You can set limits to the number of bytes and the buffer size used to upload value lists to Elastic Security.

To set the value:

  1. Open kibana.yml configuration file or edit your Kibana cloud instance.
  2. Add any of these settings and their required values:

    • xpack.lists.maxImportPayloadBytes: Sets the number of bytes allowed for uploading Elastic Security value lists (default 9000000, maximum 100000000). For every 10 megabytes, it is recommended to have an additional 1 gigabyte of RAM reserved for Kibana.

      For example, on a Kibana instance with 2 gigabytes of RAM, you can set this value up to 20000000 (20 megabytes).

    • xpack.lists.importBufferSize: Sets the buffer size used for uploading Elastic Security value lists (default 1000). Change the value if you’re experiencing slow upload speeds or larger than wanted memory usage when uploading value lists. Set to a higher value to increase throughput at the expense of using more Kibana memory, or a lower value to decrease throughput and reduce memory usage.

For information on how to configure Elastic Cloud deployments, refer to Add Kibana user settings.