Spaces and Elastic Security
Elastic Security supports the organization of your security operations into logical instances with the spaces feature. Each space in Kibana represents a separate logical instance of Elastic Security in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and Kibana advanced settings are private to the space and accessible only by users that have role privileges to access the space. For details about privileges for Elastic Security and specific features, refer to Elastic Security requirements.
For example, if you create a SOC_prod space in which you load and activate all the Elastic Security prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the Elastic Security app in the SOC_prod space. If you then create a new SOC_dev space, you’ll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the SOC_dev space, and they will run independently of those in the SOC_prod space.
By default, alerts created by detection rules are stored in Elasticsearch indices under the .alerts-security.alerts-<space-name> index pattern, and they may be accessed by any user with role privileges to access those Elasticsearch indices. In our example above, any user with Elasticsearch privileges to access .alerts-security.alerts-SOC_prod will be able to view SOC_prod alerts from within Elasticsearch and other Kibana apps such as Discover.
To keep detection alert data private to the space in which it was created, make sure the roles assigned to your Elastic Security users include Elasticsearch index privileges that limit their access to the alerts index of their own space, rather than a wildcard such as .alerts-security.alerts-* that spans every space's alerts.
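The following is an added example, not code from the Elastic documentation or from Elastic itself. It builds a per-space role body in the shape of the Elasticsearch PUT _security/role API for the SOC_prod and SOC_dev spaces used above, then checks offline that a role scoped to .alerts-security.alerts-SOC_prod cannot read SOC_dev alerts while a wildcard pattern would. The Kibana application id (kibana-.kibana), the feature privilege id (feature_siem.all) and the space:<id> resource format are assumptions taken from self-managed and Cloud Kibana and may differ on serverless; check them against the Elastic Security requirements page for your deployment.

```python
"""Per-space role definitions that scope Elastic Security alert access.

Added example (not Elastic's own code). Builds Elasticsearch role bodies
for the SOC_prod / SOC_dev spaces and checks, offline, that each role's
index privileges cover only its own space's alerts index.
Assumptions: the role body follows the shape of the Elasticsearch
PUT _security/role API; the Kibana application id, feature privilege id
and "space:<id>" resource format are those of self-managed/Cloud Kibana
and may differ on serverless.
"""
import fnmatch
import json

# From the page: alerts live under .alerts-security.alerts-<space-name>
ALERTS_INDEX_PREFIX = ".alerts-security.alerts-"


def alerts_index_for(space: str) -> str:
    """Return the per-space detection alerts index name."""
    return f"{ALERTS_INDEX_PREFIX}{space}"


def build_space_role(space: str, kibana_privileges=("feature_siem.all",)) -> dict:
    """Role body: Elastic Security in one space plus read on that space's alerts only."""
    return {
        "cluster": [],
        "indices": [
            {
                "names": [alerts_index_for(space)],  # exact index, no wildcard
                "privileges": ["read", "view_index_metadata"],
            }
        ],
        "applications": [
            {
                "application": "kibana-.kibana",        # assumption: Kibana app id in the role API
                "privileges": list(kibana_privileges),  # assumption: Elastic Security feature privilege
                "resources": [f"space:{space}"],        # assumption: space resource format
            }
        ],
    }


def role_grants_index(role: dict, index_name: str) -> bool:
    """True if any index pattern in the role matches index_name ('*' wildcards, as in ES)."""
    return any(
        fnmatch.fnmatchcase(index_name, pattern)
        for entry in role["indices"]
        for pattern in entry["names"]
    )


def spaces_leaked_to(role: dict, all_spaces) -> list:
    """Spaces other than the role's own whose alerts index the role can read."""
    own = {
        r.split("space:", 1)[1]
        for app in role["applications"]
        for r in app["resources"]
        if r.startswith("space:")
    }
    return [s for s in all_spaces if s not in own and role_grants_index(role, alerts_index_for(s))]


def as_role_request(name: str, role: dict) -> str:
    """Render the body as the request you would send to PUT _security/role/<name>."""
    return f"PUT _security/role/{name}\n" + json.dumps(role, indent=2)


if __name__ == "__main__":
    spaces = ["SOC_prod", "SOC_dev"]  # constructed: the two spaces from the page's example

    prod_role = build_space_role("SOC_prod")
    print(as_role_request("soc_prod_analyst", prod_role))
    print("leaks from scoped role:", spaces_leaked_to(prod_role, spaces))

    # Constructed counter-example: a wildcard pattern spanning every space's alerts.
    broad_role = build_space_role("SOC_prod")
    broad_role["indices"][0]["names"] = [ALERTS_INDEX_PREFIX + "*"]
    print("leaks from wildcard role:", spaces_leaked_to(broad_role, spaces))
```

Run it as a script to print the role request for SOC_prod; the scoped role reports no leaked spaces, while the wildcard variant reports SOC_dev, which is the cross-space exposure the paragraph above warns about. The same check is useful as a pre-deployment lint over the roles you already manage, since a role's Kibana space privilege and its Elasticsearch index privilege are granted independently and only the latter stops Discover or direct Elasticsearch queries from reading another space's alerts.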