Spaces and Elastic Security


Elastic Security supports the organization of your security operations into logical instances with the Kibana spaces feature. Each space in Kibana represents a separate logical instance of Elastic Security in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and Kibana advanced settings are private to the space and accessible only by users who have role privileges to access the space. For details about configuring privileges for Elasticsearch and Kibana, refer to Detections prerequisites and requirements.

For example, if you create a SOC_prod space in which you load and activate all the Elastic Security prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the Elastic Security app in the SOC_prod space. If you then create a new SOC_dev space, you’ll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the SOC_dev space, and they will run independently of those in the SOC_prod space.

By default, alerts created by detection rules are stored in Elasticsearch indices under the .alerts-security.alerts-<Kibana-space> index pattern, and they may be accessed by any user with role privileges to access those Elasticsearch indices. In our example above, any user with Elasticsearch privileges to access .alerts-security.alerts-SOC_prod will be able to view SOC_prod alerts from within Elasticsearch and other Kibana apps such as Discover and Lens.

To ensure that detection alert data remains private to the space in which it was created, make sure that the roles assigned to your Elastic Security users include Elasticsearch privileges that limit their access to the alerts index of their own space. Note that Kibana space privileges alone do not provide this isolation: a user whose Elasticsearch role grants read access to .alerts-security.alerts-* can read every space's alerts directly, regardless of which Kibana spaces they can open.
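The following Python snippet is an added example, not code from the Elastic documentation or the Elastic Security project. It contrasts an overly broad Elasticsearch role (a wildcard on the alerts index pattern) with a space-scoped role, both written in the body shape accepted by the Elasticsearch `PUT _security/role/<name>` API, and runs a small offline check to show which alert indices each role would expose. The candidate index names (for the SOC_prod, SOC_dev and default spaces) are constructed for the example, and index-pattern matching is approximated with `fnmatch`, which covers the `*` wildcard that Elasticsearch index privileges use.

```python
"""Space-scoped Elasticsearch index privileges for Elastic Security alerts.

Added example (not Elastic's own code). Role bodies follow the shape of the
Elasticsearch `PUT _security/role/<name>` request; the checker below evaluates
which alert indices a role can read. Pattern matching uses fnmatch as an
approximation of Elasticsearch's own `*` wildcard matching.
"""
from fnmatch import fnmatchcase
import json

# Alert indices follow the .alerts-security.alerts-<Kibana-space> pattern.
ALERTS_PREFIX = ".alerts-security.alerts-"
READ_PRIVILEGES = ["read", "view_index_metadata"]

# Weak setting: the trailing wildcard grants read access to every space's alerts.
ROLE_BROAD = {
    "cluster": [],
    "indices": [
        {"names": [ALERTS_PREFIX + "*"], "privileges": READ_PRIVILEGES},
    ],
}


def space_scoped_role(space: str) -> dict:
    """Corrected setting: name the single space's alerts index, no wildcard."""
    return {
        "cluster": [],
        "indices": [
            {"names": [ALERTS_PREFIX + space], "privileges": READ_PRIVILEGES},
        ],
    }


def granted_indices(role: dict, candidate_indices) -> set:
    """Return the subset of candidate_indices that this role can read."""
    granted = set()
    for entry in role["indices"]:
        if "read" not in entry["privileges"]:
            continue
        for pattern in entry["names"]:
            granted.update(i for i in candidate_indices if fnmatchcase(i, pattern))
    return granted


def leaks_other_spaces(role: dict, space: str, candidate_indices) -> set:
    """Alert indices readable by the role that belong to spaces other than `space`."""
    return granted_indices(role, candidate_indices) - {ALERTS_PREFIX + space}


def role_request(name: str, role: dict) -> tuple:
    """The (method, path, JSON body) a client would send to create the role."""
    return ("PUT", f"/_security/role/{name}", json.dumps(role))


# Constructed sample: alert indices for three spaces in one cluster.
SAMPLE_INDICES = [
    ALERTS_PREFIX + "SOC_prod",
    ALERTS_PREFIX + "SOC_dev",
    ALERTS_PREFIX + "default",
]

if __name__ == "__main__":
    prod_role = space_scoped_role("SOC_prod")
    print("broad role exposes:", sorted(granted_indices(ROLE_BROAD, SAMPLE_INDICES)))
    print("scoped role exposes:", sorted(granted_indices(prod_role, SAMPLE_INDICES)))
    print("cross-space leak (broad):", sorted(leaks_other_spaces(ROLE_BROAD, "SOC_prod", SAMPLE_INDICES)))
    print("cross-space leak (scoped):", sorted(leaks_other_spaces(prod_role, "SOC_prod", SAMPLE_INDICES)))
    method, path, body = role_request("soc_prod_analyst", prod_role)
    print(method, path, body)
```

The check is the useful part when reviewing existing roles: run `leaks_other_spaces` over the actual list of alert indices in the cluster (for example the output of `GET _cat/indices/.alerts-security.alerts-*`) and any non-empty result identifies a role that undermines the space isolation described above.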