CCR KSPM Data

  • As suggested in the past, for using the KSPM on the SIEM Module, we need to use the Elastic Agent integration for our k8s clusters.
  • Now, in case this data is read over CCR, what changes need to be made other than mapping the index patterns on the Security Data view?
  • I tried and was disappointed that it does not work. But I feel there is something which needs to be changed other than the obvious.
  • Currently the page asks me to install the integration, but I only need to use the available data which is fetched over CCR.
  • I can see this works where the data is locally stored.