Clarification on Rules execution

I need clarification on the following scenario regarding Elastic:

We have three spaces configured:

  1. In Space 1, a rule was enabled by a user with admin privileges.
  2. In Space 2, a rule was enabled by a custom user who only has access to Space 2.
  3. In Space 3, a rule was enabled by User 3, who has access to both Space 2 and Space 3.

All the rules are configured to run on indices that follow the pattern log-*. My concern is about how Elasticsearch handles this, given the index permissions and space access:

  • User 2 does not have access to the other spaces, and the index

  • The rule enabled by the admin user in Space 1 should technically have access to all indices, but how are the index access permissions managed across different spaces?

Could you clarify how Elasticsearch handles index permissions and rule execution across multiple spaces with different user privileges?

Please share the Elastic documentation related to this.

Same scenario for ML jobs?

Hi @abubacker, thanks for the question and using Elastic Security!

Spaces is a Kibana feature. Elasticsearch doesn't know anything about spaces. It just stores Kibana's data, like the rules installed per space, and the source event data.

While rules can be installed in each space individually, a rule's index pattern doesn't depend on the space by default. It means that rules will read the same source data from the specified index patterns. For example, with a prebuilt rule installed in different spaces and enabled with the logs-* index pattern, we'll get the same generated alerts since it will read the same source data. You might check out a similar question on how to split source data and rules per space.

Permissions are handled by Elasticsearch per user. Space information doesn't take any action in that.

Same scenario for ML jobs?

It works the same way for ML jobs.
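As an added illustration of the point above (this is an example role definition, not configuration from the original thread or from Elastic's documentation), here is a Kibana role body in the shape accepted by PUT /api/security/role/<role-name>. The role name, the space id "space-2" and the choice of the "siem" (Security) feature are assumptions for the example; the logs-* index pattern is the one discussed in the thread. The index privileges live in the "elasticsearch" section, which has no notion of spaces, while the "kibana" section only decides in which spaces the user can open Security and enable rules.

```json
{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      {
        "names": ["logs-*"],
        "privileges": ["read", "view_index_metadata"]
      }
    ]
  },
  "kibana": [
    {
      "base": [],
      "feature": {
        "siem": ["all"]
      },
      "spaces": ["space-2"]
    }
  ]
}
```

A rule enabled by a user with this role can only read what the "elasticsearch.indices" entry grants, regardless of which space the rule lives in; restricting "spaces" to "space-2" stops the user from managing rules elsewhere but does not narrow the data the rule reads. To check what a given user can actually read, the Elasticsearch has-privileges API (GET /_security/user/_has_privileges with an "index" block naming logs-* and the "read" privilege) answers per user, with no space involved, which matches the explanation above.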
