Clarification on Rules execution

Hi @abubacker, thanks for the question and using Elastic Security!

Spaces is a Kibana feature. Elasticsearch doesn't know anything about spaces. It just stores Kibana's data, like installed rules per space, and source event data.

While rules could be installed in each space individually, a rule's index pattern doesn't depend on the space by default. It means that rules will read the same source data from the specified index patterns. For example, having a prebuilt rule installed in different spaces and enabled with the logs-* index pattern, we'll get the same generated alerts, since it will read the same source data. You might check out a similar question on how to split source data and rules per space.

Permissions are handled by Elasticsearch per user. Space information doesn't take any action in that.

Same scenario for ML jobs?

It works the same way for ML jobs.