Creating MSSP setup for lab (no license)

Hi There!!
I was just tasked with making a lab MSSP setup without a cluster
(we will have 4 users)
Users:

  1. CustA - Windows logs and only alerts of Windows (can only see this)
  2. CustB - Linux logs and its alerts
  3. superuser/admin - can see or do anything
  4. SOC L1 - can see only alerts related to both CustA & CustB

So without a license I was able to make it by making custom roles for CustA & CustB (then created a separate space for them).
After that, for SOC L1 I made a role with access to the security alerts of CustA & the security alerts of CustB (also gave both list & items for both) & assigned the spaces of CustA & CustB to SOC L1.

Everything is working fine, but the main task was that the SOC L1 should be able to see all alerts in one place (not switching spaces).

So I researched and found that it could be done easily by not creating multiple spaces and using DLS (Document Level Security). So I will be able to do that, but the problem is I don't have a license and can't get one. Later I tried it on the 15-day free license on Elastic Cloud, but on that you can't switch users or give custom roles to users. Then I tried it on the demo portal, but same thing: can't switch users or make changes to the default users (you can change the roles, but it decreases the privileges so much that the whole demo was just stuck, as Stack Management can't be given in that role, so there is no coming back from that).

I also know that if we have spaces, alert segregation can be done, but if there is only 1 space then DLS is required.

So if anyone has any workarounds, please help. Also tell me if I can get a dev license for free (for self-managed).

Hello,

It is a little confusing to understand exactly what you want to do and what is the relation with Document Level Security.

Document level security is used to define which roles can see which documents; it is not clear how this would help you achieve the task of your SOC L1 seeing all alerts from one place.

Also, why have a cluster for windows and a cluster for linux? It makes management way more complex.

You can see the data from the alerts in one place using cross cluster search, but you cannot manage the alerts from one single place, you would need to manage the alerts in each cluster.

Check this similar post where this is also discussed.

You can use a trial license for up to 30 days.
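As an added illustration (not code from either poster), here is what the single-space, DLS-based variant discussed above would look like as Kibana role bodies, with a small local emulation of the DLS filter over constructed sample alerts. It assumes one "default" space, the default-space security alert index, and alert documents carrying the ECS field host.os.type; DLS itself needs a Platinum/Enterprise or trial license.

```python
import json

# Assumptions (constructed for this example): one Kibana space ("default"),
# security alerts stored in the default-space alert index, and alert documents
# carrying the ECS field host.os.type ("windows" / "linux").
ALERT_INDEX = ".alerts-security.alerts-default"


def alert_role(os_type=None):
    """Body for the Kibana role API (PUT /api/security/role/<name>).

    os_type=None yields an unfiltered reader (SOC L1); a value attaches a DLS
    query so the role only sees alerts for that operating system.
    """
    index_priv = {"names": [ALERT_INDEX], "privileges": ["read", "view_index_metadata"]}
    if os_type is not None:
        index_priv["query"] = {"term": {"host.os.type": os_type}}
    return {
        "elasticsearch": {"cluster": [], "indices": [index_priv]},
        # Read-only access to the Security app in the single space.
        "kibana": [{"base": [], "feature": {"siem": ["read"]}, "spaces": ["default"]}],
    }


ROLES = {
    "cust_a_reader": alert_role("windows"),
    "cust_b_reader": alert_role("linux"),
    "soc_l1_reader": alert_role(),  # both customers, one place, no space switching
}

# Constructed sample alert documents (only the fields the filter needs).
SAMPLE_ALERTS = [
    {"kibana.alert.rule.name": "Suspicious PowerShell", "host.os.type": "windows"},
    {"kibana.alert.rule.name": "SSH brute force", "host.os.type": "linux"},
    {"kibana.alert.rule.name": "New local admin", "host.os.type": "windows"},
]


def visible_alerts(role, alerts):
    """Emulate the DLS term filter locally to show which alerts each role sees."""
    query = role["elasticsearch"]["indices"][0].get("query")
    if query is None:
        return [a["kibana.alert.rule.name"] for a in alerts]
    (field, value), = query["term"].items()
    return [a["kibana.alert.rule.name"] for a in alerts if a.get(field) == value]


if __name__ == "__main__":
    for name, role in ROLES.items():
        print(name, "->", visible_alerts(role, SAMPLE_ALERTS))
        print(json.dumps(role))
```

The printed role bodies are what you would send to the Kibana role API; the emulation only covers the single term filter used here, the real filter is applied by Elasticsearch at query time.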