Detection results in a new index

Hi,
Is there a way to save the custom query job results/anomalies in a new index? I think we can do that with ML, but is there a way to do the same with other detection types like Custom query, Threshold, Event Correlation and Indicator Match?

Hey @xahmi ,

Thanks for the question! In your kibana.yml configuration file you can change the index using this key: xpack.securitySolution.signalsIndex. The configuration file is described here: Configure Kibana | Kibana Guide [7.12] | Elastic

If you're running Kibana from source you can put the configuration changes in the kibana.dev.yml file: Running Kibana | Kibana Guide [master] | Elastic

Here's an example:

xpack.securitySolution.signalsIndex: '.my-custom-signals-index'

Jonathan

xpack.securitySolution.signalsIndex only really changes the prefix, though: each new space creates its own signals index based on that signalsIndex name, with the space name appended to the end of the index name.

Also, there have been bugs around this setting: if it doesn't start with .siem-signals, some UI components have in the past relied on it starting with that name. On top of that, the key/value isn't supported directly on cloud instances.

In short, this is mostly a developer switch to help developers out during development, so I would be careful about using this undocumented setting. We might remove it shortly or change its name as well.

Really, the answer is no, we don't officially support a different name at this moment. Doesn't mean we can't support it well in the future, but it's not officially supported today.

Thanks @Frank_Hassanabad , sorry for posting the incorrect information!

Thanks for your responses,
I don't know if I explained it wrong.

I just want to store the anomalies that I found in a separate index.

I mean these anomalies that I found through Detection.

For the signals generated when they see an anomaly, no. All the signals will be in the same index.

The underlying anomaly jobs from ML, which the signals look at to see if they detect something, should already be stored in separate indexes, and those could be re-configured. You can clone ML jobs, change their settings, and have detections look at any of those for a different ML index if you want, though.
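Since the thread concludes that every signal lands in the one shared signals index (prefix plus space name, with xpack.securitySolution.signalsIndex being an unsupported developer switch), the practical way to get a subset of detections into an index of your own is to copy them out with the Elasticsearch _reindex API rather than move them. The script below is an added example written for this page, not code from the thread or from Elastic; it assumes the 7.x default-space index name .siem-signals-default, a destination index name, a rule name, an Elasticsearch URL, and the 7.x signal document layout (signal.rule.name and @timestamp), all of which you should check against a sample document from your own cluster.

```python
"""Copy a subset of Security Solution signals into a separate index.

Added example for this discussion; not the project's own code.  All index
names, the rule name and the Elasticsearch URL below are assumptions.
"""
import base64
import json
import os
import urllib.request
from typing import Any, Dict, List, Optional, Tuple

# Constructed example values (assumptions): adjust to your deployment.
SIGNALS_PREFIX = ".siem-signals"          # the value of xpack.securitySolution.signalsIndex
DEST_INDEX = "custom-signals-copy"
RULE_NAME = "Suspicious PowerShell"       # hypothetical rule name


def space_signals_index(prefix: str, space_id: str) -> str:
    """Name of the per-space signals index, as described in the thread:
    the configured prefix with the space id appended ("-default" etc.)."""
    return f"{prefix}-{space_id}"


def build_reindex_body(source_index: str, dest_index: str,
                       rule_name: Optional[str] = None,
                       since: Optional[str] = None) -> Dict[str, Any]:
    """Build a _reindex request body that copies signals out of the shared
    signals index into a separate index.

    Copying rather than moving keeps the detection UI working, since it
    expects every signal to stay in its own index.  The filter uses the
    7.x signal layout (signal.rule.name, @timestamp); verify this against a
    real document before relying on it.  match_phrase works whether the
    field is mapped as keyword or text.
    """
    filters: List[Dict[str, Any]] = []
    if rule_name is not None:
        filters.append({"match_phrase": {"signal.rule.name": rule_name}})
    if since is not None:
        filters.append({"range": {"@timestamp": {"gte": since}}})
    query: Dict[str, Any] = {"bool": {"filter": filters}} if filters else {"match_all": {}}
    return {
        "conflicts": "proceed",                       # skip docs already copied earlier
        "source": {"index": source_index, "query": query},
        "dest": {"index": dest_index, "op_type": "create"},  # never overwrite a copy
    }


def run_reindex(es_url: str, body: Dict[str, Any],
                auth: Optional[Tuple[str, str]] = None,
                wait: bool = True) -> Dict[str, Any]:
    """POST the body to <es_url>/_reindex and return the parsed JSON reply.

    es_url is an assumption such as "http://localhost:9200"; auth is an
    optional (user, password) pair sent as HTTP basic auth.  With
    wait=False Elasticsearch returns a task id instead of the final counts.
    """
    wait_flag = "true" if wait else "false"
    url = f"{es_url.rstrip('/')}/_reindex?wait_for_completion={wait_flag}&refresh=true"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode("utf-8")).decode("ascii")
        req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Copy the last 7 days of signals from one rule in the default space.
    body = build_reindex_body(space_signals_index(SIGNALS_PREFIX, "default"),
                              DEST_INDEX, rule_name=RULE_NAME, since="now-7d")
    print(json.dumps(body, indent=2))
    es_url = os.environ.get("ES_URL")             # e.g. http://localhost:9200
    if es_url:
        creds = (os.environ.get("ES_USER", ""), os.environ.get("ES_PASS", ""))
        result = run_reindex(es_url, body, auth=creds if creds[0] else None)
        print("created:", result.get("created"), "total:", result.get("total"))
```

Create the destination index with a mapping copied from the signals index before the first run; otherwise Elasticsearch will create it with dynamic mappings and the copied documents may not have the field types the original index had. Re-running the script is safe because op_type create plus conflicts proceed means existing copies are skipped rather than overwritten.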
