As far as I can tell, the SIEM app, and in particular the built-in detection rules, does not support cross-cluster search? Is there any way to configure a CCS cluster/Kibana instance such that the CCS Kibana instance runs the detection rules, shows the signals and enables the SIEM workflow?
You can clone the built-in rules and then change their patterns for CCS.
It's the same pattern for detections and for setting up your indexes in advanced settings, where you use the pattern: <cluster-names>:<pattern>
You can use '*' as well:
The default rules cannot make many assumptions about how you have your CCS set up, so your best bet is to copy/clone the rules you are using and then configure their index patterns to match your CCS setup.
Yes, I've considered that, but of course it's a chunk of manual work that will need to be repeated every single time the stack is upgraded. So it's a very poor experience, unfortunately.
Are there plans to improve this, do you know? The default rules don't need to specify the exact index they use; that could be extracted out of the rule and replaced with configuration options instead.
Thanks for the reply, if you think of anything else, please let me know.
