Detections will not set up

Hello,

I have a problem setting up detections in SIEM. I always get the message "Let's set up your detection engine."

I have logged in as a superuser.
I cannot see the .siem-signals index.

I have checked the roles: I have the API management role and access to the SIEM space with create rights.

Hi @xennn,

So it sounds like you are using an on-prem install? Our cloud-based one is the simplest setup for trying out the detection engine if you're just getting started and want to play with it, as it doesn't really require much setup to be honest. [1]

However, if you want to set up and run on prem, following this set of steps is the simplest:
https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html#detections-permissions

If you have already followed those steps but are still getting the same screen and just want more in-depth troubleshooting, because maybe you have a really involved, large custom on-prem setup and you're one of those in-depth geeky type of people :wink:, you can open your dev tools from Chrome and look for this in your network tab [2]:

You can then see which part of the troubleshooting guide is still not satisfied. There have been some rare reports of large on-prem installations or corner cases involving reverse proxies that have been preventing the detection engine from running, but those have been few and far between. Most of the time it's just something missing from the checklist listed on our website.

[1] https://www.elastic.co/elasticsearch/service
[2] https://developers.google.com/web/tools/chrome-devtools/open

Hello Frank,

Thank you for your feedback. This is really helpful for checking / debugging the permissions.
You are right, I have an Elastic on-prem setup as a cluster. It's for my company.
I have checked what you told me, but the permissions look good. But I noticed the encryption key part. I have one in my config, but I will check it again.
Thank you very much!

It works now. In kibana.yml I had forgotten
xpack.encryptedSavedObjects.encryptionKey:
I already had
xpack.security.encryptionKey:

Thank you!
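Since the thread's root cause was one of the two Kibana encryption keys being absent, the following script is an added example (not code from the thread or from Elastic) that checks a kibana.yml for both xpack.security.encryptionKey and xpack.encryptedSavedObjects.encryptionKey and reports any that are missing or shorter than the 32-character minimum Kibana documents for these settings. The function names, the sample kibana.yml contents and the sample key values are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: check a kibana.yml for the two encryption
# keys the thread mentions and report any that are missing or shorter than the
# 32-character minimum Kibana documents for these settings.

# Print the value of a top-level "key: value" line from a YAML file, with
# surrounding quotes and trailing whitespace stripped. Prints nothing if absent.
# Commented-out lines (leading '#') deliberately do not match.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 \
    | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Inspect both keys. Diagnostics go to stderr; the number of problems found
# goes to stdout so callers can capture it with $(...).
kibana_key_problems() {
  file="$1"
  problems=0
  for key in xpack.security.encryptionKey xpack.encryptedSavedObjects.encryptionKey; do
    val=$(yaml_value "$file" "$key")
    if [ -z "$val" ]; then
      echo "MISSING: $key" >&2
      problems=$((problems + 1))
    elif [ "${#val}" -lt 32 ]; then
      echo "TOO SHORT (${#val} chars, need at least 32): $key" >&2
      problems=$((problems + 1))
    else
      echo "ok: $key" >&2
    fi
  done
  echo "$problems"
}

# Constructed sample mirroring the thread: the security key is present, the
# saved-objects key is missing. The key value is a placeholder, not a real key.
SAMPLE_YML=$(mktemp)
cat > "$SAMPLE_YML" <<'EOF'
server.host: "0.0.0.0"
xpack.security.encryptionKey: "0123456789abcdef0123456789abcdef"
EOF

kibana_key_problems "$SAMPLE_YML"   # prints 1 (the saved-objects key is missing)
rm -f "$SAMPLE_YML"
```

Run it against the real file with `kibana_key_problems /etc/kibana/kibana.yml` after sourcing the script; a non-zero count means the detection engine's encryption-key check, which the thread's troubleshooting guide lists, will still fail.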

YEA!

What an awesome Friday treat. Thanks for letting me know this solved it. Nothing makes me happier.

Happy detecting!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.