Hello everybody,
we use Elasticsearch as our SIEM/SOC solution for different customers.
Our environment is based on ECK, and to avoid mixing data between our customers, we have a separate one for each customer.
Our SIEM ruleset is integrated in a separate cluster, which remotes into all customer clusters for detection.
Right now, we use a mixture of Beats and Logstash depending on the different types of logs.
We want to migrate our current Beats to the Elastic Agent and not only use it as a newer replica of Beats but also use integrations like Elastic Defend for further remediation possibilities.
As of now, we have a testing scenario consisting of a Fleet Server on our SOC cluster with output settings pointing to the different customers' Logstash instances.
This ingests data from the Elastic Defend integration into the respective customer clusters.
We've set the Endpoint Security rule to throw alerts for anything suspicious the integration finds.
However, we can't use the Defend console in Elastic Security that way, as it doesn't recognize the already existing agents.
The same problem exists with the agent logs and metrics, which currently go to the customer clusters as well.
Our SOC analysts currently only have access to the SOC cluster and not to the respective customer clusters.
We would love for them to be able to use the Defend integration on our SOC cluster without needing to change our current structure of strictly not mixing different customers' logs.
Is there any way to achieve this?
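As an added illustration (not part of the original post or of any Elastic project code), here is what one of the per-customer Logstash pipelines described above could look like: the Elastic Agent output lands on a Logstash instance dedicated to one customer, which forwards it to that customer's cluster only. The customer name, port, hostnames, certificate paths, tenant label and keystore variable are placeholders, and the option names assume a Logstash 8.x plugin set (the elastic_agent input and the elasticsearch output with data stream support).

```logstash
# Hypothetical pipeline for ONE customer ("customer-a"); one Logstash instance/pipeline per customer,
# matching the one-cluster-per-customer setup in the post. All names and paths are placeholders.
input {
  elastic_agent {
    port => 5044
    ssl_enabled => true
    # CA that issued the agent-side client certificates (assumed to be the Fleet CA in this example)
    ssl_certificate_authorities => ["/etc/logstash/certs/fleet-ca.crt"]
    ssl_certificate => "/etc/logstash/certs/logstash-customer-a.crt"
    ssl_key => "/etc/logstash/certs/logstash-customer-a.pkcs8.key"   # key must be PKCS#8
    # Require a client certificate so only enrolled agents can push into this tenant's pipeline
    ssl_client_authentication => "required"
  }
}

filter {
  # Stamp the tenant on every event so a misrouted document is recognizable in whichever index it reaches
  mutate { add_field => { "[labels][tenant]" => "customer-a" } }
}

output {
  elasticsearch {
    # Only this customer's cluster is configured here; there is no conditional output to any other tenant
    hosts => ["https://es-customer-a.internal:9200"]
    api_key => "${CUSTOMER_A_LOGSTASH_API_KEY}"   # "id:key" value read from the Logstash keystore
    data_stream => "true"                          # honor data_stream.{type,dataset,namespace} from the Agent
    ssl_enabled => true
    ssl_certificate_authorities => ["/etc/logstash/certs/customer-a-ca.crt"]
  }
}
```

The point of the layout is that tenant separation is enforced by deployment (a distinct listener and a single hard-coded destination per pipeline) rather than by a routing condition inside a shared pipeline, so a filter bug cannot send one customer's events to another customer's cluster. The API key used by the output should be scoped to write access on the data streams the Agent integrations produce for that customer only.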