Elastic Agent - Indeces

Is it possible to send Elastic Agent data based on the policy applied to it or namespace when deployed via fleet? E.g. Group 1 sensors have data sent to a specfic set of indices specifically for group 2 and the same for group 3 etc. I am trying to separate the data between groups so I can assign Kibana dahsboards / spaces to specific users who are assigned and able to view only a specific group.

Hi @blcyb

It sounds like using a different namespace per Agent group is the answer you want. Changing the namespace is an option per Agent integration policy and namespaces make up a part of the index name where data is written.

If you enable the Elastic Endpoint Security integration beware there is a bug that will prevent the Endpoint from appearing in the Administration list in the Security App if the namespace is changed. The github issue tracking this bug is https://github.com/elastic/kibana/issues/86237 We hope to fix it soon.

Hi @ferullo

Thanks for your reply. I gave it a try and while this does help it doesn't quite work for our use case.

What would be better is if you could assign groups to elastic agents and subsequently use document level security to restrict viewing of both detections and events based on a group.

Thanks!