Hi all,
I think it is not needed to change each detection rule for each tenant to the tenant-specific index patterns.
I played around some with the multi-tenancy options. I discovered that when you create a rule with a user which has only access to specific tenant indices, it queries (signals) only on those indices. So:
- Create a Kibana Space for the tenant, let's say 'companyA'
- Create a user with a role which has:
o Cluster privileges: manage
o Index privileges: indices: *companyA*, privileges: all
o Kibana: for the space 'companyA' all privileges except for the ingest manager
- Add to all index names the space-id after the indices, so for beats:
%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}-companyA
Now log in with the tenant user and load the pre-built rules or create one. The rules will only query the indices where the rule creator has access to.
But watch out when you log in with a superuser / administrator which has access to all indices. If you create a rule for a tenant, you are the creator of the rule and so the rule will query all indices. Then it is possible that you have a signal for companyB in .siem-signals-companyA. So only add rules with a user which has only access to the tenant indices.
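As an added example (not part of the post above), the following Python builds the per-tenant role body in the shape accepted by Kibana's role API and then checks, offline, which index names the role's `*companyA*` index privilege actually covers. The index names are constructed samples; the Kibana feature ids are version-dependent, so that part of the body is left as a labelled placeholder. The check also shows the caveat from the post in reverse: a principal whose index privileges match `*` covers every tenant's indices, and a bare `*companyA*` glob also matches a hypothetical tenant named `companyAB`, which is worth knowing before choosing tenant ids.

```python
import json
import re

# Constructed sample index names: beats indices with the space id as suffix
# (as in the post), the per-space signals indices, and one index with no suffix.
SAMPLE_INDICES = [
    "filebeat-7.9.0-2020.10.01-companyA",
    "winlogbeat-7.9.0-2020.10.01-companyA",
    ".siem-signals-companyA",
    "filebeat-7.9.0-2020.10.01-companyB",
    ".siem-signals-companyB",
    "filebeat-7.9.0-2020.10.01-companyAB",  # a tenant id that merely contains "companyA"
    "filebeat-7.9.0-2020.10.01",            # no tenant suffix at all
]


def tenant_role(tenant: str) -> dict:
    """Role body for PUT /api/security/role/<name> on Kibana, following the post:
    cluster 'manage', all privileges on *<tenant>*, and Kibana access limited
    to the tenant's own space."""
    return {
        "elasticsearch": {
            "cluster": ["manage"],
            "indices": [{"names": [f"*{tenant}*"], "privileges": ["all"]}],
        },
        "kibana": [
            {
                "spaces": [tenant],
                # The post grants every Kibana feature except ingest manager.
                # Feature ids differ between Kibana versions, so the per-feature
                # map is a placeholder here (assumption, fill in for your version).
                "feature": {"FEATURE_ID_PLACEHOLDER": ["all"]},
            }
        ],
    }


def superuser_like_role() -> dict:
    """Minimal stand-in for an administrator whose index privileges match everything."""
    return {"elasticsearch": {"cluster": ["all"],
                              "indices": [{"names": ["*"], "privileges": ["all"]}]}}


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Elasticsearch index-privilege names only use '*' as a wildcard."""
    return re.compile("^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$")


def covered_indices(role: dict, indices: list) -> list:
    """Index names from `indices` that at least one of the role's patterns matches."""
    regexes = [pattern_to_regex(name)
               for entry in role["elasticsearch"]["indices"]
               for name in entry["names"]]
    return sorted(i for i in indices if any(r.match(i) for r in regexes))


def leaked_indices(role: dict, tenant: str, indices: list) -> list:
    """Covered indices that do not carry the tenant's own '-<tenant>' suffix,
    i.e. data the role can read although it belongs to someone else."""
    return [i for i in covered_indices(role, indices) if not i.endswith(f"-{tenant}")]


if __name__ == "__main__":
    role = tenant_role("companyA")
    print(json.dumps(role, indent=2))
    print("companyA role covers:", covered_indices(role, SAMPLE_INDICES))
    print("not companyA's own:", leaked_indices(role, "companyA", SAMPLE_INDICES))
    print("admin-like role covers:", covered_indices(superuser_like_role(), SAMPLE_INDICES))
```

Running it prints the role body, the four indices the `companyA` role can read (its three own indices plus the `companyAB` one the glob also matches), and all seven for the administrator-like role, which is exactly why a rule created while logged in as that user queries every tenant's data.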