SIEM detection engine is not getting started

I have installed the stack on AWS; all three (Elastic, Logstash, Kibana) components are on different instances. The stack is running all good and functioning in an expected way.

The problem is, I am unable to enable the detection engine. When I go to the detections page with the superuser (elastic) I see the message shown in the attached screenshot. However, I followed all the steps provided in the documentation (https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html#detections-permissions) and created a new user with all the mentioned privileges, but the message remains the same.


Hey there @ankitdevnalkar !

What version of the stack are you running on? I see the link you added in your post points to 7.8 documentation. Wanted to double check as some new features were added in 7.9 and detection permissions changed up a bit.

If you are on 7.9, could you try running through the steps described here and let us know if that works for you?

Best,
Yara

Hey @yctercero,

I am using 7.9 and I did all the configuration described in the documentation (https://www.elastic.co/guide/en/security/current/detections-permissions-section.html). I am attaching a screenshot of my configuration.

Note: I couldn't find these indices, `.siem-signal-*`, `.lists-*`, `.items-*`, therefore I added ones which were similar to those.

Hi,
This solution is a kind of workaround, but could you try adding all indices? Just put `*` in the indices section and see if it works.

@borna_talebi I tried that but no luck. I believe I should be able to enable this feature from the superuser (elastic) because this user has all the rights to manage/modify anything. Not sure why it's not happening.

Could you try adding `.lists-*` and `.items-*` in place of what you have there for them right now?

I am getting the following error when I add `.lists-*` and `.items-*`:

Hmm ok, you seem to be running into issues with the creation and access of the signals index. I know you've likely already run through these things a number of times, but just to confirm:

  • HTTPS is configured

  • In elasticsearch.yml, the following is set to true, xpack.security.enabled

  • In kibana.yml, xpack.encryptedSavedObjects.encryptionKey is set to any alphanumeric value of 32+ characters

  • Your Kibana space has All privileges

  • Try adding create, create_doc, write, index, all, create_index privileges for .siem-signals-*

  • HTTPS is configured: no, I have not configured it. I am running on http, as I couldn't find it in any documentation that HTTPS is necessary.
  • In elasticsearch.yml, the following is set to true, xpack.security.enabled: yes, this is done.
  • Your Kibana space has All privileges: yes.
  • Try adding create, create_doc, write, index, all, create_index privileges for .siem-signals-*: I will do it.

Hi @ankitdevnalkar,

  • HTTPS is configured: no, I have not configured it. I am running on http, as I couldn't find it in any documentation that HTTPS is necessary.

Yeah, HTTPS communication between Elasticsearch and Kibana is required in order to ensure the secure operation of the detection engine.

I'm wondering if the documentation is confusing with its use of "on-premises"? You mention that you're running your Stack in AWS, but since you are managing your own stack, it needs to meet these prerequisites and requirements.

This blog contains a nice 7-minute video that describes how to enable HTTPS between Elasticsearch and Kibana. Note: the video was created on an older version of the Stack, but I found it helpful to understand what needs to be done.

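The prerequisites raised in this thread (security enabled in elasticsearch.yml, a 32+ character encryption key in kibana.yml, HTTPS between Kibana and Elasticsearch, and the index privileges on `.siem-signals-*`) can be checked mechanically before opening the detections page. The script below is an added example and not part of the thread or of Elastic's tooling; it uses constructed config fragments that reproduce the weak settings described above, a minimal flat `key: value` parser instead of PyYAML, and assumes a role document in the `indices`/`names`/`privileges` shape that Elasticsearch's role API returns.

```python
import re

# Constructed sample configs: the weak values mirror the thread's symptoms.
ES_YML = """\
cluster.name: siem-demo
xpack.security.enabled: true
"""
KIBANA_YML = """\
elasticsearch.hosts: ["http://10.0.0.5:9200"]
xpack.encryptedSavedObjects.encryptionKey: "tooshort"
"""
# Hypothetical role document (shape assumed from GET _security/role/<name>).
ROLE = {"indices": [
    {"names": [".siem-signals-*"], "privileges": ["read", "view_index_metadata"]},
    {"names": [".lists-*", ".items-*"], "privileges": ["manage", "read", "write"]},
]}
REQUIRED_SIGNALS = {"create", "create_doc", "write", "index", "create_index"}

def parse_flat_yaml(text):
    """Parse top-level `key: value` lines; strips surrounding quotes."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"^([\w.]+):\s*(.*?)\s*$", line)
        if m:
            out[m.group(1)] = m.group(2).strip("\"'")
    return out

def index_privileges(role, pattern):
    """Union of privileges the role grants on one index pattern."""
    privs = set()
    for entry in role.get("indices", []):
        if pattern in entry["names"]:
            privs.update(entry["privileges"])
    return privs

def check_prerequisites(es_yml, kibana_yml, role):
    """Return a name -> bool map for each detection-engine prerequisite."""
    es, kb = parse_flat_yaml(es_yml), parse_flat_yaml(kibana_yml)
    key = kb.get("xpack.encryptedSavedObjects.encryptionKey", "")
    signals = index_privileges(role, ".siem-signals-*")
    return {
        "security_enabled": es.get("xpack.security.enabled") == "true",
        "https_to_es": "http://" not in kb.get("elasticsearch.hosts", "http://"),
        "encryption_key_ok": len(key) >= 32,
        "signals_privs_ok": "all" in signals or REQUIRED_SIGNALS <= signals,
    }

if __name__ == "__main__":
    for name, ok in check_prerequisites(ES_YML, KIBANA_YML, ROLE).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}")
```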

Hey @ankitdevnalkar!

Just wanted to check in to see if you were able to resolve the issue? Curious if it was in fact the HTTPS configuration.