hi
I was looking into to find
I don't know the answer to 2., but for 1., you can change what indexes the SIEM app looks for in the Kibana Advanced Settings (Under the Stack Management section in 7.8), in the SIEM section. The defaults it shows are:
"apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*"
@brian_m cheers for the advanced settings and upvoted.
Will wait to see where the "saved-objects" reside too before I mark it as the solution
Hi @kelk. Do you mean where do your detections saved objects live? You can use those queries in the example doc to query for your signals index, curl -X GET \ https://yourkibanainstance.com/api/detection_engine/index \ + credentials. Signal indices are created for each Kibana space. The naming convention is: .siem-signals-<space name> . For the default space, the signals index is named .siem-signals-default .
If you're looking for the output of signals and data, that example doc is the CURL you can use and you will get your data back from the siem signals index. The rules themselves are stored as a layer on top of saved objects. You can get to those using the detections API curl command but they're ultimately stored in the .kibana index in case you are just trying to understand saved object.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.