Where does the SIEM saved objects reside?

hi
I was looking into to find

  1. Which all index-patterns SIEM app looks by default? How to modify this to include more indices?
  2. Where are the saved-objects reside? I was trying to find the objects as per the example doc, but some of them are not working.

I don't know the answer to 2., but for 1., you can change what indexes the SIEM app looks for in the Kibana Advanced Settings (Under the Stack Management section in 7.8), in the SIEM section. The defaults it shows are:

"apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, packetbeat-*, winlogbeat-*"

1 Like

@brian_m cheers for the advanced settings and upvoted.

Will wait to see where the "saved-objects" reside too before I mark it as the solution

Hi @kelk. Do you mean where do your detections saved objects live? You can use those queries in the example doc to query for your signals index, curl -X GET \ https://yourkibanainstance.com/api/detection_engine/index \ + credentials. Signal indices are created for each Kibana space. The naming convention is: .siem-signals-<space name> . For the default space, the signals index is named .siem-signals-default .

If you're looking for the output of signals and data, that example doc is the CURL you can use and you will get your data back from the siem signals index. The rules themselves are stored as a layer on top of saved objects. You can get to those using the detections API curl command but they're ultimately stored in the .kibana index in case you are just trying to understand saved object.