I don't know the answer to 2., but for 1., you can change what indexes the SIEM app looks for in the Kibana Advanced Settings (Under the Stack Management section in 7.8), in the SIEM section. The defaults it shows are:
Hi @kelk. Do you mean where do your detections saved objects live? You can use those queries in the example doc to query for your signals index, curl -X GET https://yourkibanainstance.com/api/detection_engine/index + credentials. Signal indices are created for each Kibana space. The naming convention is: .siem-signals-<space name>. For the default space, the signals index is named .siem-signals-default.
If you're looking for the output of signals and data, that example doc is the curl you can use and you will get your data back from the siem signals index. The rules themselves are stored as a layer on top of saved objects. You can get to those using the detections API curl command, but they're ultimately stored in the .kibana index in case you are just trying to understand saved objects.
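As an added example (not code from the thread or from Elastic), here is a small Python helper that derives the per-space signals index name from the convention above, calls the detection engine index endpoint and checks the two agree. It assumes Kibana's /s/<space> URL prefix for non-default spaces and a response body of the form {"name": ".siem-signals-..."}; the transport is injectable so the check runs offline against a constructed response.

```python
import json
from urllib.request import Request, urlopen


def signals_index_for_space(space: str) -> str:
    """Signals index name following the .siem-signals-<space> convention."""
    return f".siem-signals-{space}"


def detection_index_url(kibana_base: str, space: str = "default") -> str:
    """Endpoint URL; assumption: non-default spaces use Kibana's /s/<space> prefix."""
    base = kibana_base.rstrip("/")
    if space != "default":
        base = f"{base}/s/{space}"
    return f"{base}/api/detection_engine/index"


def fetch_signals_index(kibana_base, space, auth_header, transport=None):
    """GET the endpoint and verify the returned name matches the convention.

    transport(request) -> bytes lets a caller substitute a fake for offline use.
    """
    req = Request(detection_index_url(kibana_base, space), method="GET")
    req.add_header("kbn-xsrf", "true")  # Kibana API header; harmless on GET
    req.add_header("Authorization", auth_header)  # e.g. "Basic <base64 creds>"
    send = transport or (lambda r: urlopen(r).read())
    body = json.loads(send(req))
    name = body.get("name")  # assumed response shape: {"name": ".siem-signals-<space>"}
    expected = signals_index_for_space(space)
    if name != expected:
        raise ValueError(f"unexpected signals index {name!r}, expected {expected!r}")
    return name


def _fake_transport(req):
    """Constructed stand-in for Kibana: answers with the index for the requested space."""
    url = req.full_url
    space = url.split("/s/")[1].split("/")[0] if "/s/" in url else "default"
    return json.dumps({"name": f".siem-signals-{space}"}).encode()


if __name__ == "__main__":
    # Placeholder credentials; replace with a real Authorization header value.
    print(fetch_signals_index("https://kibana.example", "default",
                              "Basic <base64 creds>", _fake_transport))
```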