kibana/config/serverless.security.yml

# Security Project config

# Make sure the plugins belonging to this project type are loaded
plugins.allowlistPluginGroups: ['platform', 'security']

# Ess plugins
xpack.securitySolutionEss.enabled: false

## Disable plugins
xpack.observabilityAIAssistant.enabled: false

## Fine-tune the security solution feature privileges. Also, refer to `serverless.yml` for the project-agnostic overrides.
xpack.features.overrides:
  ### The following features are hidden in Role management since they're automatically granted by SIEM feature.
  discover.hidden: true
  discover_v2.hidden: true
  dashboard.hidden: true
  dashboard_v2.hidden: true
  visualize.hidden: true
  visualize_v2.hidden: true
  maps.hidden: true
  maps_v2.hidden: true
  ### Machine Learning feature is moved from Analytics category to the Security one as the last item.
  ml:
    category: "security"
    order: 1101
  ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
  siemV2:
    privileges:
      ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
      ### Visualize features.
      all.composedOf:
        - feature: "discover_v2"
          privileges: [ "all" ]
        - feature: "dashboard_v2"
          privileges: [ "all" ]
        - feature: "visualize_v2"
          privileges: [ "all" ]
        - feature: "maps_v2"
          privileges: [ "all" ]
      # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
      # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
      ### Dashboard, and Visualize apps.
      read.composedOf:
        - feature: "discover_v2"
          privileges: [ "read" ]
        - feature: "dashboard_v2"
          privileges: [ "read" ]
        - feature: "visualize_v2"
          privileges: [ "read" ]
        - feature: "maps_v2"
          privileges: [ "read" ]

  ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
  siem:
    privileges:
      ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
      ### Visualize features.
      all.composedOf:
        - feature: "discover_v2"
          privileges: [ "all" ]
        - feature: "dashboard_v2"
          privileges: [ "all" ]
        - feature: "visualize_v2"
          privileges: [ "all" ]
        - feature: "maps_v2"
          privileges: [ "all" ]
        - feature: "savedQueryManagement"
          privileges: [ "all" ]
      # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
      # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
      ### Dashboard, and Visualize apps.
      read.composedOf:
        - feature: "discover_v2"
          privileges: [ "read" ]
        - feature: "dashboard_v2"
          privileges: [ "read" ]
        - feature: "visualize_v2"
          privileges: [ "read" ]
        - feature: "maps_v2"
          privileges: [ "read" ]
        - feature: "savedQueryManagement"
          privileges: [ "read" ]

## Cloud settings
xpack.cloud.serverless.project_type: security

## Enable the Security Solution Serverless plugin
xpack.securitySolutionServerless.enabled: true
xpack.securitySolutionServerless.productTypes:
  [
    { product_line: 'security', product_tier: 'complete' },
    { product_line: 'endpoint', product_tier: 'complete' },
    { product_line: 'cloud', product_tier: 'complete' },
  ]

xpack.securitySolution.offeringSettings: {
  ILMEnabled: false, # Index Lifecycle Management (ILM) functionalities disabled, not supported by serverless Elasticsearch
}

newsfeed.enabled: true

## Set the home route
uiSettings.overrides.defaultRoute: /app/security/get_started

# Specify in telemetry the project type
telemetry.labels.serverless: security

# Fleet specific configuration
xpack.fleet.internal.registry.capabilities: ['security']
xpack.fleet.internal.registry.spec.min: '3.0'
xpack.fleet.internal.registry.spec.max: '3.3'
xpack.fleet.internal.registry.kibanaVersionCheckEnabled: false
xpack.fleet.internal.registry.excludePackages: [
    # Oblt integrations
    'apm',
    'synthetics',
    'synthetics_dashboards',

    # Deprecated security integrations
    'bluecoat',
    'cisco',
    'cyberark',
    'cylance',
    'f5',
    'fortinet_forticlient',
    'juniper_junos',
    'juniper_netscreen',
    'microsoft',
    'netscout',
    'radware',
    'symantec',
    'tomcat',

    # ML integrations
    'dga',

    # Unsupported in serverless
    'cloud_defend',
  ]
# fleet_server package installed to publish agent metrics
xpack.fleet.packages:
  - name: fleet_server
    version: latest

xpack.ml.ad.enabled: true
xpack.ml.dfa.enabled: true
xpack.ml.nlp:
  enabled: true
  modelDeployment:
    allowStaticAllocations: false
    vCPURange:
      low:
        min: 0
        max: 2
      medium:
        min: 1
        max: 32
      high:
        min: 1
        max: 128
xpack.ml.compatibleModuleType: 'security'

# Disable the embedded Dev Console
console.ui.embeddedEnabled: false

# Enable project level rentention checks in DSL form from Index Management UI
xpack.index_management.enableProjectLevelRetentionChecks: true

# Increase task manager capacity because security projects have more resources (Memory and CPU)
xpack.task_manager.capacity: 20

## Enable uiSettings validations
xpack.securitySolution.enableUiSettingsValidations: true

# Alerting and action circuit breakers
xpack.alerting.rules.run.ruleTypeOverrides:
  - id: siem.indicatorRule
    timeout: 10m
  - id: siem.eqlRule
    timeout: 5m
  - id: attack-discovery
    timeout: 10m