mirror of
https://github.com/elastic/kibana.git
synced 2025-06-27 18:51:07 -04:00
5adeebab61
# Overview This pull request enables the Security Entity Analytics Privileged user monitoring feature. This feature has many accompanying PRs, that have until now been kept behind an experimental feature flag. The feature is currently slated to ship as a Technical Preview. Instead of removing the feature flag, we will be allowing for a "disabled" version of the experimental flag, which allows this feature to remain disabled in Serverless, until fully tested during the 9.1 release cycle. Disabling in Serverless is accomplished via setting the configuration to disabled in the `config/serverless.security.yml` file. --------- Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>
213 lines
6.8 KiB
YAML
213 lines
6.8 KiB
YAML
# Security Project config
|
|
|
|
# Make sure the plugins belonging to this project type are loaded
|
|
plugins.allowlistPluginGroups: ['platform', 'security']
|
|
|
|
# Ess plugins
|
|
xpack.securitySolutionEss.enabled: false
|
|
|
|
## Disable plugins
|
|
xpack.observabilityAIAssistant.enabled: false
|
|
|
|
## Fine-tune the security solution feature privileges. Also, refer to `serverless.yml` for the project-agnostic overrides.
|
|
xpack.features.overrides:
|
|
### The following features are hidden in Role management since they're automatically granted by SIEM feature.
|
|
discover.hidden: true
|
|
discover_v2.hidden: true
|
|
dashboard.hidden: true
|
|
dashboard_v2.hidden: true
|
|
visualize.hidden: true
|
|
visualize_v2.hidden: true
|
|
maps.hidden: true
|
|
maps_v2.hidden: true
|
|
### Machine Learning feature is moved from Analytics category to the Security one as the last item.
|
|
ml:
|
|
category: "security"
|
|
order: 1101
|
|
### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
|
|
siemV3:
|
|
privileges:
|
|
### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
|
|
### Visualize features.
|
|
all.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "all" ]
|
|
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
|
|
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
|
|
### Dashboard, and Visualize apps.
|
|
read.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "read" ]
|
|
|
|
### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
|
|
siemV2:
|
|
privileges:
|
|
### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
|
|
### Visualize features.
|
|
all.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "all" ]
|
|
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
|
|
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
|
|
### Dashboard, and Visualize apps.
|
|
read.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "read" ]
|
|
|
|
### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.
|
|
siem:
|
|
privileges:
|
|
### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and
|
|
### Visualize features.
|
|
all.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "all" ]
|
|
- feature: "savedQueryManagement"
|
|
privileges: [ "all" ]
|
|
# Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and
|
|
# Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover,
|
|
### Dashboard, and Visualize apps.
|
|
read.composedOf:
|
|
- feature: "discover_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "dashboard_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "visualize_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "maps_v2"
|
|
privileges: [ "read" ]
|
|
- feature: "savedQueryManagement"
|
|
privileges: [ "read" ]
|
|
|
|
## Cloud settings
|
|
xpack.cloud.serverless.project_type: security
|
|
|
|
## Enable the Security Solution Serverless plugin
|
|
xpack.securitySolutionServerless.enabled: true
|
|
xpack.securitySolutionServerless.productTypes:
|
|
[
|
|
{ product_line: 'security', product_tier: 'complete' },
|
|
{ product_line: 'endpoint', product_tier: 'complete' },
|
|
{ product_line: 'cloud', product_tier: 'complete' },
|
|
]
|
|
|
|
xpack.securitySolution.offeringSettings: {
|
|
ILMEnabled: false, # Index Lifecycle Management (ILM) functionalities disabled, not supported by serverless Elasticsearch
|
|
}
|
|
|
|
newsfeed.enabled: true
|
|
|
|
## Set the home route
|
|
uiSettings.overrides.defaultRoute: /app/security/get_started
|
|
|
|
# Specify in telemetry the project type
|
|
telemetry.labels.serverless: security
|
|
|
|
# Fleet specific configuration
|
|
xpack.fleet.internal.registry.capabilities: ['security']
|
|
xpack.fleet.internal.registry.excludePackages: [
|
|
# Oblt integrations
|
|
'apm',
|
|
'synthetics',
|
|
'synthetics_dashboards',
|
|
|
|
# Deprecated security integrations
|
|
'bluecoat',
|
|
'cisco',
|
|
'cyberark',
|
|
'cylance',
|
|
'f5',
|
|
'fortinet_forticlient',
|
|
'juniper_junos',
|
|
'juniper_netscreen',
|
|
'microsoft',
|
|
'netscout',
|
|
'radware',
|
|
'symantec',
|
|
'tomcat',
|
|
|
|
# ML integrations
|
|
'dga',
|
|
|
|
# Unsupported in serverless
|
|
'cloud_defend',
|
|
]
|
|
# fleet_server package installed to publish agent metrics
|
|
xpack.fleet.packages:
|
|
- name: fleet_server
|
|
version: latest
|
|
|
|
xpack.ml.ad.enabled: true
|
|
xpack.ml.dfa.enabled: true
|
|
xpack.ml.nlp:
|
|
enabled: true
|
|
modelDeployment:
|
|
allowStaticAllocations: false
|
|
vCPURange:
|
|
low:
|
|
min: 0
|
|
max: 2
|
|
medium:
|
|
min: 1
|
|
max: 32
|
|
high:
|
|
min: 1
|
|
max: 128
|
|
xpack.ml.compatibleModuleType: 'security'
|
|
|
|
# Disable the embedded Dev Console
|
|
console.ui.embeddedEnabled: false
|
|
|
|
# Enable project level rentention checks in DSL form from Index Management UI
|
|
xpack.index_management.enableProjectLevelRetentionChecks: true
|
|
|
|
# Increase task manager capacity because security projects have more resources (Memory and CPU)
|
|
xpack.task_manager.capacity: 20
|
|
|
|
## Enable uiSettings validations
|
|
xpack.securitySolution.enableUiSettingsValidations: true
|
|
|
|
# Alerting and action circuit breakers
|
|
xpack.alerting.rules.run.ruleTypeOverrides:
|
|
- id: siem.indicatorRule
|
|
timeout: 10m
|
|
- id: siem.eqlRule
|
|
timeout: 5m
|
|
- id: attack-discovery
|
|
timeout: 10m
|
|
|
|
# Experimental Security Solution features
|
|
|
|
# These features are disabled in Serverless until fully tested
|
|
xpack.securitySolution.enableExperimental:
|
|
- privilegedUserMonitoringDisabled
|