Open aarju opened 1 year ago
Any developments on this?
Describe the feature: This feature would make the Actions within the Security App work in a Cross Cluster Search environment. In our environment we have a central SIEM that we do all of our detections, investigation, and alerting from. This central cluster can query the events in all of our other distributed clusters that are collecting events from the agents. Because this central cluster isn't using Fleet to control the agents, I cannot use actions such as 'Run OSQuery' or 'Isolate Endpoint' from this cluster. I have to navigate to the cluster that is managing that particular agent and then take those actions.
Describe a specific use case for the feature: We use Cross Cluster Search to centrally manage security within the Elastic Cloud environment. This environment spans 50+ distributed regional clusters, each in a different cloud region. With this capability we would be able to use the actions from the primary central cluster rather than navigating to each of the 50+ regional clusters when we want to run OSQuery or isolate a host.