Open a03nikki opened 3 years ago
Pinging @elastic/security-solution (Team: SecuritySolution)
I've encountered the need for that on a customer with instabilities on a cluster with 130 TB. They want to scale their SIEM solution, but scaling a cluster this size causes them instabilities on cloud. CCS for indicator match rules would be a perfect fit for them, to be able to split use cases into clusters.
Pinging @elastic/security-detections-response (Team:Detections and Resp)
ping @rylnd @peluja1012 @spong
Describe the feature:
Add support for CCS for indicator match rules; thus removing the limitation.
Describe a specific use case for the feature:
The documentation at https://www.elastic.co/guide/en/security/7.12/detection-engine-overview.html#support-indicator-rules says:
This is a problem for Elastic Security users whose data set is too large (aka against best practices) to fit into a single cluster. They want to run their detection rules from a central Kibana and Elasticsearch deployment, where the indicators of compromise (IoCs) list is stored, against the (log) events in their data clusters.