1. Elastic Docs/
2. Solutions and use cases/
3. Security solution/
4. Get started

Configure advanced settings for Elastic Security

The advanced settings control the behavior of the Elastic Security app, such as:

• Which indices Elastic Security uses to retrieve data
• Machine learning anomaly score display threshold
• The navigation menu style used throughout the Elastic Security app
• Whether the news feed is displayed on theOverview dashboard
• The default time interval used to filter Elastic Security pages
• The default Elastic Security pages refresh time
• Which IP reputation links appear onIP detail pages
• Whether cross-cluster search (CCS) privilege warnings are displayed
• Whether related integrations are displayed on the Rules page tables
• The options provided in the alert tag menu

Requirements

Your role must have the appropriate privileges to change advanced settings:

• In Elastic Stack, you must haveAll privileges for theAdvanced SettingsKibana feature.
• In Serverless, you need either the appropriatepredefined Security user role or acustom role withAll privileges.

Warning

Modifying advanced settings can affect Kibana performance and cause problems that are difficult to diagnose. Setting a property value to a blank field reverts to the default behavior, which might not be compatible with other configuration settings. Deleting a custom setting removes it from Kibana permanently.

Access advanced settings

To access advanced settings, go toStack Management →Advanced Settings in Elastic Stack orProject Settings →Stack Management →Advanced Settings in Serverless, then scroll down toSecurity Solution settings.

×

ThesecuritySolution:defaultIndex field defines which Elasticsearch indices the Elastic Security app uses to collect data. By default, index patterns are used to match sets of Elasticsearch indices.

ThesecuritySolution:defaultIndex field defines which Elasticsearch indices the Elastic Security app uses to collect data. By default, index patterns are used to match sets of Elasticsearch indices:

• apm-*-transaction*
• auditbeat-*
• endgame-*
• filebeat-*
• logs-*
• packetbeat-*
• winlogbeat-*

All of the default index patterns matchBeats andElastic Agent indices. This means all data shipped via Beats and the Elastic Agent is automatically added to the Elastic Security app.

You can add or remove any indices and index patterns as required. In Serverless, the maximum number of items that you can include in a comma-delimited list is 50. In Elastic Stack, there is no limit. For more information on Elasticsearch indices, refer toData in: documents and indices.

ThesecuritySolution:defaultThreatIndex advanced setting specifies threat intelligence indices that Elastic Security features query for ingested threat indicators. This setting affects features that query threat intelligence indices, such as the Threat Intelligence view on the Overview page, indicator match rules, and the alert enrichment query.

You can specify one or more threat intelligence indices; multiple indices must be separated by commas. By default, only thelogs-ti_* index pattern is specified. Do not remove or overwrite this index pattern, as it is used by Elastic Agent integrations.

Kibana transmits certain information about Elastic Security when users interact with the Elastic Security app, detailed below. Kibana redacts or obfuscates personal data (IP addresses, host names, usernames, etc.) before transmitting messages to Elastic. Security-specific telemetry events include:

• Detection rule security alerts: Information about Elastic-authored prebuilt detection rules using the detection engine. Examples of alert data include machine learning job influencers, process names, and cloud audit events.
• Elastic Endpoint Security alerts: Information about malicious activity detected using Elastic Endpoint detection engines. Examples of alert data include malicious process names, digital signatures, and file names written by the malicious software. Examples of alert metadata include the time of the alert, the Elastic Endpoint version and related detection engine versions.
• Configuration data for Elastic Endpoint: Information about the configuration of Elastic Endpoint deployments. Examples of configuration data include the Endpoint versions, operating system versions, and performance counters for Endpoint.
• Exception list entries for Elastic rules: Information about exceptions added for Elastic rules. Examples include trusted applications, detection exceptions, and rule exceptions.
• Security alert activity records: Information about actions taken on alerts generated in the Elastic Security app, such as acknowledged or closed.

To learn more, refer to ourPrivacy Statement.

When securitymachine learning jobs are enabled, this setting determines the threshold above which anomaly scores appear in Elastic Security:

• securitySolution:defaultAnomalyScore

You can change these settings, which affect the news feed displayed on the Elastic SecurityOverview page:

• securitySolution:enableNewsFeed: Enables the security news feed on the SecurityOverview page.
• securitySolution:newsFeedUrl: The URL from which the security news feed content is retrieved.

Turn on thesecuritySolution:enableGraphVisualization setting to integrate the GraphViz visualization into the Alert and Event flyouts for supported event types. When enabled, it appears in theVisualization section of the flyout and can be viewed in full-screen mode.

Turn on thesecuritySolution:enableAssetInventory setting to enable the Asset Inventory in your environment.

Turn on thesecuritySolution:enableCloudConnector setting to enable Cloud Connector deployment for Elastic's CSPM and Asset Inventory integrations.

Including data from cold and frozendata tiers invisual event analyzer queries may result in performance degradation. ThesecuritySolution:excludeColdAndFrozenTiersInAnalyzer setting allows you to exclude this data from analyzer queries. This setting is turned off by default.

ThesecuritySolution:enableVisualizationsInFlyout setting allows you to access the event analyzer and Session View in theVisualizetab on the alert or event details flyout.

These settings determine the default time interval and refresh rate Elastic Security pages use to display data when you open the app:

• securitySolution:timeDefaults: Default time interval
• securitySolution:refreshIntervalDefaults: Default refresh rate

On IP details pages (Security →Network →IP address), links to external sites for verifying the IP address’s reputation are displayed. By default, links to these sites are listed:TALOS andVIRUSTOTAL.

ThesecuritySolution:ipReputationLinks field determines which IP reputation sites are listed. To modify the listed sites, edit the field’s JSON array. These fields must be defined in each array element:

• name: The link’s UI display name.
• url_template: The link’s URL. It can include{{ip}}, which is placeholder for the IP address you are viewing on theIP detail page.

Example

Adds a link tohttps://www.dnschecker.org onIP detail pages:

[  { "name": "virustotal.com", "url_template": "https://www.virustotal.com/gui/search/{{ip}}" },  { "name": "dnschecker.org", "url_template": "https://www.dnschecker.org/ip-location.php?ip={{ip}}" },  { "name": "talosIntelligence.com", "url_template": "https://talosintelligence.com/reputation_center/lookup?search={{ip}}" }]

Each time a detection rule runs using a remote cross-cluster search (CCS) index pattern, it will return a warning saying that the rule may not have the requiredread privileges to the remote index. Because privileges cannot be checked across remote indices, this warning displays even when the rule actually does haveread privileges to the remote index.

If you’ve ensured that your detection rules have the required privileges across your remote indices, you can use thesecuritySolution:enableCcsWarning setting to disable this warning and reduce noise.

To control whether alert suppression continues after you close a supressed alert during anactive suppression window, configure thesecuritySolution:suppressionBehaviorOnAlertClosure advanced setting. This setting lets you choose whether suppression continues or restarts when the next qualifying alert meets the suppression criteria. The default selection isRestart suppression.

By default, Elastic prebuilt rules in theRules andRule Monitoring tables include a badge showing how many related integrations have been installed. Turn offsecuritySolution:showRelatedIntegrations to hide this in the rules tables (related integrations will still appear on rule details pages).

ThesecuritySolution:alertTags field determines which options display in the alert tag menu. The default alert tag options areDuplicate,False Positive, andFurther investigation required. You can update the alert tag menu by editing these options or adding more. To learn more about using alert tags, refer toApply and filter alert tags.

ThesecuritySolution:maxUnassociatedNotes field determines the maximum number ofnotes that you can attach to alerts and events. The maximum limit and default value is 10000.

To ensure the rules in your Kibana space exclude query results from cold and frozen tiers when executing, specify cold and frozendata tiers in theexcludedDataTiersForRuleExecution field. Multiple data tiers must be separated by commas, for example:data_frozen,data_cold. This setting is turned off by default; turning it on can improve rule performance and reduce execution time.

This setting does not apply to machine learning rules because machine learning anomalies are not stored in cold or frozen data tiers.

ThesecuritySolution:enablePrivilegedUserMonitoring setting allows you to access theEntity analytics overview page and theprivileged user monitoring feature. This setting is turned off by default.

By default,entity risk scoring calculations are based on ES|QL queries. Turn offsecuritySolution:enableEsqlRiskScoring to use scripted metrics instead.