
Spaces and Elastic Security

Elastic Security supports the organization of your security operations into logical instances with the spaces feature. Each space in Kibana represents a separate logical instance of Elastic Security in which detection rules, rule exceptions, value lists, alerts, Timelines, cases, and Kibana advanced settings are private to the space and accessible only by users that have role privileges to access the space.

For example, if you create a SOC_prod space in which you load and activate all the Elastic Security prebuilt detection rules, these rules and any detection alerts they generate will be accessible only when visiting the Elastic Security app in the SOC_prod space. If you then create a new SOC_dev space, you’ll notice that no detection rules or alerts are present. Any rules subsequently loaded or created here will be private to the SOC_dev space, and they will run independently of those in the SOC_prod space.

Note

By default, alerts created by detection rules are stored in Elasticsearch indices under the .alerts-security.alerts-<space-name> index pattern, and they may be accessed by any user with role privileges to access those Elasticsearch indices. In our example above, any user with Elasticsearch privileges to access .alerts-security.alerts-SOC_prod will be able to view SOC_prod alerts from within Elasticsearch and other Kibana apps such as Discover.

To keep detection alert data private to the space in which it was created, ensure that the roles assigned to your Elastic Security users include Elasticsearch privileges that limit their access to alerts within their space’s alerts index.
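
One way to check existing roles for the gap described in the note, as an added example that is not part of the Elastic documentation: the script flags any role whose Elasticsearch index privileges can read the alerts index of a space the role has no Kibana access to. The role names and role JSON are constructed, the role layout is assumed to follow the Kibana role API shape, and only `*`/`?` wildcard index patterns are handled.

```python
from fnmatch import fnmatchcase

ALERTS_PREFIX = ".alerts-security.alerts-"  # index pattern prefix named in the note above
READ_PRIVS = {"read", "all"}                # index privileges that allow reading alert documents

# Constructed sample roles (assumed Kibana role API shape); not from a real deployment.
ROLES = {
    "soc_prod_analyst": {
        "elasticsearch": {"indices": [
            {"names": [".alerts-security.alerts-SOC_prod"], "privileges": ["read", "write"]},
            {"names": ["logs-*"], "privileges": ["read"]}]},
        "kibana": [{"spaces": ["SOC_prod"], "base": ["all"]}],
    },
    "soc_dev_analyst": {
        "elasticsearch": {"indices": [
            {"names": [".alerts-security.alerts-*"], "privileges": ["read"]}]},
        "kibana": [{"spaces": ["SOC_dev"], "base": ["all"]}],
    },
}

def kibana_spaces(role):
    """Spaces the role may open in Kibana; '*' means every space."""
    return {s for entry in role.get("kibana", []) for s in entry.get("spaces", [])}

def cross_space_alert_access(roles, spaces):
    """Return sorted (role, space, pattern) tuples where the role can read a
    space's alerts index in Elasticsearch without access to that space."""
    findings = []
    for name, role in roles.items():
        granted = kibana_spaces(role)
        if "*" in granted:
            continue  # role already spans every space, so nothing is cross-space
        for grant in role.get("elasticsearch", {}).get("indices", []):
            if not READ_PRIVS & set(grant.get("privileges", [])):
                continue  # this grant cannot read documents
            for pattern in grant.get("names", []):
                for space in spaces:
                    if space not in granted and fnmatchcase(ALERTS_PREFIX + space, pattern):
                        findings.append((name, space, pattern))
    return sorted(findings)

if __name__ == "__main__":
    for role, space, pattern in cross_space_alert_access(ROLES, ["SOC_prod", "SOC_dev"]):
        print(f"{role}: pattern {pattern!r} exposes {space} alerts outside its space")
```

Here `soc_dev_analyst` is reported because its wildcard pattern also covers the SOC_prod alerts index; narrowing it to `.alerts-security.alerts-SOC_dev` clears the finding.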

