
Commit 42c1181

Add requirement on 'search.allow_expensive_queries' to detections-requirement.md
1 parent 24f187e commit 42c1181

File tree

1 file changed

+8
-2
lines changed


solutions/security/detect-and-alert/detections-requirements.md

Lines changed: 8 additions & 2 deletions
Original file line number | Diff line number | Diff line change
@@ -28,11 +28,17 @@ stack:
2828
These steps are only required for **self-managed** deployments:
2929
3030
* HTTPS must be configured for communication between [{{es}} and {{kib}}](/deploy-manage/security/set-up-basic-security-plus-https.md#encrypt-kibana-http).
31-
* In the `elasticsearch.yml` configuration file, set the `xpack.security.enabled` setting to `true`. Also, remove the line `search.allow_expensive_queries=false` if you find it. For more information, refer to [Configuring {{es}}](/deploy-manage/deploy/self-managed/configure-elasticsearch.md) and [Security settings in {{es}}](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md).
32-
* In [`kibana.yml`](/deploy-manage/stack-settings.md), add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example:
31+
* In [`kibana.yml`](/deploy-manage/stack-settings.md):
32+
33+
Add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example:
3334

3435
`xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'`
3536
37+
* In [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md):
38+
1. We need to enable the `xpack.security.enabled` setting to `true`.
39+
2. We need the `search.allow_expensive_queries` setting to be left on its default value of `true` for key detection features like [alerting](https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/alerting-setup#alerting-prerequisites) to work. Please remove the line `search.allow_expensive_queries=false` if you find it.
40+
41+
For more information, also refer to [Security settings in {{es}}](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md).
3642

3743
::::{important}
3844
After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {{kib}}, you must restart all detection rules.
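Review bot: In the added `elasticsearch.yml` list (new lines 38-39) the line to remove is quoted as `search.allow_expensive_queries=false`, but `elasticsearch.yml` is YAML, so a user who has disabled the setting there will have `search.allow_expensive_queries: false`; the `key=value` form is the command-line/system-property syntax, and someone searching the file for `=false` will not find the line. Suggest quoting the YAML form (the pre-existing sentence at old line 31 had the same issue, so this is a good moment to fix it). Two smaller points in the same list: the docs voice is imperative rather than first person, so `We need to enable the `xpack.security.enabled` setting to `true`.` reads better as `Set `xpack.security.enabled` to `true`.` and `Please remove the line` as `Remove the line`; and a numbered list implies an order between two independent settings, while the parallel `kibana.yml` bullet above uses a plain paragraph, so plain sub-bullets for both would be more consistent. The doubled blank lines at new 32-33 and 40-41 will also render as extra spacing inside the list items.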
