[Security][9.x] Add 'search.allow_expensive_queries' to detections-requirements.md #3543
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
🔍 Preview links for changed docs |
|
Ready to review. Thanks! 😁 🙏 |
7 tasks
sdesalas
changed the title
banderror
reviewed
Oct 20, 2025
There was a problem hiding this comment.
Thanks @sdesalas for the important observation and opening this documentation improvement! I left a small suggestion.
Let's defer to @nastasha-solomon for a final review and approval.
sdesalas
force-pushed
the
main
branch
2 times, most recently
from
478abde to
1316de5
Compare
Co-authored-by: Georgii Gorbachev <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
nastasha-solomon
approved these changes
Oct 21, 2025
Co-authored-by: Nastasha Solomon <[email protected]>
Co-authored-by: Nastasha Solomon <[email protected]>
| * In [`elasticsearch.yml`](/deploy-manage/deploy/self-managed/configure-elasticsearch.md): | ||
| * Set the `xpack.security.enabled` setting to `true`. Refer to [General security settings](elasticsearch://reference/elasticsearch/configuration-reference/security-settings.md#general-security-settings) for more information. | ||
| * Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like [alerting rules](https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/alerting-setup#alerting-prerequisites) and rule exceptions to work. |
There was a problem hiding this comment.
I just noticed that the link is hardcoded in. I fixed the syntax below and pointed to an explanation of alerting rules instead. Also expanded the explanation around the setting a bit so users know when and when not to act.
Suggested change
| * Remove the line `search.allow_expensive_queries=false` if you find it. The `search.allow_expensive_queries` setting must be left on its default value of `true` for key detection features like [alerting rules](https://www.elastic.co/docs/explore-analyze/alerts-cases/alerts/alerting-setup#alerting-prerequisites) and rule exceptions to work. | |
| * If the `search.allow_expensive_queries` setting is set to `false`, remove it. If the setting is set to its default value of `true` or not included in the `elasticsearch.yml` file, you don't need to change it. When this setting is set to `true`, it allows key detection features, such as [alerting rules](../../../explore-analyze/alerts-cases/alerts/alerting-getting-started.md#_rules) and rule exceptions, to work. |
nastasha-solomon
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
De-facto requirement of Security Detections, (and much of Kibana) that has not been documented properly.
Errors go as far back as
v8.18(but likely much further), and not only affect Security app, but also manyServer Managementfeatures such as Fleet, Saved Objects, Tags, etc.For more info: elastic/kibana#237496 -> Section
Risks that were found acceptableWe're documenting it under the correct location to make sure that users know about it. There is an internal slack thread for discussion.
Note also that this is documented as a requirement of the 'alerting' plugin that we're using under the hood.