Skip to content

[Security][9.x] Add 'search.allow_expensive_queries' to detections-requirements.md #3543

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 12 commits into from
Oct 22, 2025
Merged

[Security][9.x] Add 'search.allow_expensive_queries' to detections-requirements.md #3543

merged 12 commits into from
Oct 22, 2025

Conversation

@sdesalas
Copy link
Member

@sdesalas sdesalas commented Oct 20, 2025
edited
Loading

Summary

De-facto requirement of Security Detections, (and much of Kibana) that has not been documented properly.

# elasticsearch.yml

search.allow_expensive_queries=false    # <=== causes errors across Kibana 🤯

Errors go as far back as v8.18 (but likely much further), and not only affect Security app, but also many Server Management features such as Fleet, Saved Objects, Tags, etc.

For more info: elastic/kibana#237496 -> Section Risks that were found acceptable

We're documenting it under the correct location to make sure that users know about it. There is an internal slack thread for discussion.

Note also that this is documented as a requirement of the 'alerting' plugin that we're using under the hood.

image

@sdesalas sdesalas requested a review from a team as a code owner October 20, 2025 10:04
@github-actions
Copy link

github-actions bot commented Oct 20, 2025
edited
Loading

🔍 Preview links for changed docs

@sdesalas
Copy link
Member Author

Ready to review. Thanks! 😁 🙏

@sdesalas sdesalas mentioned this pull request Oct 20, 2025
Open
7 tasks
@sdesalas sdesalas changed the title Add requirement on 'search.allow_expensive_queries' to detections-requirements.md Add 'search.allow_expensive_queries' to detections-requirements.md Oct 20, 2025
alaudazzi
alaudazzi approved these changes Oct 20, 2025
View reviewed changes
Copy link
Contributor

@alaudazzi alaudazzi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

banderror
banderror reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @sdesalas for the important observation and opening this documentation improvement! I left a small suggestion.

Let's defer to @nastasha-solomon for a final review and approval.

@sdesalas sdesalas force-pushed the main branch 3 times, most recently from 1316de5 to 7104b04 Compare October 20, 2025 12:57
banderror
banderror approved these changes Oct 20, 2025
View reviewed changes
Copy link
Contributor

@banderror banderror left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

nastasha-solomon
nastasha-solomon reviewed Oct 20, 2025
View reviewed changes
Copy link
Contributor

@nastasha-solomon nastasha-solomon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left some suggestions for your consideration and a few questions as well. Thanks!

nastasha-solomon
nastasha-solomon approved these changes Oct 21, 2025
View reviewed changes
Copy link
Contributor

@nastasha-solomon nastasha-solomon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested changing the numbers to list bullets because these tasks don't need to be completed in a specific order. They just need to be completed in the same file (the elasticsearch.yml file).

@nastasha-solomon nastasha-solomon changed the title Add 'search.allow_expensive_queries' to detections-requirements.md [Security][9.x] Add 'search.allow_expensive_queries' to detections-requirements.md Oct 21, 2025
@nastasha-solomon nastasha-solomon mentioned this pull request Oct 21, 2025
Merged
@sdesalas sdesalas force-pushed the main branch 2 times, most recently from 809c4f9 to f880825 Compare October 22, 2025 07:42
@sdesalas sdesalas force-pushed the main branch 3 times, most recently from 32cd1be to 24eac20 Compare October 22, 2025 08:04
@sdesalas sdesalas enabled auto-merge (squash) October 22, 2025 09:37
@sdesalas sdesalas merged commit 1bd13dc into elastic:main Oct 22, 2025
6 of 7 checks passed
@mergify mergify bot mentioned this pull request Oct 22, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@banderror banderror banderror approved these changes

@nastasha-solomon nastasha-solomon nastasha-solomon approved these changes

@alaudazzi alaudazzi alaudazzi approved these changes

Assignees

@sdesalas sdesalas

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sdesalas @banderror @alaudazzi @nastasha-solomon