[Security Solution] [AI4SOC] Integrations and Rules are not space-aware — unexpected sharing across Kibana spaces

[pborgonovi]

Description:

When creating a new Kibana space, all previously installed integrations (e.g., CrowdStrike, SentinelOne, Splunk) from the Default space are automatically present in the new space — even though the new space did not explicitly install them.

When interacting with rules/integrations from one space, the actions are carried over to the second space - e.g: deleting/adding integrations reflect on the other space.

Screen.Recording.2025-07-09.at.2.06.30.PM.mov

Screen.Recording.2025-07-24.at.9.17.50.PM.mov

Kibana/Elasticsearch Stack version:

VERSION: 9.2.0
BUILD: 87993
COMMIT: 8a1eeec09a354d37620a8f0ccf6f38326f530fdd

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

AI4SOC

Steps to reproduce:

Scenario 1:

1. In the Default space:
   • Install multiple integrations (e.g., CrowdStrike, SentinelOne, Google SecOps).
   • Allow them to ingest data and generate alerts.
2. Create a new space.
3. Go to Integrations in the new space.

Scenario 2:

1. 2 spaces should exist
2. Integrations and rules should be intalled
3. Go to Default space and remove/uninstall 1 integration
4. Go to the second space and observe the integration was also removed/uninstalled

Current behavior:

Integrations and rules are not space-aware.

Expected behavior:

Integrations, detection rules, and alerts should be space-aware.

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[peluja1012]

Hi @pborgonovi, this behavior is expected. Alerts are space-aware and so are rules. We wouldn't expect the alerts from one space to be copied over to another space. You can see this behavior in ECH or any Serverless deployment as well.

[pborgonovi]

Hey @peluja1012 Yes for the alerts. The point here is integrations/rules being carried over to other spaces.
All installed integrations/rules are automatically carried over to other spaces. i.e: I have a default space with X integrations/rules. I create a second space - automatically all integrations/rules from default space are present in the second space as well.
As in any other deployment, rules should be individually tied to a specific space.

I see the confusion in the attached video. Let me try to clarify with the steps:

1. Integrations/rules were installed in default space
2. A second space was created
3. When second space was accessed - all integrations/rules from default space had been carried over to second space -- without any interaction.

Here's a fresh evidence as well:

Screen.Recording.2025-07-10.at.10.38.47.AM.mov

[pborgonovi]

Hey @peluja1012 who could help us checking this issue?

[pborgonovi]

Hey @ashokaditya I updated my AI4SOC with latest changes and still observe the same behavior.

Current project details:

VERSION: 9.2.0
BUILD: 88867
COMMIT: a48f653d01e8a48d9e8d18d804a18cb9ff07744a

1. I have a default space with 3 integrations/rules
2. I have several alerts generated by these rules in my Default space
3. I create a second space
4. Integrations/Rules are carried over to the second space
5. Alerts are not carried over

Screencast:

Screen.Recording.2025-07-28.at.8.02.13.AM.mov

Question 1: Should this behavior have changed with latest changes? Should Integrations/Rules be space-aware which would make the user need to install integrations for each particular Kibana space?

Question 2: If the observed behavior is expected, should the alerts be generated for all spaces?
Note by the screenshot below that I haven't configured any particular space in my Integrations config, which makes me assume that if Integrations are NOT space aware, alerts should also be generated in all spaces.

I learned from @PhilippeOberti that alerts are indeed space aware at this moment.

I tried a different scenario this time:

1. I have a Default space without any integration
2. I create a second space
3. I install and configure integrations in this second space
4. Integrations/Rules carried over to Default space
5. Alerts not generated until I set namespace under integration policy config to space2

Steps and screenshots

1. Default space without any integration:

2. A second space is created:

3. Launched second space and added integrations:

4. Alerts NOT generated:

5. Updated Integrations config to point namespace to second space:

6. Alerts are properly generated:

7. I launch Default space and check the Integrations config: space2 is set as namespace there as well:

Screen.Recording.2025-07-28.at.9.13.51.AM.mov

[ashokaditya]

Thanks @pborgonovi. Summarising your testing notes here:

case 1 (clip1):
a. You installed 3rd-party integrations only on the default space but they are visible as installed in space2 and
b. alerts and data from default are not visible in space2

case 2 (clip 2):
a. While at space2, you installed 3rd-party integrations only on space2 but alerts were not generated, until you manually configured the integrations for space2
b. Switching back to default space you can see the integrations installed in space2 (same as 1 in case 1)

As I understood from my conversation with @paul-tavares that, case 1a. should have been fixed by changes released in serverless last week. Case 1b seems to be expected as the installed rules are not configured for space2.

Looking at case 2a, it looks like the rules being installed are always defaulting to default space. That would explain what we see on case 1b as well.

Regardless, the installed integration from one space visible on another should not be happening.

[paul-tavares]

Hey all.

Rules showing up on other space

Looking at the video from @pborgonovi , it does look like maybe there is a problem with rules - they should not be shown in space_2 since they were created in space default (cc/ @peluja1012 )

Re: Integrations are being shown as installed

I'm pretty sure this is by design, but you can confirm with the Fleet team. Integrations are installed once and are global on the system.

Integration Policies, however, are space specific, so unless you shared the agent policies from default space with space_2 (which the video did not show), then you likely have no integration policies or fleet agents setup in space_2 thus why you have no data.

Also note that Detection Engine rules require setup to ensure the data it picks up to promote to alerts is from the right location (ex. from the correct namespaced index that the Fleet policies are using.

Spaces was enabled/release to production (serverless) last week and will be available with 9.1. Here are the docs for the Elastic Defend spaces support: https://www.elastic.co/docs/solutions/security/get-started/spaces-defend-faq

---

PS: I'm not really familiar with UI4SOC, so I'm assuming that users have access to Fleet and can manage agents, agent policies and integration policies.