From 74c68dd14cb33fae4be71c560a2b28ba3a0b5eca Mon Sep 17 00:00:00 2001 From: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> Date: Wed, 22 Oct 2025 12:55:19 -0400 Subject: [PATCH] [Security][8.18 & 8.19] Add 'search.allow_expensive_queries' to detection reqs (#7092) * First draft * Fixed attribute * Update docs/detections/detections-req.asciidoc Co-authored-by: Nastasha Solomon <79124755+nastasha-solomon@users.noreply.github.com> * Update docs/detections/detections-req.asciidoc Co-authored-by: Steven de Salas * Update docs/detections/detections-req.asciidoc --------- Co-authored-by: Steven de Salas (cherry picked from commit 9ae8ab229d9f9bd4da067010ee0eba06c146ffc6) --- docs/detections/detections-req.asciidoc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/detections/detections-req.asciidoc b/docs/detections/detections-req.asciidoc index fa5d106bab..e70f02a821 100644 --- a/docs/detections/detections-req.asciidoc +++ b/docs/detections/detections-req.asciidoc 
@@ -20,15 +20,16 @@ These steps are only required for *self-managed* deployments: * HTTPS must be configured for communication between {kibana-ref}/configuring-tls.html#configuring-tls-kib-es[{es} and {kib}]. -* In the `elasticsearch.yml` configuration file, set the -`xpack.security.enabled` setting to `true`. For more information, refer to -{ref}/settings.html[Configuring {es}] and -{ref}/security-settings.html[Security settings in {es}]. * In the `kibana.yml` {kibana-ref}/settings.html[configuration file], add the `xpack.encryptedSavedObjects.encryptionKey` setting with any alphanumeric value of at least 32 characters. For example: + `xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'` +* In the `elasticsearch.yml` {ref}/settings.html[configuration] file: + +** Set the `xpack.security.enabled` setting to `true`. For more information, refer to {ref}/security-settings.html[general security settings in {es}]. +** If the `search.allow_expensive_queries` setting is set to `false`, remove it. If set to its default value of `true` or not included in the file, you don't need to change it. This setting must be `true` for key detection features, such as {kibana-ref}/alerting-getting-started.html#_rules[alerting rules] and rule exceptions, to work. + IMPORTANT: After changing the `xpack.encryptedSavedObjects.encryptionKey` value and restarting {kib}, you must restart all detection rules.
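Review bot: Moving the `elasticsearch.yml` item below the `kibana.yml` item leaves the `IMPORTANT:` note about `xpack.encryptedSavedObjects.encryptionKey` directly after the new `search.allow_expensive_queries` sub-bullet, so it now reads (and, through the `+` continuation, may render) as part of the {es} step rather than the {kib} encryption-key step it describes. Either keep the `elasticsearch.yml` item where the removed one was, above the `kibana.yml` item, or move the admonition up so it stays attached to the encryption-key bullet. In the new sub-bullet, the sentence "If set to its default value of `true` or not included in the file, you don't need to change it" has no subject; "If it is set to ..." reads more clearly. Since the text says the setting must be `true`, consider "remove it or set it to `true`" so the instruction matches the stated requirement.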