Security Analytics not working for Cross-cluster search

OpenSearch version 2.9.0

I am trying to use Sigma rules via the OpenSearch Security Analytics plugin. We have remote clusters configured, and cross-cluster search works properly in Discover, but it does not work in the Security Analytics plugin, nor in the Query Workbench plugin.

Are cross clusters not supported for plugins in OpenSearch?

Hi @kritikashahi, thanks for reaching out. That's right, cross-cluster search isn't supported with Security Analytics. To help me understand better, could you expand on your use case(s)?

I would also encourage you to create a feature request in GitHub here - Sign in to GitHub · GitHub

Hi @kritikashahi, we are currently working on supporting Alerting on a cross-cluster setup. We plan to integrate with Security Analytics after that (2.13 or 2.14). Would love to understand more about your use case.

Hi @jimishs and @praveensameneni, currently we are trying to use Sigma rules for threat detection, starting with the Windows log type and then moving to other log types. Since our architecture uses remote clusters to store the data, we are not able to use the Security Analytics plugin for Sigma rules/custom rules.

Our deployment is too large to sit in a single OpenSearch cluster, so we have 3 remote clusters where the actual data resides and a coordinating cluster. Our data is striped across the 3 remote clusters. Let me know if you need additional information. What is the tentative release date for 2.13 or 2.14?

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.