Elastic Security is built into Kibana. To use it, you only need an Elastic Stack deployment (an Elasticsearch cluster and Kibana). For information on installing the Elastic Stack, see Getting started with the Elastic Stack.
The Support Matrix page lists officially supported operating systems, platforms, and browsers on which Elasticsearch, Kibana, Beats, and Elastic Endpoint have been tested.
Node role requirements
To use Elastic Security, at least one node in your Elasticsearch cluster must have the transform role. Nodes are given this role automatically when they are created with the default role settings, so no change is required as long as those defaults remain in place. This applies to both on-premise and cloud deployments.
Changes might be required if your nodes have customized roles. When you set node roles explicitly, a node is assigned only the roles you list, and every default role, transform included, is removed. If you need to reassign the transform role, create a dedicated transform node.
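The following check, added here as an example and not part of the Elastic documentation, reads the output of the Elasticsearch GET _nodes API and reports whether any node carries the transform role. The two sample responses are constructed (node names and ids are invented); the second shows the failure mode the text describes, where node.roles was set explicitly and the default roles were dropped rather than merged.

```python
import json

# Constructed sample GET _nodes responses, trimmed to the two fields this
# check reads (node name and roles). Fetch the real one with GET /_nodes.
HEALTHY_CLUSTER = json.dumps({
    "cluster_name": "example",
    "nodes": {
        "node-id-1": {"name": "es-master-1", "roles": ["master"]},
        "node-id-2": {"name": "es-data-1", "roles": ["data", "ingest"]},
        "node-id-3": {"name": "es-data-2", "roles": ["data", "ingest", "transform"]},
    },
})

# Same cluster after node.roles was set explicitly on every node without
# listing transform: the default roles are replaced, not merged.
BROKEN_CLUSTER = json.dumps({
    "cluster_name": "example",
    "nodes": {
        "node-id-1": {"name": "es-master-1", "roles": ["master"]},
        "node-id-2": {"name": "es-data-1", "roles": ["data", "ingest"]},
        "node-id-3": {"name": "es-data-2", "roles": ["data", "ingest"]},
    },
})

# elasticsearch.yml line for a dedicated transform node; remote_cluster_client
# is included so transforms can also read from remote clusters.
DEDICATED_TRANSFORM_NODE_YML = "node.roles: [ transform, remote_cluster_client ]"


def nodes_with_role(nodes_response: str, role: str) -> list[str]:
    """Names of nodes whose roles list contains `role`, sorted for stable output."""
    data = json.loads(nodes_response)
    return sorted(
        node["name"] for node in data["nodes"].values() if role in node.get("roles", [])
    )


def check_transform_role(nodes_response: str) -> tuple[bool, str]:
    """Pass/fail for the Elastic Security node-role requirement, with a remediation hint."""
    names = nodes_with_role(nodes_response, "transform")
    if names:
        return True, "transform role present on: " + ", ".join(names)
    return False, (
        "no node has the transform role, so Elastic Security transforms cannot run; "
        "add 'transform' to node.roles on an existing node or create a dedicated "
        "transform node with: " + DEDICATED_TRANSFORM_NODE_YML
    )


if __name__ == "__main__":
    for label, payload in (("healthy", HEALTHY_CLUSTER), ("broken", BROKEN_CLUSTER)):
        ok, msg = check_transform_role(payload)
        print(f"{label}: {'OK' if ok else 'FAIL'} - {msg}")
```

Run it against a real cluster by replacing the constructed payloads with the body returned by GET /_nodes; the check only depends on the name and roles fields of each node entry.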
Kibana space and index privileges
To use Elastic Security, you must have at least:
Read privilege for the Security feature in the Kibana space (see Spaces).
Read and view_index_metadata privileges for all Elastic Security indices, such as
Configure advanced settings describes how to modify the Elastic Security indices.
For more information about index privileges, see Elasticsearch security privileges.
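As an added example (not code from the Elastic documentation), the block below builds the body for the Elasticsearch POST /_security/user/_has_privileges API, reports which of the required index privileges a user is missing from a constructed response, and produces a least-privilege role body for the Kibana role API that grants only read access to the Security feature in one space plus the index privileges above. The index patterns in SECURITY_INDEX_PATTERNS are assumed for illustration; use the patterns configured for your deployment.

```python
import json

# Index patterns assumed for this example; the real list is whatever is
# configured under Elastic Security advanced settings for your deployment.
SECURITY_INDEX_PATTERNS = ["filebeat-*", "packetbeat-*", "logs-*"]
REQUIRED_INDEX_PRIVILEGES = ["read", "view_index_metadata"]


def has_privileges_request(index_patterns: list[str]) -> dict:
    """Body for POST /_security/user/_has_privileges (checks the calling user)."""
    return {"index": [{"names": list(index_patterns),
                       "privileges": list(REQUIRED_INDEX_PRIVILEGES)}]}


def missing_index_privileges(has_privileges_response: dict) -> dict[str, list[str]]:
    """Map each index pattern to the required privileges the user lacks.

    An empty dict means every pattern has both read and view_index_metadata.
    """
    missing: dict[str, list[str]] = {}
    for pattern, granted in has_privileges_response.get("index", {}).items():
        lacking = [p for p in REQUIRED_INDEX_PRIVILEGES if not granted.get(p, False)]
        if lacking:
            missing[pattern] = lacking
    return missing


def minimal_security_role(index_patterns: list[str], space: str = "default") -> dict:
    """Body for PUT <kibana>/api/security/role/<name>.

    Read-only Security app in one space plus the index privileges above and no
    cluster privileges: the smallest role that lets an analyst open Elastic Security.
    """
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{"names": list(index_patterns),
                         "privileges": list(REQUIRED_INDEX_PRIVILEGES)}],
        },
        # "siem" is the feature id the Kibana role API uses for the Security app.
        "kibana": [{"base": [], "feature": {"siem": ["read"]}, "spaces": [space]}],
    }


# Constructed _has_privileges response: full access on filebeat-*, half on
# packetbeat-*, nothing on logs-*.
SAMPLE_HAS_PRIVILEGES_RESPONSE = {
    "username": "analyst",
    "has_all_requested": False,
    "cluster": {},
    "index": {
        "filebeat-*": {"read": True, "view_index_metadata": True},
        "packetbeat-*": {"read": True, "view_index_metadata": False},
        "logs-*": {"read": False, "view_index_metadata": False},
    },
    "application": {},
}

if __name__ == "__main__":
    print(json.dumps(has_privileges_request(SECURITY_INDEX_PATTERNS)))
    print(missing_index_privileges(SAMPLE_HAS_PRIVILEGES_RESPONSE))
    print(json.dumps(minimal_security_role(SECURITY_INDEX_PATTERNS), indent=2))
```

Note that has_all_requested in the response is a single boolean; the per-pattern breakdown from missing_index_privileges is what tells you which index pattern to fix when the Security app shows no data for one source but not another.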
There are some additional requirements for specific features:
All features are available as part of the free Basic plan except:
Elastic Stack subscriptions lists the required subscription plans for all features.
Advanced configuration and UI options
Configure advanced settings describes how to modify advanced settings, such as the Elastic Security indices, default time intervals used in filters, and IP reputation links.
Third-party collectors mapped to ECS
The Elastic Common Schema (ECS) defines a common set of fields to be used for storing event data in Elasticsearch. ECS helps users normalize their event data to better analyze, visualize, and correlate the data represented in their events. Elastic Security can ingest and normalize events from any ECS-compliant data source.
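To show what "mapping a third-party collector to ECS" means in practice, here is an added example (not code from Elastic or from any collector) that normalizes sshd authentication lines into nested ECS documents. The log lines are constructed; the ECS version string and the event.dataset value are assumptions, and the year is passed in because syslog timestamps carry none. Lines that do not match return None so a pipeline can route them to a dead-letter index rather than index a half-populated event, and malformed addresses are rejected before they reach an ip-typed field.

```python
import ipaddress
import re
from datetime import datetime, timezone
from typing import Optional

# Constructed sshd lines standing in for a non-Elastic collector's output.
FAILED_LINE = ("Mar 12 10:15:32 bastion sshd[2211]: Failed password for invalid user admin "
               "from 203.0.113.42 port 51234 ssh2")
ACCEPTED_LINE = ("Mar 12 10:16:01 bastion sshd[2215]: Accepted publickey for alice "
                 "from 198.51.100.7 port 40022 ssh2")

SSHD_AUTH = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)


def to_ecs(line: str, year: int) -> Optional[dict]:
    """Normalize one sshd auth line into a nested ECS document.

    Returns None for lines that do not match so the caller can dead-letter
    them. `year` is supplied because the syslog timestamp has no year.
    """
    m = SSHD_AUTH.match(line)
    if m is None:
        return None
    # ValueError here is deliberate: a bad address must not reach an ECS ip field.
    ip = str(ipaddress.ip_address(m["ip"]))
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    accepted = m["result"] == "Accepted"
    return {
        "@timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.000Z"),
        "ecs": {"version": "8.11.0"},          # assumed ECS version
        "message": line,
        "event": {
            "kind": "event",
            "category": ["authentication"],   # ECS allowed category for logins
            "type": ["info"],                  # ECS allowed type for authentication
            "action": "ssh_login",
            "outcome": "success" if accepted else "failure",
            "original": line,
            "dataset": "sshd.auth",            # assumed dataset name
        },
        "host": {"name": m["host"]},
        "process": {"name": "sshd", "pid": int(m["pid"])},
        "user": {"name": m["user"]},
        "source": {"ip": ip, "port": int(m["port"])},
        # related.* lets a single search find the ip or user across all field roles.
        "related": {"ip": [ip], "user": [m["user"]]},
    }


if __name__ == "__main__":
    import json
    for raw in (FAILED_LINE, ACCEPTED_LINE, "kernel: nothing to do with ssh"):
        print(json.dumps(to_ecs(raw, year=2024), indent=2))
```

The fields chosen are the ones Elastic Security's prebuilt detection rules and the Hosts and Users pages key on (event.category, event.outcome, user.name, source.ip, host.name); a collector that emits only the vendor's native field names will index fine but will not populate those views.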
For information on how to perform cross-cluster searches on Elastic Security indices, see: