[Security Solution] Include namespace of source indices in index patterns of prebuilt rules #183616
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.
👋 @jameswiggins Thanks for opening the issue. It sounds like you would like to update the index for prebuilt rules in the UI. Is that correct? This may be an issue better tracked by the team that manages the detection engine if this is the case. Based on your description, there are no changes that need to be made to this repo. Is that correct?
Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Hey @jameswiggins, thank you for your suggestions, that all makes sense. I moved it to the kibana repo where we track UX-related work.
Yes, we will make this and other fields editable. We're working on adding support for customizing prebuilt rules: #174168.
We will consider this option as well 👍
FYI @approksiu @jpdjere I added it to #179907.
This feature request is related to a problem:
I need to deploy these detection rules, but I am utilizing multiple Kibana spaces and each space corresponds to a specific namespace in my index naming scheme. The index patterns in each rule are too broad for me to use. For example, the rules related to Windows query the winlogbeat-* index pattern. I need to include a namespace in the index pattern like this: winlogbeat-production-*.
Here is the solution I would like:
I would like a way to include a user-defined namespace in the index patterns.
When installing the rules, I would like to be prompted for a value for a namespace and have that value injected into the index patterns for each rule. If that value is left empty, then the rules are deployed as is, e.g. winlogbeat-*.
Alternative solutions I have considered:
Currently I cannot edit the index patterns for pre-built rules in Kibana. Could that field be made editable without breaking the connection / ability to update the rule? I do not want to duplicate the rule and lose the connection to updates from this repository!
This FR may be a duplicate of this one: elastic/detection-rules#1917, but I am creating this one to create some more information about the request and hopefully get some more traction on the topic. I feel like if Elastic allows you to create indices with namespaces then these Elastic Detection Rules should account for that!!
Thank you for considering this Feature Request!!
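The transformation the issue asks for (inject a namespace into each prebuilt rule's index patterns, leave the rule untouched when the namespace is empty), written out as an added example. This is not code from Kibana or from the detection-rules repository; it is a stand-alone illustration. It assumes a rule is available as a dict with an `index` list (as in the rule TOML/JSON), and it assumes the `<prefix>-*` naming shape from the issue (`winlogbeat-*` becomes `winlogbeat-production-*`). Patterns of another shape are reported rather than guessed at, and the namespace is validated so that a value containing a wildcard cannot silently widen a rule's scope instead of narrowing it.

```python
import re
from copy import deepcopy

# Elasticsearch index names must be lowercase and may not contain characters
# such as '*', '?', '"', '<', '>', '|', ',', '/', '\\', ' ' or ':'. A namespace
# with '*' or '?' in it would turn "narrow this rule" into "widen this rule",
# so the value is checked before it is spliced into any pattern.
_NAMESPACE_RE = re.compile(r"[a-z0-9][a-z0-9_+.-]*")


def is_valid_namespace(namespace: str) -> bool:
    """True if `namespace` is safe to embed in an index pattern."""
    return bool(_NAMESPACE_RE.fullmatch(namespace))


def namespace_index_pattern(pattern: str, namespace: str) -> tuple[str, bool]:
    """Return (new_pattern, changed).

    Empty namespace: the pattern is returned as is, matching the issue's
    "deployed as is" behaviour. Only patterns ending in '-*' are rewritten;
    anything else (e.g. 'logs-windows.*') is left alone and flagged so the
    operator can decide instead of the tool inventing a layout.
    """
    if not namespace:
        return pattern, False
    if not is_valid_namespace(namespace):
        raise ValueError(f"invalid namespace for an index pattern: {namespace!r}")
    if pattern.endswith("-*"):
        return f"{pattern[:-2]}-{namespace}-*", True
    return pattern, False


def namespace_rule(rule: dict, namespace: str) -> tuple[dict, list[str]]:
    """Return a copy of `rule` with namespaced index patterns plus the list
    of patterns that were left unchanged because their shape is unknown."""
    new_rule = deepcopy(rule)  # never mutate the caller's (prebuilt) rule
    skipped: list[str] = []
    new_index: list[str] = []
    for pattern in rule.get("index", []):
        new_pattern, changed = namespace_index_pattern(pattern, namespace)
        new_index.append(new_pattern)
        if namespace and not changed:
            skipped.append(pattern)
    new_rule["index"] = new_index
    return new_rule, skipped


# Constructed sample rule for illustration; not one of the real prebuilt rules.
SAMPLE_RULE = {
    "name": "Example Windows process rule (constructed)",
    "index": ["winlogbeat-*", "logs-windows.*", "endgame-*"],
    "query": "event.category:process and event.type:start",
}


if __name__ == "__main__":
    rule, skipped = namespace_rule(SAMPLE_RULE, "production")
    print(rule["index"])   # ['winlogbeat-production-*', 'logs-windows.*', 'endgame-production-*']
    print("needs manual review:", skipped)
```

The `skipped` list is the part worth keeping in any real tooling: a rule that silently keeps one broad pattern next to its namespaced siblings still reads data from every namespace, which is exactly the cross-space leakage the namespace was meant to prevent.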