
[Security Solution] Discussion - Security Profile experience for security users in One Discover #189897

Open
logeekal opened this issue Aug 5, 2024 · 3 comments

Comments

@logeekal
Contributor

logeekal commented Aug 5, 2024

Summary

Currently, One Discover does not give Security Solution a way to know whether a user is a security user or not. This might result in the issues below:

Profile Conflict

Security wants to give users a "Security Experience" for all the events irrespective of where that event originated. For example, that event could be a log event or an event from any of the beats.

For simplicity, if we assume it is a log event, then it is difficult for One Discover to know which profile should take precedence because that event is relevant to both Security and O11y.

Data Source Profile Resolution

Since Security does not have any particular index it wants to look at (in addition to .alerts-security*), Security users can create their own custom data views and may look at any index they want.

Because of this, it is not straightforward to create any kind of heuristics to determine whether the security profile should be activated.

Possible Solutions

  1. Allow users to explicitly select the experience?
  2. Discover should open in the subpath of an app such as /app/security/discover... or /app/o11y/discover...
@botelastic botelastic bot added the needs-team Issues missing a team label label Aug 5, 2024
@logeekal logeekal changed the title [One Discover] - Security Profile experience for security users in One Discover [One Discover] - Discussion - Security Profile experience for security users in One Discover Aug 5, 2024
@logeekal logeekal changed the title [One Discover] - Discussion - Security Profile experience for security users in One Discover [One Discover] Discussion - Security Profile experience for security users in One Discover Aug 5, 2024
@logeekal logeekal added the Team:Threat Hunting:Investigations Security Solution Investigations Team label Aug 5, 2024
@elasticmachine
Contributor

Pinging @elastic/security-threat-hunting-investigations (Team:Threat Hunting:Investigations)

@botelastic botelastic bot removed the needs-team Issues missing a team label label Aug 5, 2024
@logeekal logeekal added this to the 8.16 milestone Aug 5, 2024
@ninoslavmiskovic
Contributor

@logeekal - We are tracking a contextual data presentation for Security users as part of the One Discover Program, so let's bring this to the sync. I will watch the recordings if they have already been shared while I was on PTO.

@logeekal
Contributor Author

logeekal commented Aug 6, 2024

Thanks @ninoslavmiskovic for taking a look. It was not shared while you were away and that is why I added this point in this week's agenda just to get discussions started. @michaelolo24 will be talking about it as I have a vacation in Germany on Thursday.

@logeekal logeekal changed the title [One Discover] Discussion - Security Profile experience for security users in One Discover [Security Solution] Discussion - Security Profile experience for security users in One Discover Oct 17, 2024
@PhilippeOberti PhilippeOberti modified the milestones: 8.16, 8.17 Oct 29, 2024