Skip to content

[Internal]: Document Elastic Defend support for CCS and remote output #7220

Description

@roxana-gheorghe

Description

What: We are introducing support for Cross Cluster Search (based on remote output)
When: This will be available starting with 9.5.
Why: Cross Cluster Search (CCS) enables a Central SOC model where a single origin cluster runs all Security workflows — detection, triage, and investigation — while event data resides on linked clusters owned by different teams, regions, or business units.

Resources

Dev issues:

Which deployment methods does this change impact?

Elastic On-Prem and Cloud (all)

Feature differences

No response

What Elastic Stack release is this request related to?

9.5

Serverless release

No response

Collaboration model

The documentation team will create the first draft

Point of contact.

Main contact: @roxana-gheorghe @dasansol92


Elastic Docs AI Scoping 🤖

Docs issue scope

Summary

The issue requests first-draft documentation for Elastic Defend's new CCS (Cross Cluster Search) support via Fleet remote ES output, targeting Elastic 9.5 on stateful deployments only. The linked code changes confirm this: kibana#271559 adds a new defendRemoteOutputCcs experimental feature flag (off by default) that prefixes endpoint index patterns with *: so the managing cluster's Security Solution can read endpoint data written to a remote cluster. Supporting PRs — elasticsearch#152211 (grants fleet-server-remote write to Defend indices), endpoint-package#747 (adds cross-cluster source to metadata_united transform), and kibana#275649 (serverless-only install fix) — are already merged. The main kibana PR is still open as of this analysis.

Request accuracy

Accurate — the issue premise aligns with the linked code changes.

Next action for author

Enable the defendRemoteOutputCcs flag documentation in configure-advanced-settings.md, update the explicit "not supported" limitation in remote-elasticsearch-output.md, and create a new how-to page in configure-elastic-defend/ covering the end-to-end CCS setup.

Impact: High

Scope boundary

Response actions pages (endpoint-response-actions.md, response-actions-history.md, isolate-host.md, script-library.md) do not need content changes — the CCS behavior is transparent once the feature flag is enabled. Detection rules CCS, entity store, and cross-project search docs are also out of scope.

Recommended documentation targets

Page URL Action Impact Confidence Why this page?
Remote Elasticsearch output (Fleet) https://www.elastic.co/docs/reference/fleet/remote-elasticsearch-output Update existing page High High Contains an explicit "not currently supported" limitation for Elastic Defend (line 34) that must be versioned or removed for 9.5. The existing "Set up CCS to query remote data" section also needs Elastic Defend added as a use case.
Configure advanced settings (Security) https://www.elastic.co/docs/solutions/security/get-started/configure-advanced-settings Add section to existing page High High Existing page documents all security experimental/advanced settings. Needs a new section for the defendRemoteOutputCcs flag with {applies_to: stack: preview 9.5} and a note that serverless is not supported.
Configure Elastic Defend section https://www.elastic.co/docs/solutions/security/configure-elastic-defend Create new page High Medium No existing how-to covers this multi-step CCS setup for Elastic Defend. A new sibling page (e.g. configure-elastic-defend-with-remote-output-and-ccs.md) fits the section's how-to pattern alongside pages like configure-offline-endpoints-air-gapped-environments.md.
Elastic Security release notes https://www.elastic.co/docs/release-notes/elastic-security Update existing page High High New user-facing feature needs a 9.5.0 release note entry.
Elastic Security requirements https://www.elastic.co/docs/solutions/security/get-started/elastic-security-requirements Review only Low Low Existing CCS section may need a brief note about privilege requirements for the Defend endpoint indices (.logs-endpoint.action.responses-*, .logs-endpoint.diagnostic.collection-*), but only if the setup requires manual role configuration by the user.

Recommendations

  1. Update remote-elasticsearch-output.md to remove or version-gate the limitation bullet "Using {{elastic-defend}} when a remote {{es}} output is configured for an {{agent}} is not currently supported" (e.g., add {applies_to: stack: removed 9.5} or replace with a note pointing to the new setup page). Also expand the existing "Set up CCS to query remote data" section to mention Elastic Defend as a use case alongside Osquery.

  2. Add a section to configure-advanced-settings.md documenting the defendRemoteOutputCcs experimental flag, following the same format used for other preview settings on that page (e.g., Enable asset inventory, Enable alerts and attacks alignment). Mark it {applies_to: stack: preview 9.5} and note it is not available on serverless.

  3. Create a new how-to page in solutions/security/configure-elastic-defend/ (e.g., use-elastic-defend-with-remote-output-and-ccs.md) covering: prerequisites (Fleet remote ES output configured + CCS configured + 9.5+), how to enable the defendRemoteOutputCcs flag, which Security surfaces become CCS-aware (endpoints list, host details, response actions, policy responses, workflow insights, suggestions), and limitations (stateful only, not serverless). Add an entry for this page to configure-elastic-defend.md "Where to start" table. Cross-link from the detection rules CCS page (cross-cluster-search-detection-rules.md).

  4. Add a 9.5.0 release note to release-notes/elastic-security/index.md for the new CCS support under Elastic Defend.

Notes

  • The new page in configure-elastic-defend/ is a how-to (multi-step task), consistent with the other task-oriented pages in that section. Do not mix it into the remote-elasticsearch-output.md Fleet reference page — the audience and framing differ (Fleet admin vs. Security admin).
  • The defendRemoteOutputCcs flag controls all CCS-aware prefixing; no individual surface pages need separate mentions.
  • All new content should be marked {applies_to: stack: preview 9.5} (or ga if GA by publish time) and should explicitly state serverless is not supported.
  • The main kibana PR (#271559) was still open at analysis time; confirm merge before publishing docs.

Generated by Issue Scope Analyzer for issue #7220 · 164.8 AIC · ⌖ 10.2 AIC · ⊞ 8.8K ·

Metadata

Metadata

Labels

Team:SKIIssues owned by the SKI Docs Team

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions