Description
What: We are introducing support for Cross Cluster Search (based on remote output)
When: This will be available starting with 9.5.
Why: Cross Cluster Search (CCS) enables a Central SOC model where a single origin cluster runs all Security workflows — detection, triage, and investigation — while event data resides on linked clusters owned by different teams, regions, or business units.
Resources
Dev issues:
Which deployment methods does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
No response
What Elastic Stack release is this request related to?
9.5
Serverless release
No response
Collaboration model
The documentation team will create the first draft
Point of contact.
Main contact: @roxana-gheorghe @dasansol92
Elastic Docs AI Scoping 🤖
Docs issue scope
Summary
The issue requests first-draft documentation for Elastic Defend's new CCS (Cross Cluster Search) support via Fleet remote ES output, targeting Elastic 9.5 on stateful deployments only. The linked code changes confirm this: kibana#271559 adds a new defendRemoteOutputCcs experimental feature flag (off by default) that prefixes endpoint index patterns with *: so the managing cluster's Security Solution can read endpoint data written to a remote cluster. Supporting PRs — elasticsearch#152211 (grants fleet-server-remote write to Defend indices), endpoint-package#747 (adds cross-cluster source to metadata_united transform), and kibana#275649 (serverless-only install fix) — are already merged. The main kibana PR is still open as of this analysis.
Request accuracy
Accurate — the issue premise aligns with the linked code changes.
Next action for author
Enable the defendRemoteOutputCcs flag documentation in configure-advanced-settings.md, update the explicit "not supported" limitation in remote-elasticsearch-output.md, and create a new how-to page in configure-elastic-defend/ covering the end-to-end CCS setup.
Impact: High
Scope boundary
Response actions pages (endpoint-response-actions.md, response-actions-history.md, isolate-host.md, script-library.md) do not need content changes — the CCS behavior is transparent once the feature flag is enabled. Detection rules CCS, entity store, and cross-project search docs are also out of scope.
Recommended documentation targets
Recommendations
-
Update remote-elasticsearch-output.md to remove or version-gate the limitation bullet "Using {{elastic-defend}} when a remote {{es}} output is configured for an {{agent}} is not currently supported" (e.g., add {applies_to: stack: removed 9.5} or replace with a note pointing to the new setup page). Also expand the existing "Set up CCS to query remote data" section to mention Elastic Defend as a use case alongside Osquery.
-
Add a section to configure-advanced-settings.md documenting the defendRemoteOutputCcs experimental flag, following the same format used for other preview settings on that page (e.g., Enable asset inventory, Enable alerts and attacks alignment). Mark it {applies_to: stack: preview 9.5} and note it is not available on serverless.
-
Create a new how-to page in solutions/security/configure-elastic-defend/ (e.g., use-elastic-defend-with-remote-output-and-ccs.md) covering: prerequisites (Fleet remote ES output configured + CCS configured + 9.5+), how to enable the defendRemoteOutputCcs flag, which Security surfaces become CCS-aware (endpoints list, host details, response actions, policy responses, workflow insights, suggestions), and limitations (stateful only, not serverless). Add an entry for this page to configure-elastic-defend.md "Where to start" table. Cross-link from the detection rules CCS page (cross-cluster-search-detection-rules.md).
-
Add a 9.5.0 release note to release-notes/elastic-security/index.md for the new CCS support under Elastic Defend.
Notes
- The new page in
configure-elastic-defend/ is a how-to (multi-step task), consistent with the other task-oriented pages in that section. Do not mix it into the remote-elasticsearch-output.md Fleet reference page — the audience and framing differ (Fleet admin vs. Security admin).
- The
defendRemoteOutputCcs flag controls all CCS-aware prefixing; no individual surface pages need separate mentions.
- All new content should be marked
{applies_to: stack: preview 9.5} (or ga if GA by publish time) and should explicitly state serverless is not supported.
- The main kibana PR (#271559) was still open at analysis time; confirm merge before publishing docs.
Generated by Issue Scope Analyzer for issue #7220 · 164.8 AIC · ⌖ 10.2 AIC · ⊞ 8.8K · ◷
Description
What: We are introducing support for Cross Cluster Search (based on remote output)
When: This will be available starting with 9.5.
Why: Cross Cluster Search (CCS) enables a Central SOC model where a single origin cluster runs all Security workflows — detection, triage, and investigation — while event data resides on linked clusters owned by different teams, regions, or business units.
Resources
Dev issues:
Which deployment methods does this change impact?
Elastic On-Prem and Cloud (all)
Feature differences
No response
What Elastic Stack release is this request related to?
9.5
Serverless release
No response
Collaboration model
The documentation team will create the first draft
Point of contact.
Main contact: @roxana-gheorghe @dasansol92
Elastic Docs AI Scoping 🤖
Docs issue scope
Summary
The issue requests first-draft documentation for Elastic Defend's new CCS (Cross Cluster Search) support via Fleet remote ES output, targeting Elastic 9.5 on stateful deployments only. The linked code changes confirm this: kibana#271559 adds a new
defendRemoteOutputCcsexperimental feature flag (off by default) that prefixes endpoint index patterns with*:so the managing cluster's Security Solution can read endpoint data written to a remote cluster. Supporting PRs — elasticsearch#152211 (grants fleet-server-remote write to Defend indices), endpoint-package#747 (adds cross-cluster source tometadata_unitedtransform), and kibana#275649 (serverless-only install fix) — are already merged. The main kibana PR is still open as of this analysis.Request accuracy
Accurate — the issue premise aligns with the linked code changes.
Next action for author
Enable the
defendRemoteOutputCcsflag documentation inconfigure-advanced-settings.md, update the explicit "not supported" limitation inremote-elasticsearch-output.md, and create a new how-to page inconfigure-elastic-defend/covering the end-to-end CCS setup.Impact: High
Scope boundary
Response actions pages (
endpoint-response-actions.md,response-actions-history.md,isolate-host.md,script-library.md) do not need content changes — the CCS behavior is transparent once the feature flag is enabled. Detection rules CCS, entity store, and cross-project search docs are also out of scope.Recommended documentation targets
defendRemoteOutputCcsflag with{applies_to: stack: preview 9.5}and a note that serverless is not supported.configure-elastic-defend-with-remote-output-and-ccs.md) fits the section's how-to pattern alongside pages likeconfigure-offline-endpoints-air-gapped-environments.md..logs-endpoint.action.responses-*,.logs-endpoint.diagnostic.collection-*), but only if the setup requires manual role configuration by the user.Recommendations
Update
remote-elasticsearch-output.mdto remove or version-gate the limitation bullet "Using {{elastic-defend}} when a remote {{es}} output is configured for an {{agent}} is not currently supported" (e.g., add{applies_to: stack: removed 9.5}or replace with a note pointing to the new setup page). Also expand the existing "Set up CCS to query remote data" section to mention Elastic Defend as a use case alongside Osquery.Add a section to
configure-advanced-settings.mddocumenting thedefendRemoteOutputCcsexperimental flag, following the same format used for other preview settings on that page (e.g., Enable asset inventory, Enable alerts and attacks alignment). Mark it{applies_to: stack: preview 9.5}and note it is not available on serverless.Create a new how-to page in
solutions/security/configure-elastic-defend/(e.g.,use-elastic-defend-with-remote-output-and-ccs.md) covering: prerequisites (Fleet remote ES output configured + CCS configured + 9.5+), how to enable thedefendRemoteOutputCcsflag, which Security surfaces become CCS-aware (endpoints list, host details, response actions, policy responses, workflow insights, suggestions), and limitations (stateful only, not serverless). Add an entry for this page toconfigure-elastic-defend.md"Where to start" table. Cross-link from the detection rules CCS page (cross-cluster-search-detection-rules.md).Add a 9.5.0 release note to
release-notes/elastic-security/index.mdfor the new CCS support under Elastic Defend.Notes
configure-elastic-defend/is a how-to (multi-step task), consistent with the other task-oriented pages in that section. Do not mix it into theremote-elasticsearch-output.mdFleet reference page — the audience and framing differ (Fleet admin vs. Security admin).defendRemoteOutputCcsflag controls all CCS-aware prefixing; no individual surface pages need separate mentions.{applies_to: stack: preview 9.5}(orgaif GA by publish time) and should explicitly state serverless is not supported.