Have you tried to synchronize users from |
Yes
Yes, I confirm that the case updates even when we receive an error. So what permission should we add to the analyst role in order not to receive this error any more? Thanks
Version
2.4.40
Installation Method
Network installation on Ubuntu
Description
configuration
Installation Type
Distributed
Location
other (please provide detail below)
Hardware Specs
other (please provide detail below)
CPU
6
RAM
16
Storage for /
200
Storage for /nsm
200
Network Traffic Collection
other (please provide detail below)
Network Traffic Speeds
Less than 1Gbps
Status
Yes, all services on all nodes are running OK
Salt Status
No, there are no failures
Logs
Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail
Hello, we've encountered 400 error codes during event escalation to cases for users with the analyst role. This problem is not permanent, and sometimes the SOC console signals to the user that the event is already attached to a case and the event doesn't become acknowledged. When we assign the superuser role, the problem no longer repeats.
Here is the error in /opt/so/log/sensoroni-server.log:
{"fields":{"error":"ERROR_CASE_EVENT_ALREADY_ATTACHED","requestId":"86eab86b-4c23-4018-9d42-12da80e814a4","requestor":{"id":"6c6c2dc4-2efd-45cc-aa06-72b0f24f07df","createTime":"2024-02-19T08:16:32.579487416Z","updateTime":"0001-01-01T00:00:00Z","email":"XXXXXXXXXX","firstName":"XXX","lastName":"XXXXX","totpStatus":"disabled","oidcStatus":"disabled","webauthnStatus":"enabled","note":"SO watchguard","roles":null,"status":"","searchUsername":"","password":"","passwordChanged":false}},"level":"warn","timestamp":"2024-02-19T08:16:33.279592599Z","message":"Request did not complete successfully"}
{"fields":{"clientHost":"https://socloud:9200/","error":": -\u003e {\n "took" : 138,\n "timed_out" : false,\n "total" : 1,\n "updated" : 0,\n "deleted" : 0,\n "batches" : 1,\n "version_conflicts" : 0,\n "noops" : 0,\n "retries" : {\n "bulk" : 0,\n "search" : 0\n },\n "throttled_millis" : 0,\n "requests_per_second" : -1.0,\n "throttled_until_millis" : 0,\n "failures" : [\n {\n "index" : ".ds-logs-ossec-so-2024.02.17-000016",\n "id" : "3z_puo0BmUK_SRtrjsrC",\n "cause" : {\n "type" : "security_exception",\n "reason" : "action [indices:admin/mapping/auto_put] is unauthorized for user [so_elastic] run as [XXXXXXXXXX] with effective roles [analyst], this action is granted by the index privileges [auto_configure,manage,write,all]"\n },\n "status" : 403\n }\n ]\n}\n"},"level":"error","timestamp":"2024-02-19T08:16:39.295835956Z","message":"Encountered error while updating elasticsearch"}
{"fields":{"error":": -\u003e {\n "took" : 138,\n "timed_out" : false,\n "total" : 1,\n "updated" : 0,\n "deleted" : 0,\n "batches" : 1,\n "version_conflicts" : 0,\n "noops" : 0,\n "retries" : {\n "bulk" : 0,\n "search" : 0\n },\n "throttled_millis" : 0,\n "requests_per_second" : -1.0,\n "throttled_until_millis" : 0,\n "failures" : [\n {\n "index" : ".ds-logs-ossec-so-2024.02.17-000016",\n "id" : "3z_puo0BmUK_SRtrjsrC",\n "cause" : {\n "type" : "security_exception",\n "reason" : "action [indices:admin/mapping/auto_put] is unauthorized for user [so_elastic] run as [XXXXXXXXXX] with effective roles [analyst], this action is granted by the index privileges [auto_configure,manage,write,all]"\n },\n "status" : 403\n }\n ]\n}\n","requestId":"f4a17d10-1260-4308-a1cc-bdd8dcde9f71","requestor":{"id":"6c6c2dc4-2efd-45cc-aa06-72b0f24f07df","createTime":"2024-02-19T08:16:39.154091295Z","updateTime":"0001-01-01T00:00:00Z","email":"XXXXXXXXXX","firstName":"XXX","lastName":"XXXXX","totpStatus":"disabled","oidcStatus":"disabled","webauthnStatus":"enabled","note":"SO watchguard","roles":null,"status":"","searchUsername":"","password":"","passwordChanged":false}},"level":"warn","timestamp":"2024-02-19T08:16:39.29590585Z","message":"Request did not complete successfully"}
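To triage denials like the ones in the log excerpt above, this added example (not part of the original post or of the project's code) extracts the denied action, run-as user, effective roles and target data stream from `security_exception` entries. The sample lines are constructed from the excerpt; the function names and the `analyst1` user name are assumptions.

```python
import json
import re
from collections import Counter

# Wording of the Elasticsearch security_exception reason quoted in the post.
REASON_RE = re.compile(
    r"action \[(?P<action>[^\]]+)\] is unauthorized for user \[(?P<user>[^\]]+)\]"
    r" run as \[(?P<run_as>[^\]]+)\] with effective roles \[(?P<roles>[^\]]+)\],"
    r" this action is granted by the index privileges \[(?P<granted_by>[^\]]+)\]")
INDEX_RE = re.compile(r'\\?"index\\?"\s*:\s*\\?"(?P<index>[^"\\]+)')
# Data stream backing indices are named .ds-<stream>-<yyyy.MM.dd>-<generation>.
BACKING_RE = re.compile(r"^\.ds-(?P<stream>.+)-\d{4}\.\d{2}\.\d{2}-\d+$")

def parse_denials(lines):
    """Yield one dict per log line that carries a security_exception."""
    for line in lines:
        try:
            text = str(json.loads(line)["fields"].get("error", ""))
        except (ValueError, KeyError, TypeError, AttributeError):
            text = line  # copy-damaged or non-JSON line: search the raw text
        reason = REASON_RE.search(text)
        if not reason:
            continue
        hit = reason.groupdict()
        hit["roles"] = [r.strip() for r in hit["roles"].split(",")]
        hit["granted_by"] = [p.strip() for p in hit["granted_by"].split(",")]
        index = INDEX_RE.search(text)
        backing = BACKING_RE.match(index.group("index")) if index else None
        hit["index"] = index.group("index") if index else None
        hit["data_stream"] = backing.group("stream") if backing else hit["index"]
        yield hit

def summarize(lines):
    """Count denials per (roles, action, data stream)."""
    return Counter((tuple(h["roles"]), h["action"], h["data_stream"])
                   for h in parse_denials(lines))

# Constructed sample modelled on the lines in the post; the run-as name is a placeholder.
_ES_ERROR = (
    ': -> {\n "failures" : [\n {\n "index" : ".ds-logs-ossec-so-2024.02.17-000016",\n'
    ' "cause" : {\n "type" : "security_exception",\n "reason" : "action [indices:admin/'
    'mapping/auto_put] is unauthorized for user [so_elastic] run as [analyst1] with effective'
    ' roles [analyst], this action is granted by the index privileges [auto_configure,manage,'
    'write,all]"\n },\n "status" : 403\n }\n ]\n}\n')
SAMPLE = [
    json.dumps({"fields": {"error": "ERROR_CASE_EVENT_ALREADY_ATTACHED"}, "level": "warn"}),
    json.dumps({"fields": {"error": _ES_ERROR}, "level": "error"}),
]
```

Calling `summarize()` on the lines of the server log groups the denials by role, action and data stream, which shows which index privilege the role is missing and on which data stream.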