Problem with access SIEM Rules actions tab

[rockowwc]

Running SO and everything appears to be working except when I try to setup new detection rules in Kabana Security. Every time I go to the action tab I get an error about not having read access to the plug in.
Anyone aware of how to correct this?

[rockowwc]

I have done a fresh install using the latest IOS and the error is still occurring.

[defensivedepth]

This has not been tested, as the recommendation is to use Security Onion's builtin Detections. Is there something in particular you need from the Kibana detections that is not possible in Security Onion?

It sounds like the user you are logged into Elastic as may not have the needed permissions.

[rockowwc]

Just wondering how it affects any build in rules that come with elastic integration as we plan to use a number of them.
Will i need to go through and make a large number of specific Sigma rules for each integration?

[defensivedepth]

As I said, the builtin Elastic Security Rules have not been tested within the context of Security Onion, so I am not sure if they will work as expected. The error you are getting sounds like it is more about the elastic user you are logged in as - I would make sure it has the permissions it needs.

I am seeing roughly 11 integrations that have Elastic rules: https://github.com/elastic/detection-rules/tree/main/rules/integrations

There are certainly some overlap with the SigmaHQ rules that Security Onion loads by default; Also certain that there will be some areas that the Elastic rules cover for a particular integration that is not covered by the SigmaHQ ruleset - in that case yes, writing or importing some Sigma rules would be necessary.