[Detections RBAC] Update references to detections RBAC #3874
Thanks so much for this Yara! I'm going to make a few small edits, and I'll hold off on approving because I think another security writer should take a look first
solutions/security/dashboards/detection-rule-monitoring-dashboard.md
@yctercero I believe
Thanks for opening this, @yctercero! This is a great starting point for updating the docs that explain the required Kibana privs that roles must have to use certain Security features. I'm planning to make some organizational improvements to the "Detections requirements" page for 9.3, so I may need to open a new PR to re-add the changes you made in this PR if my changes introduce too many gnarly conflicts.
However, before I move forward with the organizational changes, I do want to understand the schedule for the phases that you outlined here. I'll drop my questions in the #security-detections-response-rbac channel so we can discuss there.
| To access this dashboard and its data, you must have: | ||
|
|
||
| * At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard** and **Security > Security** {{kib}} features. | ||
| * {applies_to}`serverless: ` The `Security > Rules: All` privilege. |
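Review bot: the added serverless bullet requires `Security > Rules: All` while the stack bullet directly above it asks for "At least `Read`"; viewing a dashboard should not require a privilege that also grants creating and editing rules. Suggest aligning the serverless line with the stack one, e.g. "At least the `Security > Rules: Read` privilege", unless the dashboard genuinely needs write access.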
@yctercero should this be at least Read instead of All?
| * {applies_to}`serverless: ` The `Security > Rules: All` privilege. | |
| * {applies_to}`serverless: ` At least the `Security > Rules: Read` privilege. |
Updated RBAC privileges for Attack Discovery to specify minimum requirements.
nastasha-solomon left a comment
@yctercero left some additional edits and questions. 🙇🏼♀️
| You need the `Attack Discovery: All` privileges to use Attack Discovery. | ||
|
|
||
|  | ||
| {applies_to}`serverless: ` You need the `Rules: Read` privilege at a minimum to use Attack Discovery. |
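Review bot: the removed line was the only statement of the `Attack Discovery: All` requirement, and the replacement bullet is tagged `{applies_to}serverless` only, so stack readers are left with no stated privilege for Attack Discovery at all. Suggest keeping an `Attack Discovery: All` line (tagged for stack if that is the intent) alongside the serverless `Rules: Read` line, and stating explicitly whether serverless users need both.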
@yctercero in Serverless, will users need the Attack Discovery: All privilege and the Rules: Read privilege to use Attack Discovery? Or do they only need the Rules: Read privilege? The updated screenshot (security-attck-disc-rbac.png) makes me think both, but I don't want to assume.
|
|
||
| ### Custom role privileges [security-detections-requirements-custom-role-privileges] | ||
| The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). | ||
| The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). |
| The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). | |
| ```yaml {applies_to} | |
| stack: ga | |
| serverless: ga |
| | Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature | | ||
| | Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature | | ||
|
|
||
| ### Predefined roles [ers_roles] |
Making the title and anchor a bit more descriptive so they're easier to understand.
| ### Predefined roles [ers_roles] | |
| ### Predefined {{serverless-full}} roles [predefined-serverless-roles-detections] |
|
|
||
| ### Predefined roles [ers_roles] | ||
| ```yaml {applies_to} | ||
| serverless: all |
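Review bot: the suggested heading rename changes the anchor from `[ers_roles]` to `[predefined-serverless-roles-detections]`, which silently breaks any existing link or redirect that targets `#ers_roles`. Suggest searching the docs for inbound references to the old anchor and either updating them in this PR or keeping the old anchor id alongside the new heading text.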
| serverless: all | |
| serverless: ga |
| serverless: all | ||
| ``` | ||
|
|
||
| | Action | Predefined role | |
Adding a brief explanation of the table's purpose.
| | Action | Predefined role | | |
| You can use following [predefined roles](/deploy-manage/users-roles/cloud-organization/user-roles.md#general-assign-user-roles-table) in {{serverless-short}} projects to access the Detections feature, including rules, alerts, and exceptions. | |
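Review bot: the added sentence is missing an article: "You can use following [predefined roles]" should read "You can use the following [predefined roles]".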
@yctercero at some point, it could be helpful for users to know which built-in ESS roles allow them to access detection rules.
| | Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `Read` for the `Security` feature<br><br>{applies_to}`serverless: ` `Read` for the `Rules` feature<br><br>**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. | | ||
| | Manage exceptions | N/A | N/A | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature | | ||
| | Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | {applies_to}`stack: ` `All` for the `Security` and `Saved Objects Management` features<br><br>{applies_to}`serverless: ` `All` for the `Rules` and `Saved Objects Management` features | | ||
| | Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature | |
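Review bot: in the "Manage alerts" row the closing note has a typo, "at least the `Read` for th `Rules` feature" should be "the `Rules` feature", and the same row carries a **NOTE** about assigning users to a case, which belongs with the cases row rather than under alert index privileges. Also consider spelling out "ES privileges" as {{es}} privileges for consistency with the {{kib}} variable used elsewhere in the table.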
Are timelines, notes, and cases considered a part of the "detections" feature set now? I'm just trying to understand why they've been added to this table.
| | Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | {applies_to}`stack: ` `All` for the `Security` and `Saved Objects Management` features<br><br>{applies_to}`serverless: ` `All` for the `Rules` and `Saved Objects Management` features | | ||
| | Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature | | ||
| | Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature | | ||
| | Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature | |
If we end up keeping this in the table, will need to link to the more details docs about case feature access at: https://www.elastic.co/docs/solutions/security/investigate/cases-requirements
| ## Grant access to notes [notes-privileges] | ||
|
|
||
| You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. | ||
| You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). |
| You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). | |
| You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. | |
| ::::{note} | |
| Refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md) to learn about other available SIEM features and how to give your role access to them. | |
| :::: | |
| ## Grant access to Timeline [timeline-privileges] | ||
|
|
||
| You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. | ||
| You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). |
| You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). | |
| You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. | |
| ::::{note} | |
| Refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md) to learn about other available SIEM features and how to give your role access to them. | |
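Review bot: the suggested Timeline block opens a `::::{note}` admonition but, unlike the equivalent Notes suggestion which ends with `| :::: |`, shows no closing `::::` line; confirm the closing fence is present, otherwise the note will swallow whatever content follows it.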
Summary

Related: #3589

In an effort to provide finer grained privileges to our users we have made the initial PR updates to move Rules, Alerts, and Exceptions Kibana privileges out from under `Security > Security` and into its own `Security > Rules`. There will be follow up work done dev side to break out Rules privileges into subfeatures.

Changes made

- `Rules - All`
- `Rules - Read` to view dashboards
- `Rules - *` for `serverless` `stack` where required now
- `Rules - All` for serverless