diff --git a/solutions/images/security-attck-disc-rbac.png b/solutions/images/security-attck-disc-rbac.png index 36a3c27e42..8e32f99eb2 100644 Binary files a/solutions/images/security-attck-disc-rbac.png and b/solutions/images/security-attck-disc-rbac.png differ diff --git a/solutions/security/ai/attack-discovery.md b/solutions/security/ai/attack-discovery.md index 2323b5ae6b..4477c0f1ea 100644 --- a/solutions/security/ai/attack-discovery.md +++ b/solutions/security/ai/attack-discovery.md @@ -22,9 +22,11 @@ For a demo, refer to the following video (click to view). ## Role-based access control (RBAC) for Attack Discovery [attack-discovery-rbac] -You need the `Attack Discovery: All` privilege to use Attack Discovery. +You need the `Attack Discovery: All` privileges to use Attack Discovery. -![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png) +{applies_to}`serverless: ` You need the `Rules: Read` privilege at a minimum to use Attack Discovery. + +![attack-discovery-rbac](/solutions/images/security-attck-disc-rbac.png "=65%") {applies_to}`stack: ga 9.1` Your role must also have the following privileges: diff --git a/solutions/security/dashboards/detection-rule-monitoring-dashboard.md b/solutions/security/dashboards/detection-rule-monitoring-dashboard.md index f3d0c575bb..b15d880567 100644 --- a/solutions/security/dashboards/detection-rule-monitoring-dashboard.md +++ b/solutions/security/dashboards/detection-rule-monitoring-dashboard.md 
@@ -24,6 +24,7 @@ The Detection rule monitoring dashboard provides visualizations to help you moni To access this dashboard and its data, you must have: * At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard** and **Security > Security** {{kib}} features. +* {applies_to}`serverless: ` The `Security > Rules: All` privilege. * At least `read` [index privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges) for the `.kibana-event-log-*` index. :::: diff --git a/solutions/security/detect-and-alert/detections-requirements.md b/solutions/security/detect-and-alert/detections-requirements.md index bf9e2685d1..b12c2f76ca 100644 --- a/solutions/security/detect-and-alert/detections-requirements.md +++ b/solutions/security/detect-and-alert/detections-requirements.md @@ -55,17 +55,33 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j ### Custom role privileges [security-detections-requirements-custom-role-privileges] -The following table describes the required privileges to access the Detections feature, including rules and alerts. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). +The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). | Action | Cluster Privileges | Index Privileges | Kibana Privileges | | --- | --- | --- | --- | -| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature | -| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature | -| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| `All` for the `Security` feature | -| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `All` for the `Security` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| -| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| `Read` for the `Security` feature | -| Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| `All` for the `Security` and `Saved Objects Management` features | +| Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| {applies_to}`stack: ` `All` for the `Security` feature

{applies_to}`serverless: ` `All` for the `Rules` feature | +| Enable detections in all spaces

**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:

- `.alerts-security.alerts-`
- `.siem-signals-` ^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| {applies_to}`stack: ` `All` for the `Security` feature

{applies_to}`serverless: ` `All` for the `Rules` feature | +| Preview rules | N/A | `read` for these indices:

- `.preview.alerts-security.alerts-`
- `.internal.preview.alerts-security.alerts--*`
| {applies_to}`stack: ` `All` for the `Security` feature

{applies_to}`serverless: ` `All` for the `Rules` feature | +| Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| {applies_to}`stack: ` `All` for the `Security` feature

{applies_to}`serverless: ` `All` for the `Rules` feature

**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:

- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.
| +| Manage alerts

**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `` is the space name:

- `.alerts-security.alerts-`
- `.internal.alerts-security.alerts--*`
- `.siem-signals-`^1^
- `.lists-`
- `.items-`

**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.

^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-` AND `.siem-signals-` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-` index.
| {applies_to}`stack: ` `Read` for the `Security` feature

{applies_to}`serverless: ` `Read` for the `Rules` feature

**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. | +| Manage exceptions | N/A | N/A | {applies_to}`stack: ` `All` for the `Security` feature

{applies_to}`serverless: ` `All` for the `Rules` feature | +| Manage value lists.

Create the `.lists` and `.items` data streams in your space

**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `` is the space name:

- `.lists-`
- `.items-`
| {applies_to}`stack: ` `All` for the `Security` and `Saved Objects Management` features

{applies_to}`serverless: ` `All` for the `Rules` and `Saved Objects Management` features | +| Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature | +| Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature | +| Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature | + +### Predefined roles [ers_roles] +```yaml {applies_to} +serverless: all +``` +| Action | Predefined role | +| --- | --- | +| Manage rules | - Threat Intelligence Analyst
- Tier 3 Analyst
- Detections Eng
- SOC Manager
- Endpoint Policy Manager
- Tier 3 Analyst
- Platform Engineer
- Editor | +| Rules read only | - Tier 1 Analyst
- Tier 2 Analyst
- Viewer
- Endpoint Operations Analyst | +| Manage alerts | - All roles except for Viewer | +| Manage exceptions and value lists | - Threat Intelligence Analyst
- Tier 3 Analyst
- Detections Eng
- SOC Manager
- Endpoint Policy Manager
- Tier 3 Analyst
- Platform Engineer
- Editor | +| Exceptions and value lists read only | - Tier 1 Analyst
- Tier 2 Analyst
- Viewer
- Endpoint Operations Analyst | ### Authorization [alerting-auth-model] diff --git a/solutions/security/get-started/automatic-migration.md b/solutions/security/get-started/automatic-migration.md index 05004d7a4a..8d90ab2de0 100644 --- a/solutions/security/get-started/automatic-migration.md +++ b/solutions/security/get-started/automatic-migration.md @@ -18,6 +18,7 @@ You can ingest your data before migrating your assets, or migrate your assets fi ::::{admonition} Requirements * The `SIEM migrations: All` Security sub-feature privilege. +* {applies_to}`serverless: ` The `Rules: All` Security sub-feature privilege. * A working [LLM connector](/solutions/security/ai/set-up-connectors-for-large-language-models-llm.md). * {{stack}} users: an [Enterprise](https://www.elastic.co/pricing) subscription. * {{Stack}} users: {{ml}} must be enabled. diff --git a/solutions/security/investigate/notes.md b/solutions/security/investigate/notes.md index d15979707a..264dabfa6b 100644 --- a/solutions/security/investigate/notes.md +++ b/solutions/security/investigate/notes.md @@ -22,7 +22,7 @@ Incorporate notes into your investigative workflows to coordinate responses, con ## Grant access to notes [notes-privileges] -You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. +You can control access to notes by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Notes** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). ## View and add notes to alerts and events [notes-alerts-events] diff --git a/solutions/security/investigate/timeline.md b/solutions/security/investigate/timeline.md index 95659dcbca..8a5ec6d5a9 100644 
--- a/solutions/security/investigate/timeline.md +++ b/solutions/security/investigate/timeline.md @@ -27,7 +27,7 @@ In addition to Timelines, you can create and attach Timeline templates to [detec ## Grant access to Timeline [timeline-privileges] -You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. +You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). ## Create new or open existing Timeline [open-create-timeline]
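Review bot: In the attack-discovery.md hunk, changing "privilege" to "privileges" on the `Attack Discovery: All` line introduces a grammatical error, since a single named privilege is meant; keep the singular. The added `{applies_to}`serverless: `` sentence should also say that `Rules: Read` is required in addition to `Attack Discovery: All` (for example "On serverless you also need at least the `Rules: Read` privilege"), because as written the two consecutive "You need ..." sentences read as alternatives rather than as a combined requirement.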
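Review bot: In the detection-rule-monitoring-dashboard.md hunk, the new serverless bullet requires `Security > Rules: All` for a page that only describes viewing a dashboard, while the neighbouring bullets ask for `Read` {{kib}} privileges and `read` index privileges; please confirm `All` is genuinely needed for read-only dashboard access, and if not, document the minimal level, since readers copy these requirement lists directly into role definitions.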
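Review bot: In the detections-requirements.md hunk, the "Manage alerts" row now carries "**NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile." inside the index-privileges cell, but that note is about cases, not alerts, and belongs with the new "Manage [cases]" row. In the same row, "at least the `Read` for th `Rules` feature" has a typo ("th" for "the"), and "Alerts are managed through the ES privileges" should spell out that this refers to the index privileges listed in the previous column. The new "Manage exceptions" row gives N/A for both cluster and index privileges, while the "Manage value lists" row in the same table requires `manage`, `write`, `read`, and `view_index_metadata` on `.lists-` and `.items-`; please confirm that exceptions need no index privileges at all, or align the two rows. Smaller points: the "Manage value lists." cell ends with a period unlike every other Action cell; the predefined-roles table lists "Tier 3 Analyst" twice in both the "Manage rules" and "Manage exceptions and value lists" rows; "Detections Eng" abbreviates a role name that should be spelled out; and "Rules read only" / "Exceptions and value lists read only" should read "read-only". The existing `Action and Connectors` / `Actions and Connectors` inconsistency in the "Manage rules" cell is carried over into the new lines and could be fixed while the cell is being rewritten.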
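Review bot: In the automatic-migration.md hunk, the new bullet uses the `{applies_to}`serverless: `` marker while the adjacent stack-only requirements use a "{{stack}} users:" prefix (and one of them is capitalised as "{{Stack}}"); consider marking the stack-only bullets with `{applies_to}` as well so the requirements list uses one convention, and fix the capitalisation while touching the block.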
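Review bot: In the notes.md hunk, the added sentence links with a root-relative path (`/solutions/security/detect-and-alert/detections-requirements.md`) on the same line as an existing link that uses a relative `../../../` path; pick one link style for the file. The link text "Detections requirements" also does not match the lead-in "SIEM requirements"; "For the full list of Detections privileges, refer to ..." would tie the sentence to the page it points at.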
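Review bot: In the timeline.md hunk, the same link-style mismatch applies: the new root-relative `/solutions/security/detect-and-alert/detections-requirements.md` link sits beside an existing `../../../` relative link, and the sentence is identical to the one added to notes.md, so the two should at least use the same wording and path convention after review.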