[Detections RBAC] Update references to detections RBAC #3874
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -24,6 +24,7 @@ The Detection rule monitoring dashboard provides visualizations to help you moni | |||||
| To access this dashboard and its data, you must have: | ||||||
|
|
||||||
| * At least `Read` [{{kib}} privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md) for both the **Analytics > Dashboard** and **Security > Security** {{kib}} features. | ||||||
| * {applies_to}`serverless: ` The `Security > Rules: All` privilege. | ||||||
|
Contributor
There was a problem hiding this comment. @yctercero should this be at least
Suggested change
Author
|
||||||
| * At least `read` [index privileges](/deploy-manage/users-roles/cluster-or-deployment-auth/kibana-role-management.md#adding_index_privileges) for the `.kibana-event-log-*` index. | ||||||
|
|
||||||
| :::: | ||||||
|
|
||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -55,17 +55,33 @@ For instructions about using {{ml}} jobs and rules, refer to [Machine learning j | |||||||||||
|
|
||||||||||||
|
|
||||||||||||
| ### Custom role privileges [security-detections-requirements-custom-role-privileges] | ||||||||||||
| The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to [Feature access based on user privileges](/deploy-manage/manage-spaces.md#spaces-control-user-access). | ||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
The following table describes the required privileges to access the Detections feature, including rules, alerts, and exceptions. For more information on {{kib}} privileges, refer to Feature access based on user privileges. |
||||||||||||
|
|
||||||||||||
| | Action | Cluster Privileges | Index Privileges | Kibana Privileges | | ||||||||||||
| | --- | --- | --- | --- | | ||||||||||||
| | Enable detections in your space | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature | | ||||||||||||
| | Enable detections in all spaces<br><br>**NOTE**: To turn on detections, visit the Rules and Alerts pages for each space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>` ^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature | | ||||||||||||
| | Preview rules | N/A | `read` for these indices:<br><br>- `.preview.alerts-security.alerts-<space-id>`<br>- `.internal.preview.alerts-security.alerts-<space-id>-*`<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature | | ||||||||||||
| | Manage rules | N/A | `manage`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature<br><br>**NOTE:** You need additional `Action and Connectors` feature privileges (**Management → Action and Connectors**) to manage rules with actions and connectors:<br><br>- To provide full access to rule actions and connectors, give your role `All` privileges. With `Read` privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, `Read` privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.<br>- To import rules with actions, you need at least `Read` privileges for the `Action and Connectors` feature. To overwrite or add new connectors, you need `All` privileges for the `Actions and Connectors` feature. To import rules without actions, you don’t need `Actions and Connectors` privileges.<br> | | ||||||||||||
| | Manage alerts<br><br>**NOTE**: Allows you to manage alerts, but not modify rules. | N/A | `maintenance`, `write`, `read`, and `view_index_metadata` for these system indices and data streams, where `<space-id>` is the space name:<br><br>- `.alerts-security.alerts-<space-id>`<br>- `.internal.alerts-security.alerts-<space-id>-*`<br>- `.siem-signals-<space-id>`^1^<br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br><br> **NOTE**: Before a user can be assigned to a case, they must log into Kibana at least once, which creates a user profile.<br><br>^1^ **NOTE**: If you’re upgrading to {{stack}} 8.0.0 or later, users should have privileges for the `.alerts-security.alerts-<space-id>` AND `.siem-signals-<space-id>` indices. If you’re newly installing the {{stack}}, then users do not need privileges for the `.siem-signals-<space-id>` index.<br> | {applies_to}`stack: ` `Read` for the `Security` feature<br><br>{applies_to}`serverless: ` `Read` for the `Rules` feature<br><br>**NOTE:** Alerts are managed through the ES privileges. To view the alert management flows requires at least the `Read` for th `Rules` feature. | | ||||||||||||
| | Manage exceptions | N/A | N/A | {applies_to}`stack: ` `All` for the `Security` feature<br><br>{applies_to}`serverless: ` `All` for the `Rules` feature | | ||||||||||||
| | Manage value lists.<br><br>Create the `.lists` and `.items` data streams in your space<br><br>**NOTE**: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. | `manage` | `manage`, `write`, `read`, and `view_index_metadata` for these data streams, where `<space-id>` is the space name:<br><br>- `.lists-<space-id>`<br>- `.items-<space-id>`<br> | {applies_to}`stack: ` `All` for the `Security` and `Saved Objects Management` features<br><br>{applies_to}`serverless: ` `All` for the `Rules` and `Saved Objects Management` features | | ||||||||||||
| | Manage [timelines](/solutions/security/investigate/timeline.md) | N/A | N/A | `All` for the `Timelines` feature | | ||||||||||||
|
Contributor
There was a problem hiding this comment. Are timelines, notes, and cases considered a part of the "detections" feature set now? I'm just trying to understand why they've been added to this table. |
||||||||||||
| | Manage [notes](/solutions/security/investigate/notes.md) | N/A | N/A | `All` for the `Notes` feature | | ||||||||||||
| | Manage [cases](/solutions/security/investigate/cases.md) | N/A | N/A | `All` for the `Cases` feature | | ||||||||||||
|
Contributor
There was a problem hiding this comment. If we end up keeping this in the table, will need to link to the more details docs about case feature access at: https://www.elastic.co/docs/solutions/security/investigate/cases-requirements |
||||||||||||
|
|
||||||||||||
| ### Predefined roles [ers_roles] | ||||||||||||
|
Contributor
There was a problem hiding this comment. Making the title and anchor a bit more descriptive so they're easier to understand.
Suggested change
|
||||||||||||
| ```yaml {applies_to} | ||||||||||||
| serverless: all | ||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||
| ``` | ||||||||||||
|
|
||||||||||||
| | Action | Predefined role | | ||||||||||||
|
Contributor
There was a problem hiding this comment. Adding a brief explanation of the table's purpose.
Suggested change
Contributor
There was a problem hiding this comment. @yctercero at some point, it could be helpful for users to know which built-in ESS roles allow them to access detection rules. |
||||||||||||
| | --- | --- | | ||||||||||||
| | Manage rules | - Threat Intelligence Analyst<br>- Tier 3 Analyst<br>- Detections Eng<br>- SOC Manager<br>- Endpoint Policy Manager<br>- Tier 3 Analyst<br>- Platform Engineer<br>- Editor | | ||||||||||||
| | Rules read only | - Tier 1 Analyst<br>- Tier 2 Analyst<br>- Viewer<br>- Endpoint Operations Analyst | | ||||||||||||
| | Manage alerts | - All roles except for Viewer | | ||||||||||||
| | Manage exceptions and value lists | - Threat Intelligence Analyst<br>- Tier 3 Analyst<br>- Detections Eng<br>- SOC Manager<br>- Endpoint Policy Manager<br>- Tier 3 Analyst<br>- Platform Engineer<br>- Editor | | ||||||||||||
| | Exceptions and value lists read only | - Tier 1 Analyst<br>- Tier 2 Analyst<br>- Viewer<br>- Endpoint Operations Analyst | | ||||||||||||
|
|
||||||||||||
| ### Authorization [alerting-auth-model] | ||||||||||||
|
|
||||||||||||
|
|
||||||||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|
@@ -27,7 +27,7 @@ In addition to Timelines, you can create and attach Timeline templates to [detec | |||||||||||||
|
|
||||||||||||||
| ## Grant access to Timeline [timeline-privileges] | ||||||||||||||
|
|
||||||||||||||
| You can control access to Timeline by setting the [{{kib}} privileges](../../../deploy-manage/users-roles/cluster-or-deployment-auth/kibana-privileges.md) for the **Timeline** feature under **Security**. For more details on SIEM requirements, refer to [Detections requirements](/solutions/security/detect-and-alert/detections-requirements.md). | ||||||||||||||
|
Contributor
There was a problem hiding this comment.
Suggested change
|
||||||||||||||
|
|
||||||||||||||
| ## Create new or open existing Timeline [open-create-timeline] | ||||||||||||||
|
|
||||||||||||||
|
|
||||||||||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@yctercero in Serverless, will users need the
Attack Discovery: Allprivilege and theRules: Readprivilege to use Attack Discover? Or do they only need theRules: Readprivilege? The updated screenshot (security-attck-disc-rbac.png) makes me think both, but I don't want to assume.