Add {m365_defender,microsoft_defender_endpoint}.vulnerability indices to kibana_system role permissions #132445
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…party vulnerability findings workflow.
kcreddy
added
:Security/Authorization
|
Pinging @elastic/es-security (Team:Security) |
kcreddy
commented
Aug 5, 2025
Comment on lines
521
to
522
| "logs-m365_defender.vulnerability-*", | ||
| "logs-microsoft_defender_endpoint.vulnerability-*" |
There was a problem hiding this comment.
This adds permission for the transform, without which results in following error inside the transform:
Cannot create transform [logs-m365_defender.latest_cdr_vulnerabilities-default-0.1.0] because user elastic/kibana lacks the required permissions [logs-m365_defender.vulnerability-*:[read], security_solution-m365_defender.vulnerability_latest:[], security_solution-m365_defender.vulnerability_latest-v1:[]]
There was a problem hiding this comment.
Just a note: Per ILM policy you shared, Kibana needs the permission to execute rollover action but that is already covered by logs-* pattern here:
kcreddy
commented
Aug 5, 2025
Comment on lines
526
to
534
| // For source indices of the Cloud Detection & Response (CDR) packages | ||
| // that has ILM policy | ||
| RoleDescriptor.IndicesPrivileges.builder() | ||
| .indices("logs-m365_defender.vulnerability-*", "logs-microsoft_defender_endpoint.vulnerability-*") | ||
| .privileges( | ||
| // Require "delete_index" to perform ILM policy actions | ||
| TransportDeleteIndexAction.TYPE.name() | ||
| ) | ||
| .build(), |
There was a problem hiding this comment.
This fixes the permission error for the ILM policy.
The ILM policies are already part of existing integration code: here and here.
Without this correct permissions following error is received when deleting index as user with kibana_system role (as in ILM).
{
"error": {
"root_cause": [
{
"type": "security_exception",
"reason": "action [indices:admin/delete] is unauthorized for user [kibana-system] with effective roles [editor,kibana_system,viewer] on indices [.ds-logs-m365_defender.vulnerability-default-2025.08.05-000002], this action is granted by the index privileges [delete_index,manage,all]"
}
],
"type": "security_exception",
"reason": "action [indices:admin/delete] is unauthorized for user [kibana-system] with effective roles [editor,kibana_system,viewer] on indices [.ds-logs-m365_defender.vulnerability-default-2025.08.05-000002], this action is granted by the index privileges [delete_index,manage,all]"
},
"status": 403
}
5 tasks
|
@slobodanadamovic, I couldn't see labels |
...src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
Outdated
Show resolved
Hide resolved
...va/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
Show resolved
Hide resolved
slobodanadamovic
approved these changes
Aug 6, 2025
The |
|
And |
|
I'm wrong about the |
…permissions # Conflicts: # x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
SiddharthMantri
approved these changes
Aug 7, 2025
This was referenced Aug 11, 2025
kcreddy
added a commit
to kcreddy/elasticsearch
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (elastic#132445) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
kcreddy
added a commit
to kcreddy/elasticsearch
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (elastic#132445) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
kcreddy
added a commit
to kcreddy/elasticsearch
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (elastic#132445) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
kcreddy
added a commit
to kcreddy/elasticsearch
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (elastic#132445) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (#132445) (#132627) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (#132445) (#132628) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
… to kibana_system role permissions (#132445) (#132629) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8)
elasticsearchmachine
pushed a commit
that referenced
this pull request
Aug 11, 2025
…indices to kibana_system role permissions (#132445) (#132630) * Add {m365_defender,microsoft_defender_endpoint}.vulnerability indices to kibana_system role permissions (#132445) Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies. (cherry picked from commit 716bff8) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java * fix conflicts * fix conflicts
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add
logs-m365_defender.vulnerability-*andlogs-microsoft_defender_endpoint.vulnerability-*data stream indices to thekibana_system'sreadprivileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work.Also add
delete_indexonlogs-m365_defender.vulnerability-*andlogs-microsoft_defender_endpoint.vulnerability-*to facilitate index removal through ILM policies defined here and hereRelated:
Similar to #124074 and #128350