From 1d8d47f41b888429ec9a98063ff55365e66d35f0 Mon Sep 17 00:00:00 2001
From: Krishna Chaitanya Reddy Burri
Date: Thu, 7 Aug 2025 18:16:37 +0530
Subject: [PATCH] Add {m365_defender,microsoft_defender_endpoint}.vulnerability indices to kibana_system role permissions (#132445)
Add logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* data stream indices to the kibana_system's read privileges. This is required for the latest transform for 3rd party integrations CDR workflows (vulnerability findings) to work. Also add delete_index on logs-m365_defender.vulnerability-* and logs-microsoft_defender_endpoint.vulnerability-* to facilitate index removal through ILM policies.
(cherry picked from commit 716bff837087cf24f5d5724d69e940441f5a3cfd)
---
 .../KibanaOwnedReservedRoleDescriptors.java | 11 ++++++
 .../authz/store/ReservedRolesStoreTests.java | 34 +++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 3ba3a4dc2b2b7..d98ae60af3198 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -519,6 +519,17 @@ static RoleDescriptor kibanaSystem(String name) {
 )
 .privileges("read", "view_index_metadata")
 .build(),
+ // For source indices of the Cloud Detection & Response (CDR) packages
+ // that ships a transform and has ILM policy
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices("logs-m365_defender.vulnerability-*", "logs-microsoft_defender_endpoint.vulnerability-*")
+ .privileges(
+ "read",
+ "view_index_metadata",
+ // Require "delete_index" to perform ILM policy actions
+ TransportDeleteIndexAction.TYPE.name()
+ )
+ .build(),
 // For ExtraHop and QualysGAV specific actions. Kibana reads, writes and manages this index
 // for configured ILM policies.
 RoleDescriptor.IndicesPrivileges.builder()
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 3222fd8b6796d..1c68045678042 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
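Review bot: The two comment lines above the new `RoleDescriptor.IndicesPrivileges.builder()` entry have a grammar slip ("packages that ships ... and has") and do not state why this entry is read-only yet still carries "delete_index", which is the one non-obvious choice in the block. I would replace them with `// Source indices of the Cloud Detection & Response (CDR) packages that ship a transform and an ILM policy.` and `// Kibana only reads these (they feed the transform); "delete_index" is granted solely so ILM policy delete actions can remove them, not for ad-hoc deletion.` Note that "delete_index" applies to every index matching the two wildcard patterns, which appears intended since the neighbouring ExtraHop/QualysGAV entry takes the same approach for its ILM-managed indices. The enclosing kibanaSystem(String name) method starts and ends outside the hunk.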
@@ -1710,6 +1710,40 @@ public void testKibanaSystemRole() {
 );
 assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
 assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+ // Implied by the overall view_index_metadata and monitor privilege
+ assertViewIndexMetadata(kibanaRole, indexName);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:monitor/").test(indexAbstraction), is(true));
+ });
+
+ Arrays.asList(
+ "logs-m365_defender.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13)),
+ "logs-microsoft_defender_endpoint.vulnerability-" + randomAlphaOfLength(randomIntBetween(0, 13))
+ ).forEach(indexName -> {
+ final IndexAbstraction indexAbstraction = mockIndexAbstraction(indexName);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:bar").test(indexAbstraction), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteIndexAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(GetIndexAction.NAME).test(indexAbstraction), is(true));
+ assertThat(
+ kibanaRole.indices().allowedIndicesMatcher(TransportCreateIndexAction.TYPE.name()).test(indexAbstraction),
+ is(false)
+ );
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportIndexAction.NAME).test(indexAbstraction), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportDeleteAction.NAME).test(indexAbstraction), is(false));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportMultiSearchAction.TYPE.name()).test(indexAbstraction), is(true));
+ 
assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportGetAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(READ_CROSS_CLUSTER_NAME).test(indexAbstraction), is(false));
+ assertThat(
+ kibanaRole.indices().allowedIndicesMatcher(TransportUpdateSettingsAction.TYPE.name()).test(indexAbstraction),
+ is(true)
+ );
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(TransportPutMappingAction.TYPE.name()).test(indexAbstraction), is(true));
+ assertThat(kibanaRole.indices().allowedIndicesMatcher(RolloverAction.NAME).test(indexAbstraction), is(true));
+ // Implied by the overall view_index_metadata and monitor privilege
+ assertViewIndexMetadata(kibanaRole, indexName);
+ assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:monitor/").test(indexAbstraction), is(true));
+ });
 Arrays.asList(