Conversation

@mohitjha-elastic (Contributor) commented Aug 29, 2025

PR Description:
This PR focuses on the short-term solution, which adds the logs-sentinel_one.application-* and logs-sentinel_one.application_risk-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase of the ILM lifecycle, in an upcoming PR. As it ships a transform pipeline too, read and write permissions are also required.

Current behavior:

It shows a permission issue while deleting the index.

Closes: elastic/kibana#235996
Similar issues: elastic/kibana#197390, #131825

@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner August 29, 2025 09:00
@elasticsearchmachine elasticsearchmachine added needs:triage Requires assignment of a team area label v9.2.0 external-contributor Pull request authored by a developer outside the Elasticsearch team labels Aug 29, 2025
@mohitjha-elastic mohitjha-elastic force-pushed the enhancement/sentinel_one-add_ilm_delete_index branch from 2fd1db5 to e04c727 Compare August 29, 2025 09:06
@mohitjha-elastic (Contributor, Author) commented:

We would need this to be backported to at least 8.18.0 and above.

elasticsearchmachine and others added 3 commits August 29, 2025 09:13
… enhancement/sentinel_one-add_ilm_delete_index
…b.com:mohitjha-elastic/elasticsearch into enhancement/sentinel_one-add_ilm_delete_index
@kcreddy kcreddy added >non-issue :Security/Authorization Roles, Privileges, DLS/FLS, RBAC/ABAC Team:Security Meta label for security team auto-backport Automatically create backport pull requests when merged Team:Cloud Security Meta label for Cloud Security team labels Sep 2, 2025
@elasticsearchmachine (Collaborator) commented:

Pinging @elastic/es-security (Team:Security)

@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Sep 2, 2025
@kcreddy kcreddy added needs:triage Requires assignment of a team area label v9.1.4 v9.0.7 v8.18.7 v8.19.4 labels Sep 2, 2025
@elasticsearchmachine elasticsearchmachine removed the needs:triage Requires assignment of a team area label label Sep 2, 2025
@kcreddy (Contributor) commented Sep 2, 2025

@elasticsearchmachine test this please

@kcreddy (Contributor) commented Sep 2, 2025

@elasticsearchmachine test this please

@kc13greiner kc13greiner self-requested a review September 2, 2025 12:38
@kc13greiner (Contributor) commented:

Heya @mohitjha-elastic

The PR description mentions the need to delete, but the changes include additional permissions being granted. Is this intentional? Could you provide some additional context?

New read access for:
- logs-microsoft_defender_cloud.assessment-*,
- logs-sentinel_one.application_risk-*

New manage, create_index, read, index, write, delete access for:
- logs-sentinel_one.application-*

@kcreddy kcreddy self-assigned this Sep 3, 2025
@kcreddy kcreddy assigned mohitjha-elastic and unassigned kcreddy Sep 3, 2025
@mohitjha-elastic (Contributor, Author) commented:

> Heya @mohitjha-elastic
>
> The PR description mentions the need to delete, but the changes include additional permissions being granted. Is this intentional? Could you provide some additional context?
>
> New read access for:
> - logs-microsoft_defender_cloud.assessment-*,
> - logs-sentinel_one.application_risk-*
>
> New manage, create_index, read, index, write, delete access for:
> - logs-sentinel_one.application-*

Thanks @kc13greiner! I have updated the PR description.

The SentinelOne application and application_risk data streams require read, write, and delete permissions, as they are shipped with both a Transform pipeline and an ILM policy. These privileges are essential to prevent errors during the ILM lifecycle deletion phase and to ensure the proper functioning of the associated transform processes.

Sorry for any confusion, but the access for logs-microsoft_defender_cloud.assessment-* is not added in this PR.

@kcreddy (Contributor) commented Sep 3, 2025

> New read access for:
> - logs-microsoft_defender_cloud.assessment-*,

> Sorry for any confusion, but the access for logs-microsoft_defender_cloud.assessment-* is not added in this PR.

@kc13greiner, the access for logs-microsoft_defender_cloud.assessment-* is already added in #133623 and backported.

This PR only adds the necessary permissions for logs-sentinel_one.application_risk-* and logs-sentinel_one.application-*.

@kc13greiner (Contributor) commented:

++ thank you for the additional context!

We can allow these new permissions on the SentinelOne indices; logs-* are a known, documented collision pattern.

LGTM!
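How the grants discussed in this thread combine is easy to check offline with a small model of Elasticsearch index-privilege resolution. The following Python is an added example written for this page, not code from the Elasticsearch project. It expands privilege groups with a deliberately reduced hierarchy (the assumption that `manage` implies `create_index` and `delete_index`, and `write` implies `index` and `delete`, matches the documented groups, but the real hierarchy is larger), matches a data stream name against every `names` pattern in a role, and unions the privileges of all matching entries, which is why an overlapping broad `logs-*` entry adds privileges but never removes any. The role descriptors, the broad `logs-*` read entry, and the data stream names are constructed for illustration. The check that matters for the ILM delete phase is `delete_index` on the data stream (privileges granted on a data stream apply to its backing indices), not the document-level `delete` privilege.

```python
"""Offline model of how Elasticsearch resolves index privileges for a role.

Added example for this thread, not Elasticsearch code. The privilege hierarchy
below is a reduced subset (assumption: only the groups this thread mentions).
"""
import fnmatch

# Reduced privilege hierarchy: group -> privileges it implies.
# Assumption: a subset of the real Elasticsearch index privilege definitions.
IMPLIES = {
    "all": {"manage", "read", "write", "monitor"},
    "manage": {"create_index", "delete_index", "monitor"},  # index administration
    "write": {"index", "delete"},                            # document-level actions
}


def expand(privileges):
    """Return the transitive closure of a set of privilege names."""
    result = set()
    todo = list(privileges)
    while todo:
        name = todo.pop()
        if name in result:
            continue
        result.add(name)
        todo.extend(IMPLIES.get(name, ()))
    return result


def granted(role, data_stream):
    """Union of expanded privileges from every index entry whose pattern matches.

    Elasticsearch unions the privileges of all matching entries, so an extra
    broad entry such as logs-* adds privileges but never takes any away.
    Privileges granted on a data stream name also apply to its backing indices,
    so checking the data stream name is enough for the ILM delete phase.
    """
    result = set()
    for entry in role["indices"]:
        if any(fnmatch.fnmatchcase(data_stream, p) for p in entry["names"]):
            result |= expand(entry["privileges"])
    return result


def can_delete_index(role, data_stream):
    """ILM's delete phase removes the backing index: that needs delete_index, not delete."""
    return "delete_index" in granted(role, data_stream)


# Constructed role descriptors modelled on the grants listed in this thread.
ROLE_BEFORE = {
    "indices": [
        {"names": ["logs-*"], "privileges": ["read"]},  # assumed broad entry
    ]
}
ROLE_AFTER = {
    "indices": [
        {"names": ["logs-*"], "privileges": ["read"]},  # assumed broad entry
        {"names": ["logs-sentinel_one.application_risk-*"], "privileges": ["read"]},
        {
            "names": ["logs-sentinel_one.application-*"],
            "privileges": ["manage", "create_index", "read", "index", "write", "delete"],
        },
    ]
}

APPLICATION = "logs-sentinel_one.application-default"  # constructed data stream name


if __name__ == "__main__":
    for label, role in (("before", ROLE_BEFORE), ("after", ROLE_AFTER)):
        verdict = "can delete index" if can_delete_index(role, APPLICATION) else "NO delete_index"
        print(label, sorted(granted(role, APPLICATION)), verdict)
```

Running the block prints the union for the constructed "before" role (`read` only, so the delete phase would fail) and the "after" role (which includes `delete_index` via `manage`). Swapping in a real role descriptor fetched from `GET _security/role/<name>` works unchanged, since the `indices[].names` and `indices[].privileges` shape is the same.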

@kc13greiner (Contributor) left a review comment:
Thank you for the discussion! LGTM!

@mohitjha-elastic (Contributor, Author) commented:

💚 All backports created successfully

Backport branches: 9.1, 9.0, 8.19, 8.18

Questions? Please refer to the Backport tool documentation.

mohitjha-elastic added a commit to mohitjha-elastic/elasticsearch that referenced this pull request Sep 4, 2025
…33793)

This PR focuses on the short-term solution, which adds the logs-sentinel_one.application-* and logs-sentinel_one.application_risk-* indices under the kibana_system role with deletion privileges to prevent a failed deletion error when the index enters the deletion phase of the ILM lifecycle, in an upcoming PR. As it ships a transform pipeline too, read and write permissions are also required.

Current behavior:
It shows a permission issue while deleting the index.

(cherry picked from commit bfde47a)
mohitjha-elastic added a commit to mohitjha-elastic/elasticsearch that referenced this pull request Sep 4, 2025
…33793) (same commit message as above; cherry picked from commit bfde47a)
mohitjha-elastic added a commit to mohitjha-elastic/elasticsearch that referenced this pull request Sep 4, 2025
…33793) (same commit message as above; cherry picked from commit bfde47a)
elasticsearchmachine pushed a commit that referenced this pull request Sep 4, 2025
…134114) (same commit message as above; cherry picked from commit bfde47a)
elasticsearchmachine pushed a commit that referenced this pull request Sep 4, 2025
…134113) (same commit message as above; cherry picked from commit bfde47a)
elasticsearchmachine pushed a commit that referenced this pull request Sep 4, 2025
…134112) (same commit message as above; cherry picked from commit bfde47a)
elasticsearchmachine pushed a commit that referenced this pull request Sep 4, 2025
…134111) (same commit message as above; cherry picked from commit bfde47a)
@mohitjha-elastic mohitjha-elastic deleted the enhancement/sentinel_one-add_ilm_delete_index branch September 4, 2025 09:58
sarog pushed a commit to portsbuild/elasticsearch that referenced this pull request Sep 11, 2025
…33793) (elastic#134113) (same commit message as above; cherry picked from commit bfde47a)
sarog pushed a commit to portsbuild/elasticsearch that referenced this pull request Sep 19, 2025
…33793) (elastic#134113) (same commit message as above; cherry picked from commit bfde47a)