From 13c2080f94f82bd6cdfb6f18127c0f0d81fc8f03 Mon Sep 17 00:00:00 2001
From: Mohit Jha <138874484+mohitjha-elastic@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:37:58 +0530
Subject: [PATCH] [Sentinel One] - Fix Cannot execute ILM policy delete step for threat event (#137222)

This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions.

(cherry picked from commit ddb1502d85c5c0fcc5ef286888d1acaea1375ef9)
---
 docs/changelog/137222.yaml | 6 ++++++
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 3 ++-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog/137222.yaml

diff --git a/docs/changelog/137222.yaml b/docs/changelog/137222.yaml
new file mode 100644
index 0000000000000..15b649bb5cea6
--- /dev/null
+++ b/docs/changelog/137222.yaml
@@ -0,0 +1,6 @@
+pr: 137222
+summary: "[Sentinel One] Add `manage`, `create_index`, `read`, `index`, `write`, `delete`, permission for third-party agent indices in the `Kibana system` to support the threat event data stream."
+area: Authorization
+type: enhancement
+issues:
+ - 240901
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index 23e2ba1884636..ce18bbe0b9922 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -550,7 +550,7 @@ static RoleDescriptor kibanaSystem(String name) {
 TransportDeleteIndexAction.TYPE.name()
 )
 .build(),
- // For ExtraHop, QualysGAV, SentinelOne Application Dataset, Island Browser and Cyera specific actions.
+ // For ExtraHop, QualysGAV, SentinelOne, Island Browser and Cyera specific actions.
 // Kibana reads, writes and manages this index
 // for configured ILM policies.
 RoleDescriptor.IndicesPrivileges.builder()
@@ -558,6 +558,7 @@ static RoleDescriptor kibanaSystem(String name) {
 "logs-extrahop.investigation-*",
 "logs-qualys_gav.asset-*",
 "logs-sentinel_one.application-*",
+ "logs-sentinel_one.threat_event-*",
 "logs-island_browser.user-*",
 "logs-island_browser.device-*",
 "logs-cyera.classification-*",
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 87b6dafdb2c65..d829b79f2e2e5 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1984,6 +1984,7 @@ public void testKibanaSystemRole() {
 "logs-extrahop.investigation-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-qualys_gav.asset-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)),
+ "logs-sentinel_one.threat_event-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-cyera.classification-" + randomAlphaOfLength(randomIntBetween(1, 10)),
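Review bot: The new entry `"logs-sentinel_one.threat_event-*"` at +558 inherits every privilege of this IndicesPrivileges block, whose action list sits below the hunk, so the grant to kibana_system is wider than the single ILM delete step named in the commit title; the changelog entry on this page lists manage, create_index, read, index, write and delete for it. The commit description calls this a short-term solution, but nothing in the code records that, so a later least-privilege pass has no anchor to find and narrow it. A one-line comment beside the new pattern would carry that context: `// short-term grant (#137222): delete for ILM, read/write for the transform; revisit`. The comment rewording at +550 reads fine as is. kibanaSystem begins and ends outside both hunks.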
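Review bot: The added line at +1987 only appends the new index name to the same list as its siblings, and the assertion loop that consumes that list is outside the hunk, so it is not visible whether the delete-index action that motivated this fix is among the actions checked for the new pattern. If that loop does not already cover it, an explicit assertion that the role's indices permission allows `TransportDeleteIndexAction.TYPE.name()` on a `logs-sentinel_one.threat_event-` index would pin the exact behavior the PR title describes, since the generic list check would also pass if only read and write were granted. testKibanaSystemRole begins and ends outside the hunk.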