From 9edfb967af047917df089650a7af5e184cf1feb5 Mon Sep 17 00:00:00 2001
From: Mohit Jha <138874484+mohitjha-elastic@users.noreply.github.com>
Date: Fri, 31 Oct 2025 12:37:58 +0530
Subject: [PATCH] [Sentinel One] - Fix Cannot execute ILM policy delete step for threat event (#137222)

This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions.

(cherry picked from commit ddb1502d85c5c0fcc5ef286888d1acaea1375ef9)

# Conflicts:
# x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
---
 docs/changelog/137222.yaml | 6 ++++++
 .../authz/store/KibanaOwnedReservedRoleDescriptors.java | 3 ++-
 .../core/security/authz/store/ReservedRolesStoreTests.java | 1 +
 3 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 docs/changelog/137222.yaml

diff --git a/docs/changelog/137222.yaml b/docs/changelog/137222.yaml
new file mode 100644
index 0000000000000..15b649bb5cea6
--- /dev/null
+++ b/docs/changelog/137222.yaml
@@ -0,0 +1,6 @@
+pr: 137222
+summary: "[Sentinel One] Add `manage`, `create_index`, `read`, `index`, `write`, `delete`, permission for third-party agent indices in the `Kibana system` to support the threat event data stream."
+area: Authorization
+type: enhancement
+issues:
+ - 240901
diff --git a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
index d8740c8aab234..5a05d37465bba 100644
--- a/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
+++ b/x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
@@ -500,7 +500,7 @@ static RoleDescriptor kibanaSystem(String name) {
 TransportDeleteIndexAction.TYPE.name()
 )
 .build(),
- // For ExtraHop, QualysGAV, SentinelOne Application Dataset and Island Browser specific actions.
+ // For ExtraHop, QualysGAV, SentinelOne and Island Browser specific actions.
 // Kibana reads, writes and manages this index
 // for configured ILM policies.
 RoleDescriptor.IndicesPrivileges.builder()
@@ -508,6 +508,7 @@ static RoleDescriptor kibanaSystem(String name) {
 "logs-extrahop.investigation-*",
 "logs-qualys_gav.asset-*",
 "logs-sentinel_one.application-*",
+ "logs-sentinel_one.threat_event-*",
 "logs-island_browser.user-*",
 "logs-island_browser.device-*"
 )
diff --git a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
index 788c85169bfe9..1e8e592b00436 100644
--- a/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
+++ b/x-pack/plugin/core/src/test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1901,6 +1901,7 @@ public void testKibanaSystemRole() {
 "logs-extrahop.investigation-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-qualys_gav.asset-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-sentinel_one.application-" + randomAlphaOfLength(randomIntBetween(1, 10)),
+ "logs-sentinel_one.threat_event-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-island_browser.user-" + randomAlphaOfLength(randomIntBetween(1, 10)),
 "logs-island_browser.device-" + randomAlphaOfLength(randomIntBetween(1, 10))
 ).forEach((index_qualys_extra_hop) -> {
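Review bot: The new `"logs-sentinel_one.threat_event-*"` entry carries no marker that it is the short-term workaround the commit message describes, so once the PR context is gone the only nearby explanation is the generic `// Kibana reads, writes and manages this index for configured ILM policies.` comment, which reads as a permanent design decision. Because `kibana_system` is a reserved, highly privileged role and the changelog states this pattern now receives `manage`, `create_index`, `read`, `index`, `write` and `delete`, every entry added to this list widens what a compromised Kibana credential can destroy; I would annotate the entry so the grant is revisited: `"logs-sentinel_one.threat_event-*", // short-term grant so the ILM delete phase succeeds (#137222, issue 240901); revisit when a narrower mechanism exists`. The trailing `-*` also matches any namespace or hand-created index under that prefix, not only the integration's data stream, which is consistent with the sibling entries but worth stating next to the grant. The `IndicesPrivileges.builder()` chain and the privilege list it ends with continue outside the hunk, so the exact privilege set cannot be confirmed from the diff.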
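Review bot: The added test input only establishes that `kibana_system` is authorized on a random `logs-sentinel_one.threat_event-<suffix>` index; nothing in the hunk checks the boundary of the new grant, for instance that a sibling `logs-sentinel_one.<other>-<suffix>` index is not granted delete. If the surrounding test does not already do so, a negative assertion written with the same helpers the positive case uses, on an index such as `"logs-sentinel_one.other-" + randomAlphaOfLength(5)` and expecting the delete action to be denied, would catch a future pattern typo that silently widens the grant. As a point of style, the lambda parameter `index_qualys_extra_hop` no longer describes a list that now spans five integrations and is not camelCase; `indexName` would do. The lambda body and whatever it asserts begin after the end of the hunk, so I cannot tell what is already verified there.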