Commit a8f9e6e

[8.18] [Security Solution] SIEM Migrations RBAC (#207087) (#210152)
# Backport

This will backport the following commits from `main` to `8.18`:
- [[Security Solution] SIEM Migrations RBAC (#207087)](#207087)

<!--- Backport version: 9.6.4 -->

### Questions ?
Please refer to the [Backport tool documentation](https://github.com/sorenlouv/backport)
1 parent 2d36c65 commit a8f9e6e

96 files changed

+1690
-807
lines changed

Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
/*
2+
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
3+
* or more contributor license agreements. Licensed under the Elastic License
4+
* 2.0; you may not use this file except in compliance with the Elastic License
5+
* 2.0.
6+
*/
7+
export * from './src/actions';
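Review bot: The wildcard `export * from './src/actions';` on the last added line makes every symbol in that module part of the package's public surface, including anything added to it later. `config.ts` and `product_features.ts` in this same commit use named re-exports (for example `export { getNotesFeature } from './src/notes';`); doing the same here would mean new exports are exposed deliberately rather than by default.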

x-pack/solutions/security/packages/features/config.ts

Lines changed: 1 addition & 0 deletions
@@ -11,5 +11,6 @@ export { assistantDefaultProductFeaturesConfig } from './src/assistant/product_f
1111
export { attackDiscoveryDefaultProductFeaturesConfig } from './src/attack_discovery/product_feature_config';
1212
export { timelineDefaultProductFeaturesConfig } from './src/timeline/product_feature_config';
1313
export { notesDefaultProductFeaturesConfig } from './src/notes/product_feature_config';
14+
export { siemMigrationsDefaultProductFeaturesConfig } from './src/siem_migrations/product_feature_config';
1415

1516
export { createEnabledProductFeaturesConfigMap } from './src/helpers';
Lines changed: 7 additions & 0 deletions
@@ -0,0 +1,7 @@
1+
/*
2+
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
3+
* or more contributor license agreements. Licensed under the Elastic License
4+
* 2.0; you may not use this file except in compliance with the Elastic License
5+
* 2.0.
6+
*/
7+
export * from './src/constants';

x-pack/solutions/security/packages/features/product_features.ts

Lines changed: 1 addition & 0 deletions
@@ -11,3 +11,4 @@ export { getAssistantFeature } from './src/assistant';
1111
export { getAttackDiscoveryFeature } from './src/attack_discovery';
1212
export { getTimelineFeature } from './src/timeline';
1313
export { getNotesFeature } from './src/notes';
14+
export { getSiemMigrationsFeature } from './src/siem_migrations';
Lines changed: 14 additions & 0 deletions
@@ -0,0 +1,14 @@
1+
/*
2+
* Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
3+
* or more contributor license agreements. Licensed under the Elastic License
4+
* 2.0; you may not use this file except in compliance with the Elastic License
5+
* 2.0.
6+
*/
7+
8+
import { APP_ID } from './constants';
9+
10+
// The prefix ("securitySolution-") must be used by all the Security Solution API action privileges.
11+
// This ensures product features are honored by the Kibana routes security authz.
12+
export const API_ACTION_PREFIX = `${APP_ID}-`;
13+
14+
export const SIEM_MIGRATIONS_API_ACTION_ALL = `${API_ACTION_PREFIX}siemMigrationsAll`;
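Review bot: The comment above `API_ACTION_PREFIX` says the prefix must be used by all Security Solution API action privileges, but nothing in this file enforces it; `SIEM_MIGRATIONS_API_ACTION_ALL` follows the rule only because it is assembled by hand from the template literal. Going by the comment's own wording, an action string defined without the prefix would not have product features honored by the routes authz, so consider a small helper that builds action names from `API_ACTION_PREFIX`, or a unit test asserting that every exported action starts with it. The comment also hardcodes "securitySolution-" while the value is derived from `APP_ID`; referring to `APP_ID` in the comment would keep it from going stale.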

x-pack/solutions/security/packages/features/src/assistant/kibana_features.ts

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ export const getAssistantBaseKibanaFeature = (): BaseKibanaFeatureConfig => ({
2020
defaultMessage: 'Elastic AI Assistant',
2121
}
2222
),
23-
order: 1100,
23+
order: 1300,
2424
category: DEFAULT_APP_CATEGORIES.security,
2525
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
2626
app: [ASSISTANT_FEATURE_ID, 'kibana'],
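Review bot: `order: 1300` is a bare number whose meaning depends on values set in other files; this commit also moves Attack discovery to 1400 and both Cases features to 1200, all from a shared 1100. A set of named order constants for the Security category, or at least a comment stating the intended sequence and which entry now occupies 1100, would make the next insertion into this list less error-prone.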

x-pack/solutions/security/packages/features/src/attack_discovery/kibana_features.ts

Lines changed: 1 addition & 1 deletion
@@ -20,7 +20,7 @@ export const getAttackDiscoveryBaseKibanaFeature = (): BaseKibanaFeatureConfig =
2020
defaultMessage: 'Attack discovery',
2121
}
2222
),
23-
order: 1100,
23+
order: 1400,
2424
category: DEFAULT_APP_CATEGORIES.security,
2525
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
2626
app: [ATTACK_DISCOVERY_FEATURE_ID, 'kibana'],

x-pack/solutions/security/packages/features/src/cases/v1_features/kibana_features.ts

Lines changed: 1 addition & 1 deletion
@@ -42,7 +42,7 @@ export const getCasesBaseKibanaFeature = ({
4242
defaultMessage: 'Cases (Deprecated)',
4343
}
4444
),
45-
order: 1100,
45+
order: 1200,
4646
category: DEFAULT_APP_CATEGORIES.security,
4747
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
4848
app: [CASES_FEATURE_ID, 'kibana'],

x-pack/solutions/security/packages/features/src/cases/v2_features/kibana_features.ts

Lines changed: 1 addition & 1 deletion
@@ -44,7 +44,7 @@ export const getCasesBaseKibanaFeatureV2 = ({
4444
defaultMessage: 'Cases',
4545
}
4646
),
47-
order: 1100,
47+
order: 1200,
4848
category: DEFAULT_APP_CATEGORIES.security,
4949
scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
5050
app: [CASES_FEATURE_ID, 'kibana'],

x-pack/solutions/security/packages/features/src/constants.ts

Lines changed: 1 addition & 0 deletions
@@ -29,6 +29,7 @@ export const ASSISTANT_FEATURE_ID = 'securitySolutionAssistant' as const;
2929
export const ATTACK_DISCOVERY_FEATURE_ID = 'securitySolutionAttackDiscovery' as const;
3030
export const TIMELINE_FEATURE_ID = 'securitySolutionTimeline' as const;
3131
export const NOTES_FEATURE_ID = 'securitySolutionNotes' as const;
32+
export const SIEM_MIGRATIONS_FEATURE_ID = 'securitySolutionSiemMigrations' as const;
3233

3334
// Same as the plugin id defined by Cloud Security Posture
3435
export const CLOUD_POSTURE_APP_ID = 'csp' as const;
