[Security Solution][Attack Discovery] Granting reserved role access to .adhoc.alerts* and .internal.adhoc.alerts* indices (elastic#221759)

## Summary

Main ticket ([Internal
link](elastic/security-team#12484))

These changes reflect serverless roles updates in the
elastic/elasticsearch-controller#996.

## Description

This is a part of the "Attack Discovery" feature where we introduce the
scheduling and alerts generation. The attack discovery scheduling
feature requires a possibility to generate alerts without running an
existing (registered in alerting framework) rule and for that we are
writing "adhoc" generated alerts to a separate index (than normal
alerts) so they won't show up with standard `.alerts*` queries, but
still need the same permissions as "normal" alert indices.

The new `.adhoc.alerts*` act same way as existing `.alerts*` and
`.preview.alerts*` indices and reserved roles should have same access
rights.

Author: e40pud

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/oblt/roles.yml

@@ -21,6 +21,7 @@ viewer:
     - names:
         - '.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'
@@ -68,6 +69,8 @@ editor:
         - '.alerts*'
         - '.internal.preview.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
+        - '.internal.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml

@@ -16,6 +16,7 @@ viewer:
     - names:
         - '.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'
@@ -95,6 +96,8 @@ editor:
         - '.alerts*'
         - '.internal.preview.alerts*'
         - '.preview.alerts*'
+        - '.internal.adhoc.alerts*'
+        - '.adhoc.alerts*'
         - 'risk-score.risk-score-*'
       privileges:
         - 'read'
@@ -420,6 +423,8 @@ rule_author:
         - .siem-signals-*
         - .internal.preview.alerts-security*
         - .preview.alerts-security*
+        - .internal.adhoc.alerts-security*
+        - .adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -492,6 +497,8 @@ soc_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -568,6 +575,8 @@ detections_admin:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -631,6 +640,8 @@ platform_engineer:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
         - risk-score.risk-score-*
       privileges:
         - all
@@ -708,6 +719,8 @@ endpoint_operations_analyst:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -794,6 +807,8 @@ endpoint_policy_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write

src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json

@@ -200,6 +200,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".siem-signals-*"
           ],
           "privileges": ["read", "write", "maintenance", "view_index_metadata"]
@@ -255,6 +257,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".siem-signals-*"
           ],
           "privileges": ["read", "write", "manage"]
@@ -295,6 +299,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".lists*",
             ".items*",
             "apm-*-transaction*",
@@ -366,6 +372,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".siem-signals-*"
           ],
           "privileges": ["all"]

src/platform/packages/shared/kbn-es/src/stateful_resources/roles.yml

@@ -9,6 +9,7 @@ viewer:
     - names:
         - '.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'
@@ -80,6 +81,8 @@ editor:
         - '.internal.alerts*'
         - '.internal.preview.alerts*'
         - '.preview.alerts*'
+        - '.internal.adhoc.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'maintenance'
         - 'read'

x-pack/platform/plugins/shared/alerting/server/alerts_service/resource_installer_utils.test.ts

@@ -47,6 +47,8 @@ describe('getIndexTemplateAndPattern', () => {
         '.preview.alerts-',
         '.internal.preview.alerts-',
         '.reindexed-v8-internal.preview.alerts-',
+        '.adhoc.alerts-',
+        '.internal.adhoc.alerts-',
       ],
       name: '.internal.alerts-test.alerts-default-000001',
     });
@@ -67,6 +69,8 @@ describe('getIndexTemplateAndPattern', () => {
         '.preview.alerts-',
         '.internal.preview.alerts-',
         '.reindexed-v8-internal.preview.alerts-',
+        '.adhoc.alerts-',
+        '.internal.adhoc.alerts-',
       ],
       name: '.internal.alerts-test.alerts-special-000001',
     });
@@ -94,6 +98,8 @@ describe('getIndexTemplateAndPattern', () => {
         '.preview.alerts-',
         '.internal.preview.alerts-',
         '.reindexed-v8-internal.preview.alerts-',
+        '.adhoc.alerts-',
+        '.internal.adhoc.alerts-',
       ],
       secondaryAlias: `siem.signals-special`,
     });

x-pack/platform/plugins/shared/alerting/server/alerts_service/resource_installer_utils.ts

@@ -25,6 +25,8 @@ export const VALID_ALERT_INDEX_PREFIXES = [
   '.preview.alerts-',
   '.internal.preview.alerts-',
   '.reindexed-v8-internal.preview.alerts-',
+  '.adhoc.alerts-',
+  '.internal.adhoc.alerts-',
 ];
 
 export const getComponentTemplateName = ({ context, name }: GetComponentTemplateNameOpts = {}) =>

x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json

@@ -185,6 +185,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".siem-signals-*"
           ],
           "privileges": ["read", "write", "manage"]
@@ -239,6 +241,8 @@
             ".alerts-security*",
             ".preview.alerts-security*",
             ".internal.preview.alerts-security*",
+            ".adhoc.alerts-security*",
+            ".internal.adhoc.alerts-security*",
             ".siem-signals-*"
           ],
           "privileges": ["read", "write", "manage"]

x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts

@@ -40,6 +40,8 @@ export const getEndpointOperationsAnalyst: () => Omit<Role, 'name'> = () => {
             '.siem-signals-*',
             '.preview.alerts-security*',
             '.internal.preview.alerts-security*',
+            '.adhoc.alerts-security*',
+            '.internal.adhoc.alerts-security*',
           ],
           privileges: ['read', 'write'],
         },

x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml

@@ -35,6 +35,7 @@ viewer:
     - names:
         - '.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'
@@ -113,6 +114,8 @@ editor:
         - '.alerts*'
         - '.internal.preview.alerts*'
         - '.preview.alerts*'
+        - '.internal.adhoc.alerts*'
+        - '.adhoc.alerts*'
         - 'risk-score.risk-score-*'
       privileges:
         - 'read'
@@ -435,6 +438,8 @@ rule_author:
         - .siem-signals-*
         - .internal.preview.alerts-security*
         - .preview.alerts-security*
+        - .internal.adhoc.alerts-security*
+        - .adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -509,6 +514,8 @@ soc_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -585,6 +592,8 @@ detections_admin:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -649,6 +658,8 @@ platform_engineer:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
         - risk-score.risk-score-*
       privileges:
         - all
@@ -727,6 +738,8 @@ endpoint_operations_analyst:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -810,6 +823,8 @@ endpoint_policy_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write

x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml

@@ -16,6 +16,7 @@ viewer:
     - names:
         - '.alerts*'
         - '.preview.alerts*'
+        - '.adhoc.alerts*'
       privileges:
         - 'read'
         - 'view_index_metadata'
@@ -94,6 +95,8 @@ editor:
         - '.alerts*'
         - '.internal.preview.alerts*'
         - '.preview.alerts*'
+        - '.internal.adhoc.alerts*'
+        - '.adhoc.alerts*'
         - 'risk-score.risk-score-*'
       privileges:
         - 'read'
@@ -419,6 +422,8 @@ rule_author:
         - .siem-signals-*
         - .internal.preview.alerts-security*
         - .preview.alerts-security*
+        - .internal.adhoc.alerts-security*
+        - .adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -494,6 +499,8 @@ soc_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -573,6 +580,8 @@ detections_admin:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -637,6 +646,8 @@ platform_engineer:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
         - risk-score.risk-score-*
       privileges:
         - all
@@ -715,6 +726,8 @@ endpoint_operations_analyst:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write
@@ -798,6 +811,8 @@ endpoint_policy_manager:
         - .siem-signals-*
         - .preview.alerts-security*
         - .internal.preview.alerts-security*
+        - .adhoc.alerts-security*
+        - .internal.adhoc.alerts-security*
       privileges:
         - read
         - write