Describe the bug:
I'm following the documentation in https://www.elastic.co/guide/en/security/7.17/detections-permissions-section.html (which also appears to have some published merge conflicts). The documentation walks through setting up the required feature and index permissions specific to viewing SIEM detection rules and alerts.
The docs say that in order to view SIEM signals, the user needs the following index privileges:
.siem-signals-<space>
.lists-<space>
.items-<space>
I've assigned these roles to a user account along with access to the Security feature. When I sign in and go to view alerts, I can see several signals in the table under Security > Alerts. However, clicking on one of those signals to view additional data results in a blank flyout:
After some digging, I noticed that the SIEM signal indices were managed by ILM:
.siem-signals-<space>-000001
.siem-signals-<space>-000002
I thought perhaps the documentation was incorrect and should've said that the role needs access to a .siem-signals-<space>-* index, so I updated the index permissions on my custom role to the following:
.siem-signals-<space>-* (instead of .siem-signals-<space>)
.lists-<space>
.items-<space>
A refresh of the page showed an error and I was unable to even see the list of detection signals:
As a last-ditch effort, I decided to update the index permissions on my role to include both .siem-signals-<space> and .siem-signals-<space>-*:
.siem-signals-<space>
.siem-signals-<space>-*
.lists-<space>
.items-<space>
Doing that actually worked, and I was able to both see the list of alerts and access the specific data for an alert:
I'm not sure if this is an issue with the documentation or a discrepancy in Kibana, but it seems weird for the role to require index access to both the alias .siem-signals-<space> as well as a backing index .siem-signals-<space>-*.
I also haven't tested whether the same issue applies to the .lists-<space> and .items-<space> indices, but it might be worth investigating.
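The following is an added example, not code from the issue or from Kibana, that makes the three role variants above concrete. It fills the `<space>` placeholder with the default Kibana space (an assumption; substitute your own space id) and approximates Elasticsearch's index-privilege resolution, where the requested name, whether an alias or a concrete index, is matched against each granted pattern and `*` matches any run of characters. One explanation consistent with the observed behaviour, stated here as an assumption rather than a confirmed Kibana internal, is that the alerts table queries through the `.siem-signals-<space>` alias while the details flyout fetches the document by its concrete `_index`, so the backing index names have to be authorized too. The `read` privilege and the role-body shape are taken from the standard Elasticsearch role API, but the exact privilege set your deployment needs should come from the linked documentation.

```python
from fnmatch import fnmatchcase

# Constructed sample names: the alias the docs tell you to grant plus the
# ILM-managed backing indices seen in the issue, for the default space.
SPACE = "default"
NAMES = [
    f".siem-signals-{SPACE}",          # alias used by the alerts table
    f".siem-signals-{SPACE}-000001",   # ILM backing index
    f".siem-signals-{SPACE}-000002",   # ILM backing index after rollover
    f".lists-{SPACE}",
    f".items-{SPACE}",
]

# The three index-pattern sets tried in the issue, in the order they were tried.
ROLES = {
    "documented":    [f".siem-signals-{SPACE}", f".lists-{SPACE}", f".items-{SPACE}"],
    "wildcard_only": [f".siem-signals-{SPACE}-*", f".lists-{SPACE}", f".items-{SPACE}"],
    "both":          [f".siem-signals-{SPACE}", f".siem-signals-{SPACE}-*",
                      f".lists-{SPACE}", f".items-{SPACE}"],
}


def granted(patterns, name):
    """True if any privilege pattern matches the requested name.

    Approximates Elasticsearch resolution: each pattern is compared against the
    name used in the request, and '*' matches any run of characters. A pattern
    that names the alias does not match its backing indices, and a '-*' pattern
    does not match the bare alias name.
    """
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def coverage(patterns, names=NAMES):
    """Map every alias/index name to whether the role's patterns grant it."""
    return {name: granted(patterns, name) for name in names}


def uncovered(patterns, names=NAMES):
    """Names a user with these patterns could not read directly by name."""
    return [name for name, ok in coverage(patterns, names).items() if not ok]


def role_body(patterns, privileges=("read",)):
    """Body for PUT _security/role/<role-name> granting `privileges` on `patterns`.

    Only the `indices` section is built here; the Security feature privilege is
    granted separately in Kibana, as the linked documentation describes.
    """
    return {"indices": [{"names": list(patterns), "privileges": list(privileges)}]}


if __name__ == "__main__":
    # Show which names each role variant leaves unauthorized; only the
    # combined alias + backing-index pattern set covers everything.
    for role, patterns in ROLES.items():
        missing = uncovered(patterns)
        print(f"{role:14s} uncovered: {missing or 'none'}")
    print(role_body(ROLES["both"]))
```

Running the block lists the backing indices as uncovered for the documented role, the alias as uncovered for the `-*`-only role, and nothing for the combined set, which matches the blank flyout, the error, and the working result described above. Granting both the alias and the `-*` pattern is the least-privilege set this model supports; a broader pattern such as `.siem-signals-*` would also cover other spaces' signals, which is usually not what a per-space analyst role should have.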
Kibana/Elasticsearch Stack version:
7.17.1
Original install method (e.g. download page, yum, from source, etc.):
The ELK stack is deployed via Docker using the provided images from Elastic.
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Steps to reproduce:
1. Create a detection signal, then go to Security > Alerts.
2. Observe that you are able to see the list of SIEM signals.
3. Open the details flyout for the signal.
4. Observe that you are unable to review the signal's details.
Current behavior:
Following the prerequisites documentation to set up a role for interacting with SIEM signals does not produce the correct set of permissions in order to view all of the data.
Expected behavior:
After setting up the roles and privileges as documented, the user is able to view the list of SIEM signals and data for individual signals.