elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[ResponseOps][Alerting] classify API unauthorized errors as user error #196619

Open pmuellr opened 2 weeks ago

pmuellr commented 2 weeks ago

Saw a number of messages of the following form in a QA project:

error(s): ResponseError: security_exception
    Root causes:
        security_exception: action [indices:data/read/search] is unauthorized for API key id [redacted] of user [redacted], this action is granted by the index privileges [read,all]

These are logged with tags: framework-error

These feel like they should be user error. It appears these set our rule run failure SLO off.

elasticmachine commented 2 weeks ago

Pinging @elastic/response-ops (Team:ResponseOps)

pmuellr commented 1 week ago

Was asked to check if these show up in alerting framework messages or just in the SIEM-specific messages logged by the rule executor.

Both. The ones from the SIEM-specific rule executors are noisy, but aren't specifically considered "errors" at all by the framework, they're just messages logged by the executor.

However, those rule executions do seem to be returned as failed by the executor, so we see the following logged when the rule completes:

message: Executing Rule siem.queryRule:<rule-id> has resulted in the following error(s): ResponseError: security_exception\n\tRoot causes:\n\t\tsecurity_exception: action [indices:data/read/search] is unauthorized for API key id [<api-key-id>] of user [<user-id>], this action is granted by the index privileges [read,all]

tags: <rule-id>, siem.queryRule, rule-run-failed, framework-error

So it seems like we should get the SIEM rule to return these as user-error, unless we can figure out how to do this ourselves by using our wrapped ES client library. That seems like it should be our first approach, since it would end up working for all rule types - see if we can determine this at the framework level.
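To make the framework-level approach concrete, here is an added example (not Kibana's own code, and not code from the issue author) of how a wrapped Elasticsearch client error could be classified before it is logged. It assumes a minimal shape for the `@elastic/elasticsearch` `ResponseError` (the `name`, `statusCode` and `body.error` fields), a `security_exception` type as quoted in the issue, and a `user-error` tag as the counterpart to the `framework-error` tag shown in the logs; the sample error objects are constructed for the example.

```typescript
// Added example: classify an Elasticsearch client error as a "user" error when it
// is an authorization failure (missing index privileges, bad API key), so a rule
// run can be tagged user-error instead of framework-error.

// Assumed minimal shape of an @elastic/elasticsearch ResponseError; the real
// class has more fields, only these are needed for the classification.
interface EsErrorBody {
  error?: {
    type?: string;
    reason?: string;
    root_cause?: Array<{ type?: string; reason?: string }>;
  };
}

interface EsResponseErrorLike {
  name: string;
  statusCode?: number;
  body?: EsErrorBody;
}

type ErrorSource = 'user' | 'framework';

// Error types that mean the caller lacks privileges rather than the framework
// having a bug. security_exception is the one quoted in the issue.
const USER_ERROR_TYPES: ReadonlySet<string> = new Set(['security_exception']);

function isEsResponseError(err: unknown): err is EsResponseErrorLike {
  return (
    typeof err === 'object' &&
    err !== null &&
    (err as { name?: unknown }).name === 'ResponseError'
  );
}

// Decide where the blame for an error lies. Anything that is not an ES
// ResponseError, or that is a server-side failure, stays a framework error.
function classifyEsError(err: unknown): ErrorSource {
  if (!isEsResponseError(err)) return 'framework';

  // HTTP 401/403 from Elasticsearch are always authentication/authorization.
  if (err.statusCode === 401 || err.statusCode === 403) return 'user';

  // Fall back to the error type, checking root causes too, since a
  // security_exception can be wrapped inside another exception type.
  const topType = err.body?.error?.type;
  if (topType !== undefined && USER_ERROR_TYPES.has(topType)) return 'user';

  const rootTypes = err.body?.error?.root_cause?.map((c) => c.type) ?? [];
  if (rootTypes.some((t) => t !== undefined && USER_ERROR_TYPES.has(t))) return 'user';

  return 'framework';
}

// Tag to attach to the rule-run log line. 'framework-error' is the tag shown in
// the issue; 'user-error' is the assumed counterpart.
function errorTag(err: unknown): 'user-error' | 'framework-error' {
  return classifyEsError(err) === 'user' ? 'user-error' : 'framework-error';
}

// Constructed sample modelled on the security_exception quoted in the issue.
const sampleUnauthorized: EsResponseErrorLike = {
  name: 'ResponseError',
  statusCode: 403,
  body: {
    error: {
      type: 'security_exception',
      reason:
        'action [indices:data/read/search] is unauthorized for API key id [redacted] of user [redacted], this action is granted by the index privileges [read,all]',
      root_cause: [{ type: 'security_exception', reason: 'unauthorized' }],
    },
  },
};

// Constructed sample of a server-side failure that should stay framework-error.
const sampleShardFailure: EsResponseErrorLike = {
  name: 'ResponseError',
  statusCode: 500,
  body: { error: { type: 'search_phase_execution_exception', reason: 'all shards failed' } },
};

console.log(errorTag(sampleUnauthorized)); // user-error
console.log(errorTag(sampleShardFailure)); // framework-error
```

Checking the HTTP status first keeps the classification independent of how a rule executor formats the message, which is what makes this workable for every rule type rather than only the SIEM executors.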