Conversation

@e40pud (Contributor) commented Nov 28, 2025

Summary

Related to #243079

Here we introduce a new internal attack discovery endpoint that returns missing index privileges for the users.

There are two indices a user should have access to in order to be able to work with the attack discovery feature: `.alerts-security.attack.discovery.alerts-*` and `.adhoc.alerts-security.attack.discovery.alerts`.

The required privileges are `read`, `write`, `view_index_metadata` and `maintenance`.

The endpoint checks whether any of those required privileges are missing for those two indices and returns the information about it in a form like this:

```
[
  {
    index_name: '.alerts-security.attack.discovery.alerts-default',
    privileges: ['read', 'write', 'view_index_metadata', 'maintenance'],
  },
  {
    index_name: '.adhoc.alerts-security.attack.discovery.alerts-default',
    privileges: ['read', 'write', 'view_index_metadata', 'maintenance'],
  },
]
```

Testing

1. Create a role which has attack discovery Kibana privileges and lacks index privileges to one of the indices: `.alerts-security.attack.discovery.alerts-*` and/or `.adhoc.alerts-security.attack.discovery.alerts`.
2. Use this cURL request to get the missing privileges information:

```
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/_missing_privileges' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

NOTE: You need to add the credentials of a user with the created role in this request.
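The check the endpoint performs, written out as an added example that is not Kibana's code and not part of this pull request: it derives the missing-privileges response shown above from a per-index privilege map in the shape Elasticsearch's has_privileges API returns (`index: { [indexName]: { [privilege]: boolean } }`). The concrete index names with the `-default` space suffix, the sample privilege maps and the function names are assumptions made here; the required privilege list and the response shape are the ones the description states.

```typescript
// Added example (not Kibana's code): derive the "missing index privileges"
// response described in the PR from a per-index privilege map in the shape
// of Elasticsearch's has_privileges API (`index: { [name]: { [priv]: boolean } }`).
// The `-default` index names and the sample maps below are constructed.

const REQUIRED_INDEX_PRIVILEGES = ['read', 'write', 'view_index_metadata', 'maintenance'] as const;
type IndexPrivilege = (typeof REQUIRED_INDEX_PRIVILEGES)[number];

// Assumed concrete index names for the default Kibana space.
const ATTACK_DISCOVERY_INDICES: readonly string[] = [
  '.alerts-security.attack.discovery.alerts-default',
  '.adhoc.alerts-security.attack.discovery.alerts-default',
];

// One entry of the endpoint's response, in the shape the PR description shows.
interface MissingIndexPrivileges {
  index_name: string;
  privileges: IndexPrivilege[];
}

// The `index` section of a has_privileges response: index name -> privilege -> granted?
type IndexPrivilegeMap = Record<string, Record<string, boolean> | undefined>;

function getMissingIndexPrivileges(
  privilegeMap: IndexPrivilegeMap,
  indices: readonly string[] = ATTACK_DISCOVERY_INDICES,
  required: readonly IndexPrivilege[] = REQUIRED_INDEX_PRIVILEGES
): MissingIndexPrivileges[] {
  const missing: MissingIndexPrivileges[] = [];
  for (const indexName of indices) {
    const granted: Record<string, boolean> = privilegeMap[indexName] ?? {};
    // Fail closed: a privilege absent from the response counts as not granted.
    const privileges = required.filter((p) => granted[p] !== true);
    if (privileges.length > 0) {
      missing.push({ index_name: indexName, privileges });
    }
  }
  return missing;
}

// Convenience check for callers that only need a yes/no answer.
function hasAllRequiredPrivileges(privilegeMap: IndexPrivilegeMap): boolean {
  return getMissingIndexPrivileges(privilegeMap).length === 0;
}

// Constructed sample: full access to the alerts index, but `write` and
// `maintenance` are missing on the ad hoc alerts index.
const SAMPLE_PARTIAL_ACCESS: IndexPrivilegeMap = {
  '.alerts-security.attack.discovery.alerts-default': {
    read: true, write: true, view_index_metadata: true, maintenance: true,
  },
  '.adhoc.alerts-security.attack.discovery.alerts-default': {
    read: true, write: false, view_index_metadata: true, maintenance: false,
  },
};

// Constructed sample: every required privilege granted on both indices.
const SAMPLE_FULL_ACCESS: IndexPrivilegeMap = {};
for (const name of ATTACK_DISCOVERY_INDICES) {
  const all: Record<string, boolean> = {};
  for (const p of REQUIRED_INDEX_PRIVILEGES) {
    all[p] = true;
  }
  SAMPLE_FULL_ACCESS[name] = all;
}

console.log(JSON.stringify(getMissingIndexPrivileges(SAMPLE_PARTIAL_ACCESS), null, 2));
console.log('full access ok:', hasAllRequiredPrivileges(SAMPLE_FULL_ACCESS));
```

An index that does not appear in the privilege map at all is reported with every required privilege missing, which is the conservative reading a UI should act on (hide or disable the feature rather than let a later index request fail).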

@e40pud e40pud self-assigned this Nov 28, 2025
@e40pud e40pud requested review from a team as code owners November 28, 2025 16:48
@e40pud e40pud added labels release_note:skip, backport:skip, Team: SecuritySolution and Team:Security Generative AI on Nov 28, 2025
@elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

@e40pud (Contributor, Author) commented Nov 30, 2025

@elasticmachine merge upstream

@KDKHD (Member) left a comment

Nice, tested locally with changing index privileges!

@andrew-goldstein (Contributor) left a comment

Thanks @e40pud for this new API!
✅ Desk tested locally
LGTM 🚀

@e40pud e40pud enabled auto-merge (squash) December 2, 2025 10:55
@elasticmachine (Contributor) commented

💛 Build succeeded, but was flaky

Failed CI Steps

Test Failures

  • [job] [logs] Scout: [ platform / streams_app ] plugin / ECS/Otel type pre-selection for known fields
  • [job] [logs] Scout: [ platform / streams_app ] plugin / serverless-oblt - Stream data mapping - schema editor - Wired Streams - ECS/Otel type pre-selection for known fields

Metrics

Module Count

Fewer modules lead to a faster build time.

| id | before | after | diff |
| --- | --- | --- | --- |
| alerting | 347 | 348 | +1 |
| apm | 2047 | 2048 | +1 |
| automaticImport | 976 | 977 | +1 |
| cases | 1194 | 1195 | +1 |
| datasetQuality | 892 | 893 | +1 |
| discover | 1860 | 1861 | +1 |
| elasticAssistant | 537 | 538 | +1 |
| embeddableAlertsTable | 561 | 562 | +1 |
| infra | 1742 | 1743 | +1 |
| ml | 2815 | 2816 | +1 |
| monitoring | 749 | 750 | +1 |
| observability | 1616 | 1617 | +1 |
| observabilityAIAssistantApp | 768 | 769 | +1 |
| observabilityShared | 329 | 330 | +1 |
| onechat | 1513 | 1514 | +1 |
| securitySolution | 8436 | 8437 | +1 |
| slo | 1316 | 1317 | +1 |
| stackAlerts | 251 | 252 | +1 |
| synthetics | 1372 | 1373 | +1 |
| timelines | 280 | 281 | +1 |
| transform | 810 | 811 | +1 |
| triggersActionsUi | 1092 | 1093 | +1 |
| uptime | 894 | 895 | +1 |
| total | | | +23 |

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run `node scripts/build_api_docs --plugin [yourplugin] --stats comments` for more detailed information.

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/elastic-assistant-common | 774 | 778 | +4 |

Unknown metric groups

API count

| id | before | after | diff |
| --- | --- | --- | --- |
| @kbn/elastic-assistant-common | 904 | 909 | +5 |

References to deprecated APIs

| id | before | after | diff |
| --- | --- | --- | --- |
| securitySolution | 431 | 432 | +1 |

History

cc @e40pud

@e40pud e40pud merged commit 56b5b1e into elastic:main Dec 2, 2025
12 checks passed
NicholasPeretti pushed a commit to NicholasPeretti/kibana that referenced this pull request Dec 2, 2025
…indices RBAC (elastic#243079) (elastic#244667)

## Summary

Related to elastic#243079

Here we introduce a new internal attack discovery endpoint that returns
missing index privileges for the users.

There are two indices user should have access to in order to be able to
work with attack discovery feature:
`.alerts-security.attack.discovery.alerts-*` and
`.adhoc.alerts-security.attack.discovery.alerts`.

The required privileges are `read`, `write`, `view_index_metadata` and
`maintenance`.

The endpoint checks whether any of those required privileges are missing
for those two indices and returns the information about it in a form
like this:


```
[
  {
    indexName: '.alerts-security.attack.discovery.alerts-default',
    privileges: ['read', 'write', 'view_index_metadata', 'maintenance'],
  },
  {
    indexName: '.adhoc.alerts-security.attack.discovery.alerts-default',
    privileges: ['read', 'write', 'view_index_metadata', 'maintenance'],
  },
]
```

## Testing

1. Create a role which has attack discovery kibana privileges and lacks
index privileges to one of the indices:
`.alerts-security.attack.discovery.alerts-*` and/or
`.adhoc.alerts-security.attack.discovery.alerts`.
2. Use this cURL request to get missing privileges information

```
curl --location 'http://localhost:5601/internal/elastic_assistant/attack_discovery/_missing_privileges' \
--header 'kbn-xsrf: true' \
--header 'elastic-api-version: 1' \
--header 'x-elastic-internal-origin: security-solution'
```

**NOTE**: You need to add credentials of the user with the created role
rights in this request.

---------

Co-authored-by: Elastic Machine <elasticmachine@users.noreply.github.com>

Labels: backport:skip, release_note:skip, Team:Security Generative AI, Team: SecuritySolution, v9.3.0
