From 9a7c0e7bdf379f53daf543f50ff2abad194cfc5f Mon Sep 17 00:00:00 2001 From: DonNateR Date: Tue, 2 Feb 2021 21:30:51 -0600 Subject: [PATCH 1/6] Issue #437: Add maintenance permission for SIEM index --- docs/getting-started/detections-req.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index 893b1d9bbe..34a4c10de3 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -42,11 +42,11 @@ and restarting {kib}, you must restart all detection rules. To enable the <>, a user with these privileges must visit (click on) the *Detections* page: -* The `manage` cluster privilege +* The `manage` cluster privilege. * {kib} space `All` privileges for the `Security` feature (see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]). +* The `maintenance` permission for `.siem-signals-`. * The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices: -** `.siem-signals-` ** `.lists-` ** `.items-` + @@ -78,9 +78,9 @@ After enabling Detections, only users with these permission can view and use the *Detections* page: * {kib} space `All` privileges for the `Security` and `Saved Objects -Management` features +Management` features. +* The `maintenance` permission for `.siem-signals-`. * The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: -** `.siem-signals-` ** `.lists-` ** `.items-` + From 5f8e162f00c6481d1866fed382e24e301d4d5d08 Mon Sep 17 00:00:00 2001 From: DonNateR <> Date: Tue, 23 Feb 2021 16:36:08 -0600 Subject: [PATCH 2/6] Rework detections section --- docs/getting-started/detections-req.asciidoc | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) 
diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index 34a4c10de3..39d6011608 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -45,7 +45,6 @@ these privileges must visit (click on) the *Detections* page: * The `manage` cluster privilege. * {kib} space `All` privileges for the `Security` feature (see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]). -* The `maintenance` permission for `.siem-signals-`. * The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices: ** `.lists-` ** `.items-` @@ -77,8 +76,10 @@ image::images/sec-admin-user.png[] After enabling Detections, only users with these permission can view and use the *Detections* page: -* {kib} space `All` privileges for the `Security` and `Saved Objects -Management` features. +**All** + +These permissions are required for both rule and alert management: + * The `maintenance` permission for `.siem-signals-`. * The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: ** `.lists-` @@ -86,12 +87,18 @@ Management` features. + Where `` is the {kib} space name. -Here's a screenshot of a user role that can view and create detection rules in all {kib} -spaces: - [role="screenshot"] image::images/sec-user.png[] +**Rule** + +For rule management, make sure {kib} space with `All` privileges enabled for both `Security` and `Saved Objects Management` features. + +**Alert** + +If you only want a user to be update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. + + [discrete] [[adv-list-settings]] == Configure list upload limits From 660ccfcf482f0ee590a66213451562df450b13a1 Mon Sep 17 00:00:00 2001 
From: DonNateR <> Date: Tue, 23 Feb 2021 18:42:30 -0600 Subject: [PATCH 3/6] Add slight edits to the new section. --- docs/getting-started/detections-req.asciidoc | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index 39d6011608..a20b99615d 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -73,13 +73,13 @@ image::images/sec-admin-user.png[] [[access-detections-ui]] == Access and use Detections -After enabling Detections, only users with these permission can view and use the -*Detections* page: +After enabling Detections, only users with these permission can view and use rules and alerts on *Detections* page: **All** These permissions are required for both rule and alert management: +* {kib} space with `All` privileges enabled for `Security`. * The `maintenance` permission for `.siem-signals-`. * The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: ** `.lists-` @@ -92,11 +92,11 @@ image::images/sec-user.png[] **Rule** -For rule management, make sure {kib} space with `All` privileges enabled for both `Security` and `Saved Objects Management` features. +For rule management, make sure {kib} space with `All` privileges is enabled for both `Security` and `Saved Objects Management` features. **Alert** -If you only want a user to be update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. +If you only want a user to be update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. [discrete] From 11d45eaebac54f90ecc7393a3e165201dca416bc Mon Sep 17 00:00:00 2001 
From: DonNateR Date: Tue, 23 Feb 2021 19:09:34 -0600 Subject: [PATCH 4/6] Add a couple more grammar edits. --- docs/getting-started/detections-req.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index a20b99615d..eddd34f40f 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -73,7 +73,7 @@ image::images/sec-admin-user.png[] [[access-detections-ui]] == Access and use Detections -After enabling Detections, only users with these permission can view and use rules and alerts on *Detections* page: +After enabling Detections, only users with these permissions can view and use rules and alerts on the *Detections* page: **All** @@ -96,7 +96,7 @@ For rule management, make sure {kib} space with `All` privileges is enabled for **Alert** -If you only want a user to be update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. +If you only want a user to update the status of alerts but not rule, only {kib} space with `All` privileges enabled for `Security` is required. [discrete] From 60c1726a0359c57681f8e0e060793e540e05f260 Mon Sep 17 00:00:00 2001 From: Nate Archer <12628964+DonNateR@users.noreply.github.com> Date: Tue, 23 Feb 2021 19:33:50 -0600 Subject: [PATCH 5/6] Update docs/getting-started/detections-req.asciidoc Co-authored-by: Garrett Spong --- docs/getting-started/detections-req.asciidoc | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index eddd34f40f..a17cacded1 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc 
@@ -80,8 +80,7 @@ After enabling Detections, only users with these permissions can view and use ru These permissions are required for both rule and alert management: * {kib} space with `All` privileges enabled for `Security`. -* The `maintenance` permission for `.siem-signals-`. -* The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: +* The `read`, `write`, `view_index_metadata`, and `maintenance` index privileges for all of these system indices: ** `.lists-` ** `.items-` + From 473007ae888e72278fe62ec428059e76cb11d91d Mon Sep 17 00:00:00 2001 From: DonNateR Date: Tue, 23 Feb 2021 19:36:07 -0600 Subject: [PATCH 6/6] Add back in accidental deletion --- docs/getting-started/detections-req.asciidoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/getting-started/detections-req.asciidoc b/docs/getting-started/detections-req.asciidoc index eddd34f40f..d5f6d4848e 100644 --- a/docs/getting-started/detections-req.asciidoc +++ b/docs/getting-started/detections-req.asciidoc @@ -46,6 +46,7 @@ these privileges must visit (click on) the *Detections* page: * {kib} space `All` privileges for the `Security` feature (see {kibana-ref}/xpack-spaces.html#spaces-control-user-access[Feature access based on user privileges]). * The `manage`, `write`,`read`, and `view_index_metadata` index privileges for all of these system indices: +** `.siem-signals-` ** `.lists-` ** `.items-` + @@ -82,6 +83,7 @@ These permissions are required for both rule and alert management: * {kib} space with `All` privileges enabled for `Security`. * The `maintenance` permission for `.siem-signals-`. * The `read`, `write`, and `view_index_metadata` index privileges for all of these system indices: +** `.siem-signals-` ** `.lists-` ** `.items-` +
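Review bot: Patch 1, hunk `@@ -42,11 +42,11 @@`, leaves `.siem-signals-` with only the `maintenance` privilege: the index is removed from the list under `manage`, `write`, `read`, and `view_index_metadata`, and the new bullet grants `maintenance` alone, which permits refresh, flush and force merge but not reading or writing the signals. Keep `** `.siem-signals-`` in that list and add `maintenance` on top of it; patch 6 ("Add back in accidental deletion") later restores the line, so that fix belongs in this hunk.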
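Review bot: Patch 1, hunk `@@ -78,9 +78,9 @@`, has the same drop for ordinary Detections users: `.siem-signals-` disappears from the `read`, `write`, and `view_index_metadata` list, so a user built from this section holds only `maintenance` on the signals index and cannot read or update alerts. Suggest a single bullet such as `* The `read`, `write`, `view_index_metadata`, and `maintenance` index privileges for all of these system indices:` with `** `.siem-signals-`` kept under it, which is also the shape patch 5 arrives at.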
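Review bot: Patch 2, hunk `@@ -45,7 +45,6 @@`, drops the separate `maintenance` bullet from the enabling section; that is defensible because the `manage` index privilege already listed covers the refresh, flush and force-merge operations that `maintenance` grants, but it only holds if `.siem-signals-` is under that `manage` list, and at this point in the series it is not (patch 1 removed it), so the enabling role has no privilege on the signals index at all until patch 6. Fold the `** `.siem-signals-`` restoration into this hunk or into patch 1.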
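Review bot: Patch 2, hunk `@@ -77,8 +76,10 @@`, deletes the `{kib} space `All` privileges for the `Security` and `Saved Objects Management` features` bullet but the new **All** list below it carries only index privileges, so a reader following the "required for both rule and alert management" list ends up with no {kib} feature privilege at all; patch 3 adds `Security` back, so squash that line here. Style point in the same hunk: `**All**` is bold text used as a heading, whereas the file uses `[discrete]` followed by `==` headings (see `== Configure list upload limits` in the trailing context); a `[discrete]` `===` subsection would match the surrounding AsciiDoc.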
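Review bot: Patch 2, hunk `@@ -86,12 +87,18 @@`, removes the sentence `Here's a screenshot of a user role that can view and create detection rules in all {kib} spaces:` but keeps `image::images/sec-user.png[]`, so the screenshot now sits between the space-name note and `**Rule**` with nothing saying which role it shows; keep a one-line caption or move the image under the **Rule** text it illustrates. In the new text, `make sure {kib} space with `All` privileges enabled for both` is missing its verb and `be update the status of alerts but not rule` is ungrammatical; suggest `make sure the {kib} space has `All` privileges enabled for both the `Security` and `Saved Objects Management` features` and `update the status of alerts but not rules`. The **Alert** paragraph also restates the first requirement already in the **All** list, so it should say that no privileges beyond that list are needed rather than repeating it.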
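Review bot: Patch 3, hunk `@@ -92,11 +92,11 @@`, shows the `**Alert**` sentence removed and re-added with identical visible text, so that pair is a trailing-whitespace change only; either drop it from the patch or use the touch to fix `but not rule` to `but not rules`, which patch 4 also leaves singular. The `**Rule**` fix to `is enabled` still reads oddly (`make sure {kib} space with `All` privileges is enabled for`); `make sure the {kib} space has `All` privileges enabled for` is clearer.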
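Review bot: Patch 5, hunk `@@ -80,8 +80,7 @@`, moves `maintenance` from its own `.siem-signals-` bullet into the shared index-privilege list, but the only indices under that list at this point are `.lists-` and `.items-`, so the net effect is to grant `maintenance` on the lists indices, where it was never required, and to drop it from the signals index, the one place it was. The hunk needs `** `.siem-signals-`` restored under the list in the same change for the combined bullet to mean what the commit message of patch 1 intended.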
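Review bot: Patch 6, hunk `@@ -82,6 +83,7 @@`, does not apply on top of patch 5: its `index eddd34f40f..d5f6d4848e` line bases it on the output of patch 4, not patch 5's `a17cacded1`, and its context lines `* The `maintenance` permission for `.siem-signals-`.` and `* The `read`, `write`, and `view_index_metadata` index privileges` are exactly the lines patch 5 replaced. Rebase so `** `.siem-signals-`` lands under patch 5's combined `read`, `write`, `view_index_metadata`, and `maintenance` bullet, and since this hunk and `@@ -46,6 +46,7 @@` only undo the deletions in patch 1, squash both into patch 1 so no intermediate commit documents a role without access to the signals index.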