Hello,
So I made a SIEM rule which triggers on access_denied in event.action on Elastic audit logs.
And so I discovered the user _async_search triggers this rule.
I guess I can safely exclude this, but I'm curious what is causing this. Any feedback on the behaviour of _async_search, is the above expected?
Grtz
Willem
That would relate to https://www.elastic.co/guide/en/elasticsearch/reference/7.9/async-search.html.
You'd have to figure out what is asking that request, is there more to the event?
Thanks @warkolm for your answer. I already read through the documentation. There is not a lot of extra info I can give you. The access denieds alwasy seem to come from Kibana nodes and always have
"action":"cluster:admin/tasks/cancel"
"request.name":"CancelTasksRequest"
As this is a user provided by Elastic, I don't know if and what I should do with these access denieds. Imho, this seems like a bug or a questionable async search consequence. The original queries I know which were related were all executed by superusers, so at first sight I see no reason why an access denied is being thrown.
Grtz
Willem
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.