So I made a SIEM rule which triggers on event.action on Elastic audit logs. And so I discovered the user _async_search triggers this rule.
I guess I can safely exclude this, but I'm curious what is causing this. Any feedback on the behaviour of _async_search, is the above expected?
That would relate to https://www.elastic.co/guide/en/elasticsearch/reference/7.9/async-search.html.
You'd have to figure out what is asking that request, is there more to the event?
Thanks @warkolm for your answer. I already read through the documentation. There is not a lot of extra info I can give you. The access denieds always seem to come from Kibana nodes and always have
As this is a user provided by Elastic, I don't know if and what I should do with these access denieds. Imho, this seems like a bug or a questionable async search consequence. The original queries I know which were related were all executed by superusers, so at first sight I see no reason why an access denied is being thrown.
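As an added example (not code from the thread or from Elastic), this is how the access_denied rule discussed above can be applied to raw audit-log lines while scoping the _async_search exclusion to that one event.action and still counting what it suppresses, so a sudden spike from the internal user remains visible. The sample lines are constructed; field names other than event.action (user.name, user.realm, action, origin.type) follow the Elasticsearch 7.x JSON audit log format as assumed here.

```python
import json
from collections import Counter

# Constructed sample lines in the shape of Elasticsearch's JSON audit log.
# Only event.action is taken from the thread; the other field names are
# assumptions based on the 7.x audit log format.
SAMPLE_AUDIT_LINES = [
    '{"event.type":"transport","event.action":"access_denied","user.name":"_async_search",'
    '"user.realm":"__attach","action":"indices:data/read/search","origin.type":"local_node"}',
    '{"event.type":"transport","event.action":"access_granted","user.name":"elastic",'
    '"user.realm":"reserved","action":"indices:data/read/search"}',
    '{"event.type":"rest","event.action":"access_denied","user.name":"analyst",'
    '"user.realm":"native","action":"indices:admin/delete","origin.type":"rest"}',
    '{"event.type":"transport","event.action":"access_denied","user.name":"_async_search",'
    '"user.realm":"__attach","action":"indices:data/read/search","origin.type":"local_node"}',
    'not json at all',
]

# Internal principal the thread identifies as the false-positive source.
# The exclusion below is applied only to access_denied events, so any other
# event.action from this user is still evaluated normally.
EXCLUDED_DENIED_USERS = {"_async_search"}


def evaluate_rule(lines):
    """Run the access_denied rule over raw JSON audit lines.

    Returns (alerts, suppressed): alerts is the list of parsed events that
    fire the rule; suppressed counts access_denied events dropped by the
    internal-user exclusion, keyed by user.name, so the excluded volume is
    observable (and can itself be thresholded) instead of silently vanishing.
    """
    alerts = []
    suppressed = Counter()
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than crash the rule
        if event.get("event.action") != "access_denied":
            continue
        user = event.get("user.name", "")
        if user in EXCLUDED_DENIED_USERS:
            suppressed[user] += 1
            continue
        alerts.append(event)
    return alerts, dict(suppressed)
```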