_async_search throwing access denied events in Elasticsearch audit logs

Hello,

So I made a SIEM rule which triggers on access_denied in event.action on Elastic audit logs.

And so I discovered the user _async_search triggers this rule.


I guess I can safely exclude this, but I'm curious what is causing it. Any feedback on the behaviour of _async_search? Is the above expected?

Grtz

Willem

That would relate to https://www.elastic.co/guide/en/elasticsearch/reference/7.9/async-search.html.

You'd have to figure out what is making that request. Is there more to the event?

Thanks @warkolm for your answer. I already read through the documentation. There is not a lot of extra info I can give you. The access denied events always seem to come from Kibana nodes and always have

"action":"cluster:admin/tasks/cancel"
"request.name":"CancelTasksRequest"

As this is a user provided by Elastic, I don't know if, and what, I should do with these access denied events. Imho, this seems like a bug or a questionable async search consequence. The original queries that I know were related were all executed by superusers, so at first sight I see no reason why an access denied is being thrown.

Grtz

Willem
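As an added example (not code from the thread or from Elastic), the kind of rule logic described above, run over a few constructed audit log lines: it flags access_denied events but excludes only the specific combination reported here (user _async_search with action cluster:admin/tasks/cancel), rather than silencing the _async_search user entirely. The field names event.action, action and request.name are the ones quoted in the post; user.name and node.name follow the Elasticsearch JSON audit log layout, and every value in the sample lines is made up.

```python
import json
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed sample audit log lines (not real events from the thread).
# Field names event.action / action / request.name come from the post above;
# user.name and node.name mirror the Elasticsearch JSON audit log layout.
SAMPLE_AUDIT_LINES: List[str] = [
    # The pattern discussed in the thread: built-in _async_search user,
    # task cancel denied, originating on a Kibana node. Treated as known noise.
    json.dumps({"event.action": "access_denied", "user.name": "_async_search",
                "action": "cluster:admin/tasks/cancel",
                "request.name": "CancelTasksRequest", "node.name": "kibana-01"}),
    # A normal user denied a search: this is what the rule should catch.
    json.dumps({"event.action": "access_denied", "user.name": "jdoe",
                "action": "indices:data/read/search",
                "request.name": "SearchRequest", "node.name": "es-data-03"}),
    # Same built-in user, but a different denied action: must still be flagged,
    # because the exclusion is scoped to (user, action), not to the user alone.
    json.dumps({"event.action": "access_denied", "user.name": "_async_search",
                "action": "cluster:monitor/state",
                "request.name": "ClusterStateRequest", "node.name": "kibana-01"}),
    # Granted access is not in scope for the rule at all.
    json.dumps({"event.action": "access_granted", "user.name": "jdoe",
                "action": "indices:data/read/search",
                "request.name": "SearchRequest", "node.name": "es-data-03"}),
    # A truncated line, as happens when a log file is rotated mid-write.
    '{"event.action": "access_denied", "user.name": "jdoe"',
]

# Known-benign (user, action) pairs. Deliberately narrow: excluding the whole
# _async_search user would also hide any future, genuinely unexpected denial.
BENIGN_PAIRS: FrozenSet[Tuple[str, str]] = frozenset(
    {("_async_search", "cluster:admin/tasks/cancel")}
)


def parse_audit_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one JSON audit log line; return None for malformed input."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def is_benign(event: Dict[str, str],
              benign_pairs: FrozenSet[Tuple[str, str]] = BENIGN_PAIRS) -> bool:
    """True only when both user and action match an allow-listed pair."""
    return (event.get("user.name"), event.get("action")) in benign_pairs


def flag_access_denied(lines: Iterable[str],
                       benign_pairs: FrozenSet[Tuple[str, str]] = BENIGN_PAIRS
                       ) -> List[Dict[str, str]]:
    """Return the access_denied events that are not covered by the allow-list."""
    flagged: List[Dict[str, str]] = []
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event.get("event.action") != "access_denied":
            continue
        if is_benign(event, benign_pairs):
            continue
        flagged.append(event)
    return flagged


def denied_summary(lines: Iterable[str]) -> Dict[Tuple[str, str, str], int]:
    """Count every access_denied event by (user, action, node), ignoring the
    allow-list, so a new noise pattern can be recognised before it is excluded."""
    counts: Dict[Tuple[str, str, str], int] = {}
    for line in lines:
        event = parse_audit_line(line)
        if event is None or event.get("event.action") != "access_denied":
            continue
        key = (event.get("user.name", "?"), event.get("action", "?"),
               event.get("node.name", "?"))
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in flag_access_denied(SAMPLE_AUDIT_LINES):
        print("ALERT", hit["user.name"], hit["action"], hit["node.name"])
    for key, n in sorted(denied_summary(SAMPLE_AUDIT_LINES).items()):
        print("denied", n, *key)
```

Running this prints alerts for the jdoe search denial and for the _async_search cluster:monitor/state denial, while the cancel-task denial from the Kibana node is suppressed. The summary function is the check to run before adding an exclusion: if the only recurring tuple is (_async_search, cluster:admin/tasks/cancel, kibana-*), the narrow allow-list above is enough, and anything else that shows up stays visible.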
