Alrighty, perfect! Thanks for the added details @ManuelF!

So from those errors we can see that the `.items` (for exceptions/value-lists) indices haven't been created yet for the `it-dpt` space, so there must be something afoot with the privileges on the initial user you used to try and set it up.

You had mentioned that you had full access to all Security features with your admin user before:

> As you noticed, I have full access to all Security features with my full admin user, so the index the app may need, should have been created already

Is there a chance you didn't visit the Security app at least once with your admin user? Perhaps you were on the `default` space instead of `it-dpt`? Perhaps the `.siem-signals-*` ES index privileges were too specific?

Either way, next steps here are going to be to see what the responses are for those same requests when visiting with your admin user. It's of course easiest if your admin has the `superuser` role, but you'll really only need the privileges outlined in the first part of the docs you linked to in your original post (`cluster` `manage`, and `.siem-signals-*` `manage` being key).

My next guess here is that perhaps your admin user had `.siem-signals-default` instead of `.siem-signals-*`, and so when visiting the `it-dept` space there weren't sufficient privileges to create the index. Though we'll know for sure by inspecting those same requests when visiting with your admin user.

We're almost there -- hopefully this takes care of it for you!
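To make the "too specific index privilege" guess above concrete, here is an added example (not code from this thread or from Elastic) that checks whether a role's index-name patterns grant `manage` on the per-space signals index. It assumes the signals index is named `.siem-signals-<space id>` as the post implies, and it models privilege matching with simple glob matching, which is a simplification of how Elasticsearch actually evaluates index privileges; the two role definitions are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Constructed example roles: index-name pattern -> index privileges granted.
# The first mirrors the suspected misconfiguration (pattern pinned to the
# default space); the second mirrors the documented wildcard pattern.
ROLE_TOO_SPECIFIC = {".siem-signals-default": {"manage", "read", "write"}}
ROLE_WILDCARD = {".siem-signals-*": {"manage", "read", "write"}}


def signals_index_for_space(space_id: str) -> str:
    # Assumption: one signals index per Kibana space, named after the space id.
    return f".siem-signals-{space_id}"


def granted_privileges(role_indices: dict, index_name: str) -> set:
    """Union of privileges from every role pattern that matches the index name.

    Simplified glob semantics (fnmatch), not Elasticsearch's full evaluation.
    """
    granted = set()
    for pattern, privs in role_indices.items():
        if fnmatchcase(index_name, pattern):
            granted |= privs
    return granted


def can_create_signals_index(role_indices: dict, space_id: str) -> bool:
    # Creating the index needs the 'manage' index privilege on that index name.
    index_name = signals_index_for_space(space_id)
    return "manage" in granted_privileges(role_indices, index_name)


def report(role_indices: dict, spaces: list) -> dict:
    """Map each space id to whether the role can create its signals index."""
    return {space: can_create_signals_index(role_indices, space) for space in spaces}


if __name__ == "__main__":
    for name, role in (("too-specific", ROLE_TOO_SPECIFIC), ("wildcard", ROLE_WILDCARD)):
        print(name, report(role, ["default", "it-dpt"]))
```

Running it shows the too-specific role succeeding only for the `default` space and failing for `it-dpt`, while the wildcard role covers both, which is exactly the symptom described above.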