Custom SIEM rules: illegal_argument_exception permission issue

I've created a custom rule, which seems to work if I run it via the console. But when I put it in as a SIEM rule, the error below occurs.

Any idea which permission/privilege I need to fix the issue?

An error occurred during rule execution: message: "
[illegal_argument_exception] unknown cluster privilege [grant_api_key]. 
a privilege must be either one of the predefined cluster privilege names [monitor_ml,manage_enrich,read_slm,monitor_watcher,manage_index_templates,manage_ccr,monitor_transform,delegate_pki,none,monitor_snapshot,manage_data_frame_transforms,
read_ilm,monitor_data_frame_transforms,manage_api_key,manage_security,
manage_saml,manage_own_api_key,all,manage_ilm,manage_oidc,manage_ingest_pipelines,read_ccr,monitor,manage_rollup,manage_slm,manage_watcher,manage,manage_transform,
manage_token,manage_ml,manage_pipeline,monitor_rollup,transport_client,create_snapshot] or a pattern over one of the available cluster actions" 
name: "MY_CUSTOM_RULE_ID" id: "4a5b8028-d035-43f4-814c-3cf7fb6d0598" rule id: "MY_CUSTOM_RULE_ID" signals index: ".siem-signals-default"

What version of Elasticsearch are you using?

7.8.1

@kelk thanks for the info, I've got a few follow up questions to try and narrow this down:

  1. Do you have security enabled on your stack? How are you authenticating/creating users, etc. ?

    • roles/privileges for the user that created the rule are most relevant, here
  2. I've created a custom rule, which seems working if I run via the console

    Could you explain this in a bit more detail? Are you performing an analogous query in kibana's dev console, or via curl? A copy of this working query would be very helpful (and who you're authenticated as when performing it).

Thanks in advance!

Yes, security is enabled on the stack. Authenticating the user via Kibana (role is superuser).

Code below. This is a simple test for a certain event code; the only change is to send to my_own_index.

{
  "actions": [],
  "description": "TEST TEST TEST",
  "enabled": true,
  "false_positives": [],
  "from": "now-60m",
  "index": ["*win*"],
  "interval": "30m",
  "language": "kuery",
  "max_signals": 100,
  "name": "TEST FOR MANIPULATE FIREWALL ",
  "output_index": "my_own_index",
  "query": "event.code:(4950 or 853)",
  "filters": [],
  "references": [],
  "risk_score": 48,
  "rule_id": "SIMPLE_TEST_RULE_ID",
  "severity": "low",
  "tags": ["Elastic", "Host", "Windows", "Defense Evasion"],
  "threat": [
    {
      "framework": "MITRE ATT&CK",
      "tactic": {
        "id": "TA0005",
        "name": "Defense Evasion",
        "reference": "https://attack.mitre.org/tactics/TA0005"
      },
      "technique": [
        {
          "id": "T1562",
          "name": "Disabling Security Tools",
          "reference": "https://attack.mitre.org/techniques/T1562"
        }
      ]
    }
  ],
  "throttle": "no_actions",
  "to": "now-30m",
  "type": "query"
}

@kelk I don't see anything inherently wrong with that rule, but I do want to note that the leading wildcard on your index pattern could cause the rule to query across clusters; that may be a clue to your problem. However, it's unclear in your previous message whether this rule is working (or not), and what differences it has from the broken (or not) rule. It would be ideal if you could provide both:

  1. A minimal example of a rule that isn't working
  2. A minimal example of a rule that is working, as similar to the working rule as possible. If you don't have such an example rule, please explain (with examples) the reasoning behind your original statement "a custom rule, which seems working if I run via the console"

Thanks in advance, I look forward to figuring this out with you!
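Added example (not code from this thread, from Kibana or from Elastic): a small Python helper that turns the execution error from the first post into structured fields (the unknown privilege, the list of predefined privileges the cluster accepts, and the rule/signals-index identifiers), and lints a rule document for the things raised above: the leading wildcard on the index pattern, an output_index that differs from the signals index named in the error, and a `from`/`to` window that is shorter than the run interval (which leaves events unsearched). The error text and the rule are constructed copies of what the thread shows; the date-math parser only covers the `now-<n><unit>` form used there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed copy of the execution error quoted in the first post (line-wrapped as posted).
SAMPLE_ERROR = """An error occurred during rule execution: message: "
[illegal_argument_exception] unknown cluster privilege [grant_api_key].
a privilege must be either one of the predefined cluster privilege names [monitor_ml,manage_enrich,read_slm,monitor_watcher,manage_index_templates,manage_ccr,monitor_transform,delegate_pki,none,monitor_snapshot,manage_data_frame_transforms,
read_ilm,monitor_data_frame_transforms,manage_api_key,manage_security,
manage_saml,manage_own_api_key,all,manage_ilm,manage_oidc,manage_ingest_pipelines,read_ccr,monitor,manage_rollup,manage_slm,manage_watcher,manage,manage_transform,
manage_token,manage_ml,manage_pipeline,monitor_rollup,transport_client,create_snapshot] or a pattern over one of the available cluster actions"
name: "MY_CUSTOM_RULE_ID" id: "4a5b8028-d035-43f4-814c-3cf7fb6d0598" rule id: "MY_CUSTOM_RULE_ID" signals index: ".siem-signals-default"
"""

# Constructed subset of the rule posted above (only the fields the linter looks at).
SAMPLE_RULE = {
    "name": "TEST FOR MANIPULATE FIREWALL",
    "rule_id": "SIMPLE_TEST_RULE_ID",
    "index": ["*win*"],
    "from": "now-60m",
    "to": "now-30m",
    "interval": "30m",
    "query": "event.code:(4950 or 853)",
    "output_index": "my_own_index",
    "type": "query",
}

# "rule id" must come before "id" in the alternation so it is not split in two.
ERROR_FIELD_RE = re.compile(r'(?:^|\s)(name|rule id|id|signals index): "([^"]*)"')
UNKNOWN_PRIV_RE = re.compile(r"unknown cluster privilege \[([^\]]+)\]")
PREDEFINED_RE = re.compile(r"predefined cluster privilege names \[([^\]]+)\]")


@dataclass
class RuleError:
    unknown_privilege: Optional[str]
    predefined: List[str]
    fields: Dict[str, str]


def parse_rule_error(text: str) -> RuleError:
    """Turn the alerting error string into structured data."""
    flat = " ".join(text.split())  # undo the line wrapping of the posted message
    unknown = UNKNOWN_PRIV_RE.search(flat)
    predefined = PREDEFINED_RE.search(flat)
    return RuleError(
        unknown_privilege=unknown.group(1) if unknown else None,
        predefined=[p.strip() for p in predefined.group(1).split(",")] if predefined else [],
        fields=dict(ERROR_FIELD_RE.findall(flat)),
    )


_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
DATE_MATH_RE = re.compile(r"^now(?:-(\d+)([smhd]))?$")
DURATION_RE = re.compile(r"^(\d+)([smhd])$")


def date_math_offset(expr: str) -> int:
    """Seconds before 'now' expressed by a date-math string such as now-60m (now -> 0)."""
    m = DATE_MATH_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported date math: {expr!r}")
    return 0 if m.group(1) is None else int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def duration_seconds(expr: str) -> int:
    """Seconds in an interval string such as 30m."""
    m = DURATION_RE.match(expr.strip())
    if not m:
        raise ValueError(f"unsupported duration: {expr!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def lint_rule(rule: dict, signals_index: Optional[str] = None) -> List[str]:
    """Return human-readable findings for a detection rule document."""
    findings = []
    for pattern in rule.get("index", []):
        if pattern.startswith("*"):
            findings.append(f"index pattern {pattern!r} has a leading wildcard; anchor it on a known prefix")
        if ":" in pattern:
            findings.append(f"index pattern {pattern!r} explicitly targets a remote cluster")
    window = date_math_offset(rule["from"]) - date_math_offset(rule["to"])
    interval = duration_seconds(rule["interval"])
    if window <= 0:
        findings.append("'from' must be earlier than 'to'")
    elif window < interval:
        findings.append(f"query window is {window}s but the rule runs every {interval}s: "
                        f"{interval - window}s of events are never searched")
    out = rule.get("output_index")
    if signals_index and out and out != signals_index:
        findings.append(f"output_index {out!r} differs from the signals index {signals_index!r} in the error")
    return findings


if __name__ == "__main__":
    err = parse_rule_error(SAMPLE_ERROR)
    print("unknown privilege:", err.unknown_privilege, "| fields:", err.fields)
    for finding in lint_rule(SAMPLE_RULE, err.fields.get("signals index")):
        print("-", finding)
```

Running it on the thread's own error and rule reports `grant_api_key` as the privilege the cluster does not recognise, lists the privileges it does accept (useful when comparing against the role of the user who created the rule), and flags the `*win*` pattern and the non-default output_index; the 30-minute window with a 30-minute interval produces no gap finding.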

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.