Detection engine permission issues after upgrade to 7.9

Hi,

Yesterday we upgraded our cluster to 7.9 and users are reporting problems with the Detections tab in the SIEM app. When they open it they get the "Let's set up your detection engine" message.

The role assigned to the users has the following privileges, as specified in "Detections configuration and index privilege prerequisites" (version 7.8):

Cluster privileges: manage_pipeline, manage_api_key, manage
Index privileges on .siem-signals-*: create_doc, write, index, read, all
Kibana space privilege: SIEM app, all

Kibana has xpack.encryptedSavedObjects.encryptionKey set (we use two Kibana nodes and both have the same key).

Anyway, it worked without any problems in 7.8.1. I have no problems using the Detections tab with the superuser role. Has anything changed in 7.9 regarding user permissions to access the SIEM app?

I haven't noticed anything suspicious in Kibana logs.

Hi Ján,

Has anything changed with 7.9 regarding user permissions to access SIEM app?

Yes, 7.9 introduces new capabilities, including the ability to upload "value lists" that can be used as part of detection rule exceptions; these require permissions to access the new indices associated with the lists.

We've updated the relevant details in the Detections prerequisites and requirements section of the 7.9 documentation.

Please let us know if this addresses the issue you've experienced.


Granting privileges to .lists-* and .items-* solved the issue. Thanks!
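As an added example (not from the thread or Elastic's own tooling), a small audit that takes a role body in the shape returned by `GET _security/role/<name>` and reports which of the Detections index patterns from the thread it fails to cover. The two role bodies are constructed here to mirror the thread's before/after state; the assumption that .lists-* and .items-* need read and write (as .siem-signals-* does) is mine, not the page's, and the wildcard comparison only checks whether a role's pattern is at least as broad as the required one.

```python
import fnmatch

# Index patterns named in the thread. The privilege set required on the two
# 7.9 list indices is an assumption mirroring what the thread grants on
# .siem-signals-*; check the 7.9 prerequisites page for the authoritative list.
REQUIRED = {
    ".siem-signals-*": {"read", "write"},
    ".lists-*": {"read", "write"},
    ".items-*": {"read", "write"},
}
# Elasticsearch index privileges that imply the ones checked above.
IMPLIES = {
    "all": {"read", "write", "index", "create_doc"},
    "write": {"index", "create_doc"},
}

def effective(privs):
    """Expand a list of index privileges with the ones they imply."""
    out = set(privs)
    for p in privs:
        out |= IMPLIES.get(p, set())
    return out

def missing_privileges(role):
    """Return {required_pattern: missing privileges} for one role body."""
    missing = {}
    for pattern, needed in REQUIRED.items():
        granted = set()
        for entry in role.get("indices", []):
            for name in entry.get("names", []):
                # The role's pattern covers the required one if the required
                # pattern string itself matches it (e.g. "*" or ".lists-*").
                if fnmatch.fnmatchcase(pattern, name):
                    granted |= effective(entry.get("privileges", []))
        gap = needed - granted
        if gap:
            missing[pattern] = gap
    return missing

# Constructed role bodies: the thread's 7.8 role, and the same role after the fix.
ROLE_78 = {
    "cluster": ["manage_pipeline", "manage_api_key", "manage"],
    "indices": [{"names": [".siem-signals-*"],
                 "privileges": ["create_doc", "write", "index", "read", "all"]}],
}
ROLE_79 = {
    "cluster": ROLE_78["cluster"],
    "indices": ROLE_78["indices"]
    + [{"names": [".lists-*", ".items-*"], "privileges": ["read", "write"]}],
}

if __name__ == "__main__":
    print("7.8 role missing:", missing_privileges(ROLE_78))
    print("7.9 role missing:", missing_privileges(ROLE_79))
```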
