We are new to elastic and are working to get detections up and running. I created a role with all the required permissions according to the documentation and assigned it to my user, but when going to the detections page I still get the error message "To use the detection engine, a user with the required cluster and index privileges must first access this page. You need permissions for the signals index. For more help, contact your Elastic Stack administrator.". We also have TLS setup. What are we missing? Thanks in advance!
Hi @yarooski - thank you for using Elastic Security!
You will need to ensure that you are logging in as a user who has all of the required permissions for the signals index. After logged in as a user with the required permissions, you need to visit the detections page to enable the engine.
Take a look at this documentation: https://www.elastic.co/guide/en/security/current/detections-permissions-section.html
Especially, take a look at the "Enable Detections" section as it has details on the permissions you must have when you visit the detections page.
Additionally, take a look at this discussion thread which troubleshoots some similar issues. SIEM detection engine is not getting started
Let me know if that helps, thanks!
- Kevin
Have you carried out this bit from the link Kevin_Logan sent?
It was the bit i missed when setting up the first time
- In the
kibana.yml
configuration file, add thexpack.encryptedSavedObjects.encryptionKey
setting with any alphanumeric value of at least 32 characters. For example:xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliverpoolfcr'
After changing the xpack.encryptedSavedObjects.encryptionKey
value and restarting Kibana, you must restart all detection rules.
Thanks for your guys' suggestions, after meddling with it for a few weeks we keep running into the same issue where we get a "permissions denied" to start the Kibana service after enabling TLS. I'm going to make a new post because the issue is a little different than the one initially posted. Thanks again.
Hi @yarooski,
I think you posted your other problem here:
And I think you also posted on reddit too, no? We try to track a lot of these problems and help people across multiple social platforms.
https://www.reddit.com/r/elasticsearch/comments/kyowf2/cant_start_elasticsearch_service_after_enabling/
Getting TLS setup is the first step for sure and there are hiccups with how operating systems work with security that are inherently tricky. Once you sleuth out and get TLS setup again, if you run into problems with the instructions on how to get detection engine setup there is a more in-depth trouble shooting guide here that might help you out with any gotcha's fwiw:
Thanks for the reply Frank, yes that's all me haha. I made a new post here because the initial issue on this post was not even being able to get to the detections page-- we ARE able to get to the detections page after setting up the role and enabling security but after setting up TLS we run into that permissions issue.
We'll go ahead and run through setting up TLS again and see if we run into the same issue. Quick side question here: We are currently on the open-source (free) license and the goal of this project was to use ELK as a SIEM and send alerts to a Slack connector. Is this possible with the free license? When I go to edit detection rule settings and try to add an Action, it says all the actions require a gold license. Is this also going to be the case once we get TLS working and go to Stack Management > Alerts and create alerts there..?
Thanks again for your help.