Elastic SIEM detection rule query permissions


Just a simple question:
I was wondering how the detection engine in Kibana executes queries.
I couldn't find any documentation about who (which user) runs the queries with which permissions.

So is there an internal user with read permissions to all indices which it uses, or does it use whoever happens to create the detection rule to execute the queries after that (run as <creation_user>)?


Hi there @admlko! :wave:

So I don't think this is called out explicitly in the Security Docs (I'll relay this to the docs team so we can get it added :), but it does look like this is covered in the Alerting documentation here, on which the Detection Rules are built, so they will follow the same authorization/privilege model.

Rules, including all background detection and the actions they generate are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges at that moment in time. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.

If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.

Hope this helps -- cheers! :slight_smile:
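Since the rule's API key snapshots the privileges of whoever last saved it, the practical check before editing a rule is: does the account I am about to save it with hold `read` on every index pattern the rule queries? The script below is an added example, not code from this thread or from Elastic; it builds a request for the real Elasticsearch `POST /_security/user/_has_privileges` API, parses its response, and reports which (pattern, privilege) pairs are missing. The index patterns, the credentials, and `SAMPLE_RESPONSE` are constructed for the example; `check_user_privileges` performs the live call and assumes basic auth, everything else runs offline.

```python
import base64
import json
import urllib.request
from typing import Dict, Iterable, List, Tuple

# Index patterns a detection rule queries (the rule's "index" field in the
# detection-engine API). These three values are constructed for the example.
EXAMPLE_RULE_INDEX_PATTERNS = ["logs-endpoint.events.*", "filebeat-*", "winlogbeat-*"]


def has_privileges_body(index_patterns: Iterable[str],
                        privileges: Iterable[str] = ("read",)) -> Dict:
    """Request body for POST /_security/user/_has_privileges."""
    return {"index": [{"names": list(index_patterns),
                       "privileges": list(privileges)}]}


def missing_index_privileges(response: Dict) -> List[Tuple[str, str]]:
    """(pattern, privilege) pairs the calling user does NOT hold, read from
    the "index" section of a _has_privileges response."""
    missing = []
    for pattern, privs in response.get("index", {}).items():
        for priv, granted in privs.items():
            if not granted:
                missing.append((pattern, priv))
    return sorted(missing)


def safe_to_edit(response: Dict) -> bool:
    """True if saving the rule as this user leaves its API key able to run
    the rule's queries (every requested index privilege is granted)."""
    return bool(response.get("has_all_requested")) and not missing_index_privileges(response)


def check_user_privileges(es_url: str, username: str, password: str,
                          index_patterns: Iterable[str],
                          privileges: Iterable[str] = ("read",)) -> Dict:
    """Live call: ask Elasticsearch whether the authenticating user holds the
    privileges. Run this as the account that will save the rule, because that
    is the account whose privileges the generated API key will snapshot.
    Basic auth is an assumption of this example."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/_security/user/_has_privileges",
        data=json.dumps(has_privileges_body(index_patterns, privileges)).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# Constructed response in the shape _has_privileges returns: this user can
# read the first two patterns but not winlogbeat-*, so saving the rule as
# this user would leave it unable to query winlogbeat-*.
SAMPLE_RESPONSE = {
    "username": "analyst",
    "has_all_requested": False,
    "cluster": {},
    "index": {
        "logs-endpoint.events.*": {"read": True},
        "filebeat-*": {"read": True},
        "winlogbeat-*": {"read": False},
    },
    "application": {},
}

if __name__ == "__main__":
    print(json.dumps(has_privileges_body(EXAMPLE_RULE_INDEX_PATTERNS), indent=2))
    if safe_to_edit(SAMPLE_RESPONSE):
        print("OK to save: the rule's new API key will keep read access")
    else:
        print("Do not save as this user; missing:", missing_index_privileges(SAMPLE_RESPONSE))
```

To use it against a real deployment, replace `SAMPLE_RESPONSE` with the return value of `check_user_privileges(...)` called with the editing user's credentials and the rule's `index` patterns; a non-empty result from `missing_index_privileges` means that saving the rule as that user will break it, exactly the failure mode described above.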


Nice, thank you!

Then it works exactly as I expected and hoped :slight_smile:

