Fleet service account permissions for filebeat threat intel

I am trying to use the elastic agent via fleet and filebeat to gather threat intel. I realize this is currently not working out of the box. That being said, I think I can massage it and get it working but I have some questions about that.

First, it appears that when you install the elastic agent, it automatically runs filebeat. For whatever reason, it appears to run it twice. Same with Metricbeat. It also seems that since filebeat is not an integration, it's not something I can prevent through fleet policies. I would prefer not to have a third instance of filebeat running just for threat intel. The elastic agent takes up enough resources as it is.

I enabled the threat intel module by stopping the elastic agent, navigating to the install directory and running filebeat manually with the "enable module threatintel" command. Restarting the agent and looking at logs, it appears that it did enable the module and it is trying to send data.

My current issue is the permissions. It appears the elastic/fleet-server service doesn't have all the permissions that it needs. The log output is below.

```
cluster:admin/ingest/pipeline/put is unauthorized for API key id xxxxx of user elastic/fleet-server
This is granted by the cluster privileges [manage_ingest_pipeline, manage_pipeline,manage,all]
```

My question is, can I use the API to update the privileges of the elastic/fleet-server user without breaking everything? I think adding the correct permissions will allow this to work.
Could I update the service permissions to the following?

```json
{
  "elastic/fleet-server" : {
    "role_descriptor" : {
      "cluster" : [
        "monitor",
        "manage_own_api_key",
        "manage_ingest_pipelines",
        "manage_pipeline",
        "manage",
        "all"
      ],
      "indices" : [
        {
          "names" : [
            "logs-*",
            "metrics-*",
            "traces-*",
            "synthetics-*",
            ".logs-endpoint.diagnostic.collection-*"
          ],
          "privileges" : [
            "write",
            "create_index",
            "auto_configure"
          ],
          "allow_restricted_indices" : false
        },
        {
          "names" : [
            ".fleet-*"
          ],
          "privileges" : [
            "read",
            "write",
            "monitor",
            "create_index",
            "auto_configure"
          ],
          "allow_restricted_indices" : false
        }
      ],
      "applications" : [ ],
      "run_as" : [ ],
      "metadata" : { },
      "transient_metadata" : {
        "enabled" : true
      }
    }
  }
}
```
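The unauthorized message in the post is self-describing: it names the denied action and the cluster privileges that would allow it, and the proposed descriptor adds all four of them, including `manage` and `all`. The following script is an added example, not part of the original post or of Elastic's own tooling. It parses a message of that shape, checks a proposed cluster privilege list against it, flags the overbroad grants, and builds the narrowest extension instead. The sample log is constructed, modelled on the post but spelling the privilege `manage_ingest_pipelines` (the name Elasticsearch uses and the one the post's descriptor already contains); the "current" privilege list is an assumption, since the post does not show the service account's default descriptor. The `_has_privileges` request body is for the real `POST /_security/user/_has_privileges` API, which lets you confirm the effective grant from the denied key's point of view.

```python
import re

# Elasticsearch's "unauthorized" message names the action that was denied and the
# cluster privileges that would have allowed it. Both regexes are keyed to that wording.
UNAUTHORIZED_RE = re.compile(
    r"(?P<action>\S+) is unauthorized for API key id (?P<key_id>\S+) of user (?P<user>\S+)"
)
GRANTED_BY_RE = re.compile(r"granted by the cluster privileges \[(?P<privs>[^\]]*)\]")

# Cluster privileges that subsume the narrower ones; a descriptor that carries them
# grants far more than a single pipeline action needs.
BROAD_CLUSTER_PRIVILEGES = {"all", "manage"}

# Constructed sample log, modelled on the message in the post. The privilege is spelled
# manage_ingest_pipelines here, which is the name Elasticsearch uses for it.
SAMPLE_LOG = (
    "cluster:admin/ingest/pipeline/put is unauthorized for API key id xxxxx "
    "of user elastic/fleet-server\n"
    "This is granted by the cluster privileges "
    "[manage_ingest_pipelines, manage_pipeline,manage,all]"
)

# Assumed starting point: the cluster privileges the post's descriptor keeps from the
# default (constructed; the actual default descriptor is not shown in the post).
ASSUMED_CURRENT_CLUSTER = ["monitor", "manage_own_api_key"]

# The cluster list from the descriptor proposed in the post.
PROPOSED_CLUSTER = [
    "monitor", "manage_own_api_key", "manage_ingest_pipelines",
    "manage_pipeline", "manage", "all",
]


def parse_unauthorized(log_text):
    """Return (action, user, grantors) from an 'is unauthorized ... granted by' message."""
    m_action = UNAUTHORIZED_RE.search(log_text)
    m_grant = GRANTED_BY_RE.search(log_text)
    if not m_action or not m_grant:
        raise ValueError("log text does not contain an Elasticsearch unauthorized message")
    grantors = [p.strip() for p in m_grant.group("privs").split(",") if p.strip()]
    return m_action.group("action"), m_action.group("user"), grantors


def check_cluster_privileges(cluster_privs, log_text):
    """Does this cluster privilege list cover the denied action, and how broadly?"""
    action, user, grantors = parse_unauthorized(log_text)
    have = set(cluster_privs)
    matched = [p for p in grantors if p in have]  # keep the log's order
    narrow = [p for p in grantors if p not in BROAD_CLUSTER_PRIVILEGES]
    return {
        "action": action,
        "user": user,
        "grants_action": bool(matched),
        "matched_by": matched,
        "overbroad": sorted(have & BROAD_CLUSTER_PRIVILEGES),
        "least_privilege_choice": narrow[0] if narrow else None,
    }


def least_privilege_cluster(cluster_privs, log_text):
    """Extend a cluster privilege list with only the narrowest privilege the log names."""
    result = check_cluster_privileges(cluster_privs, log_text)
    needed = result["least_privilege_choice"]
    if needed is None or needed in cluster_privs:
        return list(cluster_privs)
    return list(cluster_privs) + [needed]


def has_privileges_body(log_text):
    """Request body for POST /_security/user/_has_privileges: ask, as the denied key,
    whether the narrow privileges are now effective, without touching the broad ones."""
    _, _, grantors = parse_unauthorized(log_text)
    narrow = [p for p in grantors if p not in BROAD_CLUSTER_PRIVILEGES]
    return {"cluster": narrow}


if __name__ == "__main__":
    import json
    print(json.dumps(check_cluster_privileges(PROPOSED_CLUSTER, SAMPLE_LOG), indent=2))
    print(least_privilege_cluster(ASSUMED_CURRENT_CLUSTER, SAMPLE_LOG))
    print(json.dumps(has_privileges_body(SAMPLE_LOG)))
```

Run against the proposed list, the check reports that the action is granted four times over and that `all` and `manage` are overbroad; run against the assumed current list, it adds only `manage_ingest_pipelines`. The `_has_privileges` body is what to send while authenticated as the Fleet key to confirm the grant took effect, which is a cheaper check than retrying the threat intel module and reading agent logs.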
