Kibana 9.1 Security Rule exception edit not possible

Hey there, since Kibana 9.1.0 (I think; we upgraded from 8.17.X to 9.1.3), we are unable to edit exceptions made under SIEM rules. I can't even edit my own exception. It is only possible if I have the superuser role, which is not desired. My coworker and I tried to tinker with permissions separately but were not able to figure it out, even if we gave ourselves custom “all” permissions for all spaces. (EDIT: and for all indexes/lists)

Is there any way to configure this, in an unlicensed ELK, that we are just missing? Thanks.

Hi @stanley783

In Kibana 9.1.3, editing SIEM rule exceptions is restricted to users with superuser privileges or those who have both:

  1. All space privileges for the Security app.

  2. Write access to the .siem-signals-default index (or your signals index).

Even if you assigned “all” permissions for all spaces, proper index privileges are still required. Check the roles to ensure they include write access to the signals index and rule management. Some users have resolved this by upgrading to a newer Kibana version.

If you use Elastic Cloud, Elastic Cloud Enterprise, or support from companies like Qbox, Webkul or Found, you can contact them for assistance.

1 Like

Hi, thanks for the answer. By “all” I meant all reasonable privileges (create, write, manage…) on all possible indexes (various signal and alert indexes) but still had no luck. Maybe I will try upgrading and update later on.

Hello @stanley783

As we can see below, these are the privileges needed to edit the rules, which should be assigned to a role:

You need the following privileges to fully access this functionality. Contact your administrator for further assistance.

Missing Elasticsearch index privileges:

  1. Missing write, view_index_metadata, manage privileges for the .items-default data stream. Without these privileges, you cannot create or edit value lists.
  2. Missing write, view_index_metadata, manage privileges for the .lists-default data stream. Without these privileges, you cannot create or edit value lists.
  3. Missing write, view_index_metadata, manage privileges for the .alerts-security.alerts-default index.

Missing Kibana feature privileges:

  1. Missing all privileges for the siemV2 feature. Without that privilege you cannot create or edit detection engine rules.

Thanks!!
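As an added example (not code from this thread or from Elastic), the following Python script turns the privilege list quoted above into a check that can be run against a role definition before it is assigned. It assumes the shape of the Kibana role API body (an `elasticsearch.indices` list of `names`/`privileges` entries and a `kibana` list of `base`/`feature`/`spaces` entries); the index names and the `siemV2` feature id are taken from the message quoted in the post, and the two role documents it contains are constructed samples.

```python
"""Check a Kibana role body against the privileges Kibana's message lists.

The required index privileges and the siemV2 feature are those quoted in
the thread; the role bodies below are constructed samples, and the role
document shape (elasticsearch.indices / kibana.feature) is assumed to
follow the Kibana role API.
"""
from fnmatch import fnmatch
from typing import Dict, List, Set

# Index privileges named in Kibana's "Missing Elasticsearch index privileges" message.
REQUIRED_INDEX_PRIVILEGES: Dict[str, List[str]] = {
    ".items-default": ["write", "view_index_metadata", "manage"],
    ".lists-default": ["write", "view_index_metadata", "manage"],
    ".alerts-security.alerts-default": ["write", "view_index_metadata", "manage"],
}
# Kibana feature named in the "Missing Kibana feature privileges" message.
REQUIRED_FEATURE = "siemV2"


def _index_privileges(role: dict, index_name: str) -> Set[str]:
    """Union of privileges every indices entry grants on index_name.

    Entry names may be wildcard patterns (e.g. ".lists-*"), so match with fnmatch.
    """
    granted: Set[str] = set()
    for entry in role.get("elasticsearch", {}).get("indices", []):
        if any(fnmatch(index_name, pattern) for pattern in entry.get("names", [])):
            granted.update(entry.get("privileges", []))
    return granted


def _feature_is_all(role: dict, feature: str, space: str) -> bool:
    """True if some kibana entry covering `space` grants base 'all' or feature 'all'."""
    for entry in role.get("kibana", []):
        spaces = entry.get("spaces", [])
        if "*" not in spaces and space not in spaces:
            continue
        if "all" in entry.get("base", []):
            return True
        if "all" in entry.get("feature", {}).get(feature, []):
            return True
    return False


def missing_privileges(role: dict, space: str = "default") -> List[str]:
    """Return one human-readable line per unmet requirement (empty list = role passes)."""
    problems: List[str] = []
    for index_name, needed in REQUIRED_INDEX_PRIVILEGES.items():
        granted = _index_privileges(role, index_name)
        if "all" in granted:  # the ES 'all' index privilege implies every other one
            continue
        lacking = [p for p in needed if p not in granted]
        if lacking:
            problems.append(f"{index_name}: missing {', '.join(lacking)}")
    if not _feature_is_all(role, REQUIRED_FEATURE, space):
        problems.append(f"kibana feature {REQUIRED_FEATURE}: missing 'all' in space '{space}'")
    return problems


def build_role() -> dict:
    """Constructed role body that satisfies the quoted list (least privilege, no base 'all')."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [
                {"names": [".items-default", ".lists-default"],
                 "privileges": ["read", "write", "view_index_metadata", "manage"]},
                {"names": [".alerts-security.alerts-default"],
                 "privileges": ["read", "write", "view_index_metadata", "manage"]},
            ],
        },
        "kibana": [{"base": [], "feature": {REQUIRED_FEATURE: ["all"]}, "spaces": ["*"]}],
    }


# Constructed sample: looks generous on alerts but is read-only on the value-list
# data streams and only 'read' on siemV2, so exception editing still fails.
READ_ONLY_LISTS_ROLE = {
    "elasticsearch": {
        "cluster": [],
        "indices": [
            {"names": [".alerts-security.alerts-*"], "privileges": ["all"]},
            {"names": [".lists-*", ".items-*"], "privileges": ["read"]},
        ],
    },
    "kibana": [{"base": [], "feature": {REQUIRED_FEATURE: ["read"]}, "spaces": ["default"]}],
}

if __name__ == "__main__":
    for name, role in (("build_role()", build_role()), ("READ_ONLY_LISTS_ROLE", READ_ONLY_LISTS_ROLE)):
        print(name, "->", missing_privileges(role) or "ok")
```

Run as a script it prints `ok` for the constructed full role and three lines for the read-only one (both value-list data streams and the `siemV2` feature). The check only mirrors the list Kibana printed; a user who holds several roles gets the union of them, so feed it the merged privileges, not one role at a time.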

Hi, thanks for the advice; unfortunately this did not change the situation either.

1 Like