I am wondering if anyone has run into a similar scenario.
We have implemented watchers and rules in our environment. One of the people who created some of these rules has left the project. We use AD to authenticate and authorize users in our environment. The person who left the project's password expired in AD and we quickly started seeing a large number of authentication logs being created. All these auth failures were created by the rules that were created or updated by this person's account.
Issue: As people cycle through our environment that set up rules and SIEM detections we will constantly run into this issue. This quickly turns into a management issue. We don't want to have to go through and reassign every rule to a new account whenever anyone leaves the project. We don't want to set up a service account, because anyone who wants to set up or change a rule will have to log into that account in order to perform these tasks, which is also not the point of a service account.
I am interested if anyone else has run into this issue and has been able to come up with an enduring solution to this issue.
Basically, how do you create rules that are not dependent on the creds of the user account that created them to exist indefinitely?
The authentication we use for Kibana Rules - API keys - shouldn't be causing this to happen, as the API keys only contain privileges of the user that created them - no further auth is required beyond those privs.
What type of rules did this happen with? Could you provide some samples of the error messages you saw?
Thanks for getting back to me. We took a much deeper look as it didn't make sense.
Turned out the person who left the team had used his creds on a beats instance on a remote infrequently used logstash server. It was his account trying to auth to provide monitoring data to the stack.
Now I am trying to wrap my head around the authentication process for the SIEM rules, though. He created some of the rules within the stack (which are still working fine), but that has me a little confused. Once a rule is created with an account that has appropriate privileges to actually create a rule, does it no longer authenticate to anything, or is there an individual API key that gets created for that rule?
Basically, if someone creates detection rules within our environment, leaves the project and their account ages out or we deactivate it will we run into issues?
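The triage described in this reply (working out that the flood of failures came from a stale credential on a Beats host rather than from the rules) is the kind of thing that is easier with a small script than by eye. The following is an added example, not code from the thread or from Elastic: it groups authentication failures from Elasticsearch JSON audit events by principal and source host and records which endpoints were being hit. The audit lines are constructed here; the field names (`event.action`, `user.name`, `origin.address`, `url.path`, `realm`) follow the layout of the Elasticsearch audit log, but every value is invented. A source that repeatedly fails against `/_bulk` or `/_monitoring/bulk` is a shipper, not an interactive user, which is the clue that pointed at the Beats instance.

```python
"""Triage a burst of authentication failures in Elasticsearch audit logs.

Added example for the thread above; not from the original post or from
Elastic. Sample events are constructed and only imitate the audit log layout.
"""
import json


def _event(user, addr, path, action="authentication_failed", realm="active_directory"):
    """Build one constructed audit line shaped like an Elasticsearch audit event."""
    return json.dumps({
        "type": "audit",
        "event.type": "security",
        "event.action": action,
        "user.name": user,
        "realm": realm,
        "origin.type": "rest",
        "origin.address": addr,
        "url.path": path,
    })


# Constructed sample: one departed user's credential retrying from a single
# host (a Beats shipper), one ordinary interactive login failure, plus noise.
SAMPLE_AUDIT_LINES = [
    _event("jdoe", "10.20.30.40:48812", "/_bulk"),
    _event("jdoe", "10.20.30.40:48820", "/_bulk"),
    _event("jdoe", "10.20.30.40:48831", "/_monitoring/bulk"),
    _event("jdoe", "10.20.30.40:48844", "/_bulk"),
    _event("jdoe", "10.20.30.40:48859", "/_bulk"),
    _event("asmith", "192.0.2.10:51000", "/_security/_authenticate"),
    _event("asmith", "192.0.2.10:51002", "/app/home", action="access_granted"),
    "this line is not JSON and must be skipped",
]


def summarize_auth_failures(lines, action="authentication_failed"):
    """Group failures by (user, source host) with counts, paths and realms."""
    summary = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in the file
        if ev.get("event.action") != action:
            continue
        user = ev.get("user.name", "<unknown>")
        addr = ev.get("origin.address", "<unknown>")
        host = addr.rsplit(":", 1)[0]  # drop the ephemeral client port
        entry = summary.setdefault((user, host), {"count": 0, "paths": set(), "realms": set()})
        entry["count"] += 1
        entry["paths"].add(ev.get("url.path", "<none>"))
        entry["realms"].add(ev.get("realm", "<none>"))
    return summary


def rank_noisy_principals(lines, threshold=3):
    """Return (user, host, count, sorted paths) for pairs at or above threshold, noisiest first."""
    summary = summarize_auth_failures(lines)
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["count"], reverse=True)
    return [
        (user, host, v["count"], sorted(v["paths"]))
        for (user, host), v in ranked
        if v["count"] >= threshold
    ]


if __name__ == "__main__":
    for user, host, count, paths in rank_noisy_principals(SAMPLE_AUDIT_LINES):
        print(f"{user}@{host}: {count} failures against {', '.join(paths)}")
```

Run against a real `*_audit.json` file, the same functions take `open(path)` as `lines`; the `paths` column is what separates a forgotten shipper credential from a person mistyping a password.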
The API key will have a point-in-time snapshot of the permissions of the authenticated user.
The API key contains the permissions of the user when created, and does not contain any user or role info (that would be used for auth). So when a user leaves the project, the API key should still work as it did before.
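The flip side of the answer above is worth checking for: because a rule's API key keeps the departed user's privilege snapshot and keeps working after the account is disabled, those keys are orphaned privileges that nobody is reviewing. The following is an added example, not code from the thread or from Elastic, that picks out live API keys still owned by departed users from the body of an Elasticsearch Get API key response (`GET /_security/api_key`). The response is constructed here; the field names (`id`, `name`, `username`, `realm`, `creation`, `expiration`, `invalidated`) match the real response, while the key names, owners and timestamps are invented.

```python
"""List live API keys still owned by users who have left.

Added example for the thread above; not from the original post or from
Elastic. SAMPLE_RESPONSE is a constructed stand-in for GET /_security/api_key.
Timestamps are epoch milliseconds, as in the real response.
"""
import time

SAMPLE_RESPONSE = {
    "api_keys": [
        {"id": "key-001", "name": "rule: suspicious logins", "username": "jdoe",
         "realm": "active_directory", "creation": 1_650_000_000_000,
         "expiration": None, "invalidated": False},
        {"id": "key-002", "name": "rule: rdp brute force", "username": "jdoe",
         "realm": "active_directory", "creation": 1_650_000_000_000,
         "expiration": 1_660_000_000_000, "invalidated": False},   # already expired
        {"id": "key-003", "name": "rule: old watcher", "username": "jdoe",
         "realm": "active_directory", "creation": 1_640_000_000_000,
         "expiration": None, "invalidated": True},                 # already revoked
        {"id": "key-004", "name": "rule: dns tunnelling", "username": "asmith",
         "realm": "active_directory", "creation": 1_690_000_000_000,
         "expiration": None, "invalidated": False},                # current staff
        {"id": "key-005", "name": "rule: new admin created", "username": "jdoe",
         "realm": "active_directory", "creation": 1_690_000_000_000,
         "expiration": 1_800_000_000_000, "invalidated": False},   # still valid
    ]
}


def live_keys(api_keys, now_ms):
    """Yield keys that are neither invalidated nor past their expiration."""
    for key in api_keys:
        if key.get("invalidated"):
            continue
        expiration = key.get("expiration")
        if expiration is not None and expiration <= now_ms:
            continue
        yield key


def orphaned_keys(response, departed_users, now_ms=None):
    """Live keys whose owner is in departed_users (case-insensitive match)."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    departed = {u.lower() for u in departed_users}
    return [
        key for key in live_keys(response.get("api_keys", []), now_ms)
        if key.get("username", "").lower() in departed
    ]


def rotation_plan(response, departed_users, now_ms=None):
    """Map each departed owner to the ids of their live keys, for re-keying."""
    plan = {}
    for key in orphaned_keys(response, departed_users, now_ms):
        plan.setdefault(key["username"], []).append(key["id"])
    return plan


if __name__ == "__main__":
    for owner, ids in rotation_plan(SAMPLE_RESPONSE, {"jdoe"}).items():
        print(f"{owner}: {len(ids)} live key(s) to rotate -> {', '.join(ids)}")
```

The list this produces is the set of rules to re-key from a current account (Kibana's rule management offers an update-API-key action for exactly this) before the old keys are invalidated; running it as part of the leaver process means the rules keep working and the departed user's privilege snapshot does not outlive the account.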