New space: I wanna see "Detection Alerts" in Security and I can't disable "Stack Monitoring"

Dear people, I have an ELK 7.9.0 platform running OK.

I've created a new Space enabling "Security" and disabling "Stack Monitoring" feature:

image

I've created a new role and I have not enabled the Stack Monitoring again:

image

I have created a new user with the above role, and after accessing Kibana, he enters the new space.

But I have two problems:

  1. The user can see and enter the Stack Management feature from Kibana (I have disabled it);

  2. When the user accesses Security/Overview, he can't see any detection alert at all:

Please can you help me???

Special thanks!!!

Can you confirm that you're able to access Stack Monitoring, and it's not Stack Management? If it's Stack Management you're seeing then you will have to wait for https://github.com/elastic/kibana/pull/67791.

For the detection alerts, you will want to make sure the role has access to the .siem-signals* indices per https://www.elastic.co/guide/en/security/current/detection-engine-overview.html#det-engine-terminology

Dear Tyler, sorry for my confusion, I wanted to say Stack Management and not Stack Monitoring... When I create a new space/role/user, after logging in to Kibana that user can always see "Stack Management" in his space. These are my customized features from the space, you can see there is no option to disable "Stack Management":

image.png

In relation with users can't see any detection alert from Security panel, I've defined all indices (*) and all privileges on these indices (all):

image.png

Can you help me again please?

Thanks a lot!!!

Hi Robert,

You are correct that there is no option to hide stack management. It's just there.
The way your role is set up with All cluster privileges and the ability to run as any user you effectively created a superuser. If you remove those privileges from the role they can still SEE the stack management option however now they are unable to actually change anything.

Furthermore I was able to replicate your issue. I have two spaces set up with detection rules, in one space I can see open signals and rules in the other one I cannot. My user definitely has the privileges to see all signal indices. However I do think this is intended?

If I am not completely mistaken spaces do not share their content with each other. So you are unable to access detection rules you set up in Space A from Space B, you'll have to define new ones or export/import the ones you want to share.

Cheers
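The two role problems discussed above (a role that is effectively a superuser, and a role that cannot read the signals index of its space) can be checked mechanically. This is an added example, not part of the original thread or of Elastic's code; it assumes role bodies in the Elasticsearch role API shape and a signals index named `.siem-signals-<space id>`, and the space id `soc` and both sample roles are constructed.

```python
from fnmatch import fnmatchcase

# Constructed role bodies (cluster / indices / run_as), not taken from the thread's screenshots.
BROAD_ROLE = {  # mirrors the role described above: everything granted
    "cluster": ["all"],
    "indices": [{"names": ["*"], "privileges": ["all"]}],
    "run_as": ["*"],
}
SCOPED_ROLE = {  # hypothetical narrower role for a space with id "soc"
    "cluster": [],
    "indices": [
        {"names": [".siem-signals-soc"], "privileges": ["read", "write"]},
        {"names": ["filebeat-*"], "privileges": ["read"]},
    ],
    "run_as": [],
}

READ_GRANTS = {"all", "read"}  # index privileges that include read access


def audit_role(role, signals_index):
    """Return findings for one role: superuser-like grants and missing signals access."""
    findings = []
    if "all" in role.get("cluster", []):
        findings.append("cluster privilege 'all' granted")
    if "*" in role.get("run_as", []):
        findings.append("run_as '*' allows impersonating any user")
    readable = False
    for entry in role.get("indices", []):
        privs = set(entry.get("privileges", []))
        for pattern in entry.get("names", []):
            if pattern == "*" and "all" in privs:
                findings.append("'all' on every index ('*')")
            # fnmatch approximates Elasticsearch's '*' wildcard matching here
            if fnmatchcase(signals_index, pattern) and privs & READ_GRANTS:
                readable = True
    if not readable:
        findings.append(f"no read access to {signals_index}")
    return findings


if __name__ == "__main__":
    for name, role in (("broad", BROAD_ROLE), ("scoped", SCOPED_ROLE)):
        for space in ("soc", "default"):
            print(name, space, audit_role(role, f".siem-signals-{space}"))
```
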

Dear Madduck, thanks a lot for your help.

I've followed your advice and I've installed new detection rules and now I can see detection alerts in the new space. That's OK and I think it's what you have made.

I have an ELK 7.9.0 platform

Regards!!!
