Permission to read SIEM signal index

Attempting to adjust our read-only role for SIEM viewers, but users fails to get permission to the signal index, wondering how to allow read/search access to this?

When Users access the SIEM app thay get this error:

[security_exception] action [indices:data/read/search] is unauthorized for user [X]

Signal indicies are named .siem-signal-<SPACE NAME>-* have tried to allow read, monitor, view-index-metadata for these indicies to role, but no luck.

Why do I get the above permission error when user got a custom role assgn which does what's required accoridng to the doc. Puzzles me...

Or rather user fails to fetch the signal index name and where this be read of?

Screenshot 2020-06-10 at 11.48.56

The siem signals data indexes are conventioned as:

.siem-signal-<SPACE NAME>

without any extra dash's or globs needed at the end. Is that possibly why?

Possibly not as I'm having these indices for this space:

Needless to say but as admin with full access I've got Detection Signals just fine in this Space.

Well it turns out it was as the alias is without dash's or globs :wink:

Thank U for hinting me, adding both with read access to the role fixed access for users.

Awesome news! Yeah, it is using life cycle management for the index:

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.