Restricting rights to detection rules

Hello,

we would like to give our analysts the option to create detection rules, but they should not be able to activate them. The engineer should only be able to activate them after an engineer has looked at them.

However, we have not found a way to restrict a user's rights to detection rules. If you do this via the index permissions, the user is also extremely restricted when it comes to case and alarm processing.

Have we overlooked something here or is it really not possible? If it doesn't work, we would really like this feature. :)

Best regards
Marco

Hey @marcou

At the moment it's not possible to restrict rights to a rule in such a way that it can be created by one user and enabled by another.

The configured Security feature ("Detections prerequisites and requirements | Elastic Security Solution [8.15] | Elastic") gives permission to edit or read rules through the API/UI and does not have the capability to limit the enable-rule functionality.

Please create a feature request in Kibana issues ("Issues · elastic/kibana · GitHub") and I will tag the appropriate teams to look into it.
