Is there any role to provide read only access to SIEM? Its working for superusers however i cannot find a specific role just for that.
To make sure I understand, you want to give some Kibana users only Read only access to the SIEM data?
The data itself lives in Beats indexes (filebeat-*, auditbeat-*, packetbeat-*, winlogbeat-* and you can add more index patterns from the Kibana advanced settings). We don't have a role that gives only read-only access to these indices, but you should be able to create one.
Thank you, i got the idea 
.. works now
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.