Unable to create new rule

Elastic Stack Kibana
1

Hello,

I'm trying to create a rule using 'Search threshold rule' bases alerting option in Discover.

image
image338×101 5.82 KB

Could anybody point out what additional user role is required to create new rule and alert. Currently my account has following roles allowed - watcher, watcher_admin, read_only, Dashboards_write_permissions, Alerts and Insights permissions

2

Hi @Devanshu-soni Welcome to the community

What version are you on?

Please go to Kibana -> Dev Tools and run

GET _security/user/_privileges

And show the entire result.

Most likely you have been limited on which indices you can access...

3

Hello @stephenb, thanks for responding. Currently I'm working on version 8.17.3
Also below is the output you requested.

{
  "cluster": [
    "all",
    "manage_enrich",
    "manage_watcher",
    "monitor",
    "monitor_enrich"
  ],
  "global": [],
  "indices": [
    {
      "names": [
        "*"
      ],
      "privileges": [
        "all",
        "create_index",
        "cross_cluster_replication",
        "manage",
        "monitor",
        "read",
        "view_index_metadata",
        "write"
      ],
      "allow_restricted_indices": false
    },
    {
      "names": [
        ".triggered_watches",
        ".watcher-history-*",
        ".watches"
      ],
      "privileges": [
        "read"
      ],
      "allow_restricted_indices": true
    }
  ],
  "applications": [
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_rulesSettings.all",
        "feature_visualize.read",
        "feature_maps.read",
        "feature_discover.generate_report",
        "feature_ml.read",
        "feature_graph.read",
        "feature_dashboard.download_csv_report",
        "feature_discover.minimal_all",
        "feature_discover.store_search_session",
        "feature_canvas.read",
        "feature_dashboard.minimal_read"
      ],
      "resources": [
        "space:default"
      ]
    },
    {
      "application": "kibana-.kibana",
      "privileges": [
        "feature_savedObjectsTagging.read",
        "feature_fleet.read",
        "feature_ml.all",
        "feature_advancedSettings.read",
        "feature_generalCases.read",
        "feature_fleetv2.read",
        "feature_actions.read",
        "feature_aiAssistantManagementSelection.read",
        "feature_maintenanceWindow.read",
        "feature_graph.all",
        "feature_filesManagement.read",
        "feature_stackAlerts.read",
        "feature_rulesSettings.read",
        "feature_dashboard.all",
        "feature_canvas.all",
        "feature_dev_tools.all",
        "feature_discover.all",
        "feature_osquery.read",
        "feature_maps.all",
        "feature_visualize.all",
        "feature_savedObjectsManagement.read",
        "feature_filesSharedImage.read",
        "feature_indexPatterns.all"
      ],
      "resources": [
        "*"
      ]
    }
  ],
  "run_as": []
}
4

I suspect these need to be all

Also I expect you may need all on these indices in the restricted indices section

".internal.alerts-*"