Unable to get rule triggered

My current version of ES Security is 7.16.1. I was trying to set up a threshold rule, and everything went well. I could see the result in the preview and such. However, after creating the rule and activating it, nothing happened. No records in failure history, last run, etc.

When I look into the Kibana log, I'm seeing a message about siem.signals:

    {"type":"log","@timestamp":"2022-10-25T22:17:38+00:00","tags":["error","plugins","alerting"],"pid":8,"message":"Executing Alert default:siem.signals:c5075f40-e10a-11ec-a773-912bc7a4e855 has resulted in Error: Unauthorized to get a \"siem.signals\" rule for \"siem\""}

Here is the GET /.kibana-event-log*/_search result from Dev Tools:

    {
      "_index" : ".kibana-event-log-7.16.1-000008",
      "_type" : "_doc",
      "_id" : "Juhdj4IBULdjhsFsupyj",
      "_score" : 1.0,
      "_source" : {
        "@timestamp" : "2022-08-12T00:04:20.753Z",
        "event" : {
          "provider" : "alerting",
          "action" : "execute",
          "kind" : "alert",
          "category" : [
            "siem"
          ],
          "start" : "2022-08-12T00:04:20.753Z",
          "end" : "2022-08-12T00:04:20.769Z",
          "duration" : 16000000,
          "reason" : "read",
          "outcome" : "failure"
        },
        "kibana" : {
          "saved_objects" : [
            {
              "rel" : "primary",
              "type" : "alert",
              "id" : "d4059501-d6d0-11ec-8a91-b1b48ab074b2",
              "type_id" : "siem.signals"
            }
          ],
          "task" : {
            "scheduled" : "2022-08-12T00:04:17.681Z",
            "schedule_delay" : 3072000000
          },
          "alerting" : {
            "status" : "error"
          },
          "server_uuid" : "89244e13-1f7f-4577-af78-23e28c88efd4",
          "version" : "7.16.1"
        },
        "rule" : {
          "id" : "d4059501-d6d0-11ec-8a91-b1b48ab074b2",
          "license" : "basic",
          "category" : "siem.signals",
          "ruleset" : "siem"
        },
        "error" : {
          "message" : "Unauthorized to get a \"siem.signals\" rule for \"siem\""
        },
        "message" : "siem.signals:d4059501-d6d0-11ec-8a91-b1b48ab074b2: execution failed",
        "ecs" : {
          "version" : "1.8.0"
        }
      }
    }

Am I missing something? Thank you.

Update #1:
We found it is related to a permission issue, as we are able to get the rule executed when it is activated by the elastic user. Not quite sure which specific role helps at the moment.

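As an added example (not code from the original post or from Elastic), the helper below scans the hits of the same GET /.kibana-event-log*/_search query and surfaces failed rule executions: it keeps only alerting execute events with outcome failure, converts the nanosecond duration and schedule_delay fields to milliseconds, and flags "Unauthorized" messages as privilege failures rather than rule-logic errors. The sample hits are constructed from the record above plus one made-up successful run.

```python
# Added example (not from the thread or from Elastic): summarise failed rule executions in
# a GET /.kibana-event-log*/_search response. Assumes the hit shape shown in the post.

NS_PER_MS = 1_000_000  # event.duration and kibana.task.schedule_delay are nanoseconds

# Constructed sample: the failing record from the post plus one successful run.
SAMPLE_HITS = [
    {"_source": {
        "@timestamp": "2022-08-12T00:04:20.753Z",
        "event": {"provider": "alerting", "action": "execute", "reason": "read",
                  "outcome": "failure", "duration": 16000000},
        "kibana": {"task": {"schedule_delay": 3072000000}},
        "rule": {"id": "d4059501-d6d0-11ec-8a91-b1b48ab074b2", "category": "siem.signals"},
        "error": {"message": 'Unauthorized to get a "siem.signals" rule for "siem"'},
    }},
    {"_source": {
        "@timestamp": "2022-08-12T00:05:20.100Z",
        "event": {"provider": "alerting", "action": "execute", "outcome": "success", "duration": 250000000},
        "kibana": {"task": {"schedule_delay": 1000000}},
        "rule": {"id": "ffffffff-0000-0000-0000-000000000000", "category": "siem.signals"},
    }},
]

def failed_executions(hits):
    """One summary dict per failed rule execution, with durations converted to ms."""
    out = []
    for hit in hits:
        src = hit.get("_source", {})
        ev = src.get("event", {})
        if (ev.get("provider"), ev.get("action")) != ("alerting", "execute"):
            continue  # skip action executions, status updates, etc.
        if ev.get("outcome") != "failure":
            continue
        msg = src.get("error", {}).get("message", "")
        task = src.get("kibana", {}).get("task", {})
        out.append({
            "timestamp": src.get("@timestamp"),
            "rule_id": src.get("rule", {}).get("id"),
            "rule_type": src.get("rule", {}).get("category"),
            "reason": ev.get("reason"),
            "message": msg,
            "authz_failure": "Unauthorized" in msg,  # privilege problem, not a rule-logic bug
            "duration_ms": ev.get("duration", 0) / NS_PER_MS,
            "schedule_delay_ms": task.get("schedule_delay", 0) / NS_PER_MS,
        })
    return out

def authz_failure_rule_ids(hits):
    """Distinct rule ids that failed with an authorization error, sorted."""
    return sorted({f["rule_id"] for f in failed_executions(hits) if f["authz_failure"]})
```

Feed it `response["hits"]["hits"]` from the real query; a non-empty result from authz_failure_rule_ids points at the created_by/updated_by user's privileges rather than at the rule itself.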

@GUruisaDog This is a known issue that many of our users encounter.

When a rule executes, it does all its work on behalf of the user who created it or last updated it. This user must have certain privileges. There are no prebuilt roles for them, so you will need to create roles manually according to the docs:

Of course, if you're running a non-production system you might be ok with using the elastic user which is a superuser.

One subtle bug to be aware of: if you created a rule on behalf of a user who has all the required privileges, but then the rule was modified by a user who has more or fewer privileges, it can cause unintended effects, such as the rule starting to generate more or fewer alerts.

Here are links with more information about this issue:


Hi @georgii,

Thanks for providing the solution. The funny thing is that superuser doesn't work; only elastic could activate rules without issue. Is there anything to be aware of in this case?

@GUruisaDog Can you please expand on that?

Both the pre-built elastic user and any custom user with the superuser role should be able to set up the Detections feature.

@georgii, we assigned a custom user the superuser role. But we are still seeing the error message (Reason: read; Message: Unauthorized to get a "siem.signals" rule for "siem") while we use that user to activate a rule. So far, only the elastic user is able to activate rules without issue.

We've also attempted to create a new role as the guide instructed, but it still fails.

@GUruisaDog Oh, this is really interesting. I tried to reproduce it on 7.16.1 but it worked without issues, as expected.

Before opening the Security app for the first time, I created a custom user and assigned the pre-built superuser role to it, and then logged in under this user:

Then I opened the Rules page, and it successfully initialized the Detection Engine. I was able to load prebuilt rules and activate some of them, all without any issues.

I guess we would need more information in order to investigate your issue! I'd suggest proceeding with filing a bug in the Kibana repo. Please open a new issue there and post a link in this thread. In the issue, please try to provide the following information:

  • An output of the get privileges endpoint for the two users that you're using to activate the rules and getting errors:
    • your custom user with the superuser role
    • the custom user that you created according to the docs
  • If possible, any of the rules that you try to activate where the activation fails with the error you mentioned. You will need to get it via the API. If your rule contains any sensitive data, please replace it with ****.
  • An output of the get privileges endpoint for the two users associated with this rule:
    • the created_by user
    • the updated_by user
  • Screenshots and/or screen recordings showing the errors you're getting.

Hope that's not too much for you, because for us it could be a good starting point for trying to reproduce this edge case.

@georgii thanks for trying to reproduce the issue, it inspired us to find the root cause.

Our ELK is set up with SSO. Once the user is authenticated, our proxy redirects it back to Kibana with extra headers. During the redirection, we insert a header with a Basic authorization token for a proxy user with minimal privileges, and a second header es-security-runas-user: <SSO username>. Based on Submitting requests on behalf of other users | Elasticsearch Guide [7.16] | Elastic, we were expecting the authenticated user to inherit the roles of the user specified in the es-security-runas-user header. This setting works for most scenarios; we are able to restrict users' access to spaces or indices.

The exception is inheriting the superuser role to manage rules in Elastic Security. As we mentioned previously, no rules can be activated even when we assign the superuser role to a specific user. During troubleshooting, we assigned superuser to our proxy user and removed the superuser role from the SSO user. We found there was no issue activating the rule. In summary, the proxy user cannot inherit the superuser role from the user specified in es-security-runas-user.

Is it a bug in the es-security-runas-user header, or is there a limitation on inheriting privileged roles through it? Thank you.