My current version of ES Security is 7.16.1. I was trying to set up a threshold rule, and everything went well. I could see the result from the preview and so on. However, after creating and activating the rule, nothing happened. No records in failure history, last run, etc.
When I look into the Kibana log, I'm seeing a message about siem.signals:
{"type":"log","@timestamp":"2022-10-25T22:17:38+00:00","tags":["error","plugins","alerting"],"pid":8,"message":"Executing Alert default:siem.signals:c5075f40-e10a-11ec-a773-912bc7a4e855 has resulted in Error: Unauthorized to get a \"siem.signals\" rule for \"siem\""}
Here is the GET /.kibana-event-log*/_search result from Dev Tools:
{
  "_index" : ".kibana-event-log-7.16.1-000008",
  "_type" : "_doc",
  "_id" : "Juhdj4IBULdjhsFsupyj",
  "_score" : 1.0,
  "_source" : {
    "@timestamp" : "2022-08-12T00:04:20.753Z",
    "event" : {
      "provider" : "alerting",
      "action" : "execute",
      "kind" : "alert",
      "category" : [
        "siem"
      ],
      "start" : "2022-08-12T00:04:20.753Z",
      "end" : "2022-08-12T00:04:20.769Z",
      "duration" : 16000000,
      "reason" : "read",
      "outcome" : "failure"
    },
    "kibana" : {
      "saved_objects" : [
        {
          "rel" : "primary",
          "type" : "alert",
          "id" : "d4059501-d6d0-11ec-8a91-b1b48ab074b2",
          "type_id" : "siem.signals"
        }
      ],
      "task" : {
        "scheduled" : "2022-08-12T00:04:17.681Z",
        "schedule_delay" : 3072000000
      },
      "alerting" : {
        "status" : "error"
      },
      "server_uuid" : "89244e13-1f7f-4577-af78-23e28c88efd4",
      "version" : "7.16.1"
    },
    "rule" : {
      "id" : "d4059501-d6d0-11ec-8a91-b1b48ab074b2",
      "license" : "basic",
      "category" : "siem.signals",
      "ruleset" : "siem"
    },
    "error" : {
      "message" : "Unauthorized to get a \"siem.signals\" rule for \"siem\""
    },
    "message" : "siem.signals:d4059501-d6d0-11ec-8a91-b1b48ab074b2: execution failed",
    "ecs" : {
      "version" : "1.8.0"
    }
  }
}
Am I missing something? Thank you.
Update #1:
We found it is related to a permission issue, as we are able to get the rule executed when it is activated by the elastic user. Not quite sure which specific role helps at the moment.
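A way to triage this across all detection rules, as an added example that is not part of the original post: the Kibana event log document above already carries the fields needed to find every rule execution that failed (event.provider, event.action, event.outcome, rule.category, rule.id, error.message). The script below builds the query body you would paste into Dev Tools for GET /.kibana-event-log*/_search, then summarises the returned hits per rule and flags "Unauthorized ..." errors as privilege failures. The sample hits are constructed in the script from the document shape shown in the post; the second rule id and the extra timestamps are made up for illustration.

```python
"""Triage silently failing SIEM detection rules from the Kibana event log.

Added example, not code from the original post or from Elastic. SAMPLE_HITS
is constructed test data modelled on the .kibana-event-log document above.
"""
import json

POST_RULE_ID = "d4059501-d6d0-11ec-8a91-b1b48ab074b2"       # from the post
OTHER_RULE_ID = "00000000-0000-4000-8000-000000000001"      # constructed


def failed_execution_query(rule_category="siem.signals", size=50):
    """Body for GET /.kibana-event-log*/_search listing failed rule runs.

    Every field filtered on here appears in the event-log document in the
    post; newest executions first so the latest error is on top.
    """
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"term": {"event.provider": "alerting"}},
            {"term": {"event.action": "execute"}},
            {"term": {"event.outcome": "failure"}},
            {"term": {"rule.category": rule_category}},
        ]}},
    }


def classify(message):
    """Bucket an execution error by what the operator has to fix."""
    if message.startswith("Unauthorized"):
        # The alerting framework refused the rule for its consumer ("siem"):
        # the executing user lacks the needed Kibana feature privilege.
        return "privilege"
    return "other"


def summarize_failures(hits):
    """Group failed executions by rule id: count, latest error and bucket."""
    per_rule = {}
    for hit in hits:
        src = hit["_source"]
        if src.get("event", {}).get("outcome") != "failure":
            continue  # skip successes if the caller did not filter them out
        rid = src["rule"]["id"]
        entry = per_rule.setdefault(
            rid, {"failures": 0, "last_seen": "", "error": "", "kind": ""})
        entry["failures"] += 1
        ts = src["@timestamp"]
        if ts >= entry["last_seen"]:  # ISO-8601 UTC strings sort lexically
            entry["last_seen"] = ts
            entry["error"] = src.get("error", {}).get("message", "")
            entry["kind"] = classify(entry["error"])
    return per_rule


def _hit(rule_id, ts, outcome, error=None):
    """Build a minimal event-log hit in the shape shown in the post."""
    src = {
        "@timestamp": ts,
        "event": {"provider": "alerting", "action": "execute",
                  "kind": "alert", "outcome": outcome},
        "rule": {"id": rule_id, "category": "siem.signals", "ruleset": "siem"},
    }
    if error:
        src["error"] = {"message": error}
    return {"_index": ".kibana-event-log-7.16.1-000008", "_source": src}


UNAUTH = 'Unauthorized to get a "siem.signals" rule for "siem"'
SAMPLE_HITS = [  # constructed: two failures for the post's rule, one success
    _hit(POST_RULE_ID, "2022-08-12T00:04:20.753Z", "failure", UNAUTH),
    _hit(POST_RULE_ID, "2022-08-11T23:59:20.753Z", "failure", UNAUTH),
    _hit(OTHER_RULE_ID, "2022-08-12T00:04:21.000Z", "success"),
]

if __name__ == "__main__":
    print("Dev Tools query body:")
    print(json.dumps(failed_execution_query(), indent=2))
    for rid, info in summarize_failures(SAMPLE_HITS).items():
        print(f"{rid}: {info['failures']} failure(s), last {info['last_seen']},"
              f" kind={info['kind']}: {info['error']}")
```

In a real run, replace SAMPLE_HITS with the `hits.hits` array returned by Dev Tools. A rule landing in the "privilege" bucket matches the post's finding: in 7.x a detection rule executes with the privileges of the user who last enabled it, so the user who activated the rule needs the Kibana Security feature privilege (and read access to the rule's source indices), which is why re-enabling it as the elastic superuser made it run.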