My SOC team is starting to use Elastic Stack for security purposes, and we are planning to use both the SIEM and Endpoint Security capabilities.
We have T1 and T2 analysts, and I want to give them different permissions for different parts of the Security module.
I've managed to create a separate role with read-only access to SIEM rules and exceptions and full access to signals, and another role with full access to SIEM rules, exceptions and signals.
But I've encountered an issue with providing access to the Endpoint Security module. I want to give both roles the ability to review all pages in Endpoint Security and perform actions like endpoint isolation. I haven't found any way to create custom roles with such capabilities in the docs; they say the user must have the superuser role to access those tabs.
Any ideas on how to find a work-around and give users full-access capabilities in the Endpoint Security module without giving them the superuser role? I just want to make sure my analysts have access to the features required to do their job without giving them the ability to break something inside Elastic.
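The two SIEM roles the post describes, written out as Kibana role definitions so the split between "read-only rules, full signals" and "full rules and signals" is visible. This is an added example, not from the original post or from Elastic's documentation. It assumes Kibana 7.x, where the Security app's feature privilege ID is `siem` and detection alerts are stored in the `.siem-signals-<space>` indices; the role names (`soc_t1`, `soc_t2`), the source index patterns and the space name are placeholders. Each value below is the request body for `PUT /api/security/role/<name>`; confirm the privilege names against the role editor in your own Kibana version before applying them.

```json
{
  "soc_t1": {
    "elasticsearch": {
      "cluster": [],
      "indices": [
        {
          "names": ["logs-*", "filebeat-*", "winlogbeat-*"],
          "privileges": ["read", "view_index_metadata"]
        },
        {
          "names": [".siem-signals-*"],
          "privileges": ["read", "write", "view_index_metadata"]
        }
      ]
    },
    "kibana": [
      {
        "base": [],
        "feature": { "siem": ["read"] },
        "spaces": ["default"]
      }
    ]
  },
  "soc_t2": {
    "elasticsearch": {
      "cluster": [],
      "indices": [
        {
          "names": ["logs-*", "filebeat-*", "winlogbeat-*"],
          "privileges": ["read", "view_index_metadata"]
        },
        {
          "names": [".siem-signals-*"],
          "privileges": ["read", "write", "view_index_metadata"]
        }
      ]
    },
    "kibana": [
      {
        "base": [],
        "feature": { "siem": ["all"] },
        "spaces": ["default"]
      }
    ]
  }
}
```

The point of the T1 definition is that rule and exception management is governed by the Kibana `siem` feature privilege (`read`), while changing signal status only needs `write` on the signals index, so the two can be granted independently and neither role needs any base privilege or cluster privilege. Neither definition covers the Endpoint Security tabs, which is the open question in the post.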