Warning in Rules

Hi,

I have an environment with several spaces to separate access to different indices, e.g. space a has only access to indices "filebeat-a-*", space b to "filebeat-b-*".

In Security I've activated some of the provided rules in space a with a user, who has only access to the "filebeat-a-*" indices.

The rules then throw a warning: "Missing required read privileges on the following indices: ["filebeat-*"]".

My question: Are the rules executing against the "filebeat-a-*" indices despite this warning or do the rules not execute at all and I must clone any rule I want to use and change the setting in the new rule to "filebeat-a-*"?

Best regards,
Norbert

Hey @norgro2601 thanks for reaching out!

I believe the warning is indicating that the rule will not be executing because it is attempting to read on the index pattern filebeat-* and does not have permissions to do so.

Yeah unfortunately I think you'll need to clone the rules you'd like to run and modify them such that they use the index pattern filebeat-a-*.

Hey @Jonathan_Buttner,

does this mean that the setting in the space that determines which Elasticsearch indices are used for the Security solution is also ignored, and it must be filebeat-* anyway?

Then the only possible solution to avoid clones and achieve the same result is to have a setting in a role that allows access to filebeat-* in general but uses a "Grant read privileges to specific documents" filter that only allows access to the documents in filebeat-a-*, right?

Kind regards,
Norbert
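For reference, the role shape the post above describes, written as a Kibana role API body (an added example, not configuration from the thread or from Elastic): read on filebeat-* for the Security solution's index pattern, with a document-level security query on the virtual `_index` field so only documents from filebeat-a-* are returned. The role name, the space name `a` and the chosen feature privilege are assumptions for illustration.

```json
{
  "elasticsearch": {
    "cluster": [],
    "indices": [
      {
        "names": ["filebeat-*"],
        "privileges": ["read", "view_index_metadata"],
        "query": {
          "wildcard": { "_index": "filebeat-a-*" }
        }
      }
    ]
  },
  "kibana": [
    {
      "spaces": ["a"],
      "feature": { "siem": ["all"] }
    }
  ]
}
```

Because the privilege is granted on filebeat-* itself, a rule running as this user no longer triggers the missing-privileges warning, while the query filter keeps documents from other spaces' indices out of its results; the user will additionally need access to the alert index for that space, which is version dependent and not shown here.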

Hey @Jonathan_Buttner,

good news: this warning is just informational and doesn't prevent the rule from working.

Fortunately, today I noticed that the rule "Threat Intel Filebeat Module Indicator Match", which was still activated, created some new alerts.

Kind regards,
Norbert
