diff --git a/.buildkite/ftr_security_stateful_configs.yml b/.buildkite/ftr_security_stateful_configs.yml
index 84f65d1aa81f0..44056edc57828 100644
--- a/.buildkite/ftr_security_stateful_configs.yml
+++ b/.buildkite/ftr_security_stateful_configs.yml
@@ -101,6 +101,9 @@ enabled:
 - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/policy/trial_license_complete_tier/configs/ess.config.ts
 - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/configs/ess.config.ts
 - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/response_actions/trial_license_complete_tier/configs/ess.config.ts
+ - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts
+ - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
+ - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
 - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/configs/ess.config.ts
 - x-pack/test/security_solution_api_integration/test_suites/siem_migrations/rules/trial_license_complete_tier/configs/ess.config.ts
 - x-pack/test/security_solution_endpoint/configs/endpoint.config.ts
diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml
index fd27889c566a9..0d5eeabc3c499 100644
--- a/config/serverless.security.search_ai_lake.yml
+++ b/config/serverless.security.search_ai_lake.yml
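Review bot: Two of the three new entries are `serverless.config.ts` files, but this list is `ftr_security_stateful_configs.yml` and every neighbouring entry in the hunk is an `ess.config.ts`. If the stateful job boots an ESS stack, the serverless `role_migrations` configs would run against the wrong platform or fail to start, so confirm they belong here rather than in the serverless configs list. The `search_ai_lake_tier` and `trial_license_complete_tier` split itself looks right; only the host list is in question.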
@@ -23,9 +23,25 @@ xpack.features.overrides: securitySolutionNotes.hidden: true siem.description: null siemV2.description: null + siemV3.description: null securitySolutionSiemMigrations.hidden: true ## Fine-tune the security solution essentials feature privileges. These feature privilege overrides are set individually for each project type. Also, refer to `serverless.yml` for the project-agnostic overrides. + siemV3: + privileges: + all.composedOf: + ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten + ## We do not need to compose siemV3 from maps and visualizations because these functionalities are disabled in this tier + - feature: "discover_v2" + privileges: [ "all" ] + ## We need limited access to fleet (v1) in order to use integrations + - feature: "fleet" + privileges: [ "all" ] + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "fleet" + privileges: [ "read" ] siemV2: privileges: all.composedOf: @@ -33,7 +49,7 @@ xpack.features.overrides: ## We do not need to compose siemV2 from maps and visualizations because these functionalities are disabled in this tier - feature: "discover_v2" privileges: [ "all" ] - ## We need limited read access to fleet (v1) in order to use integrations + ## We need limited access to fleet (v1) in order to use integrations - feature: "fleet" privileges: [ "all" ] read.composedOf: diff --git a/config/serverless.security.yml b/config/serverless.security.yml index 5ba16b1a8e765..616552a2555f5 100644 --- a/config/serverless.security.yml +++ b/config/serverless.security.yml 
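Review bot: The new `siemV3` block composes its `all` privilege with `fleet` `all` while the accompanying comment describes this as "limited access", which understates the grant: in this tier every holder of `siemV3` `all` receives full Fleet (v1) access, and `read.composedOf` likewise hands out Fleet `read`. Since the commit rewords the same comment on `siemV2` in the second hunk without giving the reason, the reason `all` rather than `read` is needed should be recorded once, e.g. `## Fleet "all" (not "read") is composed in so integrations can be installed/managed; this grants full Fleet (v1) to every siemV3 "all" holder in this tier` — adjust if the actual reason differs. Keeping the deprecated `siemV2` override next to it is fine, but a `## Deprecated, kept for roles still referencing siemV2` line above it would make the intent explicit.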
@@ -25,6 +25,33 @@ xpack.features.overrides: category: "security" order: 1101 ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. + siemV3: + privileges: + ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and + ### Visualize features. + all.composedOf: + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "dashboard_v2" + privileges: [ "all" ] + - feature: "visualize_v2" + privileges: [ "all" ] + - feature: "maps_v2" + privileges: [ "all" ] + # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and + # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover, + ### Dashboard, and Visualize apps. + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "dashboard_v2" + privileges: [ "read" ] + - feature: "visualize_v2" + privileges: [ "read" ] + - feature: "maps_v2" + privileges: [ "read" ] + + ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. siemV2: privileges: ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml index ea73253a41860..21593e638c4b1 100644 --- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml +++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml 
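Review bot: The comment markers inside the new `siemV3` block are inconsistent: the `Read` explanation starts with `# Security's `Read` feature privilege ...` and `# Visualize features. ...` while its last line and every other comment in the block use `###`. Use `###` on all three lines so the block matches the `all` comment directly above it. The header comment `### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps.` now appears twice in a row (once before `siemV3`, once before `siemV2`); the second copy would read better as `### Deprecated siemV2 overrides, kept so roles still referencing siemV2 keep the same app access.` if that is why the block is retained.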
@@ -45,9 +45,9 @@ viewer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCasesV2.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -121,19 +121,20 @@ editor:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.policy_management_read # Elastic Defend Policy Management
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response actions history
- - feature_siemV2.file_operations_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response actions history
+ - feature_siemV3.file_operations_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
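Review bot: `feature_siemV3.global_artifact_management_all` is introduced into the `editor` role here (and into `t3_analyst`, `threat_intelligence_analyst`, `rule_author`, `soc_manager`, `detections_admin`, `platform_engineer`, `endpoint_operations_analyst` and `endpoint_policy_manager` in the following hunks) with no inline annotation, although this file already annotates the less obvious privileges (`# Elastic Defend Policy Management`, `# Response actions history`). Because these are the sample roles people copy, a short note on what the new privilege adds on top of the per-artifact `*_all` entries would help, e.g. `- feature_siemV3.global_artifact_management_all # Global-scope artifact management (siemV3)`; adjust the wording to the privilege's actual meaning. Since the `viewer` role only gets the renamed read privileges, no annotation is needed there.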
@@ -187,9 +188,9 @@ t1_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCasesV2.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -246,9 +247,9 @@ t2_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -310,21 +311,22 @@ t3_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.policy_management_read # Elastic Defend Policy Management
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response actions history
- - feature_siemV2.file_operations_all
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response actions history
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -389,9 +391,10 @@ threat_intelligence_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.endpoint_list_read
- - feature_siemV2.blocklist_all
+ - feature_siemV3.all
+ - feature_siemV3.endpoint_list_read
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.blocklist_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -456,17 +459,18 @@ rule_author:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_read
- - feature_siemV2.blocklist_all # Elastic Defend Policy Management
- - feature_siemV2.actions_log_management_read
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_read
+ - feature_siemV3.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV3.actions_log_management_read
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
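Review bot: In the `rule_author` hunk the comment `# Elastic Defend Policy Management` sits on `feature_siemV3.blocklist_all`, whereas in `editor` and `t3_analyst` the same comment annotates the `policy_management_*` privilege; the same misplacement is rewritten into `platform_engineer` and `endpoint_policy_manager` in the later hunks. Since these lines are already being rewritten for the siemV3 rename, move the comment to `- feature_siemV3.policy_management_all # Elastic Defend Policy Management` and leave `blocklist_all` unannotated (or annotate it with what it actually is). As written, a reader copying this role is told the blocklist privilege is policy management.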
@@ -531,22 +535,23 @@ soc_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all
- - feature_siemV2.file_operations_all
- - feature_siemV2.execute_operations_all
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.execute_operations_all
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -611,9 +616,10 @@ detections_admin:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.global_artifact_management_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
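Review bot: In the `detections_admin` hunk `feature_siemV3.global_artifact_management_all` is granted to a role that holds none of the per-artifact privileges (`trusted_applications_*`, `event_filters_*`, `blocklist_*`, `host_isolation_exceptions_*`), unlike every other role that receives it in this file. Either the grant does nothing for this role and should be dropped, or it widens a detections-focused role into endpoint artifact management, which deserves an explicit comment; I cannot tell from the diff which it is. If it is intentional, a line such as `# Needed so detections admins can manage global-scope artifacts (no per-artifact privileges on purpose)` above it would stop the next reader from removing it as a copy-paste leftover.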
@@ -669,17 +675,18 @@ platform_engineer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all # Elastic Defend Policy Management
- - feature_siemV2.actions_log_management_read
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV3.actions_log_management_read
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -745,21 +752,22 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all
- - feature_siemV2.file_operations_all
- - feature_siemV2.execute_operations_all
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.execute_operations_all
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -833,16 +841,17 @@ endpoint_policy_manager: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json index e6727ccd754b6..246ce53fc0034 100644 --- a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json +++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json @@ -32,7 +32,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["read"], @@ -81,7 +81,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["read"], 
@@ -140,7 +140,7 @@ { "feature": { "ml": ["read"], - "siemV2": [ + "siemV3": [ "all", "read_alerts", "crud_alerts", @@ -217,7 +217,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -274,7 +274,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -326,7 +326,7 @@ { "feature": { "ml": ["all"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -385,7 +385,7 @@ { "feature": { "ml": ["all"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json index 320122af2e679..246d161edce4c 100644 --- a/x-pack/platform/plugins/private/translations/translations/fr-FR.json +++ b/x-pack/platform/plugins/private/translations/translations/fr-FR.json 
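Review bot: The `siemV3` entries in `security_roles.json` are only renamed from `siemV2`, while the companion `project_roles/security/roles.yml` in this same commit also adds `global_artifact_management_all` to its editor, analyst, manager and admin roles. If this JSON fixture is meant to mirror `roles.yml`, the two now disagree on what the siemV3 roles may do; the `@@ -140` list continues outside the hunk, so I cannot confirm it for every role here. Either add the new privilege where `roles.yml` has it, or note at the top of the file which fixture is authoritative.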
@@ -7740,7 +7740,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "Cas", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "Cas (Déclassé)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "Notes", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "Les permissions {currentId} sont déclassées, veuillez consulter {idV2}.", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "Les permissions {currentId} sont déclassées, veuillez consulter {latestId}.", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "Migrations SIEM", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "Chronologie", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "Sécurité", @@ -48680,4 +48680,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "Ce champ est requis.", "xpack.watcher.watcherDescription": "Détectez les modifications survenant dans vos données en créant, gérant et monitorant des alertes." } -} +} \ No newline at end of file diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json index e1ca164b1d882..edc24279c4ca3 100644 --- a/x-pack/platform/plugins/private/translations/translations/ja-JP.json +++ b/x-pack/platform/plugins/private/translations/translations/ja-JP.json 
@@ -7734,7 +7734,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "ケース", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "ケース(廃止予定)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "メモ", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId}権限は廃止予定です。{idV2}を参照してください。", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId}権限は廃止予定です。{latestId}を参照してください。", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "SIEM移行", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "Timeline", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "セキュリティ", @@ -48633,4 +48633,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "フィールドを選択してください。", "xpack.watcher.watcherDescription": "アラートの作成、管理、監視によりデータへの変更を検知します。" } -} +} \ No newline at end of file diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json index cc8e425d14dc7..1da7da1df741b 100644 --- a/x-pack/platform/plugins/private/translations/translations/zh-CN.json +++ b/x-pack/platform/plugins/private/translations/translations/zh-CN.json 
@@ -7745,7 +7745,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "案例", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "案例(已过时)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "备注", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId} 权限已过时,请参阅 {idV2}。", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId} 权限已过时,请参阅 {latestId}。", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "SIEM 迁移", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "时间线", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "安全", @@ -48723,4 +48723,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "此字段必填。", "xpack.watcher.watcherDescription": "通过创建、管理和监测警报来检测数据中的更改。" } -} +} \ No newline at end of file diff --git a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts index abe2b8c8d22d2..2bf8de9433548 100644 --- a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts +++ b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts @@ -16,7 +16,7 @@ import { calculatePackagePrivilegesFromKibanaPrivileges, getAuthorizationFromPrivileges, } from './authz'; -import { ENDPOINT_PRIVILEGES } from './constants'; +import { ENDPOINT_PRIVILEGES, SECURITY_SOLUTION_APP_ID } from './constants'; const SECURITY_SOLUTION_ID = DEFAULT_APP_CATEGORIES.security.id; @@ -69,7 +69,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointCapabilities, transform: transformCapabilities, }); 
@@ -95,7 +95,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointExceptionsCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointExceptionsCapabilities, }); expect(actual).toEqual(expected); @@ -120,7 +120,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointCapabilities, }); expect(actual).toEqual(expected); diff --git a/x-pack/platform/plugins/shared/fleet/common/authz.ts b/x-pack/platform/plugins/shared/fleet/common/authz.ts index e04a1fe215c2d..52a0c79870d15 100644 --- a/x-pack/platform/plugins/shared/fleet/common/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/authz.ts @@ -8,6 +8,7 @@ import type { Capabilities } from '@kbn/core-capabilities-common'; import { TRANSFORM_PLUGIN_ID } from './constants/plugin'; +import { SECURITY_SOLUTION_APP_ID } from './constants/authz'; import { ENDPOINT_EXCEPTIONS_PRIVILEGES, ENDPOINT_PRIVILEGES } from './constants'; @@ -180,7 +181,9 @@ export function calculatePackagePrivilegesFromCapabilities( (acc, [privilege, { privilegeName }]) => { acc[privilege] = { executePackageAction: - (capabilities.siemV2 && (capabilities.siemV2[privilegeName] as boolean)) || false, + (capabilities[SECURITY_SOLUTION_APP_ID] && + (capabilities[SECURITY_SOLUTION_APP_ID][privilegeName] as boolean)) || + false, }; return acc; }, 
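Review bot: In `authz.ts` the first hunk imports `SECURITY_SOLUTION_APP_ID` from `./constants/authz` on one line and `ENDPOINT_EXCEPTIONS_PRIVILEGES, ENDPOINT_PRIVILEGES` from the `./constants` barrel on the next, while `authz.test.ts` in the same commit imports the constant from `./constants` — so the barrel already re-exports it. Fold it into the existing line: `import { ENDPOINT_EXCEPTIONS_PRIVILEGES, ENDPOINT_PRIVILEGES, SECURITY_SOLUTION_APP_ID } from './constants';`. In the `calculatePackagePrivilegesFromCapabilities` hunk the `|| false` keeps the lookup fail-closed when the `siemV3` capability block is absent, which is the right default; the function starts and ends outside the hunk.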
@@ -210,14 +213,15 @@ export function calculatePackagePrivilegesFromCapabilities( export function calculateEndpointExceptionsPrivilegesFromCapabilities( capabilities: Capabilities | undefined ): FleetAuthz['endpointExceptionsPrivileges'] { - if (!capabilities || !capabilities.siemV2) { + if (!capabilities || !capabilities[SECURITY_SOLUTION_APP_ID]) { return; } const endpointExceptionsActions = Object.keys(ENDPOINT_EXCEPTIONS_PRIVILEGES).reduce< Record >((acc, privilegeName) => { - acc[privilegeName] = (capabilities.siemV2[privilegeName] as boolean) || false; + acc[privilegeName] = + (capabilities[SECURITY_SOLUTION_APP_ID][privilegeName] as boolean) || false; return acc; }, {}); diff --git a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts index 4363f45acf9d8..290b86bf8edee 100644 --- a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts @@ -8,7 +8,7 @@ import { deepFreeze } from '@kbn/std'; import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; -const SECURITY_SOLUTION_APP_ID = 'siemV2'; +export const SECURITY_SOLUTION_APP_ID = 'siemV3'; export interface PrivilegeMapObject { appId: string; diff --git a/x-pack/platform/test/api_integration/apis/features/features/features.ts b/x-pack/platform/test/api_integration/apis/features/features/features.ts index 7386d58ed939d..199c61e5d5c61 100644 --- a/x-pack/platform/test/api_integration/apis/features/features/features.ts +++ b/x-pack/platform/test/api_integration/apis/features/features/features.ts @@ -136,7 +136,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchSynonyms', 'searchQueryRules', 'searchPlayground', - 'siemV2', + 'siemV3', 'slo', 'streams', 'securitySolutionAssistant', 
@@ -200,6 +200,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchPlayground', 'siem', 'siemV2', + 'siemV3', 'slo', 'streams', 'securitySolutionAssistant', diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index e82bfd81a8a11..7132cbcfa34b3 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts @@ -156,6 +156,34 @@ export default function ({ getService }: FtrProviderContext) { 'execute_operations_all', 'scan_operations_all', ], + siemV3: [ + 'all', + 'read', + 'minimal_all', + 'minimal_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'workflow_insights_all', + 'workflow_insights_read', + 'global_artifact_management_all', + 'trusted_applications_all', + 'trusted_applications_read', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'blocklist_all', + 'blocklist_read', + 'event_filters_all', + 'event_filters_read', + 'policy_management_all', + 'policy_management_read', + 'actions_log_management_all', + 'actions_log_management_read', + 'host_isolation_all', + 'process_operations_all', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + ], uptime: [ 'all', 'read', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index 1f285475c70ad..df09177bad26a 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts 
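Review bot: In the `privileges.ts` expectation `global_artifact_management_all` is the only sub-feature privilege in the new `siemV3` list without a matching `_read` entry — every other pair (`trusted_applications`, `blocklist`, `event_filters`, `policy_management`, ...) lists both. The same asymmetry appears in the `api_integration_basic` list in the next hunk. If the privilege is deliberately all-only, a short comment next to it (`// all-only: there is no read variant of global artifact management`) would stop someone "fixing" the test later; if not, the feature registration is missing the read privilege and this test is pinning the omission.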
@@ -56,6 +56,7 @@ export default function ({ getService }: FtrProviderContext) { ml: ['all', 'read', 'minimal_all', 'minimal_read'], siem: ['all', 'read', 'minimal_all', 'minimal_read'], siemV2: ['all', 'read', 'minimal_all', 'minimal_read'], + siemV3: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'], @@ -261,6 +262,34 @@ export default function ({ getService }: FtrProviderContext) { 'workflow_insights_all', 'workflow_insights_read', ], + siemV3: [ + 'actions_log_management_all', + 'actions_log_management_read', + 'all', + 'global_artifact_management_all', + 'blocklist_all', + 'blocklist_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'event_filters_all', + 'event_filters_read', + 'host_isolation_all', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'minimal_all', + 'minimal_read', + 'policy_management_all', + 'policy_management_read', + 'process_operations_all', + 'read', + 'trusted_applications_all', + 'trusted_applications_read', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + 'workflow_insights_all', + 'workflow_insights_read', + ], uptime: [ 'all', 'can_manage_private_locations', diff --git a/x-pack/solutions/security/packages/features/product_features.ts b/x-pack/solutions/security/packages/features/product_features.ts index 683e43335a34b..1649458e866d1 100644 --- a/x-pack/solutions/security/packages/features/product_features.ts +++ b/x-pack/solutions/security/packages/features/product_features.ts 
@@ -6,7 +6,7 @@ */ export { getCasesFeature, getCasesV2Feature, getCasesV3Feature } from './src/cases'; -export { getSecurityFeature, getSecurityV2Feature } from './src/security'; +export { getSecurityFeature, getSecurityV2Feature, getSecurityV3Feature } from './src/security'; export { getAssistantFeature } from './src/assistant'; export { getAttackDiscoveryFeature } from './src/attack_discovery'; export { getTimelineFeature } from './src/timeline'; diff --git a/x-pack/solutions/security/packages/features/src/constants.ts b/x-pack/solutions/security/packages/features/src/constants.ts index 3b033b0685abb..059e3f3162200 100644 --- a/x-pack/solutions/security/packages/features/src/constants.ts +++ b/x-pack/solutions/security/packages/features/src/constants.ts @@ -11,6 +11,8 @@ export const SERVER_APP_ID = 'siem' as const; // New version created in 8.18. It was previously `SERVER_APP_ID`. export const SECURITY_FEATURE_ID_V2 = 'siemV2' as const; +// New version for 9.1. +export const SECURITY_FEATURE_ID_V3 = 'siemV3' as const; /** * @deprecated deprecated in 8.17. Use CASE_FEATURE_ID_V2 instead diff --git a/x-pack/solutions/security/packages/features/src/security/index.ts b/x-pack/solutions/security/packages/features/src/security/index.ts index 910710a4b9f28..ccad3cc1f9334 100644 --- a/x-pack/solutions/security/packages/features/src/security/index.ts +++ b/x-pack/solutions/security/packages/features/src/security/index.ts @@ -17,6 +17,11 @@ import { getSecurityV2BaseKibanaSubFeatureIds, } from './v2_features/kibana_sub_features'; import type { SecurityFeatureParams } from './types'; +import { getSecurityV3BaseKibanaFeature } from './v3_features/kibana_features'; +import { + getSecurityV3BaseKibanaSubFeatureIds, + getSecurityV3SubFeaturesMap, +} from './v3_features/kibana_sub_features'; /** * @deprecated Use getSecurityV2Feature instead 
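Review bot: In the `security/index.ts` import hunk the v3 imports are appended after `import type { SecurityFeatureParams }`, separating them from the v1/v2 feature imports they parallel; move the two `./v3_features/...` imports up next to the `./v2_features/...` ones so the type import stays last as before. The context line `@deprecated Use getSecurityV2Feature instead` on `getSecurityFeature` is now stale: the commit deprecates v2 in favour of v3 in the next hunk and points the v1 user-facing notice at `SECURITY_FEATURE_ID_V3`, so this JSDoc should read `@deprecated Use getSecurityV3Feature instead` as well.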
@@ -29,6 +34,9 @@ export const getSecurityFeature = (
 subFeaturesMap: getSecuritySubFeaturesMap(params),
 });
+/**
+ * @deprecated Use getSecurityV3Feature instead
+ */
 export const getSecurityV2Feature = (
 params: SecurityFeatureParams
 ): ProductFeatureParams => ({
@@ -36,3 +44,11 @@ export const getSecurityV2Feature = (
 baseKibanaSubFeatureIds: getSecurityV2BaseKibanaSubFeatureIds(params),
 subFeaturesMap: getSecurityV2SubFeaturesMap(params),
 });
+
+export const getSecurityV3Feature = (
+ params: SecurityFeatureParams
+): ProductFeatureParams => ({
+ baseKibanaFeature: getSecurityV3BaseKibanaFeature(params),
+ baseKibanaSubFeatureIds: getSecurityV3BaseKibanaSubFeatureIds(params),
+ subFeaturesMap: getSecurityV3SubFeaturesMap(params),
+});
diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
index 54617d8c0ec67..d6ba5d5791428 100644
--- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
+++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
@@ -126,16 +126,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature
 // Adds no additional kibana feature controls
 [ProductFeatureSecurityKey.endpointPolicyProtections]: {},
- [ProductFeatureSecurityKey.endpointArtifactManagement]: {
- subFeatureIds: [
- SecuritySubFeatureId.hostIsolationExceptionsBasic,
- SecuritySubFeatureId.trustedApplications,
- SecuritySubFeatureId.blocklist,
- SecuritySubFeatureId.eventFilters,
- SecuritySubFeatureId.globalArtifactManagement,
- ],
- },
-
 // Endpoint Complete Tier:
 // Allows access to create/update HIEs
 [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: {
diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts
index dda61b6e86b9a..7660b02866fc3 100644
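Review bot: `getSecurityV3Feature` is exported with no doc comment while both of its siblings now carry a JSDoc block, so the only thing telling a caller which of the three to use is the `@deprecated` tags on the other two. A one-liner above it would close that gap: `/** Current Security feature definition (siemV3). Prefer this over getSecurityFeature/getSecurityV2Feature. */`. In the product_feature_config.ts hunk, the `endpointArtifactManagement` entry is dropped from the defaults without a comment saying where its five sub-feature ids are now registered; the "overriden by product feature endpointArtifactManagement when enabled" notes elsewhere in this commit imply it moved to a per-offering config, so a short `// endpointArtifactManagement is configured per offering; see types.ts Omit<>` at the removal site would save the next reader the search.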
--- a/x-pack/solutions/security/packages/features/src/security/types.ts
+++ b/x-pack/solutions/security/packages/features/src/security/types.ts
@@ -22,6 +22,7 @@ export interface SecurityFeatureParams {
 export type DefaultSecurityProductFeaturesConfig = Omit<
 Record>,
- ProductFeatureSecurityKey.endpointExceptions
+ | ProductFeatureSecurityKey.endpointExceptions
+ | ProductFeatureSecurityKey.endpointArtifactManagement
 // | add not generic security app features here
 >;
diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
index f4cbe0bdf1b4f..ce1e889b2d314 100644
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
@@ -24,7 +24,7 @@ import {
 SERVER_APP_ID,
 LEGACY_NOTIFICATIONS_ID,
 CLOUD_POSTURE_APP_ID,
- SECURITY_FEATURE_ID_V2,
+ SECURITY_FEATURE_ID_V3,
 TIMELINE_FEATURE_ID,
 NOTES_FEATURE_ID,
 } from '../../constants';
@@ -55,10 +55,10 @@ export const getSecurityBaseKibanaFeature = ({
 notice: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage',
 {
- defaultMessage: 'The {currentId} permissions are deprecated, please see {idV2}.',
+ defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.',
 values: {
 currentId: SERVER_APP_ID,
- idV2: SECURITY_FEATURE_ID_V2,
+ latestId: SECURITY_FEATURE_ID_V3,
 },
 }
 ),
@@ -93,12 +93,14 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['all'] },
+ // note: overriden by product feature endpointArtifactManagement when enabled
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['minimal_all'] },
+ // note: overriden by product feature endpointArtifactManagement when enabled
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
 ],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
@@ -141,12 +143,12 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['minimal_read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] },
 ],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts
index b72220e2a57d8..31f24b670752a 100644
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts
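Review bot: Both added comments in the first hunk misspell "overridden" (`// note: overriden by product feature endpointArtifactManagement when enabled`), and the same text is added twice more in the v2 `all.replacedBy` block at L30. Beyond the spelling, the comment tells the reader that something replaces these entries but not what they become; naming the substituted target would make the `all`/`minimal_all` mapping auditable without reading the product-feature plugin: `// note: overridden by the endpointArtifactManagement product feature when it is enabled (that feature supplies its own replacedBy for siemV3)`, hedged because the override itself is outside this hunk. getSecurityBaseKibanaFeature begins and ends outside the hunk.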
@@ -14,7 +14,7 @@ import {
 } from '../../product_features_privileges';
 import { SecuritySubFeatureId } from '../../product_features_keys';
-import { APP_ID, SECURITY_FEATURE_ID_V2 } from '../../constants';
+import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants';
 import type { SecurityFeatureParams } from '../types';
 const endpointListSubFeature = (): SubFeatureConfig => ({
@@ -43,7 +43,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_list_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_all'] }],
 api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`],
 id: 'endpoint_list_all',
 includeIn: 'none',
@@ -55,7 +55,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
 ui: ['writeEndpointList', 'readEndpointList'],
 },
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_list_read'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_read'] }],
 api: [`${APP_ID}-readEndpointList`],
 id: 'endpoint_list_read',
 includeIn: 'none',
@@ -98,7 +98,16 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['trusted_applications_all'] },
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'trusted_applications_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
 ],
 api: [
 'lists-all',
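Review bot: In the last hunk, `trusted_applications_all` is migrated to two siemV3 privileges, and the second, `global_artifact_management_all`, is the single coarse grant that — per the v2 sub-feature at L36 — carries the `${APP_ID}-writeGlobalArtifacts` API tag for every artifact type at once. That is the stated intent (preserve what any artifact writer could already do), but it also means a v1 role that could write only one artifact type ends up holding the global-write grant; whether that stays harmless depends on the per-type write privilege still being checked next to `writeGlobalArtifacts`, which is not visible here, so a role_migrations case asserting that such a role still cannot write a global artifact of another type would pin the property this commit relies on. The identical two-line rationale is pasted into every migrated `*_all` privilege (L25, L26, L29 in this file; L32, L33, L36 in v2_features), so a single `const GLOBAL_ARTIFACT_MIGRATION_PRIVILEGE = 'global_artifact_management_all';` with the comment above it, spread into each `replacedBy` list, would keep the explanation in one place. trustedApplicationsSubFeature begins and ends outside the hunk.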
@@ -118,7 +127,7 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
 },
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['trusted_applications_read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_read'] },
 ],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`],
 id: 'trusted_applications_read',
@@ -161,7 +170,16 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_exceptions_all'] },
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'host_isolation_exceptions_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
 ],
 api: [
 'lists-all',
@@ -181,7 +199,7 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
 },
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_exceptions_read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_read'] },
 ],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`],
 id: 'host_isolation_exceptions_read',
@@ -220,7 +238,18 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['blocklist_all'] }],
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'blocklist_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -238,7 +267,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
 ui: ['writeBlocklist', 'readBlocklist'],
 },
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['blocklist_read'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_read'] }],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`],
 id: 'blocklist_read',
 includeIn: 'none',
@@ -279,7 +308,18 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['event_filters_all'] }],
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'event_filters_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -297,7 +337,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
 ui: ['writeEventFilters', 'readEventFilters'],
 },
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['event_filters_read'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_read'] }],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`],
 id: 'event_filters_read',
 includeIn: 'none',
@@ -338,7 +378,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['policy_management_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_all'] }],
 api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`],
 id: 'policy_management_all',
 includeIn: 'none',
@@ -350,7 +390,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
 ui: ['writePolicyManagement', 'readPolicyManagement'],
 },
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['policy_management_read'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_read'] }],
 api: [`${APP_ID}-readPolicyManagement`],
 id: 'policy_management_read',
 includeIn: 'none',
@@ -392,7 +432,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['actions_log_management_all'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_all'] },
 ],
 api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`],
 id: 'actions_log_management_all',
@@ -406,7 +446,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
 },
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['actions_log_management_read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_read'] },
 ],
 api: [`${APP_ID}-readActionsLogManagement`],
 id: 'actions_log_management_read',
@@ -445,7 +485,7 @@ const hostIsolationSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_all'] }],
 api: [`${APP_ID}-writeHostIsolationRelease`],
 id: 'host_isolation_all',
 includeIn: 'none',
@@ -486,7 +526,7 @@ const processOperationsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['process_operations_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['process_operations_all'] }],
 api: [`${APP_ID}-writeProcessOperations`],
 id: 'process_operations_all',
 includeIn: 'none',
@@ -526,7 +566,7 @@ const fileOperationsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['file_operations_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['file_operations_all'] }],
 api: [`${APP_ID}-writeFileOperations`],
 id: 'file_operations_all',
 includeIn: 'none',
@@ -569,7 +609,7 @@ const executeActionSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['execute_operations_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['execute_operations_all'] }],
 api: [`${APP_ID}-writeExecuteOperations`],
 id: 'execute_operations_all',
 includeIn: 'none',
@@ -611,7 +651,7 @@ const scanActionSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
- replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['scan_operations_all'] }],
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['scan_operations_all'] }],
 api: [`${APP_ID}-writeScanOperations`],
 id: 'scan_operations_all',
@@ -645,7 +685,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 description: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description',
 {
- defaultMessage: 'Use Endpoint Exceptions (this is a test sub-feature).',
+ defaultMessage: 'Manage Endpoint Exceptions.',
 }
 ),
 privilegeGroups: [
@@ -654,7 +694,17 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_exceptions_all'] },
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'endpoint_exceptions_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ // This migration is for the serverless offering, where endpoint exception privilege exists.
+ 'global_artifact_management_all',
+ ],
+ },
 ],
 id: 'endpoint_exceptions_all',
 includeIn: 'all',
@@ -667,7 +717,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 },
 {
 replacedBy: [
- { feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_exceptions_read'] },
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_read'] },
 ],
 id: 'endpoint_exceptions_read',
 includeIn: 'read',
diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
index 0bfc3f7e79920..ef37fa35dd4f2 100644
--- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
@@ -25,6 +25,7 @@ import {
 LEGACY_NOTIFICATIONS_ID,
 CLOUD_POSTURE_APP_ID,
 SERVER_APP_ID,
+ SECURITY_FEATURE_ID_V3,
 } from '../../constants';
 import type { SecurityFeatureParams } from '../types';
 import type { BaseKibanaFeatureConfig } from '../../types';
@@ -49,6 +50,19 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({
 export const getSecurityV2BaseKibanaFeature = ({
 savedObjects,
 }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({
+ deprecated: {
+ notice: i18n.translate(
+ 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage',
+ {
+ defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.',
+ values: {
+ currentId: SECURITY_FEATURE_ID_V2,
+ latestId: SECURITY_FEATURE_ID_V3,
+ },
+ }
+ ),
+ },
+
 id: SECURITY_FEATURE_ID_V2,
 name: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle',
@@ -74,6 +88,16 @@ export const getSecurityV2BaseKibanaFeature = ({
 ),
 privileges: {
 all: {
+ replacedBy: {
+ default: [
+ // note: overriden by product feature endpointArtifactManagement when enabled
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
+ ],
+ minimal: [
+ // note: overriden by product feature endpointArtifactManagement when enabled
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
+ ],
+ },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
 catalogue: [APP_ID],
 api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'],
@@ -91,6 +115,10 @@ export const getSecurityV2BaseKibanaFeature = ({
 ui: ['show', 'crud'],
 },
 read: {
+ replacedBy: {
+ default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }],
+ minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }],
+ },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
 catalogue: [APP_ID],
 api: [APP_ID, 'rac', 'lists-read'],
diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts
index f7d84abb5a830..613b52fb179cc 100644
--- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts
@@ -14,7 +14,7 @@ import {
 } from '../../product_features_privileges';
 import { SecuritySubFeatureId } from '../../product_features_keys';
-import { APP_ID } from '../../constants';
+import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants';
 import type { SecurityFeatureParams } from '../types';
 const TRANSLATIONS = Object.freeze({
@@ -58,6 +58,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_all'] }],
 api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`],
 id: 'endpoint_list_all',
 includeIn: 'none',
@@ -69,6 +70,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({
 ui: ['writeEndpointList', 'readEndpointList'],
 },
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_read'] }],
 api: [`${APP_ID}-readEndpointList`],
 id: 'endpoint_list_read',
 includeIn: 'none',
@@ -110,6 +112,18 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'trusted_applications_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -127,6 +141,9 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({
 ui: ['writeTrustedApplications', 'readTrustedApplications'],
 },
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_read'] },
+ ],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`],
 id: 'trusted_applications_read',
 includeIn: 'none',
@@ -167,6 +184,18 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'host_isolation_exceptions_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -184,6 +213,9 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({
 ui: ['readHostIsolationExceptions', 'deleteHostIsolationExceptions'],
 },
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_read'] },
+ ],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`],
 id: 'host_isolation_exceptions_read',
 includeIn: 'none',
@@ -221,6 +253,18 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'blocklist_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -238,6 +282,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({
 ui: ['writeBlocklist', 'readBlocklist'],
 },
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_read'] }],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`],
 id: 'blocklist_read',
 includeIn: 'none',
@@ -278,6 +323,18 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'event_filters_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 api: [
 'lists-all',
 'lists-read',
@@ -295,6 +352,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({
 ui: ['writeEventFilters', 'readEventFilters'],
 },
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_read'] }],
 api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`],
 id: 'event_filters_read',
 includeIn: 'none',
@@ -335,6 +393,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_all'] }],
 api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`],
 id: 'policy_management_all',
 includeIn: 'none',
@@ -346,6 +405,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({
 ui: ['writePolicyManagement', 'readPolicyManagement'],
 },
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_read'] }],
 api: [`${APP_ID}-readPolicyManagement`],
 id: 'policy_management_read',
 includeIn: 'none',
@@ -386,6 +446,9 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_all'] },
+ ],
 api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`],
 id: 'actions_log_management_all',
 includeIn: 'none',
@@ -397,6 +460,9 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({
 ui: ['writeActionsLogManagement', 'readActionsLogManagement'],
 },
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_read'] },
+ ],
 api: [`${APP_ID}-readActionsLogManagement`],
 id: 'actions_log_management_read',
 includeIn: 'none',
@@ -434,6 +500,7 @@ const hostIsolationSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_all'] }],
 api: [`${APP_ID}-writeHostIsolationRelease`],
 id: 'host_isolation_all',
 includeIn: 'none',
@@ -474,6 +541,7 @@ const processOperationsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['process_operations_all'] }],
 api: [`${APP_ID}-writeProcessOperations`],
 id: 'process_operations_all',
 includeIn: 'none',
@@ -513,6 +581,7 @@ const fileOperationsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['file_operations_all'] }],
 api: [`${APP_ID}-writeFileOperations`],
 id: 'file_operations_all',
 includeIn: 'none',
@@ -555,6 +624,7 @@ const executeActionSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['execute_operations_all'] }],
 api: [`${APP_ID}-writeExecuteOperations`],
 id: 'execute_operations_all',
 includeIn: 'none',
@@ -596,6 +666,7 @@ const scanActionSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['scan_operations_all'] }],
 api: [`${APP_ID}-writeScanOperations`],
 id: 'scan_operations_all',
 includeIn: 'none',
@@ -637,6 +708,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['workflow_insights_all'] }],
 api: [`${APP_ID}-writeWorkflowInsights`, `${APP_ID}-readWorkflowInsights`],
 id: 'workflow_insights_all',
 includeIn: 'none',
@@ -648,6 +720,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({
 ui: ['writeWorkflowInsights', 'readWorkflowInsights'],
 },
 {
+ replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['workflow_insights_read'] }],
 api: [`${APP_ID}-readWorkflowInsights`],
 id: 'workflow_insights_read',
 includeIn: 'none',
@@ -680,7 +753,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 description: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description',
 {
- defaultMessage: 'Use Endpoint Exceptions (this is a test sub-feature).',
+ defaultMessage: 'Manage Endpoint Exceptions.',
 }
 ),
 privilegeGroups: [
@@ -688,6 +761,19 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ {
+ feature: SECURITY_FEATURE_ID_V3,
+ privileges: [
+ 'endpoint_exceptions_all',
+
+ // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3.
+ // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior.
+ // This migration is for the serverless offering, where endpoint exception privilege exists.
+ 'global_artifact_management_all',
+ ],
+ },
+ ],
 id: 'endpoint_exceptions_all',
 includeIn: 'all',
 name: TRANSLATIONS.all,
@@ -698,6 +784,9 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all,
 },
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_read'] },
+ ],
 id: 'endpoint_exceptions_read',
 includeIn: 'read',
 name: TRANSLATIONS.read,
@@ -735,6 +824,9 @@ const globalArtifactManagementSubFeature = (): SubFeatureConfig => ({
 groupType: 'mutually_exclusive',
 privileges: [
 {
+ replacedBy: [
+ { feature: SECURITY_FEATURE_ID_V3, privileges: ['global_artifact_management_all'] },
+ ],
 api: [`${APP_ID}-writeGlobalArtifacts`],
 id: 'global_artifact_management_all',
 includeIn: 'none',
diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
new file mode 100644
index 0000000000000..0a6041919ae53
--- /dev/null
+++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
@@ -0,0 +1,115 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { i18n } from '@kbn/i18n';
+import { KibanaFeatureScope } from '@kbn/features-plugin/common';
+
+import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common';
+import {
+ EQL_RULE_TYPE_ID,
+ ESQL_RULE_TYPE_ID,
+ INDICATOR_RULE_TYPE_ID,
+ ML_RULE_TYPE_ID,
+ NEW_TERMS_RULE_TYPE_ID,
+ QUERY_RULE_TYPE_ID,
+ SAVED_QUERY_RULE_TYPE_ID,
+ THRESHOLD_RULE_TYPE_ID,
+} from '@kbn/securitysolution-rules';
+import {
+ APP_ID,
+ SECURITY_FEATURE_ID_V3,
+ LEGACY_NOTIFICATIONS_ID,
+ CLOUD_POSTURE_APP_ID,
+ SERVER_APP_ID,
+} from '../../constants';
+import type { SecurityFeatureParams } from '../types';
+import type { BaseKibanaFeatureConfig } from '../../types';
+
+const SECURITY_RULE_TYPES = [
+ LEGACY_NOTIFICATIONS_ID,
+ ESQL_RULE_TYPE_ID,
+ EQL_RULE_TYPE_ID,
+ INDICATOR_RULE_TYPE_ID,
+ ML_RULE_TYPE_ID,
+ QUERY_RULE_TYPE_ID,
+ SAVED_QUERY_RULE_TYPE_ID,
+ THRESHOLD_RULE_TYPE_ID,
+ NEW_TERMS_RULE_TYPE_ID,
+];
+
+const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({
+ ruleTypeId,
+ consumers: [SERVER_APP_ID],
+}));
+
+export const getSecurityV3BaseKibanaFeature = ({
+ savedObjects,
+}: SecurityFeatureParams): BaseKibanaFeatureConfig => ({
+ id: SECURITY_FEATURE_ID_V3,
+ name: i18n.translate(
+ 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle',
+ {
+ defaultMessage: 'Security',
+ }
+ ),
+ order: 1100,
+ category: DEFAULT_APP_CATEGORIES.security,
+ scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security],
+ app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
+ catalogue: [APP_ID],
+ management: {
+ insightsAndAlerting: ['triggersActions'],
+ },
+ alerting: alertingFeatures,
+ description: i18n.translate(
+ 'securitySolutionPackages.features.featureRegistry.securityGroupDescription',
+ {
+ defaultMessage:
+ "Each sub-feature privilege in this group must be assigned individually. Global assignment is only supported if your pricing plan doesn't allow individual feature privileges.",
+ }
+ ),
+ privileges: {
+ all: {
+ app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
+ catalogue: [APP_ID],
+ api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'],
+ savedObject: {
+ all: ['alert', ...savedObjects],
+ read: [],
+ },
+ alerting: {
+ rule: { all: alertingFeatures },
+ alert: { all: alertingFeatures },
+ },
+ management: {
+ insightsAndAlerting: ['triggersActions'],
+ },
+ ui: ['show', 'crud'],
+ },
+ read: {
+ app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
+ catalogue: [APP_ID],
+ api: [APP_ID, 'rac', 'lists-read'],
+ savedObject: {
+ all: [],
+ read: [...savedObjects],
+ },
+ alerting: {
+ rule: {
+ read: alertingFeatures,
+ },
+ alert: {
+ all: alertingFeatures,
+ },
+ },
+ management: {
+ insightsAndAlerting: ['triggersActions'],
+ },
+ ui: ['show'],
+ },
+ },
+});
diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts
new file mode 100644
index 0000000000000..3dda2774804b5
--- /dev/null
+++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts
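Review bot: `SECURITY_RULE_TYPES` and the `alertingFeatures` mapping are declared again in this new file although v2_features/kibana_features.ts already builds `alertingFeatures` from the same `SECURITY_RULE_TYPES` (L30), so there are now at least two copies of the list that decides which rule types each feature version may create and read alerts for. A rule type added to one copy but not the other would leave the `alerting` grants of siemV2 and siemV3 out of step, and nothing in the build would notice; hoisting the list and the `map` into a shared module under src/security and importing it from each version removes that failure mode. The rest of the file appears to be the v2 definition minus its `deprecated`/`replacedBy` blocks — hedged, since v2 is only partly visible — and a short header comment stating that siemV3 differs from siemV2 only in its sub-feature privileges (the global artifact management split) would save the next reader a three-way diff.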
@@ -0,0 +1,862 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import type { SubFeatureConfig } from '@kbn/features-plugin/common'; +import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; +import { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from '../../product_features_privileges'; + +import { SecuritySubFeatureId } from '../../product_features_keys'; +import { APP_ID } from '../../constants'; +import type { SecurityFeatureParams } from '../types'; + +const TRANSLATIONS = Object.freeze({ + all: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.allPrivilegeName', + { + defaultMessage: 'All', + } + ), + read: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.readPrivilegeName', + { + defaultMessage: 'Read', + } + ), +}); + +const endpointListSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Endpoint List access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList', + { + defaultMessage: 'Endpoint List', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList.description', + { + defaultMessage: + 'Displays all hosts running Elastic Defend and their relevant integration details.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`], + id: 'endpoint_list_all', + includeIn: 'none', + 
name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeEndpointList', 'readEndpointList'], + }, + { + api: [`${APP_ID}-readEndpointList`], + id: 'endpoint_list_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readEndpointList'], + }, + ], + }, + ], +}); + +const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Trusted Applications access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications', + { + defaultMessage: 'Trusted Applications', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.description', + { + defaultMessage: + 'Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeTrustedApplications`, + `${APP_ID}-readTrustedApplications`, + ], + id: 'trusted_applications_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeTrustedApplications', 'readTrustedApplications'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`], + id: 'trusted_applications_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readTrustedApplications'], + }, + ], + }, + ], +}); +const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Host Isolation Exceptions access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions', + { + defaultMessage: 'Host Isolation Exceptions', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.description', + { + defaultMessage: + 'Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-deleteHostIsolationExceptions`, + `${APP_ID}-readHostIsolationExceptions`, + ], + id: 'host_isolation_exceptions_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['readHostIsolationExceptions', 'deleteHostIsolationExceptions'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`], + id: 'host_isolation_exceptions_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readHostIsolationExceptions'], + }, + ], + }, + ], +}); +const blocklistSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Blocklist access.', + } + ), + name: i18n.translate('securitySolutionPackages.features.featureRegistry.subFeatures.blockList', { + defaultMessage: 'Blocklist', + }), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.description', + { + 
defaultMessage: + 'Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeBlocklist`, + `${APP_ID}-readBlocklist`, + ], + id: 'blocklist_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeBlocklist', 'readBlocklist'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`], + id: 'blocklist_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readBlocklist'], + }, + ], + }, + ], +}); +const eventFiltersSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Event Filters access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters', + { + defaultMessage: 'Event Filters', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.description', + { + defaultMessage: + 'Filter out endpoint events that you do not need or want stored in Elasticsearch.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeEventFilters`, + `${APP_ID}-readEventFilters`, + ], + id: 'event_filters_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeEventFilters', 'readEventFilters'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`], + id: 'event_filters_read', + 
includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readEventFilters'], + }, + ], + }, + ], +}); +const policyManagementSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Policy Management access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement', + { + defaultMessage: 'Elastic Defend Policy Management', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement.description', + { + defaultMessage: + 'Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`], + id: 'policy_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: ['policy-settings-protection-updates-note'], + read: [], + }, + ui: ['writePolicyManagement', 'readPolicyManagement'], + }, + { + api: [`${APP_ID}-readPolicyManagement`], + id: 'policy_management_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: ['policy-settings-protection-updates-note'], + }, + ui: ['readPolicyManagement'], + }, + ], + }, + ], +}); + +const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Response Actions History access.', + } + ), + name: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory', + { + defaultMessage: 'Response Actions History', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory.description', + { + defaultMessage: 'Access the history of response actions performed on endpoints.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`], + id: 'actions_log_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeActionsLogManagement', 'readActionsLogManagement'], + }, + { + api: [`${APP_ID}-readActionsLogManagement`], + id: 'actions_log_management_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readActionsLogManagement'], + }, + ], + }, + ], +}); +const hostIsolationSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Host Isolation access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation', + { + defaultMessage: 'Host Isolation', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation.description', + { defaultMessage: 'Perform the "isolate" and "release" response actions.' 
} + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeHostIsolationRelease`], + id: 'host_isolation_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeHostIsolationRelease'], + }, + ], + }, + ], +}); + +const processOperationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Process Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations', + { + defaultMessage: 'Process Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations.description', + { + defaultMessage: 'Perform process-related response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeProcessOperations`], + id: 'process_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeProcessOperations'], + }, + ], + }, + ], +}); +const fileOperationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for File Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations', + { + defaultMessage: 'File Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations.description', + { + defaultMessage: 'Perform file-related response actions in the 
response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeFileOperations`], + id: 'file_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeFileOperations'], + }, + ], + }, + ], +}); + +// execute operations are not available in 8.7, +// but will be available in 8.8 +const executeActionSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Execute Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations', + { + defaultMessage: 'Execute Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations.description', + { + defaultMessage: 'Perform script execution response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeExecuteOperations`], + id: 'execute_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeExecuteOperations'], + }, + ], + }, + ], +}); + +// 8.15 feature +const scanActionSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Scan Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations', + { + defaultMessage: 'Scan Operations', + } + ), + description: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations.description', + { + defaultMessage: 'Perform folder scan response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeScanOperations`], + id: 'scan_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeScanOperations'], + }, + ], + }, + ], +}); + +const workflowInsightsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Automatic Troubleshooting access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights', + { + defaultMessage: 'Automatic Troubleshooting', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights.description', + { + defaultMessage: 'Access to the automatic troubleshooting.', + } + ), + + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeWorkflowInsights`, `${APP_ID}-readWorkflowInsights`], + id: 'workflow_insights_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeWorkflowInsights', 'readWorkflowInsights'], + }, + { + api: [`${APP_ID}-readWorkflowInsights`], + id: 'workflow_insights_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readWorkflowInsights'], + }, + ], + }, + ], +}); + +const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.privilegesTooltip', + { + 
defaultMessage: 'All Spaces is required for Endpoint Exceptions access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions', + { + defaultMessage: 'Endpoint Exceptions', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description', + { + defaultMessage: 'Manage Endpoint Exceptions.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + id: 'endpoint_exceptions_all', + includeIn: 'all', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, + }, + { + id: 'endpoint_exceptions_read', + includeIn: 'read', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, + }, + ], + }, + ], +}); + +/** + * Writing global (i.e. not per-policy) Artifacts is gated with `Global Artifact Management: ALL`, starting with `siemV3`. + * + * **Role migration implemented:** + * Users, who have been able to write ANY artifact before, are now granted with this privilege to keep existing behavior. 
+ * - for Trusted Apps, Event Filters, Host Isolation Exceptions, Blocklists: the new privilege is added based on `artifact:ALL` sub-feature privilege + * - for Endpoint Exceptions: + * - on Serverless offering, the new privilege is added for Endpoint Exceptions sub-privilege `ALL`, + * - on ESS offering, there is no EE sub-privilege, so the new privilege is added to `siem|siemV2:ALL|MINIMAL_ALL`, + * as these include the Endpoint Exceptions write privilege + * + */ +const globalArtifactManagementSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => { + const GLOBAL_ARTIFACT_MANAGEMENT = i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement', + { defaultMessage: 'Global Artifact Management' } + ); + + const COMING_SOON = i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.comingSoon', + { defaultMessage: '(coming soon)' } + ); + + const name = experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? GLOBAL_ARTIFACT_MANAGEMENT + : `${GLOBAL_ARTIFACT_MANAGEMENT} ${COMING_SOON}`; + + return { + requireAllSpaces: false, + privilegesTooltip: undefined, + name, + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.description', + { + defaultMessage: + 'Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) ' + + 'across all policies. 
This privilege controls global assignment rights only; privileges for each ' + + 'artifact type are required for full artifact management.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeGlobalArtifacts`], + id: 'global_artifact_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeGlobalArtifacts'], + }, + ], + }, + ], + }; +}; + +/** + * Sub-features that will always be available for Security + * regardless of the product type. + */ +export const getSecurityV3BaseKibanaSubFeatureIds = ( + { experimentalFeatures }: SecurityFeatureParams // currently un-used, but left here as a convenience for possible future use +): SecuritySubFeatureId[] => []; + +/** + * Defines all the Security Assistant subFeatures available. + * The order of the subFeatures is the order they will be displayed + */ + +export const getSecurityV3SubFeaturesMap = ({ + experimentalFeatures, +}: SecurityFeatureParams): Map => { + const enableSpaceAwarenessIfNeeded = (subFeature: SubFeatureConfig): SubFeatureConfig => { + if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { + subFeature.requireAllSpaces = false; + subFeature.privilegesTooltip = undefined; + } + + return subFeature; + }; + + const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ + [SecuritySubFeatureId.endpointList, enableSpaceAwarenessIfNeeded(endpointListSubFeature())], + [ + SecuritySubFeatureId.endpointExceptions, + enableSpaceAwarenessIfNeeded(endpointExceptionsSubFeature()), + ], + + [ + SecuritySubFeatureId.globalArtifactManagement, + enableSpaceAwarenessIfNeeded(globalArtifactManagementSubFeature(experimentalFeatures)), + ], + + [ + SecuritySubFeatureId.trustedApplications, + enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()), + ], + [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + 
enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature()), + ], + [SecuritySubFeatureId.blocklist, enableSpaceAwarenessIfNeeded(blocklistSubFeature())], + [SecuritySubFeatureId.eventFilters, enableSpaceAwarenessIfNeeded(eventFiltersSubFeature())], + + [ + SecuritySubFeatureId.policyManagement, + enableSpaceAwarenessIfNeeded(policyManagementSubFeature()), + ], + [ + SecuritySubFeatureId.responseActionsHistory, + enableSpaceAwarenessIfNeeded(responseActionsHistorySubFeature()), + ], + [SecuritySubFeatureId.hostIsolation, enableSpaceAwarenessIfNeeded(hostIsolationSubFeature())], + [ + SecuritySubFeatureId.processOperations, + enableSpaceAwarenessIfNeeded(processOperationsSubFeature()), + ], + [SecuritySubFeatureId.fileOperations, enableSpaceAwarenessIfNeeded(fileOperationsSubFeature())], + [SecuritySubFeatureId.executeAction, enableSpaceAwarenessIfNeeded(executeActionSubFeature())], + [SecuritySubFeatureId.scanAction, enableSpaceAwarenessIfNeeded(scanActionSubFeature())], + ]; + + // Use the following code to add feature based on feature flag + // if (experimentalFeatures.featureFlagName) { + // securitySubFeaturesList.push([SecuritySubFeatureId.featureId, featureSubFeature]); + // } + + if (experimentalFeatures.defendInsights) { + // place with other All/Read/None options + securitySubFeaturesList.splice(1, 0, [ + SecuritySubFeatureId.workflowInsights, + enableSpaceAwarenessIfNeeded(workflowInsightsSubFeature()), + ]); + } + + const securitySubFeaturesMap = new Map( + securitySubFeaturesList + ); + + return Object.freeze(securitySubFeaturesMap); +}; diff --git a/x-pack/solutions/security/packages/features/src/types.ts b/x-pack/solutions/security/packages/features/src/types.ts index b40cace936e20..1d7dd25455bf6 100644 --- a/x-pack/solutions/security/packages/features/src/types.ts +++ b/x-pack/solutions/security/packages/features/src/types.ts 
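Review bot: `Object.freeze(securitySubFeaturesMap)` at the end of `getSecurityV3SubFeaturesMap` does not make the map immutable — `freeze` only locks the object's own properties, and `Map.prototype.set`/`delete` still mutate the entries — so callers can still alter the privilege definitions after they are built. If an immutable registry is the intent, return it typed as `ReadonlyMap<SecuritySubFeatureId, SubFeatureConfig>` and drop the misleading `freeze`, or leave a comment stating the freeze is only a signal of intent. Likewise `enableSpaceAwarenessIfNeeded` mutates the config it receives; that is safe here only because every config is freshly built by its factory, and a one-line comment saying so would stop someone passing a shared config later. Separately, the doc block above `globalArtifactManagementSubFeature` should spell out what happens when `endpointManagementSpaceAwarenessEnabled` is false: the `writeGlobalArtifacts` privilege is still registered (only the name gains "(coming soon)"), and it is not visible from this file whether anything enforces it in that state.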
@@ -35,6 +35,15 @@ export type ProductFeatureKibanaConfig = RecursivePartial & { subFeatureIds?: T[]; subFeaturesPrivileges?: SubFeaturesPrivileges[]; + + /** An option for product features to modify the base kibana feature. + * + * @param baseFeatureConfig + * @returns modified baseFeatureConfig + */ + baseFeatureConfigModifier?: ( + baseFeatureConfig: BaseKibanaFeatureConfig + ) => BaseKibanaFeatureConfig; }; export type ProductFeaturesConfig = Map< ProductFeatureKeyType, diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx index 30b3f01808724..dbf4dcf1fb23a 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx @@ -20,6 +20,7 @@ import { useCspIntegrationLink } from '../../common/navigation/use_csp_integrati import { useLicenseManagementLocatorApi } from '../../common/api/use_license_management_locator_api'; import { useCspBenchmarkIntegrationsV2 } from '../benchmarks/use_csp_benchmark_integrations'; import * as TEST_SUBJECTS from './test_subjects'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; jest.mock('@kbn/cloud-security-posture/src/hooks/use_csp_setup_status_api'); jest.mock('../../common/api/use_license_management_locator_api'); @@ -47,7 +48,7 @@ const getTestComponent = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: true }, + [SECURITY_FEATURE_ID]: { crud: true }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx index a5c5a534db189..c89e259391c91 100644 
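Review bot: The new `baseFeatureConfigModifier` hook on `ProductFeatureKibanaConfig` lets a product feature rewrite the whole base Kibana feature (its `privileges`, `api` tags and `savedObject` access), but its doc comment only says "modify the base kibana feature". It should state the contract a reviewer needs: whether the modifier must return a new object or may mutate `baseFeatureConfig` in place, that it is applied before feature registration, and that the result is not validated against the original (if that is the case — where it is invoked is not visible in this hunk), so implementers must not widen privileges beyond what the product tier allows. The enclosing `ProductFeatureKibanaConfig` type starts before this hunk.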
--- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx @@ -16,6 +16,7 @@ import { TestProvider } from '../../test/test_provider'; import type { CspBenchmarkRule } from '@kbn/cloud-security-posture-common/schema/rules/latest'; import { useParams } from 'react-router-dom'; import { coreMock } from '@kbn/core/public/mocks'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; const chance = new Chance(); @@ -47,7 +48,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx index ed9b45c88d55b..39f9d3eb0ed2c 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx @@ -22,6 +22,7 @@ import { import { useChangeCspRuleState } from './use_change_csp_rule_state'; import userEvent from '@testing-library/user-event'; import { RULES_TABLE } from './test_subjects'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; const queryClient = new QueryClient({ defaultOptions: { @@ -41,7 +42,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; 
diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx index 5226731ff2f0f..6c1ed280a6da9 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx @@ -16,6 +16,7 @@ import userEvent from '@testing-library/user-event'; import { useChangeCspRuleState } from './use_change_csp_rule_state'; import { QueryClient, QueryClientProvider } from '@tanstack/react-query'; import { selectRulesMock } from './__mocks__'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; jest.mock('./use_change_csp_rule_state'); @@ -37,7 +38,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts new file mode 100644 index 0000000000000..b1b7f9298e31c --- /dev/null +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const SECURITY_FEATURE_ID = 'siemV3'; diff --git a/x-pack/solutions/security/plugins/security_solution/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/common/constants.ts index 20375aaa525b2..4ee017be3f70c 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/constants.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/common/constants.ts @@ -25,7 +25,7 @@ export const CASES_FEATURE_ID = 'securitySolutionCasesV3' as const; export const TIMELINE_FEATURE_ID = 'securitySolutionTimeline' as const; export const NOTES_FEATURE_ID = 'securitySolutionNotes' as const; export const SERVER_APP_ID = 'siem' as const; -export const SECURITY_FEATURE_ID = 'siemV2' as const; +export const SECURITY_FEATURE_ID = 'siemV3' as const; export const APP_NAME = 'Security' as const; export const APP_ICON_SOLUTION = 'logoSecurity' as const; export const APP_PATH = `/app/security` as const; diff --git a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json index 484884a8259b4..2447c3e1ea8a4 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json +++ b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json @@ -27,7 +27,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["none"], "securitySolutionAttackDiscovery": ["none"], "securitySolutionCasesV2": ["read"], @@ -78,7 +78,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -129,7 +129,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -152,7 +152,7 @@ "kibana": [ { "feature": { - "siemV2": ["read"] + "siemV3": ["read"] }, "spaces": ["*"], "base": [] 
@@ -202,7 +202,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -258,7 +258,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx index c19d307d6334d..16dd7cdc34f32 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx @@ -16,7 +16,7 @@ import React from 'react'; import useLocalStorage from 'react-use/lib/useLocalStorage'; import { TestProviders } from '../../common/mock'; -import { ATTACK_DISCOVERY_PATH } from '../../../common/constants'; +import { ATTACK_DISCOVERY_PATH, SECURITY_FEATURE_ID } from '../../../common/constants'; import { mockHistory } from '../../common/utils/route/mocks'; import { AttackDiscoveryPage } from '.'; import { mockTimelines } from '../../common/mock/mock_timelines_plugin'; 
@@ -64,15 +64,18 @@ jest.mock(
 })
 );
+const mockSecurityCapabilities = [`${SECURITY_FEATURE_ID}.show`];
+
 jest.mock('../../common/links', () => ({
- useLinkInfo: jest.fn().mockReturnValue({
- capabilities: ['siemV2.show'],
- globalNavPosition: 4,
- globalSearchKeywords: ['Attack discovery'],
- id: 'attack_discovery',
- path: '/attack_discovery',
- title: 'Attack discovery',
- }),
+ useLinkInfo: () =>
+ jest.fn().mockReturnValue({
+ capabilities: mockSecurityCapabilities,
+ globalNavPosition: 4,
+ globalSearchKeywords: ['Attack discovery'],
+ id: 'attack_discovery',
+ path: '/attack_discovery',
+ title: 'Attack discovery',
+ }),
 }));
 jest.mock('./use_attack_discovery', () => ({
@@ -108,81 +111,82 @@ const mockDataViewsService = {
 const mockUpselling = new UpsellingService();
+const mockUseKibanaReturnValue = {
+ services: {
+ application: {
+ capabilities: {
+ [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true },
+ },
+ navigateToUrl: jest.fn(),
+ },
+ cases: {
+ helpers: {
+ canUseCases: jest.fn().mockReturnValue({
+ all: true,
+ connectors: true,
+ create: true,
+ delete: true,
+ push: true,
+ read: true,
+ settings: true,
+ update: true,
+ }),
+ },
+ hooks: {
+ useCasesAddToExistingCase: jest.fn(),
+ useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }),
+ useCasesAddToNewCaseFlyout: jest.fn(),
+ },
+ ui: { getCasesContext: mockCasesContext },
+ },
+ data: {
+ query: {
+ filterManager: mockFilterManager,
+ },
+ },
+ dataViews: mockDataViewsService,
+ docLinks: {
+ links: {
+ [SECURITY_FEATURE_ID]: {
+ privileges: 'link',
+ },
+ },
+ },
+ featureFlags: {
+ getBooleanValue: jest.fn().mockReturnValue(false), // legacy view enabled
+ },
+ notifications: jest.fn().mockReturnValue({
+ addError: jest.fn(),
+ addSuccess: jest.fn(),
+ addWarning: jest.fn(),
+ remove: jest.fn(),
+ }),
+ sessionView: {
+ getSessionView: jest.fn(() =>
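Review bot: The rewritten `useLinkInfo` mock returns a mock function instead of the link-info object: `useLinkInfo: () => jest.fn().mockReturnValue({...})` makes `useLinkInfo()` evaluate to a `jest.fn()`, so `capabilities`, `path` and `title` are only reachable by calling that result again and anything reading `useLinkInfo(id)?.capabilities` in the page sees `undefined`. The arrow wrapper looks intended to defer the reference to `mockSecurityCapabilities` until call time (the `jest.mock` factory is hoisted above that `const`), but the deferral does not need the extra `jest.fn()` layer. `useLinkInfo: jest.fn(() => ({ capabilities: mockSecurityCapabilities, globalNavPosition: 4, globalSearchKeywords: ['Attack discovery'], id: 'attack_discovery', path: '/attack_discovery', title: 'Attack discovery' })),` keeps a mock you can assert on and returns the object directly. Worth checking whether the privilege-gated assertions in this file currently pass for the right reason with the present shape.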
), + }, + storage: { + get: jest.fn(), + set: jest.fn(), + }, + theme: { + getTheme: jest.fn().mockReturnValue({ darkMode: false }), + }, + timelines: { ...mockTimelines }, + triggersActionsUi: { + alertsTableConfigurationRegistry: {}, + getAlertsStateTable: () => <>, + }, + uiSettings: { + get: jest.fn(), + }, + }, +}; jest.mock('../../common/lib/kibana', () => { const original = jest.requireActual('../../common/lib/kibana'); return { ...original, - useKibana: () => ({ - services: { - application: { - capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, - }, - navigateToUrl: jest.fn(), - }, - cases: { - helpers: { - canUseCases: jest.fn().mockReturnValue({ - all: true, - connectors: true, - create: true, - delete: true, - push: true, - read: true, - settings: true, - update: true, - }), - }, - hooks: { - useCasesAddToExistingCase: jest.fn(), - useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), - useCasesAddToNewCaseFlyout: jest.fn(), - }, - ui: { getCasesContext: mockCasesContext }, - }, - data: { - query: { - filterManager: mockFilterManager, - }, - }, - dataViews: mockDataViewsService, - docLinks: { - links: { - siemV2: { - privileges: 'link', - }, - }, - }, - featureFlags: { - getBooleanValue: jest.fn().mockReturnValue(false), // legacy view enabled - }, - notifications: jest.fn().mockReturnValue({ - addError: jest.fn(), - addSuccess: jest.fn(), - addWarning: jest.fn(), - remove: jest.fn(), - }), - sessionView: { - getSessionView: jest.fn(() =>
), - }, - storage: { - get: jest.fn(), - set: jest.fn(), - }, - theme: { - getTheme: jest.fn().mockReturnValue({ darkMode: false }), - }, - timelines: { ...mockTimelines }, - triggersActionsUi: { - alertsTableConfigurationRegistry: {}, - getAlertsStateTable: () => <>, - }, - uiSettings: { - get: jest.fn(), - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, useToasts: jest.fn().mockReturnValue({ addError: jest.fn(), addSuccess: jest.fn(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx index 033261a1e0ab9..d110a0c2b9495 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx @@ -18,6 +18,7 @@ import { useKibana } from '../../../common/lib/kibana'; import { TestProviders } from '../../../common/mock'; import { mockAttackDiscovery } from '../mock/mock_attack_discovery'; import { Results } from '.'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; jest.mock('../../../common/lib/kibana'); @@ -101,7 +102,7 @@ describe('Results', () => { services: { application: { capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, navigateToUrl: jest.fn(), }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx index bba8b76ad8377..2699e9b22a16b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx 
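Review bot: Replacing the inline `useKibana: () => ({ ... })` factory with one module-level `mockUseKibanaReturnValue` changes the lifetime of every `jest.fn()` inside it (`navigateToUrl`, `canUseCases`, `notifications`, `storage.get`/`set`, `getBooleanValue`): they were created fresh on each `useKibana()` call before and are now a single instance shared by every test in the file, so call counts and `mockReturnValue` overrides carry over between tests. Nothing in the hunk resets them; unless the jest config sets `clearMocks`/`resetMocks`, a `beforeEach(() => jest.clearAllMocks())` or a factory `const getMockUseKibanaReturnValue = () => ({ ... })` invoked from `useKibana` would restore isolation. The same refactor appears in actions.test.tsx, alert_context_menu.test.tsx and detection_engine.test.tsx in this change, so whichever fix is chosen should be applied to all of them.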
+++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx
@@ -20,6 +20,7 @@ import { Actions } from './actions';
 import { initialUserPrivilegesState as mockInitialUserPrivilegesState } from '../user_privileges/user_privileges_context';
 import { useUserPrivileges } from '../user_privileges';
 import { useHiddenByFlyout } from '../guided_onboarding_tour/use_hidden_by_flyout';
+import { SECURITY_FEATURE_ID } from '../../../../common/constants';
 const useHiddenByFlyoutMock = useHiddenByFlyout as jest.Mock;
 jest.mock('../guided_onboarding_tour/use_hidden_by_flyout', () => ({
@@ -52,26 +53,27 @@ jest.mock('./add_note_icon_item', () => {
 };
 });
+const mockUseKibanaReturnValue = {
+ services: {
+ application: {
+ navigateToApp: jest.fn(),
+ getUrlForApp: jest.fn(),
+ capabilities: {
+ [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true },
+ },
+ },
+ cases: mockCasesContract(),
+ savedObjects: {
+ client: {},
+ },
+ },
+};
 jest.mock('../../lib/kibana', () => {
 const originalKibanaLib = jest.requireActual('../../lib/kibana');
 return {
 ...originalKibanaLib,
- useKibana: () => ({
- services: {
- application: {
- navigateToApp: jest.fn(),
- getUrlForApp: jest.fn(),
- capabilities: {
- siemV2: { crud_alerts: true, read_alerts: true },
- },
- },
- cases: mockCasesContract(),
- savedObjects: {
- client: {},
- },
- },
- }),
+ useKibana: () => mockUseKibanaReturnValue,
 useToasts: jest.fn().mockReturnValue({
 addError: jest.fn(),
 addSuccess: jest.fn(),
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts
index 1711e4f224411..116df0d93d260 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts
@@ -18,6 +18,7 @@ import { licenseService } from '../../../hooks/use_license';
 import { useEndpointPrivileges } from './use_endpoint_privileges';
 import { getEndpointPrivilegesInitialStateMock } from './mocks';
 import { getEndpointPrivilegesInitialState } from './utils';
+import { SECURITY_FEATURE_ID } from '../../../../../common/constants';
 jest.mock('../../../lib/kibana');
 jest.mock('../../../hooks/use_license', () => {
@@ -53,7 +54,7 @@ describe('When using useEndpointPrivileges hook', () => {
 catalogue: {},
 management: {},
 navLinks: {},
- siemV2: {
+ [SECURITY_FEATURE_ID]: {
 crud: true,
 show: true,
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx
index 0783033495503..006bf80de8ef3 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx
@@ -31,7 +31,11 @@ import {
 } from '../lib/kibana/kibana_react.mock';
 import type { FieldHook } from '../../shared_imports';
 import { localStorageMock } from './mock_local_storage';
-import { ASSISTANT_FEATURE_ID, CASES_FEATURE_ID } from '../../../common/constants';
+import {
+ ASSISTANT_FEATURE_ID,
+ CASES_FEATURE_ID,
+ SECURITY_FEATURE_ID,
+} from '../../../common/constants';
 import { UserPrivilegesProvider } from '../components/user_privileges/user_privileges_context';
 import { MockDiscoverInTimelineContext } from '../components/discover_in_timeline/mocks/discover_in_timeline_provider';
 import { createMockStore } from './create_store';
@@ -140,7 +144,7 @@ const TestProvidersWithPrivilegesComponent: React.FC = ({ ({ - useKibana: jest.fn().mockReturnValue({ - services: { - application: { - getUrlForApp: jest.fn(), - capabilities: { - siemV2: { - crud: true, - }, - actions: { - read: true, - }, +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; + +const mockUseKibana = jest.fn().mockReturnValue({ + services: { + application: { + getUrlForApp: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { + crud: true, + }, + actions: { + read: true, }, - }, - triggersActionsUi: { - actionTypeRegistry: jest.fn(), }, }, - }), + triggersActionsUi: { + actionTypeRegistry: jest.fn(), + }, + }, +}); +jest.mock('../../../../common/lib/kibana', () => ({ + useKibana: () => mockUseKibana(), })); jest.mock('../../../../common/hooks/use_experimental_features', () => ({ diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx index e51dcb6f57cde..d0fb84d9627c2 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx @@ -16,6 +16,7 @@ import { initialUserPrivilegesState as mockInitialUserPrivilegesState } from '.. import { useUserPrivileges } from '../../../../common/components/user_privileges'; import { TableId } from '@kbn/securitysolution-data-table'; import { TimelineId } from '../../../../../common/types/timeline'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; jest.mock('../../../../common/components/user_privileges'); 
@@ -61,6 +62,30 @@ const props = {
 timelineId: 'alerts-page',
 };
+const mockUseKibanaReturnValue = {
+ services: {
+ timelines: { ...mockTimelines },
+ application: {
+ capabilities: { [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true } },
+ },
+ cases: {
+ ...mockCasesContract(),
+ helpers: {
+ canUseCases: jest.fn().mockReturnValue({
+ all: true,
+ create: true,
+ read: true,
+ update: true,
+ delete: true,
+ push: true,
+ createComment: true,
+ reopenCase: true,
+ }),
+ getRuleIdFromEvent: jest.fn(),
+ },
+ },
+ },
+};
 jest.mock('../../../../common/lib/kibana', () => {
 const original = jest.requireActual('../../../../common/lib/kibana');
@@ -72,30 +97,7 @@ jest.mock('../../../../common/lib/kibana', () => {
 addWarning: jest.fn(),
 remove: jest.fn(),
 }),
- useKibana: () => ({
- services: {
- timelines: { ...mockTimelines },
- application: {
- capabilities: { siemV2: { crud_alerts: true, read_alerts: true } },
- },
- cases: {
- ...mockCasesContract(),
- helpers: {
- canUseCases: jest.fn().mockReturnValue({
- all: true,
- create: true,
- read: true,
- update: true,
- delete: true,
- push: true,
- createComment: true,
- reopenCase: true,
- }),
- getRuleIdFromEvent: jest.fn(),
- },
- },
- },
- }),
+ useKibana: () => mockUseKibanaReturnValue,
 };
 });
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx
index 2db975340ca4e..af3d69508bc69 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx
@@ -15,6 +15,7 @@ import * as api from '../../containers/detection_engine/alerts/api'; import { TestProviders } from '../../../common/mock/test_providers'; import { UserPrivilegesProvider } from '../../../common/components/user_privileges/user_privileges_context'; import { sourcererSelectors } from '../../../common/store'; +import { SECURITY_FEATURE_ID } from '../../../../common'; jest.mock('../../../common/lib/kibana'); jest.mock('../../containers/detection_engine/alerts/api'); @@ -26,7 +27,7 @@ describe('useUserInfo', () => { services: { application: { capabilities: { - siemV2: { + [SECURITY_FEATURE_ID]: { crud: true, }, }, @@ -68,7 +69,9 @@ describe('useUserInfo', () => { const wrapper = ({ children }: React.PropsWithChildren) => ( {children} diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx index f5b67bb90e8f5..0d5e8cec24b45 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx @@ -24,6 +24,7 @@ import * as alertFilterControlsPackage from '@kbn/alerts-ui-shared/src/alert_fil import { DetectionEnginePage } from './detection_engine'; import { TableId } from '@kbn/securitysolution-data-table'; import { useUpsellingMessage } from '../../../common/hooks/use_upselling'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; // Test will fail because we will to need to mock some core services to make the test work // For now let's forget about SiemSearchBar and QueryBar 
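Review bot: The new import takes `SECURITY_FEATURE_ID` from the `'../../../../common'` package index, while every other test touched in this change and `helpers_access.ts` import it from `common/constants`. Going through the index presumably re-exports the same constant, but it pulls the whole `common` module graph into a test that needs one string, and barrel imports are a frequent source of circular-import surprises under jest module mocking; suggest `import { SECURITY_FEATURE_ID } from '../../../../common/constants';`. `helper_hooks.tsx` in the same change uses the equivalent `'../common'` form and could be aligned at the same time.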
@@ -77,59 +78,60 @@ const mockDataViewsService = { clearInstanceCache: () => Promise.resolve(), }; +const mockUseKibanaReturnValue = { + services: { + application: { + navigateToUrl: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + }, + }, + dataViews: mockDataViewsService, + cases: { + ui: { getCasesContext: mockCasesContext }, + }, + timelines: { ...mockTimelines }, + data: { + query: { + filterManager: mockFilterManager, + }, + }, + docLinks: { + links: { + [SECURITY_FEATURE_ID]: { + privileges: 'link', + }, + }, + }, + storage: { + get: jest.fn(), + set: jest.fn(), + }, + triggersActionsUi: { + alertsTableConfigurationRegistry: {}, + getAlertsStateTable: () => <>, + }, + sessionView: { + getSessionView: jest.fn(() =>
), + }, + notifications: { + toasts: { + addWarning: jest.fn(), + addError: jest.fn(), + addSuccess: jest.fn(), + addDanger: jest.fn(), + remove: jest.fn(), + }, + }, + }, +}; jest.mock('../../../common/lib/kibana', () => { const original = jest.requireActual('../../../common/lib/kibana'); return { ...original, useUiSetting$: jest.fn().mockReturnValue([]), - useKibana: () => ({ - services: { - application: { - navigateToUrl: jest.fn(), - capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, - }, - }, - dataViews: mockDataViewsService, - cases: { - ui: { getCasesContext: mockCasesContext }, - }, - timelines: { ...mockTimelines }, - data: { - query: { - filterManager: mockFilterManager, - }, - }, - docLinks: { - links: { - siemV2: { - privileges: 'link', - }, - }, - }, - storage: { - get: jest.fn(), - set: jest.fn(), - }, - triggersActionsUi: { - alertsTableConfigurationRegistry: {}, - getAlertsStateTable: () => <>, - }, - sessionView: { - getSessionView: jest.fn(() =>
), - }, - notifications: { - toasts: { - addWarning: jest.fn(), - addError: jest.fn(), - addSuccess: jest.fn(), - addDanger: jest.fn(), - remove: jest.fn(), - }, - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, useToasts: jest.fn().mockReturnValue({ addError: jest.fn(), addSuccess: jest.fn(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx index 21f66ea713118..db2f192f59bb5 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx @@ -18,6 +18,7 @@ import { NetworkRoutes } from './navigation'; import { mockCasesContract } from '@kbn/cases-plugin/public/mocks'; import { InputsModelId } from '../../../common/store/inputs/constants'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; jest.mock('../../../common/components/empty_prompt'); jest.mock('../../../sourcerer/containers'); @@ -77,6 +78,9 @@ const mockProps = { const mockMapVisibility = jest.fn(); const mockNavigateToApp = jest.fn(); +const mockSecurityCapabilities = { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, +}; jest.mock('../../../common/lib/kibana', () => { const original = jest.requireActual('../../../common/lib/kibana'); @@ -88,7 +92,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { ...original.useKibana().services.application, capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + ...mockSecurityCapabilities, maps_v2: mockMapVisibility(), }, navigateToApp: mockNavigateToApp, 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx
index d862c6c09e62b..92ccd0b51f65f 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx
@@ -28,6 +28,7 @@ import {
 ALERT_TAGS_CONTEXT_MENU_ITEM_TITLE,
 } from '../../../../common/components/toolbar/bulk_actions/translations';
 import { FLYOUT_FOOTER_DROPDOWN_BUTTON_TEST_ID } from './test_ids';
+import { SECURITY_FEATURE_ID } from '../../../../../common/constants';
 jest.mock('../../../../common/components/endpoint/host_isolation');
 jest.mock('../../../../common/components/endpoint/responder');
@@ -108,7 +109,10 @@ describe('take action dropdown', () => {
 isOsqueryAvailable: jest.fn().mockReturnValue(true),
 },
 application: {
- capabilities: { siemV2: { crud_alerts: true, read_alerts: true }, osquery: true },
+ capabilities: {
+ [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true },
+ osquery: true,
+ },
 },
 },
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx b/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx
index c22513a989a06..bb5a4d1a9e991 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx
+++ b/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx
@@ -7,6 +7,7 @@
 import { useCallback, useState } from 'react';
 import { useKibana } from './common/lib/kibana';
+import { SECURITY_FEATURE_ID } from '../common';
 export const useOnOpenCloseHandler = (): [boolean, () => void, () => void] => {
 const [isOpen, setIsOpen] = useState(false);
@@ -27,5 +28,5 @@ export const useOnOpenCloseHandler = (): [boolean, () => void, () => void] => {
 */
 export const useHasSecurityCapability = (capability: string): boolean => {
 const { capabilities } = useKibana().services.application;
- return !!capabilities.siemV2[capability];
+ return !!capabilities[SECURITY_FEATURE_ID][capability];
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts b/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts
index 6c2247e8fce96..3141578680a20 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts
@@ -9,7 +9,6 @@ import { SECURITY_FEATURE_ID, CASES_FEATURE_ID } from '../common/constants';
 export function hasAccessToSecuritySolution(capabilities: Capabilities): boolean {
 return Boolean(
- // Using `siemV2`
 capabilities[SECURITY_FEATURE_ID]?.show ||
 capabilities.securitySolutionAttackDiscovery?.['attack-discovery']
 );
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts
index 0266914a17182..f7d402bdc4f62 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts
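Review bot: `capabilities[SECURITY_FEATURE_ID][capability]` dereferences the feature entry unconditionally, so if the `siemV3` key can be absent from the capabilities object (a project tier or role where the feature is not registered, or a test mock still keyed on `siemV2`) the hook throws a TypeError instead of answering `false`; this was already true of `capabilities.siemV2[capability]`, but the migration is the natural moment to close it. `helpers_access.ts` in this same change already guards the identical lookup with optional chaining (`capabilities[SECURITY_FEATURE_ID]?.show`), so for consistency and fail-closed behavior: `return !!capabilities[SECURITY_FEATURE_ID]?.[capability];`. Whether Kibana always populates an entry for a registered-but-ungranted feature is not visible here, so the guard is cheap insurance either way.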
@@ -20,3 +20,19 @@ export const KIBANA_KNOWN_DEFAULT_ACCOUNTS = {
 system_indices_superuser: 'system_indices_superuser',
 admin: 'admin',
 } as const;
+
+/**
+ * Siem feature versions to test.
+ *
+ * When a new `siem` version is implemented, please update the list below.
+ */
+export const SIEM_VERSIONS = [
+ // deprecated siem versions
+ 'siem',
+ 'siemV2',
+
+ // actual version, should equal to SECURITY_FEATURE_ID
+ 'siemV3',
+] as const;
+
+export type SiemVersion = (typeof SIEM_VERSIONS)[number];
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts
index b6232dc052e3b..3903d82c1c830 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts
@@ -20,6 +20,7 @@ import { login, ROLE } from '../../tasks/login';
 import { performUserActions } from '../../tasks/perform_user_actions';
 import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts';
 import type { ReturnTypeFromChainable } from '../../types';
+import { SECURITY_FEATURE_ID } from '../../../../../common/constants';
 const loginWithPrivilegeAll = () => {
 login(ROLE.endpoint_policy_manager);
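Review bot: The comment `// actual version, should equal to SECURITY_FEATURE_ID` above `'siemV3'` is a manual invariant that nothing checks, so the next feature-ID bump can update `common/constants.ts` and leave this list (and every spec keyed on `SiemVersion`) silently testing a stale ID. If this cypress module may import from the plugin's `common/constants` (the e2e specs in this change do, e.g. `'../../../../../common/constants'`), make the last entry `SECURITY_FEATURE_ID,` instead of the literal and reword the comment to `// current version (must equal SECURITY_FEATURE_ID)`; `as const` still narrows it to `'siemV3'`, so `SiemVersion` is unchanged. Grammar nit in the same comment: `should equal to` → `must equal`.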
@@ -45,9 +46,9 @@ const getRoleWithoutArtifactPrivilege = (privilegePrefix: string) => {
 ...endpointSecurityPolicyManagerRole.kibana[0],
 feature: {
 ...endpointSecurityPolicyManagerRole.kibana[0].feature,
- siemV2: endpointSecurityPolicyManagerRole.kibana[0].feature.siemV2.filter(
- (privilege) => privilege !== `${privilegePrefix}all`
- ),
+ [SECURITY_FEATURE_ID]: endpointSecurityPolicyManagerRole.kibana[0].feature[
+ SECURITY_FEATURE_ID
+ ].filter((privilege) => privilege !== `${privilegePrefix}all`),
 },
 },
 ],
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts
deleted file mode 100644
index b5c41d1e66faf..0000000000000
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts
+++ /dev/null
@@ -1,180 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { getRoleWithArtifactReadPrivilege } from '../../fixtures/role_with_artifact_read_privilege'; -import { login, ROLE } from '../../tasks/login'; -import { loadPage } from '../../tasks/common'; - -import { getArtifactsListTestsData } from '../../fixtures/artifacts_page'; -import { - createArtifactList, - createPerPolicyArtifact, - removeAllArtifacts, -} from '../../tasks/artifacts'; -import { performUserActions } from '../../tasks/perform_user_actions'; -import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; -import type { ReturnTypeFromChainable } from '../../types'; - -const loginWithWriteAccess = (url: string) => { - login(ROLE.endpoint_policy_manager); - loadPage(url); -}; - -const loginWithReadAccess = (privilegePrefix: string, url: string) => { - const roleWithArtifactReadPrivilege = getRoleWithArtifactReadPrivilege(privilegePrefix); - login.withCustomRole({ name: 'roleWithArtifactReadPrivilege', ...roleWithArtifactReadPrivilege }); - loadPage(url); -}; - -const loginWithoutAccess = (url: string) => { - login(ROLE.t1_analyst); - loadPage(url); -}; - -describe('Artifacts pages', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, () => { - let endpointData: ReturnTypeFromChainable | undefined; - - before(() => { - indexEndpointHosts().then((indexEndpoints) => { - endpointData = indexEndpoints; - }); - }); - - beforeEach(() => { - removeAllArtifacts(); - }); - - after(() => { - removeAllArtifacts(); - - endpointData?.cleanup(); - endpointData = undefined; - }); - - for (const testData of getArtifactsListTestsData()) { - describe(`When on the ${testData.title} entries list`, () => { - describe('given there are no artifacts yet', () => { - it(`no access - 
should show no privileges callout`, () => { - loginWithoutAccess(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj('noPrivilegesPage').should('exist'); - cy.getByTestSubj('empty-page-feature-action').should('exist'); - cy.getByTestSubj(testData.emptyState).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - }); - - it( - `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` - ); - cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - } - ); - - it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); - }); - - it(`write - should create new ${testData.title} entry`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - // Opens add flyout - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); - - performUserActions(testData.create.formActions); - - // Submit create artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - - // Check new artifact is in the list - for (const checkResult of testData.create.checkResults) { - cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } - - // Title is shown after adding an item - cy.getByTestSubj('header-page-title').contains(testData.title); - }); - }); - - describe('given there is an existing 
artifact', () => { - beforeEach(() => { - createArtifactList(testData.createRequestBody.list_id); - createPerPolicyArtifact(testData.artifactName, testData.createRequestBody); - }); - - it( - `read - should not be able to update/delete an existing ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` - ); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( - 'not.exist' - ); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should('not.exist'); - } - ); - - it( - `read - should not be able to create a new ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` - ); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); - } - ); - - it(`write - should be able to update an existing ${testData.title} entry`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - // Opens edit flyout - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); - - performUserActions(testData.update.formActions); - - // Submit edit artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - - for (const checkResult of testData.update.checkResults) { - cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } - - // Title still shown 
after editing an item
- cy.getByTestSubj('header-page-title').contains(testData.title);
- });
-
- it(`write - should be able to delete the existing ${testData.title} entry`, () => {
- loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`);
- // Remove it
- cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click();
- cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click();
- cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click();
- // No card visible after removing it
- cy.getByTestSubj(testData.delete.card).should('not.exist');
- // Empty state is displayed after removing last item
- cy.getByTestSubj(testData.emptyState).should('exist');
- });
- });
- });
- }
-});
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts
new file mode 100644
index 0000000000000..a71104f41af05
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Blocklist RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('blocklists'))
+);
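Review bot: The read-only cases in the deleted `artifacts_mocked_data.cy.ts` were individually tagged `{ tags: ['@skipInServerless'] }` with the comment `// there is no such role in Serverless environment that only reads artifacts`; this replacement keeps only the suite-level `['@ess', '@serverless', '@skipInServerlessMKI']`, so whether those `read -` cases are still skipped on serverless now depends entirely on `getArtifactMockedDataTests` in `support/artifacts_rbac_runner`, which is not in this diff. Worth confirming the runner still applies that per-test tag, otherwise the read-only cases will run against a serverless role that does not exist. The same applies to the three sibling `*_rbac.cy.ts` files added in this change. Minor style: the blank line between `{ tags: [...] },` and the `getArtifactMockedDataTests(...)` argument is stray.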
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts
new file mode 100644
index 0000000000000..12d31adadc11c
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Event filters RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('eventFilters'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts
new file mode 100644
index 0000000000000..880ea031924f9
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Host Isolation Exceptions RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('hostIsolationExceptions'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts
new file mode 100644
index 0000000000000..a00fbf52a7bda
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Trusted apps RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedApps'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts
deleted file mode 100644
index 42874e420138c..0000000000000
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts
+++ /dev/null
@@ -1,201 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { PACKAGE_POLICY_API_ROUTES } from '@kbn/fleet-plugin/common/constants/routes'; -import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy'; -import { getT1Analyst } from '../../../../../scripts/endpoint/common/roles_users'; -import { APP_ENDPOINTS_PATH } from '../../../../../common/constants'; -import type { ReturnTypeFromChainable } from '../../types'; -import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; -import { login } from '../../tasks/login'; -import { loadPage } from '../../tasks/common'; - -describe('Endpoints RBAC', { tags: ['@ess'] }, () => { - type Privilege = 'all' | 'read' | 'none'; - const PRIVILEGES: Privilege[] = ['none', 'read', 'all']; - - const loginWithCustomRole: (privileges: { - integrationsPrivilege?: Privilege; - fleetPrivilege?: Privilege; - endpointPolicyManagementPrivilege?: Privilege; - }) => void = ({ - integrationsPrivilege = 'none', - fleetPrivilege = 'none', - endpointPolicyManagementPrivilege = 'none', - }) => { - const base = getT1Analyst(); - - const customRole: typeof base = { - ...base, - kibana: [ - { - ...base.kibana[0], - feature: { - ...base.kibana[0].feature, - siemV2: [ - ...base.kibana[0].feature.siemV2, - `endpoint_list_all`, - `policy_management_${endpointPolicyManagementPrivilege}`, - ], - fleet: [integrationsPrivilege], - fleetv2: [fleetPrivilege], - }, - }, - ], - }; - - login.withCustomRole({ name: 'customRole', ...customRole }); - }; - - beforeEach(() => { - login(); - }); - - describe('neither Defend policy nor hosts are present', () => { - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management 
privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldAllowOnboarding = - fleetPrivilege === 'all' && integrationsPrivilege === 'all'; - - it(`should show onboarding screen ${ - shouldAllowOnboarding ? 'with' : 'without' - } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyOnboardingInstructions').should('exist'); - if (shouldAllowOnboarding) { - cy.getByTestSubj('onboardingStartButton').should('exist'); - } else { - cy.getByTestSubj('onboardingStartButton').should('not.exist'); - } - }); - } - } - }); - } - }); - - describe('Defend policy is present, but no hosts', () => { - let loadedPolicyData: IndexedFleetEndpointPolicyResponse; - - before(() => { - cy.task( - 'indexFleetEndpointPolicy', - { policyName: 'tests-serverless' }, - { timeout: 5 * 60 * 1000 } - ).then((res) => { - const response = res as IndexedFleetEndpointPolicyResponse; - loadedPolicyData = response; - }); - }); - - after(() => { - if (loadedPolicyData) { - cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData); - } - }); - - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldShowOnboardingSteps = - (fleetPrivilege === 'all' && integrationsPrivilege === 'read') || - (fleetPrivilege === 'all' && integrationsPrivilege === 'all'); - - it(`should ${ - shouldShowOnboardingSteps ? 
'' : ' NOT ' - } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - if (shouldShowOnboardingSteps) { - cy.getByTestSubj('emptyHostsTable').should('exist'); - cy.getByTestSubj('onboardingSteps').should('exist'); - } else { - // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required - cy.getByTestSubj('emptyPolicyTable').should('exist'); - cy.getByTestSubj('onboardingStartButton').should('not.exist'); - } - }); - } - } - }); - } - }); - - describe('some hosts are enrolled', () => { - let endpointData: ReturnTypeFromChainable; - - before(() => { - indexEndpointHosts({ count: 1 }).then((indexEndpoints) => { - endpointData = indexEndpoints; - }); - }); - - after(() => { - if (endpointData) { - endpointData.cleanup(); - // @ts-expect-error ignore setting to undefined - endpointData = undefined; - } - }); - - beforeEach(() => { - // if there is a request towards this API, it should return 200 - cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => { - req.on('response', (res) => { - expect(res.statusCode).to.equal(200); - }); - }); - }); - - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldProvidePolicyLink = endpointPolicyManagementPrivilege !== 'none'; - - it(`should show Endpoint list ${ - shouldProvidePolicyLink ? 
'with' : 'without' - } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyNameCellLink').should('exist'); - cy.getByTestSubj('policyNameCellLink').within(() => { - if (shouldProvidePolicyLink) { - cy.get('a').should('have.attr', 'href'); - } else { - cy.get('a').should('not.exist'); - } - }); - }); - } - } - }); - } - }); -}); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts new file mode 100644 index 0000000000000..d5f1152d77c72 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts 
@@ -0,0 +1,61 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { APP_ENDPOINTS_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants';
+import { login } from '../../tasks/login';
+import { loadPage } from '../../tasks/common';
+import { SIEM_VERSIONS } from '../../common/constants';
+
+describe(
+ 'Endpoints page RBAC - neither Defend policy nor hosts are present',
+ { tags: ['@ess'] },
+ () => {
+ const PRIVILEGES = ['none', 'read', 'all'] as const;
+
+ it('latest siem version should be in version list', () => {
+ expect(SIEM_VERSIONS.at(-1)).to.equal(SECURITY_FEATURE_ID);
+ });
+
+ for (const siemVersion of SIEM_VERSIONS) {
+ describe(siemVersion, () => {
+ for (const endpointPolicyManagementPrivilege of PRIVILEGES) {
+ describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => {
+ for (const fleetPrivilege of PRIVILEGES) {
+ for (const integrationsPrivilege of PRIVILEGES) {
+ const shouldAllowOnboarding =
+ fleetPrivilege === 'all' && integrationsPrivilege === 'all';
+
+ it(`should show onboarding screen ${
+ shouldAllowOnboarding ? 'with' : 'without'
+ } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => {
+ login.withCustomKibanaPrivileges({
+ [siemVersion]: [
+ 'all',
+ `endpoint_list_all`,
+ `policy_management_${endpointPolicyManagementPrivilege}`,
+ ],
+ fleet: [integrationsPrivilege],
+ fleetv2: [fleetPrivilege],
+ });
+
+ loadPage(APP_ENDPOINTS_PATH);
+
+ cy.getByTestSubj('policyOnboardingInstructions').should('exist');
+ if (shouldAllowOnboarding) {
+ cy.getByTestSubj('onboardingStartButton').should('exist');
+ } else {
+ cy.getByTestSubj('onboardingStartButton').should('not.exist');
+ }
+ });
+ }
+ }
+ });
+ }
+ });
+ }
+ }
+);
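Review bot: `const PRIVILEGES = ['none', 'read', 'all'] as const;` and the `login.withCustomKibanaPrivileges({ [siemVersion]: ['all', `endpoint_list_all`, `policy_management_${endpointPolicyManagementPrivilege}`], fleet: [integrationsPrivilege], fleetv2: [fleetPrivilege] })` block are repeated verbatim in this file and in the new endpoints_rbac_mocked_data_hosts_exist.cy.ts and endpoints_rbac_mocked_data_policies_exist.cy.ts hunks; a privilege matrix that drives RBAC assertions is easier to keep in sync from one definition, e.g. `PRIVILEGES` exported next to `SIEM_VERSIONS` in `../../common/constants` and a small `loginWithEndpointPrivileges(siemVersion, { endpointPolicyManagementPrivilege, fleetPrivilege, integrationsPrivilege })` helper in `../../tasks/login`. The `SIEM_VERSIONS.at(-1)` check against `SECURITY_FEATURE_ID` lives only in this file, so the other two suites would keep passing against a stale version list; moving it beside the constant or into the shared helper covers all three. The nested describe/for loops here yield 3 × 3 × 3 cases per entry of `SIEM_VERSIONS`; a comment such as `// full privilege matrix: fleet × integrations × policy management, per SIEM feature version` above the outer loop would help readers judge the runtime cost.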
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts
new file mode 100644
index 0000000000000..bf5e1c9e9e407
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts
@@ -0,0 +1,82 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { PACKAGE_POLICY_API_ROUTES } from '@kbn/fleet-plugin/common/constants/routes';
+import { APP_ENDPOINTS_PATH } from '../../../../../common/constants';
+import type { ReturnTypeFromChainable } from '../../types';
+import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts';
+import { login } from '../../tasks/login';
+import { loadPage } from '../../tasks/common';
+import { SIEM_VERSIONS } from '../../common/constants';
+
+describe('Endpoints page RBAC - some hosts are enrolled', { tags: ['@ess'] }, () => {
+ const PRIVILEGES = ['none', 'read', 'all'] as const;
+
+ for (const siemVersion of SIEM_VERSIONS) {
+ describe(siemVersion, () => {
+ let endpointData: ReturnTypeFromChainable;
+
+ before(() => {
+ indexEndpointHosts({ count: 1 }).then((indexEndpoints) => {
+ endpointData = indexEndpoints;
+ });
+ });
+
+ after(() => {
+ if (endpointData) {
+ endpointData.cleanup();
+ // @ts-expect-error ignore setting to undefined
+ endpointData = undefined;
+ }
+ });
+
+ beforeEach(() => {
+ // if there is a request towards this API, it should return 200
+ cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => {
+ req.on('response', (res) => {
+ expect(res.statusCode).to.equal(200);
+ });
+ });
+ });
+
+ for (const endpointPolicyManagementPrivilege of PRIVILEGES) {
+ describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => {
+ for (const fleetPrivilege of PRIVILEGES) {
+ for (const integrationsPrivilege of PRIVILEGES) {
+ const shouldProvidePolicyLink = endpointPolicyManagementPrivilege !== 'none';
+
+ it(`should show Endpoint list ${
+ shouldProvidePolicyLink ? 'with' : 'without'
+ } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => {
+ login.withCustomKibanaPrivileges({
+ [siemVersion]: [
+ 'all',
+ `endpoint_list_all`,
+ `policy_management_${endpointPolicyManagementPrivilege}`,
+ ],
+ fleet: [integrationsPrivilege],
+ fleetv2: [fleetPrivilege],
+ });
+
+ loadPage(APP_ENDPOINTS_PATH);
+
+ cy.getByTestSubj('policyNameCellLink').should('exist');
+ cy.getByTestSubj('policyNameCellLink').within(() => {
+ if (shouldProvidePolicyLink) {
+ cy.get('a').should('have.attr', 'href');
+ } else {
+ cy.get('a').should('not.exist');
+ }
+ });
+ });
+ }
+ }
+ });
+ }
+ });
+ }
+});
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts
new file mode 100644
index 0000000000000..0705d43e3416b
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts
@@ -0,0 +1,76 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy';
+import { APP_ENDPOINTS_PATH } from '../../../../../common/constants';
+import { login } from '../../tasks/login';
+import { loadPage } from '../../tasks/common';
+import { SIEM_VERSIONS } from '../../common/constants';
+
+describe('Endpoints page RBAC - Defend policy is present, but no hosts', { tags: ['@ess'] }, () => {
+ const PRIVILEGES = ['none', 'read', 'all'] as const;
+
+ for (const siemVersion of SIEM_VERSIONS) {
+ describe(siemVersion, () => {
+ let loadedPolicyData: IndexedFleetEndpointPolicyResponse;
+
+ before(() => {
+ cy.task(
+ 'indexFleetEndpointPolicy',
+ { policyName: 'tests-serverless' },
+ { timeout: 5 * 60 * 1000 }
+ ).then((res) => {
+ const response = res as IndexedFleetEndpointPolicyResponse;
+ loadedPolicyData = response;
+ });
+ });
+
+ after(() => {
+ if (loadedPolicyData) {
+ cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData);
+ }
+ });
+
+ for (const endpointPolicyManagementPrivilege of PRIVILEGES) {
+ describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => {
+ for (const fleetPrivilege of PRIVILEGES) {
+ for (const integrationsPrivilege of PRIVILEGES) {
+ const shouldShowOnboardingSteps =
+ (fleetPrivilege === 'all' && integrationsPrivilege === 'read') ||
+ (fleetPrivilege === 'all' && integrationsPrivilege === 'all');
+
+ it(`should ${
+ shouldShowOnboardingSteps ? '' : ' NOT '
+ } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => {
+ login.withCustomKibanaPrivileges({
+ [siemVersion]: [
+ 'all',
+ `endpoint_list_all`,
+ `policy_management_${endpointPolicyManagementPrivilege}`,
+ ],
+ fleet: [integrationsPrivilege],
+ fleetv2: [fleetPrivilege],
+ });
+
+ loadPage(APP_ENDPOINTS_PATH);
+
+ if (shouldShowOnboardingSteps) {
+ cy.getByTestSubj('emptyHostsTable').should('exist');
+ cy.getByTestSubj('onboardingSteps').should('exist');
+ } else {
+ // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required
+ cy.getByTestSubj('emptyPolicyTable').should('exist');
+ cy.getByTestSubj('onboardingStartButton').should('not.exist');
+ }
+ });
+ }
+ }
+ });
+ }
+ });
+ }
+});
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts
index 19cd08fce518c..ffd0caab70b83 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts
@@ -14,6 +14,7 @@ import {
 } from '../../screens/stack_management/role_page';
 import { closeAllToasts } from '../../tasks/toasts';
 import { login, ROLE } from '../../tasks/login';
+import { SECURITY_FEATURE_ID } from '../../../../../common/constants';
 
 describe(
 'When defining a kibana role for Endpoint security access',
@@ -23,7 +24,7 @@ describe(
 () => {
 const getAllSubFeatureRows = (): Cypress.Chainable> => {
 return cy
- .get('#featurePrivilegeControls_siemV2')
+ .get(`#featurePrivilegeControls_${SECURITY_FEATURE_ID}`)
 .findByTestSubj('mutexSubFeaturePrivilegeControl')
 .closest('.euiFlexGroup');
 };
@@ -52,6 +53,7 @@ describe( .should('deep.equal', [ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone', 'Automatic Troubleshooting Access to the automatic troubleshooting.Automatic Troubleshooting sub-feature privilegeAllReadNone', + 'Global Artifact Management (coming soon) Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) across all policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management.Global Artifact Management (coming soon) sub-feature privilegeAllNone', 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone', 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 3dbea89c49dc3..e5f8c1bf4aad0 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -22,6 +22,7 @@ import { setRoleName, setSecuritySolutionEndpointGroupPrivilege, } from '../../screens/stack_management/role_page'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; describe( 'When defining a kibana role for Endpoint security access with space awareness enabled', @@ -88,7 +89,7 @@ describe( .findByTestSubj(`space-avatar-${spaceId}`) .should('exist'); - cy.get('#row_siemV2_expansion') + cy.get(`#row_${SECURITY_FEATURE_ID}_expansion`) .findByTestSubj('subFeatureEntry') .then(($element) => { const features: string[] = []; @@ -103,11 +104,12 @@ describe( // up in this list - `Endpoint exceptions`. .should('include.members', [ 'Endpoint ListAll', + 'Automatic TroubleshootingNone', + 'Global Artifact ManagementNone', 'Trusted ApplicationsNone', 'Host Isolation ExceptionsNone', 'BlocklistNone', 'Event FiltersNone', - 'Global Artifact ManagementNone', 'Elastic Defend Policy ManagementNone', 'Response Actions HistoryNone', 'Host IsolationAll', @@ -120,14 +122,16 @@ describe( it('should not display the privilege tooltip', () => { ENDPOINT_SUB_FEATURE_PRIVILEGE_IDS.forEach((subFeaturePrivilegeId) => { - cy.getByTestSubj(`securitySolution_siemV2_${subFeaturePrivilegeId}_nameTooltip`).should( - 'not.exist' - ); + cy.getByTestSubj( + `securitySolution_${SECURITY_FEATURE_ID}_${subFeaturePrivilegeId}_nameTooltip` + ).should('not.exist'); }); }); it('should include new Global Artifact Management privilege', () => { - cy.getByTestSubj('securitySolution_siemV2_global_artifact_management').should('exist'); + cy.getByTestSubj(`securitySolution_${SECURITY_FEATURE_ID}_global_artifact_management`).should( + 'exist' + ); }); } ); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts index 088f6780faec9..2630a64cdb794 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts
@@ -21,7 +21,7 @@ interface FormEditingDescription {
 export interface ArtifactsFixtureType {
 title: string;
 pagePrefix: string;
- tabId: string;
+ tabId: keyof typeof ENDPOINT_ARTIFACT_LISTS;
 nextTabId: string;
 artifactName: string;
 privilegePrefix: string;
@@ -43,6 +43,10 @@ export interface ArtifactsFixtureType {
 };
 }
 
+export const getArtifactsListTestDataForArtifact = (
+ artifact: keyof typeof ENDPOINT_ARTIFACT_LISTS
+) => getArtifactsListTestsData().find(({ tabId }) => tabId === artifact) as ArtifactsFixtureType;
+
 export const getArtifactsListTestsData = (): ArtifactsFixtureType[] => [
 {
 title: 'Trusted applications',
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts
index 25bc5d2da1f8b..043967d8c3a29 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts
@@ -5,6 +5,7 @@
 * 2.0.
 */
 
+import { SECURITY_FEATURE_ID } from '../../../../common/constants';
 import { getEndpointSecurityPolicyManager } from '../../../../scripts/endpoint/common/roles_users';
 
 export const getRoleWithArtifactReadPrivilege = (privilegePrefix: string) => {
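Review bot: The `as ArtifactsFixtureType` cast in `getArtifactsListTestDataForArtifact` hides the `undefined` that `.find(...)` returns when no fixture has a matching `tabId`, so a misspelled key or a fixture removed later surfaces as a property access on `undefined` inside the Cypress runner rather than at the call site in the new `*_rbac.cy.ts` specs. Failing fast with a named error keeps it clear which artifact list an RBAC suite actually exercises, and the narrowing from `keyof typeof ENDPOINT_ARTIFACT_LISTS` already guarantees the lookup key is valid at the type level. The four new specs that call this helper need no change; a replacement is below.
```typescript
export const getArtifactsListTestDataForArtifact = (
  artifact: keyof typeof ENDPOINT_ARTIFACT_LISTS
): ArtifactsFixtureType => {
  const fixture = getArtifactsListTestsData().find(({ tabId }) => tabId === artifact);
  if (!fixture) {
    throw new Error(`No artifacts fixture found for "${artifact}"`);
  }
  return fixture;
};
```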
@@ -17,8 +18,8 @@ export const getRoleWithArtifactReadPrivilege = (privilegePrefix: string) => { ...endpointSecurityPolicyManagerRole.kibana[0], feature: { ...endpointSecurityPolicyManagerRole.kibana[0].feature, - siemV2: [ - ...endpointSecurityPolicyManagerRole.kibana[0].feature.siemV2.filter( + [SECURITY_FEATURE_ID]: [ + ...endpointSecurityPolicyManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( (privilege) => privilege !== `${privilegePrefix}all` ), `${privilegePrefix}read`, diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts index 1b6d7e6c92548..d38d6525a95ab 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; import { loadPage } from '../../tasks/common'; /** @@ -66,12 +67,14 @@ export const getSecuritySolutionCategoryKibanaPrivileges = (): Cypress.Chainable */ export const expandEndpointSecurityFeaturePrivileges = (): Cypress.Chainable => { return cy - .getByTestSubj('featurePrivilegeControls_securitySolution_siemV2_accordionToggle') + .getByTestSubj( + `featurePrivilegeControls_securitySolution_${SECURITY_FEATURE_ID}_accordionToggle` + ) .click(); }; export const getEndpointSecurityFeaturePrivileges = () => { - return cy.getByTestSubj('featureCategory_securitySolution_siemV2'); + return cy.getByTestSubj(`featureCategory_securitySolution_${SECURITY_FEATURE_ID}`); }; /** 
@@ -104,7 +107,7 @@ export const setSecuritySolutionEndpointGroupPrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getSecuritySolutionCategoryKibanaPrivileges() - .findByTestSubj(`siemV2_${privilege}`) + .findByTestSubj(`${SECURITY_FEATURE_ID}_${privilege}`) .click(); }; @@ -148,7 +151,7 @@ export const setEndpointSubFeaturePrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getEndpointSecurityFeaturePrivileges() - .findByTestSubj(`securitySolution_siemV2_${feature}_privilegeGroup`) + .findByTestSubj(`securitySolution_${SECURITY_FEATURE_ID}_${feature}_privilegeGroup`) .find(`button[title="${privilegeMapToTitle[privilege]}"]`) .click(); }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts new file mode 100644 index 0000000000000..5095699e79a57 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts 
@@ -0,0 +1,212 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { login, ROLE } from '../tasks/login'; +import { loadPage } from '../tasks/common'; + +import { type ArtifactsFixtureType } from '../fixtures/artifacts_page'; +import { + createArtifactList, + createPerPolicyArtifact, + removeAllArtifacts, +} from '../tasks/artifacts'; +import { performUserActions } from '../tasks/perform_user_actions'; +import { indexEndpointHosts } from '../tasks/index_endpoint_hosts'; +import type { ReturnTypeFromChainable } from '../types'; +import { SIEM_VERSIONS } from '../common/constants'; +import { SECURITY_FEATURE_ID } from '../../../../common'; + +/** + * Notes: + * ESS: + * - testing NONE, READ, WRITE privileges with custom roles + * - also, all SIEM feature versions are tested to check backward compatibility + * + * Serverless: a subset of tests. + * - only NONE and WRITE privileges are tested with predefined roles + * - and only the latest SIEM feature (SECURITY_FEATURE_ID) + * + * Possible improvement: use custom roles on serverless to test the same as on ESS. + */ +export const getArtifactMockedDataTests = (testData: ArtifactsFixtureType) => () => { + let endpointData: ReturnTypeFromChainable | undefined; + + const isServerless = Cypress.env('IS_SERVERLESS'); + const siemVersionsToTest = isServerless ? 
[SECURITY_FEATURE_ID] : SIEM_VERSIONS; + + let loginWithoutAccess: () => void; + let loginWithReadAccess: () => void; + let loginWithWriteAccess: () => void; + + before(() => { + indexEndpointHosts().then((indexEndpoints) => { + endpointData = indexEndpoints; + }); + }); + + beforeEach(() => { + removeAllArtifacts(); + }); + + after(() => { + removeAllArtifacts(); + + endpointData?.cleanup(); + endpointData = undefined; + }); + + for (const siemVersion of siemVersionsToTest) { + describe(siemVersion, () => { + describe(`When on the ${testData.title} entries list`, () => { + beforeEach(() => { + const { privilegePrefix } = testData; + + loginWithWriteAccess = () => { + if (isServerless) { + login(ROLE.endpoint_policy_manager); + } else { + login.withCustomKibanaPrivileges({ + [siemVersion]: ['read', `${privilegePrefix}all`], + }); + } + }; + + loginWithReadAccess = () => { + expect(isServerless, 'Testing read access is implemented only on ESS').to.equal(false); + login.withCustomKibanaPrivileges({ [siemVersion]: ['read', `${privilegePrefix}read`] }); + }; + + loginWithoutAccess = () => { + if (isServerless) { + login(ROLE.t1_analyst); + } else { + login.withCustomKibanaPrivileges({ [siemVersion]: ['read'] }); + } + }; + }); + + describe('given there are no artifacts yet', () => { + it(`no access - should show no privileges callout`, () => { + loginWithoutAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('noPrivilegesPage').should('exist'); + cy.getByTestSubj('empty-page-feature-action').should('exist'); + cy.getByTestSubj(testData.emptyState).should('not.exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); + }); + + it( + `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + 
loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj(testData.emptyState).should('exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); + } + ); + + it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj(testData.emptyState).should('exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); + }); + + it(`write - should create new ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens add flyout + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); + + performUserActions(testData.create.formActions); + + // Submit create artifact form + cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + + // Check new artifact is in the list + for (const checkResult of testData.create.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } + + // Title is shown after adding an item + cy.getByTestSubj('header-page-title').contains(testData.title); + }); + }); + + describe('given there is an existing artifact', () => { + beforeEach(() => { + createArtifactList(testData.createRequestBody.list_id); + createPerPolicyArtifact(testData.artifactName, testData.createRequestBody); + }); + + it( + `read - should not be able to update/delete an existing ${testData.title} entry`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( + 'not.exist' + ); + 
cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should('not.exist'); + } + ); + + it( + `read - should not be able to create a new ${testData.title} entry`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); + } + ); + + it(`write - should be able to update an existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens edit flyout + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); + + performUserActions(testData.update.formActions); + + // Submit edit artifact form + cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + + for (const checkResult of testData.update.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } + + // Title still shown after editing an item + cy.getByTestSubj('header-page-title').contains(testData.title); + }); + + it(`write - should be able to delete the existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Remove it + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click(); + // No card visible after removing it + cy.getByTestSubj(testData.delete.card).should('not.exist'); + // Empty state is displayed after removing last item + 
cy.getByTestSubj(testData.emptyState).should('exist'); + }); + }); + }); + }); + } +}; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts index 019b441e3173c..39e4121a2115d 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts @@ -6,8 +6,11 @@ */ import type { LoginState } from '@kbn/security-plugin/common/login_state'; -import type { Role } from '@kbn/security-plugin/common'; -import { ENDPOINT_SECURITY_ROLE_NAMES } from '../../../../scripts/endpoint/common/roles_users'; +import type { FeaturesPrivileges, Role } from '@kbn/security-plugin/common'; +import { + ENDPOINT_SECURITY_ROLE_NAMES, + getT1Analyst, +} from '../../../../scripts/endpoint/common/roles_users'; import type { SecurityTestUser } from '../common/constants'; import { KIBANA_KNOWN_DEFAULT_ACCOUNTS } from '../common/constants'; import { COMMON_API_HEADERS, request } from './common'; @@ -33,6 +36,15 @@ interface CyLoginTask { * @param role */ withCustomRole(role: Role): ReturnType; + + /** + * Creates a role with the provided Kibana privileges, and basic ES/index privileges, + * then creates a user and logs in with the new user. + * @param kibanaPrivileges + */ + withCustomKibanaPrivileges( + kibanaPrivileges: FeaturesPrivileges + ): ReturnType; } /** @@ -103,6 +115,22 @@ login.withCustomRole = (role: Role): ReturnType => { }); }; +login.withCustomKibanaPrivileges = (kibanaPrivileges: FeaturesPrivileges) => { + const base = getT1Analyst(); + + const customRole: typeof base = { + ...base, + kibana: [ + { + ...base.kibana[0], + feature: kibanaPrivileges, + }, + ], + }; + + return login.withCustomRole({ name: 'customRole', ...customRole }); +}; + /** * Send login via API * @param username 
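Review bot: On ESS, `loginWithWriteAccess` builds the custom role as `[siemVersion]: ['read', `${privilegePrefix}all`]` for every entry of `SIEM_VERSIONS`, including the latest feature id, but never grants `global_artifact_management_all`, the sub-feature privilege this same change adds next to every artifact `_all` privilege in the predefined roles. The visible setup only creates per-policy artifacts (`createPerPolicyArtifact`), so whether the form actions in `testData` ever assign an artifact globally cannot be told from here; if they do, the newest SIEM version iteration would exercise a different privilege set than the serverless `endpoint_policy_manager` path and the two branches of the same spec would not be comparable. A comment on the privilege map stating the intended scope, e.g. `// no global_artifact_management_all on purpose: these specs cover per-policy artifacts only`, or a second write login that includes it, would make the intent checkable. Minor: the `expect(isServerless, ...)` guard in `loginWithReadAccess` is redundant with the `@skipInServerless` tags but harmless.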
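Review bot: `login.withCustomKibanaPrivileges` hard-codes the role name `'customRole'` and replaces the whole `kibana[0].feature` map of the T1 analyst base, so every caller in a run shares one role that is redefined on each login; specs running concurrently against the same Kibana could observe each other's privileges, and a stale definition survives if `withCustomRole` (defined outside this hunk) does not remove it afterwards. The interface doc says only "basic ES/index privileges" — state where they come from so a reader of a privilege test knows what is implicitly granted: `Elasticsearch and index privileges come from getT1Analyst(); only kibana[0].feature is replaced, so nothing outside the supplied map is granted at the Kibana level.` If the shared name turns out to be a problem, derive it from the map, e.g. `name: 'customRole_' + Object.keys(kibanaPrivileges).join('_')`.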
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx index c33e12cc49717..e61ea3341bc53 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx @@ -28,6 +28,7 @@ import { appReducer } from '../../../../../common/store/app'; import { ExperimentalFeaturesService } from '../../../../../common/experimental_features_service'; import { RenderContextProviders } from '../../../../../common/components/with_security_context/render_context_providers'; import type { AppAction } from '../../../../../common/store/actions'; +import { SECURITY_FEATURE_ID } from '../../../../../../common/constants'; // Defined a private custom reducer that reacts to an action that enables us to update the // store with new values for technical preview features/flags. Because the `action.type` is a `Symbol`, @@ -96,7 +97,7 @@ export const createFleetContextRendererMock = (): AppContextTestRender => { startServices.application.capabilities = deepFreeze({ ...startServices.application.capabilities, - siemV2: { show: true, crud: true }, + [SECURITY_FEATURE_ID]: { show: true, crud: true }, }); return ( diff --git a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx index 1cc1e49516364..b95e226a86ddf 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx 
@@ -16,6 +16,7 @@ import type { RouteSpyState } from '../../common/utils/route/types'; import { DEFAULT_DATA_VIEW_ID, DEFAULT_INDEX_PATTERN, + SECURITY_FEATURE_ID, SecurityPageName, } from '../../../common/constants'; import { useUserInfo, initialState as userInfoState } from '../../detections/components/user_info'; @@ -69,6 +70,77 @@ const mockCreateSourcererDataView = jest.fn(() => { errToReturn.name = 'AbortError'; throw errToReturn; }); +const mockUseKibana = () => ({ + services: { + application: { + capabilities: { + [SECURITY_FEATURE_ID]: { + crud: true, + }, + }, + }, + data: { + dataViews: { + get: mockSearch.mockImplementation( + async (dataViewId: string, displayErrors?: boolean, refreshFields = false) => + Promise.resolve({ + id: dataViewId, + matchedIndices: refreshFields ? ['hello', 'world', 'refreshed'] : ['hello', 'world'], + fields: [ + { + name: 'bytes', + type: 'number', + esTypes: ['long'], + aggregatable: true, + searchable: true, + count: 10, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + { + name: 'ssl', + type: 'boolean', + esTypes: ['boolean'], + aggregatable: true, + searchable: true, + count: 20, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + { + name: '@timestamp', + type: 'date', + esTypes: ['date'], + aggregatable: true, + searchable: true, + count: 30, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + ], + getIndexPattern: () => 'hello*,world*,refreshed*', + getRuntimeMappings: () => ({ + myfield: { + type: 'keyword', + }, + }), + toSpec: () => ({ + id: dataViewId, + }), + }) + ), + getExistingIndices: jest.fn(() => [] as string[]), + }, + indexPatterns: { + getTitles: jest.fn().mockImplementation(() => Promise.resolve(mockPatterns)), + }, + }, + notifications: {}, + }, +}); jest.mock('../../common/lib/kibana', () => ({ useToasts: () => ({ 
@@ -77,79 +149,7 @@ jest.mock('../../common/lib/kibana', () => ({ addWarning: mockAddWarning, remove: jest.fn(), }), - useKibana: () => ({ - services: { - application: { - capabilities: { - siemV2: { - crud: true, - }, - }, - }, - data: { - dataViews: { - get: mockSearch.mockImplementation( - async (dataViewId: string, displayErrors?: boolean, refreshFields = false) => - Promise.resolve({ - id: dataViewId, - matchedIndices: refreshFields - ? ['hello', 'world', 'refreshed'] - : ['hello', 'world'], - fields: [ - { - name: 'bytes', - type: 'number', - esTypes: ['long'], - aggregatable: true, - searchable: true, - count: 10, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - { - name: 'ssl', - type: 'boolean', - esTypes: ['boolean'], - aggregatable: true, - searchable: true, - count: 20, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - { - name: '@timestamp', - type: 'date', - esTypes: ['date'], - aggregatable: true, - searchable: true, - count: 30, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - ], - getIndexPattern: () => 'hello*,world*,refreshed*', - getRuntimeMappings: () => ({ - myfield: { - type: 'keyword', - }, - }), - toSpec: () => ({ - id: dataViewId, - }), - }) - ), - getExistingIndices: jest.fn(() => [] as string[]), - }, - indexPatterns: { - getTitles: jest.fn().mockImplementation(() => Promise.resolve(mockPatterns)), - }, - }, - notifications: {}, - }, - }), + useKibana: () => mockUseKibana(), useUiSetting$: jest.fn().mockImplementation(() => [mockPatterns]), })); 
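Review bot: `useKibana: () => mockUseKibana()` has to stay an arrow rather than `useKibana: mockUseKibana`: under babel-jest the `jest.mock` factory is hoisted above the `const mockUseKibana` declaration, and only the `mock`-prefixed name plus lazy evaluation make the reference legal. A one-line comment would keep the next reader from simplifying it: `// lazy arrow: jest.mock is hoisted above the mockUseKibana const`. Also note that `mockSearch.mockImplementation(...)` inside the factory now re-runs on every `useKibana()` call instead of once at mock definition; harmless for the assertions visible here but different from the original, so hoist the `dataViews.get` implementation out of the function if call-count assertions are ever added.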
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts similarity index 80% rename from x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts rename to x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts index f2e0d5c72001d..8719fe03dee2c 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts @@ -7,8 +7,9 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; -export const getDetectionsEngineer: () => Omit = () => { +export const getDetectionsAdmin: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); return { ...noResponseActionsRole, @@ -17,11 +18,12 @@ export const getDetectionsEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'policy_management_read', + 'global_artifact_management_all', 'trusted_applications_read', 'event_filters_read', 'host_isolation_exceptions_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 284aafda4fa9e..586c99049f497 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts 
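Review bot: Swapping `'minimal_all'` for `'all'` in `getDetectionsAdmin` (the same swap appears in the policy manager, hunter and platform engineer files of this change) widens the role beyond its explicit list: in Kibana's feature-privilege model `all` carries every sub-feature privilege configured with `includeIn: 'all'`, whereas `minimal_all` grants the base feature only. For a role used in RBAC negative tests that deserves a sentence, otherwise a future `includeIn: 'all'` sub-feature silently lands in the role; if the intent is to mirror the serverless `roles.yml`, which already used `feature_siemV2.all` for `detections_admin`, say so: `// 'all' rather than 'minimal_all' to mirror serverless roles.yml`. The new `'global_artifact_management_all'` entry sits between read-scoped `policy_management_read`/`trusted_applications_read` entries; a comment on what a global-artifact write privilege adds to a role that can only read artifacts would help, since it reads as an escalation. The enclosing `getDetectionsAdmin` body continues outside the hunk.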
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts @@ -6,6 +6,7 @@ */ import type { Role } from '@kbn/security-plugin/common'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointOperationsAnalyst: () => Omit = () => { // IMPORTANT @@ -59,11 +60,12 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { osquery: ['all'], securitySolutionCasesV3: ['all'], builtinAlerts: ['all'], - siemV2: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'policy_management_all', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 6535f42154a20..22085aaeedb09 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointSecurityPolicyManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -17,11 +18,12 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', @@ -46,7 +48,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,8 +18,8 @@ export const getHunter: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts index 7861ee4d6e0d5..6b41177ec3ccf 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts @@ -19,7 +19,7 @@ import { getEndpointSecurityPolicyManagementReadRole, getEndpointSecurityPolicyManager, } from './endpoint_security_policy_manager'; -import { getDetectionsEngineer } from './detections_engineer'; +import { getDetectionsAdmin } from './detections_admin'; import { getWithResponseActionsRole } from './with_response_actions_role'; import { getNoResponseActionsRole } from './without_response_actions_role'; import { getWithArtifactReadPrivilegesRole } from './with_artifact_read_privileges_role'; 
@@ -35,7 +35,7 @@ export * from './soc_manager'; export * from './platform_engineer'; export * from './endpoint_operations_analyst'; export * from './endpoint_security_policy_manager'; -export * from './detections_engineer'; +export * from './detections_admin'; export type EndpointSecurityRoleNames = keyof typeof ENDPOINT_SECURITY_ROLE_NAMES; @@ -105,7 +105,7 @@ export const getAllEndpointSecurityRoles = (): EndpointSecurityRoleDefinitions = name: 'soc_manager', }, detections_admin: { - ...getDetectionsEngineer(), + ...getDetectionsAdmin(), name: 'detections_admin', }, platform_engineer: { diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index ff6c9aaa82933..889abe32d5746 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getPlatformEngineer: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,11 +18,12 @@ export const getPlatformEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index 2c32c21a1d521..aaa622113f21d 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getRuleAuthor: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,12 +18,13 @@ export const getRuleAuthor: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'crud_alerts', 'policy_management_all', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml index eb34c89fe0e1b..57a1f78479b0f 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml 
@@ -63,9 +63,9 @@ viewer: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -139,19 +139,20 @@ editor: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -204,9 +205,9 @@ t1_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -264,9 +265,9 @@ t2_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -328,21 +329,22 @@ t3_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -403,9 +405,10 @@ threat_intelligence_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.endpoint_list_read - - feature_siemV2.blocklist_all + - feature_siemV3.all + - feature_siemV3.endpoint_list_read + - feature_siemV3.global_artifact_management_all + - feature_siemV3.blocklist_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -471,17 +474,18 @@ rule_author: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_read - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_read + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
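Review bot: The trailing comment `# Elastic Defend Policy Management` on `feature_siemV3.blocklist_all` in `rule_author` labels the wrong privilege; elsewhere in this file (`editor`, `t3_analyst`) the same comment sits on the `policy_management_*` entry, which is where it belongs here too: `- feature_siemV3.policy_management_all # Elastic Defend Policy Management`. The line is rewritten by this change, so it is a good moment to move it; the same misplacement is repeated in the `platform_engineer` and `endpoint_policy_manager` stanzas below.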
@@ -547,22 +551,23 @@ soc_manager: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -628,9 +633,10 @@ detections_admin: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.global_artifact_management_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
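Review bot: `detections_admin` receives `feature_siemV3.global_artifact_management_all` without any artifact-type privilege (no `trusted_applications_*`, `event_filters_*`, `host_isolation_exceptions_*` or `blocklist_*` entry), which differs from the TypeScript `getDetectionsAdmin()` in this same change that lists read privileges for those artifacts. Either the global grant does nothing on its own, in which case dropping it keeps the role at least privilege, or it confers something by itself and the stanza should say what, e.g. `- feature_siemV3.global_artifact_management_all # TODO: confirm what this grants without per-artifact privileges`. Presumably the serverless specs log in with roles from this file while ESS uses the TS definitions, so letting the two definitions of one role name drift makes privilege tests mean different things per environment.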
@@ -687,17 +693,18 @@ platform_engineer: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -764,21 +771,22 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response History
- - feature_siemV2.file_operations_all
- - feature_siemV2.execute_operations_all # Execute
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response History
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.execute_operations_all # Execute
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -845,16 +853,17 @@ endpoint_policy_manager: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index 65d3327c8d000..9b4ac9913b5f1 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getSocManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -17,11 +18,12 @@ export const getSocManager: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index 5bdb7c3883f26..f2b5f2fb76d85 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT1Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index d99ceba8014f3..4e3b74fe2ddd2 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts 
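Review bot: Replacing `'minimal_all'` with `'all'` in the soc_manager and t1_analyst fixtures changes the base privilege, not just the feature key: in Kibana `all` additionally grants every sub-feature privilege the feature declares as included in its base privilege, whereas `minimal_all` grants the base alone. If the intent is only the siemV2→siemV3 rename, keeping `'minimal_all'` with the explicit sub-privilege list preserves each persona's least-privilege shape; if siemV3 is meant to be exercised with `all`, a short comment on the array saying so would stop the next reader from reverting it. The same substitution appears in the t2_analyst hunk on the next line and in the threat_intelligence_analyst, with_artifact_read_privileges_role and without_response_actions_role hunks that follow, while the fleet_api_integration `testUsers` further down keep `'minimal_all'` on the renamed key, so the fixtures now disagree on the base privilege. For with_artifact_read_privileges_role in particular, the `*_read` entries only constrain anything if siemV3's `all` does not already include the corresponding `*_all` sub-privileges, which is worth confirming against the feature definition.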
@@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT2Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: ['all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index b174994e04874..219083cbebc7d 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT3Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,11 +18,12 @@ export const getT3Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'crud_alerts', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index 3707cbfb61bfd..193eed6484d8e 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getThreatIntelligenceAnalyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,12 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: [ + 'all', + 'blocklist_all', + 'global_artifact_management_all', + 'actions_log_management_read', + ], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 5a168de59f5eb..d3fd073268136 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts 
@@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithArtifactReadPrivilegesRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,8 +18,8 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'blocklist_read', 'trusted_applications_read', 'host_isolation_exceptions_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts index a8a4bb31b2089..decc743d14592 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithResponseActionsRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,8 +18,8 @@ export const getWithResponseActionsRole: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - ...noResponseActionsRole.kibana[0].feature.siemV2, + [SECURITY_FEATURE_ID]: [ + ...noResponseActionsRole.kibana[0].feature[SECURITY_FEATURE_ID], 'file_operations_all', 'execute_operations_all', 'scan_operations_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index 53d8003618266..9a2ea9537f3a6 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -6,6 +6,7 @@ */ import type { Role } from '@kbn/security-plugin/common'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getNoResponseActionsRole: () => Omit = () => ({ elasticsearch: { @@ -42,8 +43,8 @@ export const getNoResponseActionsRole: () => Omit = () => ({ osquery: ['all'], savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], - siemV2: [ - 'minimal_all', + [SECURITY_FEATURE_ID]: [ + 'all', 'endpoint_list_all', 'endpoint_list_read', 'trusted_applications_all', diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index 9122bc202e73b..e9e03c62eb94d 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -26,6 +26,11 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({ baseKibanaSubFeatureIds: [], subFeaturesMap: new Map(), })), + getSecurityV3Feature: jest.fn(() => ({ + baseKibanaFeature: {}, + baseKibanaSubFeatureIds: [], + subFeaturesMap: new Map(), + })), getCasesFeature: jest.fn(() => ({ baseKibanaFeature: {}, baseKibanaSubFeatureIds: [], 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts index b6925ed408a25..02ba9ee6e5869 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts @@ -352,6 +352,50 @@ describe('ProductFeaturesConfigMerger', () => { }); }); + it('should call baseFeatureConfigModifier() for all product features', () => { + const enabledProductFeaturesConfigs: ProductFeatureKibanaConfig[] = [ + { + subFeatureIds: ['subFeature3', 'subFeature1'], + baseFeatureConfigModifier: jest + .fn() + .mockImplementation((baseConfig: KibanaFeatureConfig): KibanaFeatureConfig => { + return { ...baseConfig, name: 'NEW NAME' }; + }), + }, + { + baseFeatureConfigModifier: jest + .fn() + .mockImplementation((baseConfig: KibanaFeatureConfig): KibanaFeatureConfig => { + return { ...baseConfig, order: 666 }; + }), + }, + ]; + + const merged = merger.mergeProductFeatureConfigs( + baseKibanaFeature, + [], + enabledProductFeaturesConfigs + ); + + expect(enabledProductFeaturesConfigs[0].baseFeatureConfigModifier).toBeCalledWith( + baseKibanaFeature + ); + expect(enabledProductFeaturesConfigs[1].baseFeatureConfigModifier).toBeCalledWith({ + ...baseKibanaFeature, + name: 'NEW NAME', + }); + + expect(merged).toEqual({ + ...baseKibanaFeature, + + // modifications: + name: 'NEW NAME', + order: 666, + + subFeatures: [subFeature1, subFeature3], + }); + }); + it('should merge everything at the same time', () => { const enabledProductFeaturesConfigs: ProductFeatureKibanaConfig[] = [ { 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts index e4f6a4df95f86..de8cef06445e3 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts @@ -32,20 +32,28 @@ export class ProductFeaturesConfigMerger { kibanaSubFeatureIds: T[], productFeaturesConfigs: ProductFeatureKibanaConfig[] ): KibanaFeatureConfig { - const mergedKibanaFeatureConfig = cloneDeep(kibanaFeatureConfig) as KibanaFeatureConfig; + let mergedKibanaFeatureConfig = cloneDeep(kibanaFeatureConfig) as KibanaFeatureConfig; const subFeaturesPrivilegesToMerge: SubFeaturesPrivileges[] = []; const enabledSubFeaturesIndexed = Object.fromEntries( kibanaSubFeatureIds.map((id) => [id, true]) ); productFeaturesConfigs.forEach((productFeatureConfig) => { - const { subFeaturesPrivileges, subFeatureIds, ...productFeatureConfigToMerge } = - cloneDeep(productFeatureConfig); + const { + subFeaturesPrivileges, + subFeatureIds, + baseFeatureConfigModifier, + ...productFeatureConfigToMerge + } = cloneDeep(productFeatureConfig); subFeatureIds?.forEach((subFeatureId) => { enabledSubFeaturesIndexed[subFeatureId] = true; }); + if (baseFeatureConfigModifier) { + mergedKibanaFeatureConfig = baseFeatureConfigModifier(mergedKibanaFeatureConfig); + } + if (subFeaturesPrivileges) { subFeaturesPrivilegesToMerge.push(...subFeaturesPrivileges); } 
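Review bot: The new `baseFeatureConfigModifier` call inside the `forEach` reassigns `mergedKibanaFeatureConfig`, so modifiers from several product features are chained in the order of `productFeaturesConfigs` and each one receives the output of the previous (the accompanying test pins this), but nothing in the code documents that ordering or that the modifier runs while `subFeaturesPrivilegesToMerge` is still being collected, i.e. presumably before sub-feature privileges are applied. A one-line comment here such as `// modifiers run in config order, each receiving the already-modified base feature; sub-feature privileges are merged afterwards`, plus a doc comment on the `baseFeatureConfigModifier` field of `ProductFeatureKibanaConfig` (outside this hunk), would make the contract explicit. It would also help to state whether a modifier must return a fresh object (as the implementations in this diff do) or may mutate its argument, since `mergedKibanaFeatureConfig` is a deep clone and either works today. `mergeProductFeatureConfigs` starts before this hunk and its remaining body is below it.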
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index 68c328e76de66..b707630e100d4 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -43,6 +43,7 @@ const mockGetFeature = jest.fn().mockReturnValue(productFeature); jest.mock('@kbn/security-solution-features/product_features', () => ({ getSecurityFeature: () => mockGetFeature(), getSecurityV2Feature: () => mockGetFeature(), + getSecurityV3Feature: () => mockGetFeature(), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), @@ -62,8 +63,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; new ProductFeaturesService(loggerMock.create(), experimentalFeatures); - expect(mockGetFeature).toHaveBeenCalledTimes(10); - expect(MockedProductFeatures).toHaveBeenCalledTimes(10); + expect(mockGetFeature).toHaveBeenCalledTimes(11); + expect(MockedProductFeatures).toHaveBeenCalledTimes(11); }); it('should init all ProductFeatures when initialized', () => { diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index ef81c27fe99ed..9fbfd6d2572de 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts 
@@ -20,6 +20,7 @@ import { getCasesV2Feature, getCasesV3Feature, getSecurityV2Feature, + getSecurityV3Feature, getTimelineFeature, getNotesFeature, getSiemMigrationsFeature, @@ -39,6 +40,7 @@ import { casesApiTags, casesUiCapabilities } from './cases_privileges'; export class ProductFeaturesService { private securityProductFeatures: ProductFeatures; private securityV2ProductFeatures: ProductFeatures; + private securityV3ProductFeatures: ProductFeatures; private casesProductFeatures: ProductFeatures; private casesProductV2Features: ProductFeatures; private casesProductFeaturesV3: ProductFeatures; @@ -75,6 +77,17 @@ export class ProductFeaturesService { securityV2Feature.baseKibanaSubFeatureIds ); + const securityV3Feature = getSecurityV3Feature({ + savedObjects: securityDefaultSavedObjects, + experimentalFeatures: this.experimentalFeatures, + }); + this.securityV3ProductFeatures = new ProductFeatures( + this.logger, + securityV3Feature.subFeaturesMap, + securityV3Feature.baseKibanaFeature, + securityV3Feature.baseKibanaSubFeatureIds + ); + const casesFeature = getCasesFeature({ uiCapabilities: casesUiCapabilities, apiTags: casesApiTags, @@ -164,6 +177,7 @@ export class ProductFeaturesService { public init(featuresSetup: FeaturesPluginSetup) { this.securityProductFeatures.init(featuresSetup); this.securityV2ProductFeatures.init(featuresSetup); + this.securityV3ProductFeatures.init(featuresSetup); this.casesProductFeatures.init(featuresSetup); this.casesProductV2Features.init(featuresSetup); this.casesProductFeaturesV3.init(featuresSetup); 
@@ -178,6 +192,7 @@ export class ProductFeaturesService { const securityProductFeaturesConfig = configurator.security(); this.securityProductFeatures.setConfig(securityProductFeaturesConfig); this.securityV2ProductFeatures.setConfig(securityProductFeaturesConfig); + this.securityV3ProductFeatures.setConfig(securityProductFeaturesConfig); const casesProductFeaturesConfig = configurator.cases(); this.casesProductFeatures.setConfig(casesProductFeaturesConfig); @@ -226,6 +241,7 @@ export class ProductFeaturesService { return ( this.securityProductFeatures.isActionRegistered(action) || this.securityV2ProductFeatures.isActionRegistered(action) || + this.securityV3ProductFeatures.isActionRegistered(action) || this.casesProductFeatures.isActionRegistered(action) || this.casesProductV2Features.isActionRegistered(action) || this.securityAssistantProductFeatures.isActionRegistered(action) || diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts index 0cec48bda5e44..c3465bd5dd484 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts @@ -11,7 +11,7 @@ import type { } from '@kbn/security-solution-features'; import { ProductFeatureSecurityKey, - type SecuritySubFeatureId, + SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import { securityDefaultProductFeaturesConfig, 
@@ -21,6 +21,7 @@ import { ProductFeaturesPrivilegeId, ProductFeaturesPrivileges, } from '@kbn/security-solution-features/privileges'; +import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; export const getSecurityProductFeaturesConfigurator = (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => { 
@@ -47,4 +48,77 @@ const securityProductFeaturesConfig: Record< [ProductFeatureSecurityKey.endpointExceptions]: { privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions], }, + + [ProductFeatureSecurityKey.endpointArtifactManagement]: { + subFeatureIds: [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + SecuritySubFeatureId.trustedApplications, + SecuritySubFeatureId.blocklist, + SecuritySubFeatureId.eventFilters, + SecuritySubFeatureId.globalArtifactManagement, + ], + + baseFeatureConfigModifier: (baseFeatureConfig) => { + if ( + !['siem', 'siemV2'].includes(baseFeatureConfig.id) || + !baseFeatureConfig.privileges?.all.replacedBy || + !('default' in baseFeatureConfig.privileges.all.replacedBy) + ) { + return baseFeatureConfig; + } + + return { + ...baseFeatureConfig, + privileges: { + ...baseFeatureConfig.privileges, + + all: { + ...baseFeatureConfig.privileges.all, + + // overwriting siem:ALL role migration in siem and siemV2 + replacedBy: { + default: baseFeatureConfig.privileges.all.replacedBy.default.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. 
+ 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + + minimal: baseFeatureConfig.privileges.all.replacedBy.minimal.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'minimal_all', + + // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL + 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + }, + }, + }, + }; + }, + }, }; diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts index caec038374c23..91c8fb966f944 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts @@ -17,6 +17,7 @@ import { ProductFeatureSecurityKey, SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; +import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; import type { ExperimentalFeatures } from '../../common/experimental_features'; export const getSecurityProductFeaturesConfigurator = 
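Review bot: The modifier rewrites the siemV3 entries of `privileges.all.replacedBy` for `siem` and `siemV2` by replacing the whole privilege list with a literal `['minimal_all', 'global_artifact_management_all']`, and no test visible in this diff asserts that output; a unit test for `getSecurityProductFeaturesConfigurator` that feeds a base feature with `id: 'siem'` and a `replacedBy` containing a `SECURITY_FEATURE_ID_V3` entry and checks both `default` and `minimal`, plus one with a non-siem id that must pass through unchanged, would pin the migration that decides who keeps artifact write access after the upgrade. Because the rewrite discards whatever the base entry listed, any sub-feature privilege a future base `replacedBy` adds for siemV3 would be silently dropped here; if that is not intended, build the list from `privilegesPreference.privileges` instead of a literal. The serverless variant in the next hunk duplicates this function except for the `minimal` branch; a shared helper in `@kbn/security-solution-features` taking a flag for which branches to rewrite would keep the two offerings from drifting. The enclosing `securityProductFeaturesConfig` object starts before this hunk.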
@@ -48,4 +49,63 @@ const securityProductFeaturesConfig: Record< [ProductFeatureSecurityKey.endpointExceptions]: { subFeatureIds: [SecuritySubFeatureId.endpointExceptions], }, + + [ProductFeatureSecurityKey.endpointArtifactManagement]: { + subFeatureIds: [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + SecuritySubFeatureId.trustedApplications, + SecuritySubFeatureId.blocklist, + SecuritySubFeatureId.eventFilters, + SecuritySubFeatureId.globalArtifactManagement, + ], + + baseFeatureConfigModifier: (baseFeatureConfig) => { + if ( + !['siem', 'siemV2'].includes(baseFeatureConfig.id) || + !baseFeatureConfig.privileges?.all.replacedBy || + !('default' in baseFeatureConfig.privileges.all.replacedBy) + ) { + return baseFeatureConfig; + } + + return { + ...baseFeatureConfig, + privileges: { + ...baseFeatureConfig.privileges, + + all: { + ...baseFeatureConfig.privileges.all, + + // overwriting siem:ALL role migration in siem and siemV2 + replacedBy: { + ...baseFeatureConfig.privileges.all.replacedBy, + + default: baseFeatureConfig.privileges.all.replacedBy.default.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege. + 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + }, + + // minimal_all is not overwritten, as it does not includes Endpoint Exceptions ALL. + }, + }, + }; + }, + }, }; 
diff --git a/x-pack/solutions/security/test/api_integration/apis/cloud_security_posture/helper.ts b/x-pack/solutions/security/test/api_integration/apis/cloud_security_posture/helper.ts index bcf15ff806fd5..01d948ecc7500 100644 --- a/x-pack/solutions/security/test/api_integration/apis/cloud_security_posture/helper.ts +++ b/x-pack/solutions/security/test/api_integration/apis/cloud_security_posture/helper.ts @@ -10,6 +10,7 @@ import type { Agent as SuperTestAgent } from 'supertest'; import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import { CLOUD_SECURITY_PLUGIN_VERSION } from '@kbn/cloud-security-posture-plugin/common/constants'; import { RoleCredentials, SecurityService } from '@kbn/ftr-common-functional-services'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; export async function createPackagePolicy( supertest: SuperTestAgent, @@ -123,7 +124,7 @@ export const createCSPRole = async ( await security.role.create(roleName, { kibana: [ { - feature: { siemV2: ['read'], fleetv2: ['all'], fleet: ['read'] }, + feature: { [SECURITY_FEATURE_ID]: ['read'], fleetv2: ['all'], fleet: ['read'] }, spaces: ['*'], }, ], diff --git a/x-pack/solutions/security/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts b/x-pack/solutions/security/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts index a04a5e2ab7dd1..4138d5260d538 100644 --- a/x-pack/solutions/security/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts +++ b/x-pack/solutions/security/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts @@ -14,6 +14,7 @@ import { BENCHMARK_SCORE_INDEX_PATTERN, ALERTS_INDEX_PATTERN, } from '@kbn/cloud-security-posture-plugin/common/constants'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import type { FtrProviderContext } from '../../ftr_provider_context'; const alertsSecurityUserIndices = [ 
@@ -89,7 +90,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], @@ -107,7 +108,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], fleet: ['all'], fleetv2: ['all'], }, @@ -140,7 +141,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], diff --git a/x-pack/test/fleet_api_integration/apis/test_users.ts b/x-pack/test/fleet_api_integration/apis/test_users.ts index ac944f0a1e669..2f350c69a57e4 100644 --- a/x-pack/test/fleet_api_integration/apis/test_users.ts +++ b/x-pack/test/fleet_api_integration/apis/test_users.ts @@ -6,6 +6,7 @@ */ import type { SecurityService } from '@kbn/ftr-common-functional-services'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; export const testUsers: { [rollName: string]: { username: string; password: string; permissions?: any }; @@ -179,7 +180,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV2: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'trusted_applications_read', 'host_isolation_exceptions_read', @@ -200,7 +201,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV2: ['minimal_all', 'policy_management_all'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'policy_management_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, 
@@ -214,7 +215,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV2: ['minimal_all', 'policy_management_read'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'policy_management_read'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -228,7 +229,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV2: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -241,7 +242,7 @@ export const testUsers: { endpoint_integr_read_only_fleet_none: { permissions: { feature: { - siemV2: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, diff --git a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts index 4bf5acb6e9cdb..1842c512fcfd5 100644 --- a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts +++ b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts @@ -190,6 +190,7 @@ export default function ({ getService }: FtrProviderContext) { "securitySolutionCases", "securitySolutionCasesV2", "siem", + "siemV2", "visualize", ] `); @@ -217,6 +218,7 @@ export default function ({ getService }: FtrProviderContext) { 'visualize', 'maps', 'siem', + 'siemV2', ]); for (const feature of features) { if ( diff --git a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts index 54e32092d05ed..8e8611db9eb04 100644 --- a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts +++ b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts 
@@ -4,6 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { Role } from '../services/types'; /** @@ -88,7 +89,7 @@ export const secTimelineAllV2: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionTimeline: ['all'], }, spaces: ['*'], @@ -111,7 +112,7 @@ export const secTimelineReadV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionTimeline: ['read'], }, spaces: ['*'], @@ -134,7 +135,7 @@ export const secTimelineNoneV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionTimeline: ['none'], }, spaces: ['*'], @@ -157,7 +158,7 @@ export const secNotesAllV2: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionNotes: ['all'], }, spaces: ['*'], @@ -180,7 +181,7 @@ export const secNotesReadV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionNotes: ['read'], }, spaces: ['*'], @@ -203,7 +204,7 @@ export const secNotesNoneV2: Role = { kibana: [ { feature: { - siemV2: ['none'], + [SECURITY_FEATURE_ID]: ['none'], securitySolutionNotes: ['none'], }, spaces: ['*'], diff --git a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts index 51a9c887a562b..9396689e4c260 100644 --- a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts +++ b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts 
@@ -13,6 +13,7 @@ import { } from '@kbn/security-solution-plugin/scripts/endpoint/common/roles_users'; import { EndpointSecurityTestRolesLoader } from '@kbn/security-solution-plugin/scripts/endpoint/common/role_and_user_loader'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { FtrProviderContext } from '../../ftr_provider_context_edr_workflows'; export const ROLE = ENDPOINT_SECURITY_ROLE_NAMES; @@ -63,8 +64,8 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { if (predefinedRole) { const roleConfig = rolesMapping[predefinedRole]; if (extraPrivileges) { - roleConfig.kibana[0].feature.siemV2 = [ - ...roleConfig.kibana[0].feature.siemV2, + roleConfig.kibana[0].feature[SECURITY_FEATURE_ID] = [ + ...roleConfig.kibana[0].feature[SECURITY_FEATURE_ID], ...extraPrivileges, ]; } @@ -84,7 +85,7 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { spaces: ['*'], base: [], feature: { - siemV2: customRole.extraPrivileges, + [SECURITY_FEATURE_ID]: customRole.extraPrivileges, }, }, ], diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts index 0b7ddd8187155..39da7fbbf1836 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts 
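Review bot: In the `@@ -63,8 +64,8` hunk, `roleConfig` is taken straight out of `rolesMapping` and then mutated in place, so the `extraPrivileges` appended to `feature[SECURITY_FEATURE_ID]` appear to stick to that predefined role for every later call in the same process rather than only for this user; a later test that loads the same predefined role expecting its baseline privilege set would silently inherit the extras, which is the kind of fixture drift that lets an authorization test pass for the wrong reason. The rename does not introduce this, but it is the moment to copy before mutating, e.g. `const roleConfig = { ...rolesMapping[predefinedRole], kibana: rolesMapping[predefinedRole].kibana.map((k) => ({ ...k, feature: { ...k.feature } })) };` ahead of the `if (extraPrivileges)` branch. The spread also assumes the predefined role already has a `SECURITY_FEATURE_ID` entry — `...undefined` inside an array literal throws — so `...(roleConfig.kibana[0].feature[SECURITY_FEATURE_ID] ?? [])` would make that failure explicit instead of a TypeError. I cannot see where `rolesMapping` is defined, so its being shared across calls is inferred from it being referenced rather than built here; the enclosing function continues outside the hunk.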
@@ -7,7 +7,10 @@ import expect from '@kbn/expect'; -import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugin/common/constants'; +import { + DETECTION_ENGINE_QUERY_SIGNALS_URL, + SECURITY_FEATURE_ID, +} from '@kbn/security-solution-plugin/common/constants'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; import { deleteAllAlerts } from '../../../../../../common/utils/security_solution'; @@ -25,7 +28,7 @@ const roleToAccessSecuritySolution = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], }, spaces: ['*'], }, @@ -48,7 +51,7 @@ const roleToAccessSecuritySolutionWithDls = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], }, spaces: ['*'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts new file mode 100644 index 0000000000000..4a207eb099b10 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts 
@@ -0,0 +1,32 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/serverless/config.base.edr_workflows')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ kbnTestServer: {
+ ...functionalConfig.get('kbnTestServer'),
+ serverArgs: [
+ ...functionalConfig.get('kbnTestServer.serverArgs'),
+
+ `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([
+ { product_line: 'ai_soc', product_tier: 'search_ai_lake' },
+ ])}`,
+ ],
+ },
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - search AI lake tier',
+ },
+ };
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts
new file mode 100644
index 0000000000000..6104f56d6a501
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) {
+ describe('Endpoint related user role migrations without Endpoint product line', function () {
+ loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+ });
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts
new file mode 100644
index 0000000000000..fcd2ace39cfa3
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts
@@ -0,0 +1,97 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; +import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; + +export default function ({ getService }: FtrProviderContext) { + const supertest = getService('supertest'); + + const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; + + const ROLE_NAME = 'siem_v3_test_role'; + + const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => + supertest + .put(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .send({ + elasticsearch: { cluster: [], indices: [], run_as: [] }, + kibana: [ + { + base: [], + feature: { + [feature]: privileges, + }, + spaces: ['*'], + }, + ], + }) + .expect(204); + + const getMigratedSiemFeaturesFromRole = async (): Promise => { + const response = await supertest + .get(`/api/security/role/${ROLE_NAME}`) + .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect(200); + + const role = response.body as Role; + expect(role._transform_error).to.have.length( + 0, + `Role migration encountered an error, probably a non-existing privilege is added. 
+ Transform error: ${JSON.stringify(role._transform_error)}` + ); + + // migrating from `siem` adds timeline and notes, but in this test it is irrelevant + return role.kibana[0].feature.siemV3; + }; + + describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => { + afterEach(async () => { + await supertest + .delete(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect([204, 404]); + }); + + for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) { + describe(`from ${deprecatedSiem}`, () => { + const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); + + it(`should keep ${deprecatedSiem}:READ privilege`, async () => { + await putDeprecatedSiemPrivilegesInRole(['read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); + }); + + it(`should keep ${deprecatedSiem}:MINIMAL_READ privilege`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']); + }); + + it(`should keep ${deprecatedSiem}:ALL privilege`, async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['all']); + }); + + it(`should keep ${deprecatedSiem}:MINIMAL_ALL privilege`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); + }); + } + }); +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts new file mode 100644 index 0000000000000..76c55bc7739b7 --- /dev/null 
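Review bot: `getMigratedSiemFeaturesFromRole` returns only `role.kibana[0].feature.siemV3`, so none of the four cases would notice if the migrated role still carried the deprecated `siem`/`siemV2` key next to `siemV3` — a role holding two grants for the same feature would pass every assertion here. Have the helper return the whole `role.kibana[0].feature` map (or take the deprecated id as a parameter) and assert the old key is gone, e.g. `expect(role.kibana[0].feature).not.to.have.property(deprecatedSiem)`, before comparing `siemV3`. Separately, this tier suite only feeds the four top-level privileges; a deprecated role carrying endpoint-artifact sub-privileges (`trusted_applications_all` and friends, which the sibling complete-tier suite shows can trigger `global_artifact_management_all`) is the input most likely to misbehave when the Endpoint product line is absent, and whether that yields a `_transform_error` or a silently dropped privilege is currently unspecified — one test pinning the expected outcome would close that gap. I have not seen the migration code itself, so which outcome is correct has to come from the feature definition rather than from this note.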
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/ess/config.base.edr_workflows.trial')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'EDR Workflows - Role Migration Tests - ESS Env - Trial License',
+ },
+ };
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
new file mode 100644
index 0000000000000..f0686ff6a9d74
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/serverless/config.base.edr_workflows')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - Complete',
+ },
+ };
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
new file mode 100644
index 0000000000000..880f66a3185c8
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
@@ -0,0 +1,13 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) {
+ describe('Endpoint related user role migrations', function () {
+ loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+ });
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts new file mode 100644 index 0000000000000..550e048258e6c --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts 
@@ -0,0 +1,194 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; +import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; + +export default function ({ getService }: FtrProviderContext) { + const supertest = getService('supertest'); + + const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; + + // these artifact privileges are shared between ESS and Serverless, while Endpoint Exceptions privilege exists only on Serverless + const ARTIFACTS = [ + 'trusted_applications', + 'event_filters', + 'blocklist', + 'host_isolation_exceptions', + ]; + + const ROLE_NAME = 'siem_v3_test_role'; + + const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => + supertest + .put(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .send({ + elasticsearch: { cluster: [], indices: [], run_as: [] }, + kibana: [ + { + base: [], + feature: { + [feature]: privileges, + }, + spaces: ['*'], + }, + ], + }) + .expect(204); + + const getMigratedSiemFeaturesFromRole = async (): Promise => { + const response = await supertest + .get(`/api/security/role/${ROLE_NAME}`) + .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect(200); + + const role = response.body as Role; + expect(role._transform_error).to.have.length( + 0, + `Role migration encountered an error, probably a non-existing privilege is added. 
+ Transform error: ${JSON.stringify(role._transform_error)}` + ); + + // migrating from `siem` adds timeline and notes, but in this test it is irrelevant + return role.kibana[0].feature.siemV3; + }; + + describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => { + afterEach(async () => { + await supertest + .delete(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect([204, 404]); + }); + + for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) { + describe(`from ${deprecatedSiem}`, () => { + const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); + + describe(`${deprecatedSiem}:READ`, () => { + it('should keep READ privilege', async () => { + await putDeprecatedSiemPrivilegesInRole(['read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_READ`, () => { + for (const artifact of ARTIFACTS) { + it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_read`, + ]); + }); + } + + // Endpoint Exception privilege only exists on Serverless + it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `endpoint_exceptions_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `endpoint_exceptions_read`, + ]); + }); + + // adding Global Artifact Management to any artifact:WRITE privilege + for (const artifact of ARTIFACTS) { + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + expect(await 
getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_all`, + 'global_artifact_management_all', + ]); + }); + } + + // Endpoint Exception privilege only exists on Serverless + it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_all', + 'global_artifact_management_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:ALL`, () => { + // siem:ALL includes Endpoint Exceptions both on ESS and Serverless + it('should add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + // sub-features toggle enabled to show Global Artifact Management + 'minimal_all', + // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all + 'global_artifact_management_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { + // on ESS, siem:MINIMAL_ALL includes Endpoint Exceptions ALL + describe('@skipInServerless ESS', () => { + it('should add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'global_artifact_management_all', + ]); + }); + }); + + // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege, it can be NONE + describe('@skipInEss on Serverless', () => { + it('@skipInEss should NOT add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); + + for (const artifact of [...ARTIFACTS, 'endpoint_exceptions']) { + it(`should NOT add global_artifact_management:ALL 
to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_read`, + ]); + }); + + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_all`, + 'global_artifact_management_all', + ]); + }); + } + }); + }); + }); + } + }); +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts index 8034d098da1c6..7332e3c3dc148 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts @@ -26,6 +26,7 @@ import type { } from '@kbn/securitysolution-io-ts-list-types'; import { Role } from '@kbn/security-plugin-types-common'; import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { binaryToString } from '../../../detections_response/utils'; import { PolicyTestResourceInfo } from '../../../../../security_solution_endpoint/services/endpoint_policy'; import { createSupertestErrorLogger } from '../../utils'; 
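Review bot: In the `@skipInEss on Serverless` block under `${deprecatedSiem}:MINIMAL_ALL`, the artifact loop sends `['minimal_read', `${artifact}_read`]` and `['minimal_read', `${artifact}_all`]`, so it re-runs the MINIMAL_READ cases and never exercises `minimal_all` combined with an artifact sub-privilege — which is exactly the combination the comment above it says matters on Serverless (Endpoint Exceptions governed by the sub-feature, possibly NONE). Replace `'minimal_read'` with `'minimal_all'` in both `putDeprecatedSiemPrivilegesInRole` calls and in the two expected arrays of that loop; as written, a migration that wrongly granted `global_artifact_management_all` to `minimal_all` + `${artifact}_read` would go unnoticed. The `@skipInEss` tag on the inner `it` is redundant once the enclosing `describe` carries it and can be dropped. This hunk holds the entire file, so nothing continues outside it.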
@@ -62,9 +63,13 @@ export default function ({ getService }: FtrProviderContext) { { name: 'artifactManager' } ); - if (artifactManagerRole.kibana[0].feature.siemV2.includes('global_artifact_management_all')) { - artifactManagerRole.kibana[0].feature.siemV2 = - artifactManagerRole.kibana[0].feature.siemV2.filter( + if ( + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( + 'global_artifact_management_all' + ) + ) { + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID] = + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( (privilege) => privilege !== 'global_artifact_management_all' ); } @@ -75,11 +80,13 @@ export default function ({ getService }: FtrProviderContext) { ); if ( - !globalArtifactManagerRole.kibana[0].feature.siemV2.includes( + !globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( 'global_artifact_management_all' ) ) { - globalArtifactManagerRole.kibana[0].feature.siemV2.push('global_artifact_management_all'); + globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].push( + 'global_artifact_management_all' + ); } const [artifactManagerUser, globalArtifactManagerUser] = await Promise.all([ diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts index 24c5349691e4d..a2aec0bbbe0d4 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts 
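Review bot: Both hunks strip or add `global_artifact_management_all` on `kibana[0]` only; if the loaded `artifactManager` role definition has more than one Kibana privilege entry (the loader call is outside the hunk, so I cannot tell), the privilege could survive in another entry and the negative test for the non-global user would then pass vacuously. Iterating every entry makes the intent explicit and drops the redundant `includes` guard, since `filter` is already a no-op when the privilege is absent: `for (const entry of artifactManagerRole.kibana) { entry.feature[SECURITY_FEATURE_ID] = (entry.feature[SECURITY_FEATURE_ID] ?? []).filter((p) => p !== 'global_artifact_management_all'); }`. The same loop shape, with a per-entry `includes` check before `push`, covers the `globalArtifactManagerRole` branch in the second hunk. The enclosing function starts before and continues after these hunks.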
@@ -6,6 +6,7 @@ */ import expect from '@kbn/expect'; import { ROLES as SERVERLESS_USERNAMES } from '@kbn/security-solution-plugin/common/test'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { assetCriticalityRouteHelpersFactoryNoAuth } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; import { usersAndRolesFactory } from '../../utils/users_and_roles'; @@ -18,7 +19,7 @@ const ROLES = [ kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], }, spaces: ['default'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts index bb02dec475989..36ac273742f29 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts @@ -5,6 +5,7 @@ * 2.0. */ import expect from '@kbn/expect'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { riskEngineRouteHelpersFactoryNoAuth } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; import { usersAndRolesFactory } from '../../utils/users_and_roles'; @@ -16,7 +17,7 @@ const ROLES = [ kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], }, spaces: ['default'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts index 0d04c7b3f4fb0..d1d9e6ce7e314 100644 
--- a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { Role } from './types'; export const noKibanaPrivileges: Role = { @@ -40,7 +41,7 @@ export const securitySolutionOnlyAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -60,7 +61,7 @@ export const securitySolutionOnlyAllSpace2: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -80,7 +81,7 @@ export const securitySolutionOnlyRead: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -100,7 +101,7 @@ export const securitySolutionOnlyReadSpace2: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -123,7 +124,7 @@ export const securitySolutionOnlyAllSpacesAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], 
@@ -148,7 +149,7 @@ export const securitySolutionOnlyAllSpacesAllWithReadESIndices: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -168,7 +169,7 @@ export const securitySolutionOnlyReadSpacesAll: Role = { kibana: [ { feature: { - siemV2: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -188,7 +189,7 @@ export const securitySolutionOnlyAllSpacesAllAssistantMinimalAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['minimal_all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], diff --git a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts index 22cfa186d6531..44ace03e5b28c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts 
@@ -9,6 +9,7 @@ import expect from '@kbn/expect';
 import { LIST_PRIVILEGES_URL } from '@kbn/securitysolution-list-constants';
 import { getReadPrivilegeMock } from '@kbn/lists-plugin/server/routes/list_privileges/read_list_privileges_route.mock';
+import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants';
 import type { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces';
 export default ({ getService }: FtrProviderContextWithSpaces) => {
@@ -38,7 +39,7 @@ export default ({ getService }: FtrProviderContextWithSpaces) => {
 {
 feature: {
 dashboard: ['all'],
- siemV2: ['all', 'read'],
+ [SECURITY_FEATURE_ID]: ['all', 'read'],
 },
 spaces: [space1Id],
 },
diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts
index 1ad23d0d0c014..ac7c492fdce7f 100644
--- a/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts
+++ b/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts
@@ -73,6 +73,29 @@ describe('Capabilities', { tags: '@serverless' }, () => {
 cy.task('deleteServerlessCustomRole', 'siemV2');
 },
 },
+ {
+ name: 'User with siem v3 role',
+ loginAs: 'siemV3',
+ setup: () => {
+ cy.task('createServerlessCustomRole', {
+ roleDescriptor: {
+ elasticsearch: {
+ indices: [{ names: ['*'], privileges: ['all'] }],
+ },
+ kibana: [
+ {
+ feature: { siemV3: ['all'], fleet: ['all'] },
+ spaces: ['*'],
+ },
+ ],
+ },
+ roleName: 'siemV3',
+ });
+ },
+ teardown: () => {
+ cy.task('deleteServerlessCustomRole', 'siemV3');
+ },
+ },
 ];
 // Iterate through each user role
diff --git a/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts b/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
index e55bcdd6381cb..881576bd16a77 100644
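Review bot: The new `siemV3` role in access.cy.ts grants `fleet: ['all']` next to `siemV3: ['all']` (plus `all` on every index), so a passing capabilities check does not show whether the siemV3 privilege on its own yields the expected access. If siemV3 is meant to compose fleet, the explicit grant is redundant and would hide a regression in that composition; if it is genuinely required, a comment on the `feature:` line such as `// fleet is granted explicitly because <reason>` would spare the next reader the question. The sibling siemV2 entry this one mirrors starts outside the hunk (only its teardown is visible), so it may have the same shape. Since this is now the second copy of the same role descriptor, a small helper parameterised by feature id and role name would keep the two entries from drifting.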
--- a/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
+++ b/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
@@ -11,7 +11,7 @@ export const SPACE_SELECTOR_COMBO_BOX = '[data-test-subj="spaceSelectorComboBox"
 export const SECURITY_CATEGORY = '[data-test-subj="featureCategory_securitySolution"]';
 // Sub-privileges
-export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV2"]';
+export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV3"]';
 export const SECURITY_FEATURE_DESCRIPTION = '[aria-describedby="Security description text"]';
 export const CASES_FEATURE =
diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts b/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts
index 8ae129b55b209..4149aee69063f 100644
--- a/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts
+++ b/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts
@@ -62,7 +62,7 @@ export const secAll: Role = {
 kibana: [
 {
 feature: {
- siemV2: ['all'],
+ siemV3: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 securitySolutionAssistant: ['all'],
@@ -100,7 +100,7 @@ export const secReadCasesAll: Role = {
 kibana: [
 {
 feature: {
- siemV2: ['read'],
+ siemV3: ['read'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 securitySolutionAssistant: ['all'],
@@ -137,7 +137,7 @@ export const secAllCasesOnlyReadDelete: Role = {
 kibana: [
 {
 feature: {
- siemV2: ['all'],
+ siemV3: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 securitySolutionAssistant: ['all'],
@@ -174,7 +174,7 @@ export const secAllCasesNoDelete: Role = {
 kibana: [
 {
 feature: {
- siemV2: ['all'],
+ siemV3: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 securitySolutionAssistant: ['all'],
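Review bot: The four privileges.ts hunks (`secAll`, `secReadCasesAll`, `secAllCasesOnlyReadDelete`, `secAllCasesNoDelete`) and the session_view `securitySolutionOnlyReadSpacesAll` role on the following line hardcode `siemV3`, while the roles.ts and read_list_privileges.ts hunks in this same change key the entry as `[SECURITY_FEATURE_ID]` imported from `@kbn/security-solution-plugin/common/constants`. Assuming that constant resolves to `siemV3`, and unless the Cypress bundle cannot import that module, using it here as well would make the next feature-version bump a one-place change and stop these fixtures from silently exercising a stale feature id. The `assign_to_space_flyout.ts` selector cannot take the constant as a key but could be built from it, e.g. `` `[data-test-subj="featureCategory_securitySolution_${SECURITY_FEATURE_ID}"]` ``. Each of these role definitions begins and ends outside its hunk.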
diff --git a/x-pack/test/session_view/basic/tests/index.ts b/x-pack/test/session_view/basic/tests/index.ts
index d471882963566..38d84e8936ed4 100644
--- a/x-pack/test/session_view/basic/tests/index.ts
+++ b/x-pack/test/session_view/basic/tests/index.ts
@@ -57,7 +57,7 @@ export const securitySolutionOnlyReadSpacesAll: Role = {
 kibana: [
 {
 feature: {
- siemV2: ['read'],
+ siemV3: ['read'],
 },
 spaces: ['*'],
 },
diff --git a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts
index 9bbde8eb36fe1..bb7f9d1a336f9 100644
--- a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts
@@ -101,6 +101,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv
 'securitySolutionTimeline',
 'siem',
 'siemV2',
+ 'siemV3',
 'slo',
 'streams',
 'uptime',
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts
index 5691fff8d0381..5d806fcd10a02 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts
@@ -105,6 +105,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex
 'securitySolutionTimeline',
 'siem',
 'siemV2',
+ 'siemV3',
 'slo',
 'streams',
 'uptime',
diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts
index a2ebcf2a2c62b..651bfd429e92d 100644
--- a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts
+++ b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts
@@ -93,6 +93,7 @@ const ALL_SPACE_RESULTS: Space[] = [
 'securitySolutionTimeline',
 'siem',
 'siemV2',
+ 'siemV3',
 'slo',
 'streams',
 'uptime',
diff --git a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts
index dffd646b96e0e..8ea3b8d820ede 100644
--- a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts
+++ b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts
@@ -97,6 +97,7 @@ export default function ({ getService }: FtrProviderContext) {
 searchQueryRules: 0,
 siem: 0,
 siemV2: 0,
+ siemV3: 0,
 securitySolutionCases: 0,
 securitySolutionCasesV2: 0,
 securitySolutionCasesV3: 0,
diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts
index 5a882fabdba9e..2db438f8dc20e 100644
--- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts
+++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts
@@ -30,7 +30,7 @@ export default function ({ getService }: FtrProviderContext) {
 // The following features are composed of other features in a way that is
 // specific to the security solution.
- // The deprecated dashboard and discover features are listed here because
+ // The deprecated features are listed here because
 // they are not explicitly hidden, and we can check them to confirm legacy
 // roles will still function correctly
 const compositeFeatureIds = [
@@ -39,7 +39,9 @@ export default function ({ getService }: FtrProviderContext) {
 'discover',
 'discover_v2',
 'reporting',
+ 'siem',
 'siemV2',
+ 'siemV3',
 ];
 const features = Object.fromEntries(
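Review bot: The reworded comment in authorization.ts now says `// The deprecated features are listed here because ... legacy roles will still function correctly`, but the `compositeFeatureIds` array it introduces gains `'siemV3'`, which is the current security feature rather than a deprecated one, so the stated rationale no longer covers every entry in the list. Suggest separating the two reasons, e.g. `// siemV3 is the current composite security feature; siem and siemV2 are its deprecated` / `// predecessors and are listed because they are not explicitly hidden, so we can confirm` / `// legacy roles built on them still function correctly`. Whether the `'discover'`/`'discover_v2'` entries are the deprecated dashboard and discover features the old wording referred to is not visible in this hunk, so they may deserve a word as well. The enclosing test function begins and ends outside both hunks.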
@@ -229,18 +231,5281 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/close_point_in_time", ], }, + "siem": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siem/writeActionsLogManagement", + "ui:siem/readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siem/readActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:rac", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:timeline_write", + "api:timeline_read", + "api:notes_write", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + 
"saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", 
+ "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + 
"saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + 
"saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + 
"saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + 
"saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-note/create", + "saved_object:siem-ui-timeline-note/bulk_create", + "saved_object:siem-ui-timeline-note/update", + "saved_object:siem-ui-timeline-note/bulk_update", + "saved_object:siem-ui-timeline-note/delete", + "saved_object:siem-ui-timeline-note/bulk_delete", + "saved_object:siem-ui-timeline-note/share_to_space", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/create", + "saved_object:siem-ui-timeline-pinned-event/bulk_create", + "saved_object:siem-ui-timeline-pinned-event/update", + "saved_object:siem-ui-timeline-pinned-event/bulk_update", + "saved_object:siem-ui-timeline-pinned-event/delete", + "saved_object:siem-ui-timeline-pinned-event/bulk_delete", + "saved_object:siem-ui-timeline-pinned-event/share_to_space", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:siem-ui-timeline/create", + "saved_object:siem-ui-timeline/bulk_create", + "saved_object:siem-ui-timeline/update", + "saved_object:siem-ui-timeline/bulk_update", + "saved_object:siem-ui-timeline/delete", + "saved_object:siem-ui-timeline/bulk_delete", + "saved_object:siem-ui-timeline/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + 
"saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/crud", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "ui:siem/showEndpointExceptions", + "ui:siem/crudEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + 
"alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + 
"alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + 
"alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", 
+ "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + 
"alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + 
"alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + 
"alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + 
"alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + 
"alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + 
"saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + 
"saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "api:savedQuery:manage", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "saved_object:query/create", + "saved_object:query/bulk_create", + "saved_object:query/update", + "saved_object:query/bulk_update", + "saved_object:query/delete", + "saved_object:query/bulk_delete", + 
"saved_object:query/share_to_space", + "ui:savedQueryManagement/showQueries", + "ui:savedQueryManagement/saveQuery", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:securitySolutionTimeline/crud", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:securitySolutionNotes/crud", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeBlocklist", + "ui:siem/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siem/readBlocklist", + "ui:siemV3/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "ui:siem/showEndpointExceptions", + "ui:siem/crudEndpointExceptions", + 
"ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "ui:siem/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siem/writeEndpointList", + "ui:siem/readEndpointList", + "ui:siemV3/writeEndpointList", + "ui:siemV3/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + "api:securitySolution-readEndpointList", + "ui:siem/readEndpointList", + "ui:siemV3/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeEventFilters", + "ui:siem/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", + "ui:siemV3/writeGlobalArtifacts", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siem/readEventFilters", + "ui:siemV3/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + 
"ui:siem/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siem/writeFileOperations", + "ui:siemV3/writeFileOperations", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siem/writeHostIsolationRelease", + "ui:siem/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + "ui:siemV3/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/readHostIsolationExceptions", + "ui:siem/deleteHostIsolationExceptions", + "ui:siem/accessHostIsolationExceptions", + "ui:siem/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + 
"api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siem/readHostIsolationExceptions", + "ui:siem/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:rac", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:timeline_write", + "api:timeline_read", + "api:notes_write", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + 
"saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + 
"saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + 
"saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + 
"saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + 
"saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + 
"saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-note/create", + "saved_object:siem-ui-timeline-note/bulk_create", + "saved_object:siem-ui-timeline-note/update", + "saved_object:siem-ui-timeline-note/bulk_update", + "saved_object:siem-ui-timeline-note/delete", + "saved_object:siem-ui-timeline-note/bulk_delete", + "saved_object:siem-ui-timeline-note/share_to_space", + 
"saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/create", + "saved_object:siem-ui-timeline-pinned-event/bulk_create", + "saved_object:siem-ui-timeline-pinned-event/update", + "saved_object:siem-ui-timeline-pinned-event/bulk_update", + "saved_object:siem-ui-timeline-pinned-event/delete", + "saved_object:siem-ui-timeline-pinned-event/bulk_delete", + "saved_object:siem-ui-timeline-pinned-event/share_to_space", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:siem-ui-timeline/create", + "saved_object:siem-ui-timeline/bulk_create", + "saved_object:siem-ui-timeline/update", + "saved_object:siem-ui-timeline/bulk_update", + "saved_object:siem-ui-timeline/delete", + "saved_object:siem-ui-timeline/bulk_delete", + "saved_object:siem-ui-timeline/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + 
"saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/crud", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + 
"alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + 
"alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + 
"alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + 
"alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + 
"alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + 
"alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + 
"alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + 
"saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + 
"saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + 
"saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "api:savedQuery:manage", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "saved_object:query/create", + "saved_object:query/bulk_create", + "saved_object:query/update", + "saved_object:query/bulk_update", + "saved_object:query/delete", + "saved_object:query/bulk_delete", + "saved_object:query/share_to_space", + "ui:savedQueryManagement/showQueries", + "ui:savedQueryManagement/saveQuery", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:securitySolutionTimeline/crud", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:securitySolutionNotes/crud", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + 
"ui:siemV3/threat-intelligence", + ], + "minimal_read": Array [ + "login:", + "api:securitySolution", + "api:lists-read", + "api:rac", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:timeline_read", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + 
"saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + 
"saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + 
"saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + 
"alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + 
"alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + 
"alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + 
"alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + 
"ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + 
"ui:savedQueryManagement/showQueries", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + ], + "policy_management_all": Array [ + "login:", + "api:securitySolution-writePolicyManagement", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "ui:siem/writePolicyManagement", + "ui:siem/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "policy_management_read": Array [ + "login:", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "ui:siem/readPolicyManagement", + 
"ui:siemV3/readPolicyManagement", + ], + "process_operations_all": Array [ + "login:", + "api:securitySolution-writeProcessOperations", + "ui:siem/writeProcessOperations", + "ui:siemV3/writeProcessOperations", + ], + "read": Array [ + "login:", + "api:securitySolution", + "api:lists-read", + "api:rac", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:timeline_read", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + 
"saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + 
"saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + 
"saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "ui:siem/showEndpointExceptions", + 
"alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + 
"alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + 
"alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + 
"alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + 
"saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + 
"ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "ui:savedQueryManagement/showQueries", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siem/writeScanOperations", + "ui:siemV3/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeTrustedApplications", + "ui:siem/readTrustedApplications", + "ui:siemV3/writeTrustedApplications", + "ui:siemV3/readTrustedApplications", + "ui:siemV3/writeGlobalArtifacts", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + 
"api:securitySolution-readTrustedApplications", + "ui:siem/readTrustedApplications", + "ui:siemV3/readTrustedApplications", + ], + }, "siemV2": Object { "actions_log_management_all": Array [ "login:", "api:securitySolution-writeActionsLogManagement", "api:securitySolution-readActionsLogManagement", - "ui:siemV2/writeActionsLogManagement", - "ui:siemV2/readActionsLogManagement", + "ui:siemV2/writeActionsLogManagement", + "ui:siemV2/readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siemV2/readActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + 
"saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", 
+ "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + 
"saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + 
"saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + 
"saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + 
"saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/crud", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "ui:siemV2/showEndpointExceptions", + "ui:siemV2/crudEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + 
"alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + 
"alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + 
"alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + 
"alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + 
"alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + 
"alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + 
"alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + 
"alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + 
"saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + 
"saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_all": Array [ + 
"login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeBlocklist", + "ui:siemV2/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siemV2/readBlocklist", + "ui:siemV3/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "ui:siemV2/showEndpointExceptions", + "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "ui:siemV2/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siemV2/writeEndpointList", + "ui:siemV2/readEndpointList", + "ui:siemV3/writeEndpointList", + "ui:siemV3/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + 
"api:securitySolution-readEndpointList", + "ui:siemV2/readEndpointList", + "ui:siemV3/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeEventFilters", + "ui:siemV2/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", + "ui:siemV3/writeGlobalArtifacts", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siemV2/readEventFilters", + "ui:siemV3/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + "ui:siemV2/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siemV2/writeFileOperations", + "ui:siemV3/writeFileOperations", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siemV2/writeHostIsolationRelease", + "ui:siemV2/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + "ui:siemV3/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", 
+ "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/readHostIsolationExceptions", + "ui:siemV2/deleteHostIsolationExceptions", + "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV2/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siemV2/readHostIsolationExceptions", + "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + 
"api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + 
"saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + 
"saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + 
"saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + 
"saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + 
"saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + 
"saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + 
"saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/crud", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + 
"alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + 
"alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", 
+ "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + 
"alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + 
"alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + 
"alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + 
"alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + 
"saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + 
"saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + 
"saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + ], + "minimal_read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + 
"saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + 
"saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + 
"saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", 
+ "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + 
"alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + 
"alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + 
"api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + 
"ui:siemV3/threat-intelligence", + ], + "policy_management_all": Array [ + "login:", + "api:securitySolution-writePolicyManagement", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "ui:siemV2/writePolicyManagement", + "ui:siemV2/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "policy_management_read": Array [ + "login:", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "ui:siemV2/readPolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "process_operations_all": Array [ + "login:", + "api:securitySolution-writeProcessOperations", + "ui:siemV2/writeProcessOperations", + "ui:siemV3/writeProcessOperations", + ], + "read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + 
"api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + 
"saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + 
"saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "ui:siemV2/showEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + 
"alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + 
"alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + 
"alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", 
+ "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + 
"saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siemV2/writeScanOperations", + "ui:siemV3/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + 
"saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeTrustedApplications", + "ui:siemV2/readTrustedApplications", + "ui:siemV3/writeTrustedApplications", + "ui:siemV3/readTrustedApplications", + "ui:siemV3/writeGlobalArtifacts", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readTrustedApplications", + "ui:siemV2/readTrustedApplications", + "ui:siemV3/readTrustedApplications", + ], + "workflow_insights_all": Array [ + "login:", + "api:securitySolution-writeWorkflowInsights", + "api:securitySolution-readWorkflowInsights", + "ui:siemV2/writeWorkflowInsights", + "ui:siemV2/readWorkflowInsights", + "ui:siemV3/writeWorkflowInsights", + "ui:siemV3/readWorkflowInsights", + ], + "workflow_insights_read": Array [ + "login:", + "api:securitySolution-readWorkflowInsights", + "ui:siemV2/readWorkflowInsights", + "ui:siemV3/readWorkflowInsights", + ], + }, + "siemV3": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", ], "actions_log_management_read": Array [ "login:", "api:securitySolution-readActionsLogManagement", - "ui:siemV2/readActionsLogManagement", + "ui:siemV3/readActionsLogManagement", ], "all": Array [ "login:", 
@@ -531,15 +5796,15 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/crud", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", - "ui:siemV2/showEndpointExceptions", - "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/bulkGet", "alerting:siem.notifications/siem/rule/getRuleState", 
@@ -1030,39 +6295,39 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/writeBlocklist", - "ui:siemV2/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", ], "blocklist_read": Array [ "login:", "api:lists-read", "api:lists-summary", "api:securitySolution-readBlocklist", - "ui:siemV2/readBlocklist", + "ui:siemV3/readBlocklist", ], "endpoint_exceptions_all": Array [ "login:", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", - "ui:siemV2/showEndpointExceptions", - "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", "api:securitySolution-showEndpointExceptions", - "ui:siemV2/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", ], "endpoint_list_all": Array [ "login:", "api:securitySolution-writeEndpointList", "api:securitySolution-readEndpointList", - "ui:siemV2/writeEndpointList", - "ui:siemV2/readEndpointList", + "ui:siemV3/writeEndpointList", + "ui:siemV3/readEndpointList", ], "endpoint_list_read": Array [ "login:", "api:securitySolution-readEndpointList", - "ui:siemV2/readEndpointList", + "ui:siemV3/readEndpointList", ], "event_filters_all": Array [ "login:", 
@@ -1083,32 +6348,37 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/writeEventFilters", - "ui:siemV2/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", ], "event_filters_read": Array [ "login:", "api:lists-read", "api:lists-summary", "api:securitySolution-readEventFilters", - "ui:siemV2/readEventFilters", + "ui:siemV3/readEventFilters", ], "execute_operations_all": Array [ "login:", "api:securitySolution-writeExecuteOperations", - "ui:siemV2/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", ], "file_operations_all": Array [ "login:", "api:securitySolution-writeFileOperations", - "ui:siemV2/writeFileOperations", + "ui:siemV3/writeFileOperations", + ], + "global_artifact_management_all": Array [ + "login:", + "api:securitySolution-writeGlobalArtifacts", + "ui:siemV3/writeGlobalArtifacts", ], "host_isolation_all": Array [ "login:", "api:securitySolution-writeHostIsolationRelease", "api:securitySolution-writeHostIsolation", - "ui:siemV2/writeHostIsolationRelease", - "ui:siemV2/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + "ui:siemV3/writeHostIsolation", ], "host_isolation_exceptions_all": Array [ "login:", 
@@ -1131,10 +6401,10 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/readHostIsolationExceptions", - "ui:siemV2/deleteHostIsolationExceptions", - "ui:siemV2/accessHostIsolationExceptions", - "ui:siemV2/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", ], "host_isolation_exceptions_read": Array [ "login:", @@ -1142,8 +6412,8 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readHostIsolationExceptions", "api:securitySolution-accessHostIsolationExceptions", - "ui:siemV2/readHostIsolationExceptions", - "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", ], "minimal_all": Array [ "login:", @@ -1432,13 +6702,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/crud", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/bulkGet", "alerting:siem.notifications/siem/rule/getRuleState", 
@@ -2048,12 +7318,12 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/bulkGet", "alerting:siem.notifications/siem/rule/getRuleState", @@ -2284,8 +7554,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/delete", "saved_object:policy-settings-protection-updates-note/bulk_delete", "saved_object:policy-settings-protection-updates-note/share_to_space", - "ui:siemV2/writePolicyManagement", - "ui:siemV2/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", ], "policy_management_read": Array [ "login:", @@ -2295,12 +7565,12 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/find", "saved_object:policy-settings-protection-updates-note/open_point_in_time", "saved_object:policy-settings-protection-updates-note/close_point_in_time", - "ui:siemV2/readPolicyManagement", + "ui:siemV3/readPolicyManagement", ], "process_operations_all": Array [ "login:", "api:securitySolution-writeProcessOperations", - "ui:siemV2/writeProcessOperations", + "ui:siemV3/writeProcessOperations", ], "read": Array [ "login:", 
@@ -2441,13 +7711,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", - "ui:siemV2/showEndpointExceptions", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/bulkGet", "alerting:siem.notifications/siem/rule/getRuleState", @@ -2665,7 +7935,7 @@ export default function ({ getService }: FtrProviderContext) { "scan_operations_all": Array [ "login:", "api:securitySolution-writeScanOperations", - "ui:siemV2/writeScanOperations", + "ui:siemV3/writeScanOperations", ], "trusted_applications_all": Array [ "login:", 
@@ -2686,27 +7956,27 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/delete",
 "saved_object:exception-list-agnostic/bulk_delete",
 "saved_object:exception-list-agnostic/share_to_space",
- "ui:siemV2/writeTrustedApplications",
- "ui:siemV2/readTrustedApplications",
+ "ui:siemV3/writeTrustedApplications",
+ "ui:siemV3/readTrustedApplications",
 ],
 "trusted_applications_read": Array [
 "login:",
 "api:lists-read",
 "api:lists-summary",
 "api:securitySolution-readTrustedApplications",
- "ui:siemV2/readTrustedApplications",
+ "ui:siemV3/readTrustedApplications",
 ],
 "workflow_insights_all": Array [
 "login:",
 "api:securitySolution-writeWorkflowInsights",
 "api:securitySolution-readWorkflowInsights",
- "ui:siemV2/writeWorkflowInsights",
- "ui:siemV2/readWorkflowInsights",
+ "ui:siemV3/writeWorkflowInsights",
+ "ui:siemV3/readWorkflowInsights",
 ],
 "workflow_insights_read": Array [
 "login:",
 "api:securitySolution-readWorkflowInsights",
- "ui:siemV2/readWorkflowInsights",
+ "ui:siemV3/readWorkflowInsights",
 ],
 },
 }
diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
index 6c56742b315fa..33115bc70a192 100644
--- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
+++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml
@@ -1,5 +1,5 @@
 # -----
-# Source: https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml
+# Source: https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.yaml
 # modeled after the t1_analyst minus osquery run saved queries privilege
 viewer:
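Review bot: The updated Source comment in the `@@ -1,5 +1,5 @@` hunk points at `blob/main/...`, a moving reference, so a reader cannot tell which upstream revision this local copy of the role definitions was synced from. Because these definitions decide what each serverless role is allowed to do, the comment should pin the upstream commit the copy was taken from, e.g. `# Source: https://github.com/elastic/elasticsearch-controller/blob/<UPSTREAM_COMMIT_SHA>/internal/config/roles/security.yaml`, optionally with the sync date beside it. The test-snapshot hunk earlier on this line raises nothing.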
@@ -44,9 +44,9 @@ viewer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -120,19 +120,20 @@ editor:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.policy_management_read # Elastic Defend Policy Management
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response actions history
- - feature_siemV2.file_operations_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response actions history
+ - feature_siemV3.file_operations_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
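Review bot: In the `editor` hunk, `feature_siemV3.global_artifact_management_all` is the only entry that is not a siemV2→siemV3 rename (the hunk grows from 19 to 20 lines), yet it has no explanatory comment while `policy_management_read` and `actions_log_management_all` beside it do. The siemV2 snapshot earlier in this diff folds `ui:siemV3/writeGlobalArtifacts` into `trusted_applications_all`, whereas siemV3 exposes it as its own sub-feature, so this explicit grant appears to be what keeps editor at parity with its previous capability and is easy to lose in a future sync with upstream. Suggest `- feature_siemV3.global_artifact_management_all # Global artifact write; a separate sub-feature in siemV3, formerly implied by the *_all artifact privileges`. The same undocumented addition appears for t3_analyst, threat_intelligence_analyst, rule_author, soc_manager, detections_admin, platform_engineer and endpoint_operations_analyst in the later hunks of this file.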
@@ -187,9 +188,9 @@ t1_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -247,9 +248,9 @@ t2_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.read
- - feature_siemV2.read_alerts
- - feature_siemV2.endpoint_list_read
+ - feature_siemV3.read
+ - feature_siemV3.read_alerts
+ - feature_siemV3.endpoint_list_read
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -312,21 +313,22 @@ t3_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.policy_management_read # Elastic Defend Policy Management
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response actions history
- - feature_siemV2.file_operations_all
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response actions history
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -387,9 +389,10 @@ threat_intelligence_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.endpoint_list_read
- - feature_siemV2.blocklist_all
+ - feature_siemV3.all
+ - feature_siemV3.endpoint_list_read
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.blocklist_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -456,17 +459,18 @@ rule_author:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_read
- - feature_siemV2.blocklist_all # Elastic Defend Policy Management
- - feature_siemV2.actions_log_management_read
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_read
+ - feature_siemV3.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV3.actions_log_management_read
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
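Review bot: In the `rule_author` hunk the trailing comment `# Elastic Defend Policy Management` is attached to `feature_siemV3.blocklist_all`, while in the editor and t3_analyst hunks the same comment annotates `policy_management_read`; on a blocklist privilege it mislabels what is being granted, which matters in a file whose comments are the only documentation of intent per role. `feature_siemV3.policy_management_all` sits five entries higher in the same list, so either move the comment there (`- feature_siemV3.policy_management_all # Elastic Defend Policy Management`) or drop it. The platform_engineer hunk later in this file carries the identical misplaced comment.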
@@ -534,22 +538,23 @@ soc_manager:
 privileges:
 - feature_ml.read
 - feature_generalCases.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all
- - feature_siemV2.file_operations_all
- - feature_siemV2.execute_operations_all
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.execute_operations_all
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_observabilityCases.all
 - feature_securitySolutionAssistant.all
@@ -616,9 +621,10 @@ detections_admin:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.global_artifact_management_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
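Review bot: In the `detections_admin` hunk, `feature_siemV3.global_artifact_management_all` is granted to a role that holds no artifact sub-privilege at all (no trusted_applications, event_filters, blocklist or host_isolation_exceptions `*_all`), unlike every other role in this file that receives it. The siemV3 snapshot earlier in this diff shows that sub-feature contributing only `api:securitySolution-writeGlobalArtifacts` and `ui:siemV3/writeGlobalArtifacts`, so on its own it is either inert here or relies on something `all` provides — the diff does not show which. Least privilege argues for dropping it unless detections_admin needs it, in which case an inline comment stating the reason, e.g. `- feature_siemV3.global_artifact_management_all # required for: <REASON>`, would keep the next upstream sync from silently reverting it.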
@@ -675,17 +681,18 @@ platform_engineer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all # Elastic Defend Policy Management
- - feature_siemV2.actions_log_management_read
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV3.actions_log_management_read
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -752,21 +759,22 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all
- - feature_siemV2.host_isolation_all
- - feature_siemV2.process_operations_all
- - feature_siemV2.actions_log_management_all # Response History
- - feature_siemV2.file_operations_all
- - feature_siemV2.execute_operations_all # Execute
- - feature_siemV2.scan_operations_all
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all
+ - feature_siemV3.host_isolation_all
+ - feature_siemV3.process_operations_all
+ - feature_siemV3.actions_log_management_all # Response History
+ - feature_siemV3.file_operations_all
+ - feature_siemV3.execute_operations_all # Execute
+ - feature_siemV3.scan_operations_all
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -833,16 +841,17 @@ endpoint_policy_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV2.all
- - feature_siemV2.read_alerts
- - feature_siemV2.crud_alerts
- - feature_siemV2.policy_management_all
- - feature_siemV2.endpoint_list_all
- - feature_siemV2.trusted_applications_all
- - feature_siemV2.event_filters_all
- - feature_siemV2.host_isolation_exceptions_all
- - feature_siemV2.blocklist_all # Elastic Defend Policy Management
- - feature_siemV2.workflow_insights_all
+ - feature_siemV3.all
+ - feature_siemV3.read_alerts
+ - feature_siemV3.crud_alerts
+ - feature_siemV3.policy_management_all
+ - feature_siemV3.endpoint_list_all
+ - feature_siemV3.global_artifact_management_all
+ - feature_siemV3.trusted_applications_all
+ - feature_siemV3.event_filters_all
+ - feature_siemV3.host_isolation_exceptions_all
+ - feature_siemV3.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV3.workflow_insights_all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -860,4 +869,4 @@ endpoint_policy_manager:
 - feature_maps_v2.all
 - feature_visualize_v2.all
 - feature_savedQueryManagement.all
- resources: '*'
\ No newline at end of file
+ resources: '*'