From df14a42edf938eb3eabb56eb8b9698ee1a1fde4c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Tue, 29 Apr 2025 16:16:46 +0200
Subject: [PATCH 01/52] switch from `siemV2` to `siemV3`
---
.../serverless_resources/security_roles.json | 14 +-
.../plugins/shared/fleet/common/authz.ts | 10 +-
.../shared/fleet/common/constants/authz.ts | 2 +-
.../packages/features/product_features.ts | 2 +-
.../packages/features/src/constants.ts | 2 +
.../packages/features/src/security/index.ts | 16 +
.../security/v1_features/kibana_features.ts | 20 +-
.../v1_features/kibana_sub_features.ts | 44 +-
.../security/v2_features/kibana_features.ts | 46 +
.../v2_features/kibana_sub_features.ts | 44 +-
.../security/v3_features/kibana_features.ts | 115 +++
.../v3_features/kibana_sub_features.ts | 839 ++++++++++++++++++
.../security_solution/common/constants.ts | 2 +-
.../security_solution/public/helper_hooks.tsx | 3 +-
.../public/helpers_access.ts | 1 -
.../artifact_tabs_in_policy_details.cy.ts | 2 +-
.../endpoints_rbac_mocked_data.cy.ts | 4 +-
.../view/ingest_manager_integration/mocks.tsx | 2 +-
.../product_features_service.ts | 16 +
19 files changed, 1135 insertions(+), 49 deletions(-)
create mode 100644 x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
create mode 100644 x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
index f17ddb48672ea..c305c7867a1d7 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
@@ -32,7 +32,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["read"], @@ -81,7 +81,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["read"], @@ -140,7 +140,7 @@ { "feature": { "ml": ["read"], - "siemV2": [ + "siemV3": [ "all", "read_alerts", "crud_alerts", @@ -215,7 +215,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -270,7 +270,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -320,7 +320,7 @@ { "feature": { "ml": ["all"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -377,7 +377,7 @@ { "feature": { "ml": ["all"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], diff --git a/x-pack/platform/plugins/shared/fleet/common/authz.ts b/x-pack/platform/plugins/shared/fleet/common/authz.ts index e04a1fe215c2d..52a0c79870d15 100644 --- a/x-pack/platform/plugins/shared/fleet/common/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/authz.ts 
@@ -8,6 +8,7 @@ import type { Capabilities } from '@kbn/core-capabilities-common'; import { TRANSFORM_PLUGIN_ID } from './constants/plugin'; +import { SECURITY_SOLUTION_APP_ID } from './constants/authz'; import { ENDPOINT_EXCEPTIONS_PRIVILEGES, ENDPOINT_PRIVILEGES } from './constants'; @@ -180,7 +181,9 @@ export function calculatePackagePrivilegesFromCapabilities( (acc, [privilege, { privilegeName }]) => { acc[privilege] = { executePackageAction: - (capabilities.siemV2 && (capabilities.siemV2[privilegeName] as boolean)) || false, + (capabilities[SECURITY_SOLUTION_APP_ID] && + (capabilities[SECURITY_SOLUTION_APP_ID][privilegeName] as boolean)) || + false, }; return acc; }, @@ -210,14 +213,15 @@ export function calculatePackagePrivilegesFromCapabilities( export function calculateEndpointExceptionsPrivilegesFromCapabilities( capabilities: Capabilities | undefined ): FleetAuthz['endpointExceptionsPrivileges'] { - if (!capabilities || !capabilities.siemV2) { + if (!capabilities || !capabilities[SECURITY_SOLUTION_APP_ID]) { return; } const endpointExceptionsActions = Object.keys(ENDPOINT_EXCEPTIONS_PRIVILEGES).reduce< Record >((acc, privilegeName) => { - acc[privilegeName] = (capabilities.siemV2[privilegeName] as boolean) || false; + acc[privilegeName] = + (capabilities[SECURITY_SOLUTION_APP_ID][privilegeName] as boolean) || false; return acc; }, {}); diff --git a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts index 4363f45acf9d8..290b86bf8edee 100644 --- a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts @@ -8,7 +8,7 @@ import { deepFreeze } from '@kbn/std'; import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; -const SECURITY_SOLUTION_APP_ID = 'siemV2'; +export const SECURITY_SOLUTION_APP_ID = 'siemV3'; export interface PrivilegeMapObject { appId: string; 
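Review bot: The rewritten lookup in `calculatePackagePrivilegesFromCapabilities` still coerces the capability with `as boolean`, which only silences the compiler: if the capabilities map ever carries a non-boolean truthy value under `capabilities[SECURITY_SOLUTION_APP_ID][privilegeName]` (the cast suggests the type allows one), that value is stored as a granted `executePackageAction`. An explicit comparison keeps the result a real boolean and fails closed: `executePackageAction: capabilities[SECURITY_SOLUTION_APP_ID]?.[privilegeName] === true,`. The same cast is carried into the `calculateEndpointExceptionsPrivilegesFromCapabilities` hunk that follows, where it would read `acc[privilegeName] = capabilities[SECURITY_SOLUTION_APP_ID][privilegeName] === true;`. Both function bodies continue outside their hunks.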
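Review bot: The now-exported `SECURITY_SOLUTION_APP_ID = 'siemV3'` in `constants/authz.ts` repeats the literal that this patch also defines as `SECURITY_FEATURE_ID_V3` in the security features package, and nothing ties the two together. Because the Fleet lookups in `common/authz.ts` resolve to `false` or `undefined` when the key is missing, a later feature-id bump that misses this constant would silently remove every endpoint privilege instead of failing loudly. I would add a comment above the export, for example `// Must stay equal to SECURITY_FEATURE_ID_V3 in the security features package; Fleet reads endpoint capabilities under this key.` The name also reads as an application id while the value is a feature id, which may be worth a follow-up rename.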
diff --git a/x-pack/solutions/security/packages/features/product_features.ts b/x-pack/solutions/security/packages/features/product_features.ts index 683e43335a34b..1649458e866d1 100644 --- a/x-pack/solutions/security/packages/features/product_features.ts +++ b/x-pack/solutions/security/packages/features/product_features.ts @@ -6,7 +6,7 @@ */ export { getCasesFeature, getCasesV2Feature, getCasesV3Feature } from './src/cases'; -export { getSecurityFeature, getSecurityV2Feature } from './src/security'; +export { getSecurityFeature, getSecurityV2Feature, getSecurityV3Feature } from './src/security'; export { getAssistantFeature } from './src/assistant'; export { getAttackDiscoveryFeature } from './src/attack_discovery'; export { getTimelineFeature } from './src/timeline'; diff --git a/x-pack/solutions/security/packages/features/src/constants.ts b/x-pack/solutions/security/packages/features/src/constants.ts index 3b033b0685abb..059e3f3162200 100644 --- a/x-pack/solutions/security/packages/features/src/constants.ts +++ b/x-pack/solutions/security/packages/features/src/constants.ts @@ -11,6 +11,8 @@ export const SERVER_APP_ID = 'siem' as const; // New version created in 8.18. It was previously `SERVER_APP_ID`. export const SECURITY_FEATURE_ID_V2 = 'siemV2' as const; +// New version for 9.1. +export const SECURITY_FEATURE_ID_V3 = 'siemV3' as const; /** * @deprecated deprecated in 8.17. Use CASE_FEATURE_ID_V2 instead diff --git a/x-pack/solutions/security/packages/features/src/security/index.ts b/x-pack/solutions/security/packages/features/src/security/index.ts index 910710a4b9f28..ccad3cc1f9334 100644 --- a/x-pack/solutions/security/packages/features/src/security/index.ts +++ b/x-pack/solutions/security/packages/features/src/security/index.ts 
@@ -17,6 +17,11 @@ import { getSecurityV2BaseKibanaSubFeatureIds, } from './v2_features/kibana_sub_features'; import type { SecurityFeatureParams } from './types'; +import { getSecurityV3BaseKibanaFeature } from './v3_features/kibana_features'; +import { + getSecurityV3BaseKibanaSubFeatureIds, + getSecurityV3SubFeaturesMap, +} from './v3_features/kibana_sub_features'; /** * @deprecated Use getSecurityV2Feature instead @@ -29,6 +34,9 @@ export const getSecurityFeature = ( subFeaturesMap: getSecuritySubFeaturesMap(params), }); +/** + * @deprecated Use getSecurityV3Feature instead + */ export const getSecurityV2Feature = ( params: SecurityFeatureParams ): ProductFeatureParams => ({ @@ -36,3 +44,11 @@ export const getSecurityV2Feature = ( baseKibanaSubFeatureIds: getSecurityV2BaseKibanaSubFeatureIds(params), subFeaturesMap: getSecurityV2SubFeaturesMap(params), }); + +export const getSecurityV3Feature = ( + params: SecurityFeatureParams +): ProductFeatureParams => ({ + baseKibanaFeature: getSecurityV3BaseKibanaFeature(params), + baseKibanaSubFeatureIds: getSecurityV3BaseKibanaSubFeatureIds(params), + subFeaturesMap: getSecurityV3SubFeaturesMap(params), +}); diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index f4cbe0bdf1b4f..b4ae435863071 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -24,7 +24,7 @@ import { SERVER_APP_ID, LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, - SECURITY_FEATURE_ID_V2, + SECURITY_FEATURE_ID_V3, TIMELINE_FEATURE_ID, NOTES_FEATURE_ID, } from '../../constants'; 
@@ -55,10 +55,10 @@ export const getSecurityBaseKibanaFeature = ({ notice: i18n.translate( 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage', { - defaultMessage: 'The {currentId} permissions are deprecated, please see {idV2}.', + defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', values: { currentId: SERVER_APP_ID, - idV2: SECURITY_FEATURE_ID_V2, + latestId: SECURITY_FEATURE_ID_V3, }, } ), @@ -93,12 +93,15 @@ export const getSecurityBaseKibanaFeature = ({ default: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { feature: SECURITY_FEATURE_ID_V2, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { feature: SECURITY_FEATURE_ID_V2, privileges: ['minimal_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['minimal_all'], + }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], @@ -141,12 +144,15 @@ export const getSecurityBaseKibanaFeature = ({ default: [ { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { feature: SECURITY_FEATURE_ID_V2, privileges: ['read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { feature: SECURITY_FEATURE_ID_V2, privileges: ['minimal_read'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['minimal_read'], + }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index b72220e2a57d8..43c76e5d0f805 100644 
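Review bot: In the deprecation notice of `getSecurityBaseKibanaFeature`, the placeholder is renamed from `{idV2}` to `{latestId}` while the message id `securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage` stays the same. Any existing translation stored under that id would still reference `{idV2}` and no longer receive a value, so the localized notice would render without the replacement feature name. Either keep the placeholder name and change only the value (`idV2: SECURITY_FEATURE_ID_V3`), or introduce a new message id for the reworded text; the same id is reused for the `siemV2` notice added in `v2_features/kibana_features.ts`, so one decision covers both places. The function body continues outside the hunk.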
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -14,7 +14,7 @@ import { } from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; -import { APP_ID, SECURITY_FEATURE_ID_V2 } from '../../constants'; +import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; import type { SecurityFeatureParams } from '../types'; const endpointListSubFeature = (): SubFeatureConfig => ({ @@ -43,7 +43,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_list_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_all'] }], api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`], id: 'endpoint_list_all', includeIn: 'none', @@ -55,7 +55,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ ui: ['writeEndpointList', 'readEndpointList'], }, { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_list_read'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_read'] }], api: [`${APP_ID}-readEndpointList`], id: 'endpoint_list_read', includeIn: 'none', @@ -98,7 +98,7 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['trusted_applications_all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_all'] }, ], api: [ 'lists-all', 
@@ -118,7 +118,7 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ }, { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['trusted_applications_read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_read'] }, ], api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`], id: 'trusted_applications_read', @@ -161,7 +161,7 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_exceptions_all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_all'] }, ], api: [ 'lists-all', @@ -181,7 +181,7 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ }, { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_exceptions_read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_read'] }, ], api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`], id: 'host_isolation_exceptions_read', @@ -220,7 +220,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['blocklist_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_all'] }], api: [ 'lists-all', 'lists-read', @@ -238,7 +238,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ ui: ['writeBlocklist', 'readBlocklist'], }, { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['blocklist_read'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_read'] }], api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`], id: 'blocklist_read', includeIn: 'none', 
@@ -279,7 +279,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['event_filters_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_all'] }], api: [ 'lists-all', 'lists-read', @@ -297,7 +297,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ ui: ['writeEventFilters', 'readEventFilters'], }, { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['event_filters_read'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_read'] }], api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`], id: 'event_filters_read', includeIn: 'none', @@ -338,7 +338,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['policy_management_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_all'] }], api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`], id: 'policy_management_all', includeIn: 'none', @@ -350,7 +350,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({ ui: ['writePolicyManagement', 'readPolicyManagement'], }, { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['policy_management_read'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_read'] }], api: [`${APP_ID}-readPolicyManagement`], id: 'policy_management_read', includeIn: 'none', 
@@ -392,7 +392,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['actions_log_management_all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_all'] }, ], api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`], id: 'actions_log_management_all', @@ -406,7 +406,7 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ }, { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['actions_log_management_read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_read'] }, ], api: [`${APP_ID}-readActionsLogManagement`], id: 'actions_log_management_read', @@ -445,7 +445,7 @@ const hostIsolationSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['host_isolation_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_all'] }], api: [`${APP_ID}-writeHostIsolationRelease`], id: 'host_isolation_all', includeIn: 'none', @@ -486,7 +486,7 @@ const processOperationsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['process_operations_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['process_operations_all'] }], api: [`${APP_ID}-writeProcessOperations`], id: 'process_operations_all', includeIn: 'none', @@ -526,7 +526,7 @@ const fileOperationsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['file_operations_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['file_operations_all'] }], api: [`${APP_ID}-writeFileOperations`], id: 'file_operations_all', includeIn: 'none', 
@@ -569,7 +569,7 @@ const executeActionSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['execute_operations_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['execute_operations_all'] }], api: [`${APP_ID}-writeExecuteOperations`], id: 'execute_operations_all', includeIn: 'none', @@ -611,7 +611,7 @@ const scanActionSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V2, privileges: ['scan_operations_all'] }], + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['scan_operations_all'] }], api: [`${APP_ID}-writeScanOperations`], id: 'scan_operations_all', @@ -654,7 +654,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_exceptions_all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_all'] }, ], id: 'endpoint_exceptions_all', includeIn: 'all', @@ -667,7 +667,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ }, { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V2, privileges: ['endpoint_exceptions_read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_read'] }, ], id: 'endpoint_exceptions_read', includeIn: 'read', diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 0bfc3f7e79920..344df71e86eb4 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts 
@@ -25,6 +25,9 @@ import { LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, SERVER_APP_ID, + SECURITY_FEATURE_ID_V3, + TIMELINE_FEATURE_ID, + NOTES_FEATURE_ID, } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import type { BaseKibanaFeatureConfig } from '../../types'; @@ -49,6 +52,19 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV2BaseKibanaFeature = ({ savedObjects, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + deprecated: { + notice: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage', + { + defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', + values: { + currentId: SECURITY_FEATURE_ID_V2, + latestId: SECURITY_FEATURE_ID_V3, + }, + } + ), + }, + id: SECURITY_FEATURE_ID_V2, name: i18n.translate( 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', @@ -74,6 +90,21 @@ export const getSecurityV2BaseKibanaFeature = ({ ), privileges: { all: { + replacedBy: { + default: [ + { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, + { feature: NOTES_FEATURE_ID, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + ], + minimal: [ + { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, + { feature: NOTES_FEATURE_ID, privileges: ['all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['minimal_all'], + }, + ], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], 
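Review bot: The `replacedBy` added to the deprecated `siemV2` `all` privilege maps it to `TIMELINE_FEATURE_ID` and `NOTES_FEATURE_ID` with `['all']` in addition to `SECURITY_FEATURE_ID_V3`, which looks copied from the v1 (`siem`) feature. The visible `siemV2` privilege body does not reference timeline or notes, and both constants are only imported into this file by this patch, so a role holding `siemV2: all` without timeline or notes access would presumably gain them once the replacement is applied. Unless `siemV2` is meant to imply those features, I would map only to the new id: `default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }],` and `minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] }],`. The `read` hunk that follows has the same shape and needs the same change with `['read']` and `['minimal_read']`. Both privilege objects continue outside their hunks.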
@@ -91,6 +122,21 @@ export const getSecurityV2BaseKibanaFeature = ({ ui: ['show', 'crud'], }, read: { + replacedBy: { + default: [ + { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, + { feature: NOTES_FEATURE_ID, privileges: ['read'] }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }, + ], + minimal: [ + { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, + { feature: NOTES_FEATURE_ID, privileges: ['read'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['minimal_read'], + }, + ], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-read'], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index f7d84abb5a830..d4d1527426704 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -14,7 +14,7 @@ import { } from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; -import { APP_ID } from '../../constants'; +import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; import type { SecurityFeatureParams } from '../types'; const TRANSLATIONS = Object.freeze({ @@ -58,6 +58,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_all'] }], api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`], id: 'endpoint_list_all', includeIn: 'none', 
@@ -69,6 +70,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ ui: ['writeEndpointList', 'readEndpointList'], }, { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_list_read'] }], api: [`${APP_ID}-readEndpointList`], id: 'endpoint_list_read', includeIn: 'none', @@ -110,6 +112,9 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_all'] }, + ], api: [ 'lists-all', 'lists-read', @@ -127,6 +132,9 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ ui: ['writeTrustedApplications', 'readTrustedApplications'], }, { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_read'] }, + ], api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`], id: 'trusted_applications_read', includeIn: 'none', @@ -167,6 +175,9 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_all'] }, + ], api: [ 'lists-all', 'lists-read', @@ -184,6 +195,9 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ ui: ['readHostIsolationExceptions', 'deleteHostIsolationExceptions'], }, { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_read'] }, + ], api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`], id: 'host_isolation_exceptions_read', includeIn: 'none', @@ -221,6 +235,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_all'] }], api: [ 'lists-all', 'lists-read', 
@@ -238,6 +253,7 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ ui: ['writeBlocklist', 'readBlocklist'], }, { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_read'] }], api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`], id: 'blocklist_read', includeIn: 'none', @@ -278,6 +294,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_all'] }], api: [ 'lists-all', 'lists-read', @@ -295,6 +312,7 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ ui: ['writeEventFilters', 'readEventFilters'], }, { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_read'] }], api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`], id: 'event_filters_read', includeIn: 'none', @@ -335,6 +353,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_all'] }], api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`], id: 'policy_management_all', includeIn: 'none', @@ -346,6 +365,7 @@ const policyManagementSubFeature = (): SubFeatureConfig => ({ ui: ['writePolicyManagement', 'readPolicyManagement'], }, { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['policy_management_read'] }], api: [`${APP_ID}-readPolicyManagement`], id: 'policy_management_read', includeIn: 'none', @@ -386,6 +406,9 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_all'] }, + ], api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`], id: 'actions_log_management_all', includeIn: 'none', 
@@ -397,6 +420,9 @@ const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ ui: ['writeActionsLogManagement', 'readActionsLogManagement'], }, { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['actions_log_management_read'] }, + ], api: [`${APP_ID}-readActionsLogManagement`], id: 'actions_log_management_read', includeIn: 'none', @@ -434,6 +460,7 @@ const hostIsolationSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_all'] }], api: [`${APP_ID}-writeHostIsolationRelease`], id: 'host_isolation_all', includeIn: 'none', @@ -474,6 +501,7 @@ const processOperationsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['process_operations_all'] }], api: [`${APP_ID}-writeProcessOperations`], id: 'process_operations_all', includeIn: 'none', @@ -513,6 +541,7 @@ const fileOperationsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['file_operations_all'] }], api: [`${APP_ID}-writeFileOperations`], id: 'file_operations_all', includeIn: 'none', @@ -555,6 +584,7 @@ const executeActionSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['execute_operations_all'] }], api: [`${APP_ID}-writeExecuteOperations`], id: 'execute_operations_all', includeIn: 'none', @@ -596,6 +626,7 @@ const scanActionSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['scan_operations_all'] }], api: [`${APP_ID}-writeScanOperations`], id: 'scan_operations_all', includeIn: 'none', 
@@ -637,6 +668,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['workflow_insights_all'] }], api: [`${APP_ID}-writeWorkflowInsights`, `${APP_ID}-readWorkflowInsights`], id: 'workflow_insights_all', includeIn: 'none', @@ -648,6 +680,7 @@ const workflowInsightsSubFeature = (): SubFeatureConfig => ({ ui: ['writeWorkflowInsights', 'readWorkflowInsights'], }, { + replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['workflow_insights_read'] }], api: [`${APP_ID}-readWorkflowInsights`], id: 'workflow_insights_read', includeIn: 'none', @@ -688,6 +721,9 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_all'] }, + ], id: 'endpoint_exceptions_all', includeIn: 'all', name: TRANSLATIONS.all, @@ -698,6 +734,9 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, }, { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_read'] }, + ], id: 'endpoint_exceptions_read', includeIn: 'read', name: TRANSLATIONS.read, @@ -735,6 +774,9 @@ const globalArtifactManagementSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { + replacedBy: [ + { feature: SECURITY_FEATURE_ID_V3, privileges: ['global_artifact_management_all'] }, + ], api: [`${APP_ID}-writeGlobalArtifacts`], id: 'global_artifact_management_all', includeIn: 'none', diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts new file mode 100644 index 0000000000000..0a6041919ae53 --- /dev/null 
+++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts 
@@ -0,0 +1,115 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import { KibanaFeatureScope } from '@kbn/features-plugin/common'; + +import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; +import { + EQL_RULE_TYPE_ID, + ESQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, +} from '@kbn/securitysolution-rules'; +import { + APP_ID, + SECURITY_FEATURE_ID_V3, + LEGACY_NOTIFICATIONS_ID, + CLOUD_POSTURE_APP_ID, + SERVER_APP_ID, +} from '../../constants'; +import type { SecurityFeatureParams } from '../types'; +import type { BaseKibanaFeatureConfig } from '../../types'; + +const SECURITY_RULE_TYPES = [ + LEGACY_NOTIFICATIONS_ID, + ESQL_RULE_TYPE_ID, + EQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, +]; + +const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ + ruleTypeId, + consumers: [SERVER_APP_ID], +})); + +export const getSecurityV3BaseKibanaFeature = ({ + savedObjects, +}: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + id: SECURITY_FEATURE_ID_V3, + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', + { + defaultMessage: 'Security', + } + ), + order: 1100, + category: DEFAULT_APP_CATEGORIES.security, + scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security], + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + management: { + insightsAndAlerting: ['triggersActions'], + }, + alerting: alertingFeatures, + description: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.securityGroupDescription', + { + defaultMessage: + "Each sub-feature privilege in this group must be assigned individually. Global assignment is only supported if your pricing plan doesn't allow individual feature privileges.", + } + ), + privileges: { + all: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], + savedObject: { + all: ['alert', ...savedObjects], + read: [], + }, + alerting: { + rule: { all: alertingFeatures }, + alert: { all: alertingFeatures }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show', 'crud'], + }, + read: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-read'], + savedObject: { + all: [], + read: [...savedObjects], + }, + alerting: { + rule: { + read: alertingFeatures, + }, + alert: { + all: alertingFeatures, + }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show'], + }, + }, +}); diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts new file mode 100644 index 0000000000000..9764b8b78f90e --- /dev/null +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
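Review bot: In the `read` privilege of `getSecurityV3BaseKibanaFeature`, rules are granted as `rule: { read: alertingFeatures }` but alerts as `alert: { all: alertingFeatures }`, so a read-only Security role receives write-level alerting access to alerts for every rule type in `SECURITY_RULE_TYPES`. If this is carried over on purpose from the earlier feature versions (not visible in this hunk), the new file should say so and name what actually restricts alert writes, for example `// read intentionally keeps alert: all; alert updates are gated by <CONTROL - placeholder>`. Otherwise it should be `alert: { read: alertingFeatures }`. Roles are being migrated onto this new feature id, which makes this the cheapest point to either tighten or document the grant.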
@@ -0,0 +1,839 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import type { SubFeatureConfig } from '@kbn/features-plugin/common'; +import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; + +import { SecuritySubFeatureId } from '../../product_features_keys'; +import { APP_ID } from '../../constants'; +import type { SecurityFeatureParams } from '../types'; + +const TRANSLATIONS = Object.freeze({ + all: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.allPrivilegeName', + { + defaultMessage: 'All', + } + ), + read: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.readPrivilegeName', + { + defaultMessage: 'Read', + } + ), +}); + +const endpointListSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Endpoint List access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList', + { + defaultMessage: 'Endpoint List', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointList.description', + { + defaultMessage: + 'Displays all hosts running Elastic Defend and their relevant integration details.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeEndpointList`, `${APP_ID}-readEndpointList`], + id: 'endpoint_list_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeEndpointList', 'readEndpointList'], 
+ }, + { + api: [`${APP_ID}-readEndpointList`], + id: 'endpoint_list_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readEndpointList'], + }, + ], + }, + ], +}); + +const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Trusted Applications access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications', + { + defaultMessage: 'Trusted Applications', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.description', + { + defaultMessage: + 'Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeTrustedApplications`, + `${APP_ID}-readTrustedApplications`, + ], + id: 'trusted_applications_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeTrustedApplications', 'readTrustedApplications'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readTrustedApplications`], + id: 'trusted_applications_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readTrustedApplications'], + }, + ], + }, + ], +}); +const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip', + { + defaultMessage: 'All Spaces is required 
for Host Isolation Exceptions access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions', + { + defaultMessage: 'Host Isolation Exceptions', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.description', + { + defaultMessage: + 'Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-deleteHostIsolationExceptions`, + `${APP_ID}-readHostIsolationExceptions`, + ], + id: 'host_isolation_exceptions_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['readHostIsolationExceptions', 'deleteHostIsolationExceptions'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readHostIsolationExceptions`], + id: 'host_isolation_exceptions_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readHostIsolationExceptions'], + }, + ], + }, + ], +}); +const blocklistSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Blocklist access.', + } + ), + name: i18n.translate('securitySolutionPackages.features.featureRegistry.subFeatures.blockList', { + defaultMessage: 'Blocklist', + }), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.description', + { + defaultMessage: + 'Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.', + } + ), + 
privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeBlocklist`, + `${APP_ID}-readBlocklist`, + ], + id: 'blocklist_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeBlocklist', 'readBlocklist'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readBlocklist`], + id: 'blocklist_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readBlocklist'], + }, + ], + }, + ], +}); +const eventFiltersSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Event Filters access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters', + { + defaultMessage: 'Event Filters', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.description', + { + defaultMessage: + 'Filter out endpoint events that you do not need or want stored in Elasticsearch.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-writeEventFilters`, + `${APP_ID}-readEventFilters`, + ], + id: 'event_filters_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + read: [], + }, + ui: ['writeEventFilters', 'readEventFilters'], + }, + { + api: ['lists-read', 'lists-summary', `${APP_ID}-readEventFilters`], + id: 'event_filters_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readEventFilters'], + }, + ], + }, + ], +}); +const 
policyManagementSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Policy Management access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement', + { + defaultMessage: 'Elastic Defend Policy Management', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.policyManagement.description', + { + defaultMessage: + 'Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writePolicyManagement`, `${APP_ID}-readPolicyManagement`], + id: 'policy_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: ['policy-settings-protection-updates-note'], + read: [], + }, + ui: ['writePolicyManagement', 'readPolicyManagement'], + }, + { + api: [`${APP_ID}-readPolicyManagement`], + id: 'policy_management_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: ['policy-settings-protection-updates-note'], + }, + ui: ['readPolicyManagement'], + }, + ], + }, + ], +}); + +const responseActionsHistorySubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Response Actions History access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory', + { + defaultMessage: 'Response Actions History', + } + ), + description: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.subFeatures.responseActionsHistory.description', + { + defaultMessage: 'Access the history of response actions performed on endpoints.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeActionsLogManagement`, `${APP_ID}-readActionsLogManagement`], + id: 'actions_log_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeActionsLogManagement', 'readActionsLogManagement'], + }, + { + api: [`${APP_ID}-readActionsLogManagement`], + id: 'actions_log_management_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readActionsLogManagement'], + }, + ], + }, + ], +}); +const hostIsolationSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Host Isolation access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation', + { + defaultMessage: 'Host Isolation', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolation.description', + { defaultMessage: 'Perform the "isolate" and "release" response actions.' 
} + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeHostIsolationRelease`], + id: 'host_isolation_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeHostIsolationRelease'], + }, + ], + }, + ], +}); + +const processOperationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Process Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations', + { + defaultMessage: 'Process Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.processOperations.description', + { + defaultMessage: 'Perform process-related response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeProcessOperations`], + id: 'process_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeProcessOperations'], + }, + ], + }, + ], +}); +const fileOperationsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for File Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations', + { + defaultMessage: 'File Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.fileOperations.description', + { + defaultMessage: 'Perform file-related response actions in the 
response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeFileOperations`], + id: 'file_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeFileOperations'], + }, + ], + }, + ], +}); + +// execute operations are not available in 8.7, +// but will be available in 8.8 +const executeActionSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Execute Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations', + { + defaultMessage: 'Execute Operations', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.executeOperations.description', + { + defaultMessage: 'Perform script execution response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeExecuteOperations`], + id: 'execute_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeExecuteOperations'], + }, + ], + }, + ], +}); + +// 8.15 feature +const scanActionSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Scan Operations access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations', + { + defaultMessage: 'Scan Operations', + } + ), + description: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.subFeatures.scanOperations.description', + { + defaultMessage: 'Perform folder scan response actions in the response console.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeScanOperations`], + id: 'scan_operations_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeScanOperations'], + }, + ], + }, + ], +}); + +const workflowInsightsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights.privilegesTooltip', + { + defaultMessage: 'All Spaces is required for Automatic Troubleshooting access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights', + { + defaultMessage: 'Automatic Troubleshooting', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.workflowInsights.description', + { + defaultMessage: 'Access to the automatic troubleshooting.', + } + ), + + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeWorkflowInsights`, `${APP_ID}-readWorkflowInsights`], + id: 'workflow_insights_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeWorkflowInsights', 'readWorkflowInsights'], + }, + { + api: [`${APP_ID}-readWorkflowInsights`], + id: 'workflow_insights_read', + includeIn: 'none', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + ui: ['readWorkflowInsights'], + }, + ], + }, + ], +}); + +const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: true, + privilegesTooltip: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.privilegesTooltip', + { + 
defaultMessage: 'All Spaces is required for Endpoint Exceptions access.', + } + ), + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions', + { + defaultMessage: 'Endpoint Exceptions', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description', + { + defaultMessage: 'Manage Endpoint Exceptions.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + id: 'endpoint_exceptions_all', + includeIn: 'all', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], + ui: ['showEndpointExceptions', 'crudEndpointExceptions'], + }, + { + id: 'endpoint_exceptions_read', + includeIn: 'read', + name: TRANSLATIONS.read, + savedObject: { + all: [], + read: [], + }, + api: [`${APP_ID}-showEndpointExceptions`], + ui: ['showEndpointExceptions'], + }, + ], + }, + ], +}); + +const globalArtifactManagementSubFeature = (): SubFeatureConfig => ({ + requireAllSpaces: false, + privilegesTooltip: undefined, + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement', + { + defaultMessage: 'Global Artifact Management', + } + ), + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.description', + { + defaultMessage: + 'Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) ' + + 'across all policies. 
This privilege controls global assignment rights only; privileges for each ' + + 'artifact type are required for full artifact management.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeGlobalArtifacts`], + id: 'global_artifact_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeGlobalArtifacts'], + }, + ], + }, + ], +}); + +/** + * Sub-features that will always be available for Security + * regardless of the product type. + */ +export const getSecurityV3BaseKibanaSubFeatureIds = ( + { experimentalFeatures }: SecurityFeatureParams // currently un-used, but left here as a convenience for possible future use +): SecuritySubFeatureId[] => []; + +/** + * Defines all the Security Assistant subFeatures available. + * The order of the subFeatures is the order they will be displayed + */ + +export const getSecurityV3SubFeaturesMap = ({ + experimentalFeatures, +}: SecurityFeatureParams): Map => { + const enableSpaceAwarenessIfNeeded = (subFeature: SubFeatureConfig): SubFeatureConfig => { + if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { + subFeature.requireAllSpaces = false; + subFeature.privilegesTooltip = undefined; + } + + return subFeature; + }; + + const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ + [SecuritySubFeatureId.endpointList, enableSpaceAwarenessIfNeeded(endpointListSubFeature())], + [ + SecuritySubFeatureId.endpointExceptions, + enableSpaceAwarenessIfNeeded(endpointExceptionsSubFeature()), + ], + + ...((experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? 
[ + [ + SecuritySubFeatureId.globalArtifactManagement, + enableSpaceAwarenessIfNeeded(globalArtifactManagementSubFeature()), + ], + ] + : []) as Array<[SecuritySubFeatureId, SubFeatureConfig]>), + + [ + SecuritySubFeatureId.trustedApplications, + enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()), + ], + [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature()), + ], + [SecuritySubFeatureId.blocklist, enableSpaceAwarenessIfNeeded(blocklistSubFeature())], + [SecuritySubFeatureId.eventFilters, enableSpaceAwarenessIfNeeded(eventFiltersSubFeature())], + + [ + SecuritySubFeatureId.policyManagement, + enableSpaceAwarenessIfNeeded(policyManagementSubFeature()), + ], + [ + SecuritySubFeatureId.responseActionsHistory, + enableSpaceAwarenessIfNeeded(responseActionsHistorySubFeature()), + ], + [SecuritySubFeatureId.hostIsolation, enableSpaceAwarenessIfNeeded(hostIsolationSubFeature())], + [ + SecuritySubFeatureId.processOperations, + enableSpaceAwarenessIfNeeded(processOperationsSubFeature()), + ], + [SecuritySubFeatureId.fileOperations, enableSpaceAwarenessIfNeeded(fileOperationsSubFeature())], + [SecuritySubFeatureId.executeAction, enableSpaceAwarenessIfNeeded(executeActionSubFeature())], + [SecuritySubFeatureId.scanAction, enableSpaceAwarenessIfNeeded(scanActionSubFeature())], + ]; + + // Use the following code to add feature based on feature flag + // if (experimentalFeatures.featureFlagName) { + // securitySubFeaturesList.push([SecuritySubFeatureId.featureId, featureSubFeature]); + // } + + if (experimentalFeatures.defendInsights) { + // place with other All/Read/None options + securitySubFeaturesList.splice(1, 0, [ + SecuritySubFeatureId.workflowInsights, + enableSpaceAwarenessIfNeeded(workflowInsightsSubFeature()), + ]); + } + + const securitySubFeaturesMap = new Map( + securitySubFeaturesList + ); + + return Object.freeze(securitySubFeaturesMap); +}; 
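Review bot: `Object.freeze(securitySubFeaturesMap)` at the end of `getSecurityV3SubFeaturesMap` does not make the map read-only, because `set`, `delete` and `clear` act on the Map's internal entries, which `Object.freeze` does not cover. A consumer can therefore still add or drop a sub-feature privilege definition after the function returns. If an immutable privilege registry is the intent, and assuming callers only read the map, declare the return type as `ReadonlyMap<SecuritySubFeatureId, SubFeatureConfig>`; failing that, keep the freeze and add `// NOTE: freeze does not block Map#set/delete; treat as read-only`. Separately, the doc comment above the function says "Security Assistant subFeatures", which looks copied from another feature and should read `Defines all the Security subFeatures available.`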
diff --git a/x-pack/solutions/security/plugins/security_solution/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/common/constants.ts index c4bb9290ddb64..a8e7c2c22d4b0 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/constants.ts @@ -26,7 +26,7 @@ export const CASES_FEATURE_ID = 'securitySolutionCasesV3' as const; export const TIMELINE_FEATURE_ID = 'securitySolutionTimeline' as const; export const NOTES_FEATURE_ID = 'securitySolutionNotes' as const; export const SERVER_APP_ID = 'siem' as const; -export const SECURITY_FEATURE_ID = 'siemV2' as const; +export const SECURITY_FEATURE_ID = 'siemV3' as const; export const APP_NAME = 'Security' as const; export const APP_ICON = 'securityAnalyticsApp' as const; export const APP_ICON_SOLUTION = 'logoSecurity' as const; diff --git a/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx b/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx index c22513a989a06..bb5a4d1a9e991 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/helper_hooks.tsx @@ -7,6 +7,7 @@ import { useCallback, useState } from 'react'; import { useKibana } from './common/lib/kibana'; +import { SECURITY_FEATURE_ID } from '../common'; export const useOnOpenCloseHandler = (): [boolean, () => void, () => void] => { const [isOpen, setIsOpen] = useState(false); @@ -27,5 +28,5 @@ export const useOnOpenCloseHandler = (): [boolean, () => void, () => void] => { */ export const useHasSecurityCapability = (capability: string): boolean => { const { capabilities } = useKibana().services.application; - return !!capabilities.siemV2[capability]; + return !!capabilities[SECURITY_FEATURE_ID][capability]; }; 
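Review bot: `capabilities[SECURITY_FEATURE_ID][capability]` in `useHasSecurityCapability` dereferences the feature entry without a guard, so the hook throws a TypeError during render if the capabilities object has no entry under that key. `hasAccessToSecuritySolution` in `helpers_access.ts` reads the same entry with `?.`. Now that the key comes from a constant that changes with each feature version, the lookup should fail closed instead: `return !!capabilities[SECURITY_FEATURE_ID]?.[capability];`.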
diff --git a/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts b/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts index 608c663e753f0..6bfe10db67ad9 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/helpers_access.ts @@ -9,7 +9,6 @@ import { SECURITY_FEATURE_ID } from '../common/constants'; export function hasAccessToSecuritySolution(capabilities: Capabilities): boolean { return Boolean( - // Using `siemV2` capabilities[SECURITY_FEATURE_ID]?.show || capabilities.securitySolutionCasesV2?.read_cases || capabilities.securitySolutionAttackDiscovery?.['attack-discovery'] diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts index b6232dc052e3b..c900dc4175153 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts @@ -45,7 +45,7 @@ const getRoleWithoutArtifactPrivilege = (privilegePrefix: string) => { ...endpointSecurityPolicyManagerRole.kibana[0], feature: { ...endpointSecurityPolicyManagerRole.kibana[0].feature, - siemV2: endpointSecurityPolicyManagerRole.kibana[0].feature.siemV2.filter( + siemV3: endpointSecurityPolicyManagerRole.kibana[0].feature.siemV3.filter( (privilege) => privilege !== `${privilegePrefix}all` ), }, 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts index 42874e420138c..434fd7f5e6a7b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts @@ -36,8 +36,8 @@ describe('Endpoints RBAC', { tags: ['@ess'] }, () => { ...base.kibana[0], feature: { ...base.kibana[0].feature, - siemV2: [ - ...base.kibana[0].feature.siemV2, + siemV3: [ + ...base.kibana[0].feature.siemV3, `endpoint_list_all`, `policy_management_${endpointPolicyManagementPrivilege}`, ], diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx index c33e12cc49717..737e7f9ea3707 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx @@ -96,7 +96,7 @@ export const createFleetContextRendererMock = (): AppContextTestRender => { startServices.application.capabilities = deepFreeze({ ...startServices.application.capabilities, - siemV2: { show: true, crud: true }, + siemV3: { show: true, crud: true }, }); return ( 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index 819581273c640..b8493654d29ce 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -20,6 +20,7 @@ import { getCasesV2Feature, getCasesV3Feature, getSecurityV2Feature, + getSecurityV3Feature, getTimelineFeature, getNotesFeature, getSiemMigrationsFeature, @@ -40,6 +41,7 @@ import { casesApiTags, casesUiCapabilities } from './cases_privileges'; export class ProductFeaturesService { private securityProductFeatures: ProductFeatures; private securityV2ProductFeatures: ProductFeatures; + private securityV3ProductFeatures: ProductFeatures; private casesProductFeatures: ProductFeatures; private casesProductV2Features: ProductFeatures; private casesProductFeaturesV3: ProductFeatures; @@ -76,6 +78,17 @@ export class ProductFeaturesService { securityV2Feature.baseKibanaSubFeatureIds ); + const securityV3Feature = getSecurityV3Feature({ + savedObjects: securityDefaultSavedObjects, + experimentalFeatures: this.experimentalFeatures, + }); + this.securityV3ProductFeatures = new ProductFeatures( + this.logger, + securityV3Feature.subFeaturesMap, + securityV3Feature.baseKibanaFeature, + securityV3Feature.baseKibanaSubFeatureIds + ); + const casesFeature = getCasesFeature({ uiCapabilities: casesUiCapabilities, apiTags: casesApiTags, 
@@ -165,6 +178,7 @@ export class ProductFeaturesService { public init(featuresSetup: FeaturesPluginSetup) { this.securityProductFeatures.init(featuresSetup); this.securityV2ProductFeatures.init(featuresSetup); + this.securityV3ProductFeatures.init(featuresSetup); this.casesProductFeatures.init(featuresSetup); this.casesProductV2Features.init(featuresSetup); this.casesProductFeaturesV3.init(featuresSetup); @@ -179,6 +193,7 @@ export class ProductFeaturesService { const securityProductFeaturesConfig = configurator.security(); this.securityProductFeatures.setConfig(securityProductFeaturesConfig); this.securityV2ProductFeatures.setConfig(securityProductFeaturesConfig); + this.securityV3ProductFeatures.setConfig(securityProductFeaturesConfig); const casesProductFeaturesConfig = configurator.cases(); this.casesProductFeatures.setConfig(casesProductFeaturesConfig); @@ -227,6 +242,7 @@ export class ProductFeaturesService { return ( this.securityProductFeatures.isActionRegistered(action) || this.securityV2ProductFeatures.isActionRegistered(action) || + this.securityV3ProductFeatures.isActionRegistered(action) || this.casesProductFeatures.isActionRegistered(action) || this.casesProductV2Features.isActionRegistered(action) || this.securityAssistantProductFeatures.isActionRegistered(action) || From d3c523adefe46f2047a3793da51626dc08fdb655 Mon Sep 17 00:00:00 2001 
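Review bot: The `isActionRegistered` chain in the last hunk is one of several hand-maintained lists (constructor, `init`, `setConfig`, and this check) that every new `ProductFeatures` instance must be added to. If unregistered actions are treated as not product-gated, which the hunk does not show, this is the list where an omission would silently loosen API access control. In the visible context `casesProductFeaturesV3` does not appear between `casesProductV2Features` and `securityAssistantProductFeatures`, although it is initialised in `init`. The expression continues past the hunk, so it may be listed further down, but that is worth confirming. Holding the instances in one array and writing `return this.allProductFeatures.some((pf) => pf.isActionRegistered(action));` would keep the lists from drifting apart.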
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 29 Apr 2025 16:19:03 +0200 Subject: [PATCH 02/52] unify and migrate endpoint exceptions RBAC --- .../security/packages/features/privileges.ts | 10 ------- .../src/product_features_privileges.ts | 30 ------------------- .../src/security/product_feature_config.ts | 3 ++ .../packages/features/src/security/types.ts | 9 +++--- .../security/v1_features/kibana_features.ts | 5 ++-- .../v1_features/kibana_sub_features.ts | 12 ++++---- .../security/v2_features/kibana_features.ts | 5 ++-- .../v2_features/kibana_sub_features.ts | 12 ++++---- .../product_features_service.ts | 8 ++++- .../security_solution/server/plugin.ts | 5 +++- .../security_product_features_config.ts | 9 +----- .../security_product_features_config.ts | 7 ++--- 12 files changed, 38 insertions(+), 77 deletions(-) delete mode 100644 x-pack/solutions/security/packages/features/privileges.ts delete mode 100644 x-pack/solutions/security/packages/features/src/product_features_privileges.ts diff --git a/x-pack/solutions/security/packages/features/privileges.ts b/x-pack/solutions/security/packages/features/privileges.ts deleted file mode 100644 index 5cfe7b2d58d3b..0000000000000 --- a/x-pack/solutions/security/packages/features/privileges.ts +++ /dev/null @@ -1,10 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ -export { - ProductFeaturesPrivilegeId, - ProductFeaturesPrivileges, -} from './src/product_features_privileges'; diff --git a/x-pack/solutions/security/packages/features/src/product_features_privileges.ts b/x-pack/solutions/security/packages/features/src/product_features_privileges.ts deleted file mode 100644 index 22b4e858e4a55..0000000000000 
--- a/x-pack/solutions/security/packages/features/src/product_features_privileges.ts +++ /dev/null @@ -1,30 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { APP_ID } from './constants'; - -export enum ProductFeaturesPrivilegeId { - endpointExceptions = 'endpoint_exceptions', -} - -/** - * This is the mapping of the privileges that are registered - * using a different Kibana feature configuration (sub-feature, main feature privilege, etc) - * in each offering type (ess, serverless) - */ -export const ProductFeaturesPrivileges = { - [ProductFeaturesPrivilegeId.endpointExceptions]: { - all: { - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], - }, - read: { - ui: ['showEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`], - }, - }, -}; diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts index 54617d8c0ec67..7192758d26135 100644 --- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts +++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts @@ -135,6 +135,9 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature SecuritySubFeatureId.globalArtifactManagement, ], }, + [ProductFeatureSecurityKey.endpointExceptions]: { + subFeatureIds: [SecuritySubFeatureId.endpointExceptions], + }, // Endpoint Complete Tier: // Allows access to create/update HIEs 
diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index dda61b6e86b9a..42dc5feb32496 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts @@ -18,10 +18,11 @@ export interface SecurityFeatureParams { */ experimentalFeatures: Record; savedObjects: string[]; + isServerless: boolean; } -export type DefaultSecurityProductFeaturesConfig = Omit< - Record>, - ProductFeatureSecurityKey.endpointExceptions - // | add not generic security app features here +// Omit<> not generic security app features here +export type DefaultSecurityProductFeaturesConfig = Record< + ProductFeatureSecurityKey, + ProductFeatureKibanaConfig >; diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index b4ae435863071..8b8ef2846806c 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -50,6 +50,7 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityBaseKibanaFeature = ({ savedObjects, + isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -100,7 +101,7 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all'], + privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], }, ], }, 
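Review bot: In `v1_features/kibana_features.ts` the `replacedBy` mapping for the deprecated `all` privilege now adds `endpoint_exceptions_all` on the V3 feature whenever `isServerless` is false, and nothing next to the ternary says why the two offerings differ. This line decides which privileges existing roles hold after migration, so it needs a why-comment; judging from the ESS and serverless config hunks later in this patch, something like `// ESS bundled endpoint exceptions into the top-level privilege; keep that access when mapping to siemV3` fits, to be adjusted to the real reason. The same expression recurs for `read` in the next hunk of this file and twice in `v2_features/kibana_features.ts`, so a small shared helper would stop the four mappings from diverging. A unit test asserting the resulting `replacedBy` privileges for both values of `isServerless` would pin the migration; `getSecurityBaseKibanaFeature` continues outside the hunk.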
@@ -151,7 +152,7 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['read'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_read'], + privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 43c76e5d0f805..7b5440f12b414 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -8,10 +8,6 @@ import { i18n } from '@kbn/i18n'; import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; -import { - ProductFeaturesPrivilegeId, - ProductFeaturesPrivileges, -} from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; @@ -645,7 +641,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ description: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description', { - defaultMessage: 'Use Endpoint Exceptions (this is a test sub-feature).', + defaultMessage: 'Manage Endpoint Exceptions.', } ), privilegeGroups: [ @@ -663,7 +659,8 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, + api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], + ui: ['showEndpointExceptions', 'crudEndpointExceptions'], }, { replacedBy: [ 
@@ -676,7 +673,8 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, + api: [`${APP_ID}-showEndpointExceptions`], + ui: ['showEndpointExceptions'], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 344df71e86eb4..f95cb458e8a3c 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -51,6 +51,7 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV2BaseKibanaFeature = ({ savedObjects, + isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -101,7 +102,7 @@ export const getSecurityV2BaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all'], + privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], }, ], }, @@ -133,7 +134,7 @@ export const getSecurityV2BaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['read'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_read'], + privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index d4d1527426704..b5e4e97a1390e 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts 
@@ -8,10 +8,6 @@ import { i18n } from '@kbn/i18n'; import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; -import { - ProductFeaturesPrivilegeId, - ProductFeaturesPrivileges, -} from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; @@ -713,7 +709,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ description: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description', { - defaultMessage: 'Use Endpoint Exceptions (this is a test sub-feature).', + defaultMessage: 'Manage Endpoint Exceptions.', } ), privilegeGroups: [ @@ -731,7 +727,8 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, + api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], + ui: ['showEndpointExceptions', 'crudEndpointExceptions'], }, { replacedBy: [ @@ -744,7 +741,8 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, + api: [`${APP_ID}-showEndpointExceptions`], + ui: ['showEndpointExceptions'], }, ], }, diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index b8493654d29ce..7f3165301021d 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts 
@@ -55,11 +55,13 @@ export class ProductFeaturesService { constructor( private readonly logger: Logger, - private readonly experimentalFeatures: ExperimentalFeatures + private readonly experimentalFeatures: ExperimentalFeatures, + isServerless: boolean ) { const securityFeature = getSecurityFeature({ savedObjects: securityV1SavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityProductFeatures = new ProductFeatures( this.logger, @@ -70,6 +72,7 @@ export class ProductFeaturesService { const securityV2Feature = getSecurityV2Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityV2ProductFeatures = new ProductFeatures( this.logger, @@ -81,6 +84,7 @@ export class ProductFeaturesService { const securityV3Feature = getSecurityV3Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityV3ProductFeatures = new ProductFeatures( this.logger, @@ -147,6 +151,7 @@ export class ProductFeaturesService { const timelineFeature = getTimelineFeature({ savedObjects: securityTimelineSavedObjects, experimentalFeatures: {}, + isServerless, }); this.timelineProductFeatures = new ProductFeatures( this.logger, @@ -158,6 +163,7 @@ export class ProductFeaturesService { const notesFeature = getNotesFeature({ savedObjects: securityNotesSavedObjects, experimentalFeatures: {}, + isServerless, }); this.notesProductFeatures = new ProductFeatures( this.logger, diff --git a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts index f51fee657bf4f..ecf94b7624fe6 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts 
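Review bot: `isServerless` enters the constructor as a third positional `boolean`, so call sites read `new ProductFeaturesService(logger, experimentalFeatures, false)` with nothing indicating what `false` selects, even though the value changes how deprecated privileges are migrated. A TSDoc line on the constructor, for example `@param isServerless true for serverless builds; controls whether endpoint-exception privileges are added when mapping deprecated security privileges`, would document the contract. The flag is also forwarded to `getTimelineFeature` and `getNotesFeature`, apparently only because `SecurityFeatureParams` now requires it; whether those getters read it is not visible here. If they do not, making the field optional or giving them a narrower params type avoids threading an unused flag. The constructor body continues outside these hunks.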
@@ -169,9 +169,12 @@ export class Plugin implements ISecuritySolutionPlugin { this.config = serverConfig; this.logger = context.logger.get(); this.appClientFactory = new AppClientFactory(); + + const isServerless = this.pluginContext.env.packageInfo.buildFlavor === 'serverless'; this.productFeaturesService = new ProductFeaturesService( this.logger, - this.config.experimentalFeatures + this.config.experimentalFeatures, + isServerless ); this.siemMigrationsService = new SiemMigrationsService( this.config, diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts index 0cec48bda5e44..70ff0cfd1f95c 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts @@ -10,17 +10,13 @@ import type { ProductFeaturesSecurityConfig, } from '@kbn/security-solution-features'; import { - ProductFeatureSecurityKey, + type ProductFeatureSecurityKey, type SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import { securityDefaultProductFeaturesConfig, createEnabledProductFeaturesConfigMap, } from '@kbn/security-solution-features/config'; -import { - ProductFeaturesPrivilegeId, - ProductFeaturesPrivileges, -} from '@kbn/security-solution-features/privileges'; export const getSecurityProductFeaturesConfigurator = (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => { @@ -44,7 +40,4 @@ const securityProductFeaturesConfig: Record< ProductFeatureKibanaConfig > = { ...securityDefaultProductFeaturesConfig, - [ProductFeatureSecurityKey.endpointExceptions]: { - privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions], - }, }; 
diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts index caec038374c23..1390aff89b86b 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts @@ -14,8 +14,8 @@ import { createEnabledProductFeaturesConfigMap, } from '@kbn/security-solution-features/config'; import { - ProductFeatureSecurityKey, - SecuritySubFeatureId, + type ProductFeatureSecurityKey, + type SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import type { ExperimentalFeatures } from '../../common/experimental_features'; @@ -45,7 +45,4 @@ const securityProductFeaturesConfig: Record< ProductFeatureKibanaConfig > = { ...securityDefaultProductFeaturesConfig, - [ProductFeatureSecurityKey.endpointExceptions]: { - subFeatureIds: [SecuritySubFeatureId.endpointExceptions], - }, }; From c35e932374d10dfa99e38c6e94cbbd804fe59b40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 30 Apr 2025 15:28:23 +0200 Subject: [PATCH 03/52] type fix + unit test --- .../lib/product_features_service/mocks.ts | 2 +- .../product_features_service.test.ts | 53 ++++++++++++++----- 2 files changed, 41 insertions(+), 14 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index 9122bc202e73b..a94a6668130ab 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -75,7 +75,7 @@ export const createProductFeaturesServiceMock = ( featuresPluginSetupContract: FeaturesPluginSetup = featuresPluginMock.createSetup(), logger: Logger = loggingSystemMock.create().get('productFeatureMock') ) => { - const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures); + const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures, false); productFeaturesService.init(featuresPluginSetupContract); diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index 32efcb32fd705..6ba327c0fc8e3 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -28,6 +28,7 @@ import type { LifecycleResponseFactory, OnPostAuthHandler, } from '@kbn/core-http-server'; +import type { SecurityFeatureParams } from '@kbn/security-solution-features/src/security/types'; jest.mock('./product_features'); const MockedProductFeatures = ProductFeatures as unknown as jest.MockedClass< 
@@ -40,9 +41,14 @@ const productFeature = { baseKibanaSubFeatureIds: [], }; const mockGetFeature = jest.fn().mockReturnValue(productFeature); +const mockGetSecurityFeature = jest + .fn() + .mockReturnValue(productFeature); + jest.mock('@kbn/security-solution-features/product_features', () => ({ - getSecurityFeature: () => mockGetFeature(), - getSecurityV2Feature: () => mockGetFeature(), + getSecurityFeature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityV2Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityV3Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), 
@@ -60,17 +66,31 @@ describe('ProductFeaturesService', () => { it('should create ProductFeatureService instance', () => { const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures); + new ProductFeaturesService(loggerMock.create(), experimentalFeatures, false); - expect(mockGetFeature).toHaveBeenCalledTimes(10); - expect(MockedProductFeatures).toHaveBeenCalledTimes(10); + expect(mockGetFeature).toHaveBeenCalledTimes(8); + expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3); + expect(MockedProductFeatures).toHaveBeenCalledTimes(11); }); + it.each([false, true])( + 'should pass `isServerless = %s` param to security feature getters', + (isServerless) => { + const experimentalFeatures = {} as ExperimentalFeatures; + new ProductFeaturesService(loggerMock.create(), experimentalFeatures, isServerless); + + expect( + mockGetSecurityFeature.mock.calls.every((args) => args[0].isServerless === isServerless) + ).toBeTruthy(); + } + ); + it('should init all ProductFeatures when initialized', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); @@ -85,7 +105,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); @@ -135,7 +156,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); 
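Review bot: The new `it.each` case asserts with `mockGetSecurityFeature.mock.calls.every(...)`, which is true for an empty call list, so the test still passes if none of the security feature getters is invoked. Adding `expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3);` before the `every` check makes the assertion non-vacuous. This patch series also passes `isServerless` to `getTimelineFeature` and `getNotesFeature`, but whether their mocks forward parameters is not visible in this hunk, so that path may be unverified.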
@@ -184,7 +206,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.isApiPrivilegeEnabled('writeEndpointExceptions'); @@ -218,7 +241,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -236,7 +260,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -253,7 +278,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -276,7 +302,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); mockIsActionRegistered = MockedProductFeatures.mock.instances[0] From 119b0b9b8df798e15864530a9673087498c5dcb1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 30 Apr 2025 18:01:26 +0200 Subject: [PATCH 04/52] i18n fix --- .../plugins/private/translations/translations/fr-FR.json | 4 ++-- .../plugins/private/translations/translations/ja-JP.json | 4 ++-- .../plugins/private/translations/translations/zh-CN.json | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/x-pack/platform/plugins/private/translations/translations/fr-FR.json b/x-pack/platform/plugins/private/translations/translations/fr-FR.json index b2e0473f5fff3..e296cdadfb027 100644 --- a/x-pack/platform/plugins/private/translations/translations/fr-FR.json +++ b/x-pack/platform/plugins/private/translations/translations/fr-FR.json @@ -7750,7 +7750,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "Cas", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "Cas (Déclassé)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "Notes", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "Les permissions {currentId} sont déclassées, veuillez consulter {idV2}.", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "Les permissions {currentId} sont déclassées, veuillez consulter {latestId}.", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "Migrations SIEM", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "Chronologie", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "Sécurité", 
@@ -48734,4 +48734,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "Ce champ est requis.", "xpack.watcher.watcherDescription": "Détectez les modifications survenant dans vos données en créant, gérant et monitorant des alertes." } -} +} \ No newline at end of file diff --git a/x-pack/platform/plugins/private/translations/translations/ja-JP.json b/x-pack/platform/plugins/private/translations/translations/ja-JP.json index a2e5841f492cf..5acebc9657fb9 100644 --- a/x-pack/platform/plugins/private/translations/translations/ja-JP.json +++ b/x-pack/platform/plugins/private/translations/translations/ja-JP.json @@ -7744,7 +7744,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "ケース", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "ケース(廃止予定)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "メモ", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId}権限は廃止予定です。{idV2}を参照してください。", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId}権限は廃止予定です。{latestId}を参照してください。", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "SIEM移行", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "Timeline", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "セキュリティ", @@ -48697,4 +48697,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "フィールドを選択してください。", "xpack.watcher.watcherDescription": "アラートの作成、管理、監視によりデータへの変更を検知します。" } -} +} \ No newline at end of file diff --git a/x-pack/platform/plugins/private/translations/translations/zh-CN.json b/x-pack/platform/plugins/private/translations/translations/zh-CN.json index 723503ac10b1a..a49d5b1227cb5 100644 
--- a/x-pack/platform/plugins/private/translations/translations/zh-CN.json +++ b/x-pack/platform/plugins/private/translations/translations/zh-CN.json @@ -7755,7 +7755,7 @@ "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitle": "案例", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionCaseTitleDeprecated": "案例(已过时)", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionNotesTitle": "备注", - "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId} 权限已过时,请参阅 {idV2}。", + "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage": "{currentId} 权限已过时,请参阅 {latestId}。", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSiemMigrationsTitle": "SIEM 迁移", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTimelineTitle": "时间线", "securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle": "安全", @@ -48772,4 +48772,4 @@ "xpack.watcher.watchEdit.thresholdWatchExpression.aggType.fieldIsRequiredValidationMessage": "此字段必填。", "xpack.watcher.watcherDescription": "通过创建、管理和监测警报来检测数据中的更改。" } -} +} \ No newline at end of file From 1135b7dbc83a0653ddfeec4653eb221145388e24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 5 May 2025 14:56:05 +0200 Subject: [PATCH 05/52] update configs --- config/serverless.security.search_ai_lake.yml | 2 +- config/serverless.security.yml | 27 +++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index 577e240a3b2f7..f1ed6c3b5ed27 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml 
@@ -20,7 +20,7 @@ xpack.features.overrides: securitySolutionTimeline.hidden: true securitySolutionNotes.hidden: true siem.description: null - siemV2.description: null + siemV3.description: null securitySolutionSiemMigrations.hidden: true ## Fine-tune the security solution essentials feature privileges. These feature privilege overrides are set individually for each project type. Also, refer to `serverless.yml` for the project-agnostic overrides. diff --git a/config/serverless.security.yml b/config/serverless.security.yml index 0c4fd4886e4b9..1faea886fd2a2 100644 --- a/config/serverless.security.yml +++ b/config/serverless.security.yml @@ -23,6 +23,33 @@ xpack.features.overrides: category: "security" order: 1101 ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. + siemV3: + privileges: + ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and + ### Visualize features. + all.composedOf: + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "dashboard_v2" + privileges: [ "all" ] + - feature: "visualize_v2" + privileges: [ "all" ] + - feature: "maps_v2" + privileges: [ "all" ] + # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and + # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover, + ### Dashboard, and Visualize apps. + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "dashboard_v2" + privileges: [ "read" ] + - feature: "visualize_v2" + privileges: [ "read" ] + - feature: "maps_v2" + privileges: [ "read" ] + + ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. siemV2: privileges: ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and 
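Review bot: In `config/serverless.security.yml`, the comment above the added `read.composedOf` block says the `Read` privilege should also grant creation of short URLs in Discover, Dashboard and Visualize, but the entries that follow list only `privileges: [ "read" ]` for each feature. Either the comment was carried over from the `siemV2` block and is out of date, or a privilege is missing from the list. Since this override defines what a Security `Read` role implicitly gains, the comment and the list should agree. The new block also appears to duplicate the `siemV2` override that follows it, whose body is outside the hunk, so a comment such as `### Keep in sync with siemV2 below until the deprecated feature is removed` would help while both versions exist.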
From 1d787b2565af1d3e28ce080158435c26f264c435 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 5 May 2025 14:57:00 +0200 Subject: [PATCH 06/52] update roles coming from elasticsearch-controller --- .../project_roles/security/roles.yml | 212 ++++++++--------- .../project_controller_security_roles.yml | 216 +++++++++--------- 2 files changed, 214 insertions(+), 214 deletions(-) diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml index 8dfff70967683..4ea47ab14510e 100644 --- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml +++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml @@ -43,9 +43,9 @@ viewer: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCasesV2.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -116,19 +116,19 @@ editor: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -181,9 +181,9 @@ t1_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCasesV2.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -239,9 +239,9 @@ t2_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -302,21 +302,21 @@ t3_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -380,9 +380,9 @@ threat_intelligence_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.endpoint_list_read - - feature_siemV2.blocklist_all + - feature_siemV3.all + - feature_siemV3.endpoint_list_read + - feature_siemV3.blocklist_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -444,17 +444,17 @@ rule_author: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_read - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_read + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -516,22 +516,22 @@ soc_manager: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -593,9 +593,9 @@ detections_admin: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -648,17 +648,17 @@ platform_engineer: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -721,21 +721,21 @@ endpoint_operations_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -806,16 +806,16 @@ endpoint_policy_manager: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.workflow_insights_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml index 115efbb4439ce..383f5eccbe116 100644 --- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml +++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml @@ -1,5 +1,5 @@ # ----- -# Source: https://github.com/elastic/project-controller/blob/main/internal/project/security/config/roles.yml +# Source: https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.yaml # modeled after the t1_analyst minus osquery run saved queries privilege viewer: 
@@ -42,9 +42,9 @@ viewer: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -115,19 +115,19 @@ editor: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -181,9 +181,9 @@ t1_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -240,9 +240,9 @@ t2_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -304,21 +304,21 @@ t3_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -378,9 +378,9 @@ threat_intelligence_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.endpoint_list_read - - feature_siemV2.blocklist_all + - feature_siemV3.all + - feature_siemV3.endpoint_list_read + - feature_siemV3.blocklist_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -444,17 +444,17 @@ rule_author: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_read - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_read + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -519,22 +519,22 @@ soc_manager: privileges: - feature_ml.read - feature_generalCases.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_observabilityCases.all - feature_securitySolutionAssistant.all @@ -598,9 +598,9 @@ detections_admin: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -654,17 +654,17 @@ platform_engineer: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -728,21 +728,21 @@ endpoint_operations_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response History - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all # Execute - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response History + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all # Execute + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -806,16 +806,16 @@ endpoint_policy_manager: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -833,4 +833,4 @@ endpoint_policy_manager: - feature_maps_v2.all - feature_visualize_v2.all - feature_savedQueryManagement.all - resources: '*' \ No newline at end of file + resources: '*' From 4a19f630064b71d3d8762195f4b6d3623256473c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 5 May 2025 15:01:04 +0200 Subject: [PATCH 07/52] update tests to work with `siemV3` --- .../plugins/shared/fleet/common/authz.test.ts | 6 +- .../apis/features/features/features.ts | 4 +- .../apis/security/privileges.ts | 33 +++ .../apis/security/privileges.ts | 34 +++ .../public/pages/rules/rules.test.tsx | 2 +- .../pages/rules/rules_container.test.tsx | 2 +- .../public/pages/rules/rules_table.test.tsx | 2 +- .../pages/rules/rules_table_header.test.tsx | 2 +- .../common/test/ess_roles.json | 12 +- .../attack_discovery/pages/index.test.tsx | 6 +- .../pages/results/index.test.tsx | 2 +- .../header_actions/actions.test.tsx | 2 +- .../endpoint/use_endpoint_privileges.test.ts | 2 +- .../public/common/mock/test_providers.tsx | 2 +- .../step_rule_actions/index.test.tsx | 2 +- .../alert_context_menu.test.tsx | 2 +- .../components/user_info/index.test.tsx | 7 +- .../pages/alerts/detection_engine.test.tsx | 4 +- .../explore/network/pages/network.test.tsx | 2 +- .../components/take_action_dropdown.test.tsx | 2 +- .../cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 2 +- ...point_role_rbac_with_space_awareness.cy.ts | 6 +- .../role_with_artifact_read_privilege.ts | 4 +- .../screens/stack_management/role_page.ts | 8 +- .../sourcerer/containers/hooks.test.tsx | 2 +- .../tabs/session/use_session_view.test.tsx | 2 +- .../common/roles_users/detections_engineer.ts | 2 +- .../endpoint_operations_analyst.ts | 2 +- .../endpoint_security_policy_manager.ts | 4 +- .../endpoint/common/roles_users/hunter.ts | 2 +- .../common/roles_users/platform_engineer.ts | 2 +- .../common/roles_users/rule_author.ts | 2 +- .../es_serverless_resources/roles.yml | 214 +++++++++--------- .../common/roles_users/soc_manager.ts | 2 +- .../endpoint/common/roles_users/t1_analyst.ts | 2 +- .../endpoint/common/roles_users/t2_analyst.ts | 2 +- .../endpoint/common/roles_users/t3_analyst.ts | 2 +- .../threat_intelligence_analyst.ts | 2 +- 
.../with_artifact_read_privileges_role.ts | 2 +- .../roles_users/with_response_actions_role.ts | 4 +- .../without_response_actions_role.ts | 2 +- .../lib/product_features_service/mocks.ts | 5 + .../apis/cloud_security_posture/helper.ts | 2 +- .../routes/helper/user_roles_utilites.ts | 6 +- .../fleet_api_integration/apis/test_users.ts | 10 +- .../config/privileges/roles.ts | 12 +- ...rity_solution_edr_workflows_roles_users.ts | 6 +- .../document_level_security.ts | 4 +- .../trial_license_complete_tier/artifacts.ts | 10 +- .../asset_criticality_privileges.ts | 2 +- .../risk_engine_privileges.ts | 2 +- .../entries/utils/auth/roles.ts | 16 +- .../lists/read_list_privileges.ts | 2 +- .../e2e/ai4dsoc/access/capabilities.cy.ts | 23 ++ .../custom_roles/assign_to_space_flyout.ts | 2 +- .../cypress/tasks/privileges.ts | 8 +- x-pack/test/session_view/basic/tests/index.ts | 2 +- .../common/suites/create.agnostic.ts | 2 +- .../common/suites/get.agnostic.ts | 2 +- .../common/suites/get_all.agnostic.ts | 2 +- .../spaces_only/telemetry/telemetry.ts | 2 +- .../platform_security/authorization.ts | 134 +++++------ 62 files changed, 376 insertions(+), 278 deletions(-) diff --git a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts index abe2b8c8d22d2..3690a41624f40 100644 --- a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts +++ b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts @@ -69,7 +69,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointCapabilities, + siemV3: endpointCapabilities, transform: transformCapabilities, }); @@ -95,7 +95,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointExceptionsCapabilities, + siemV3: endpointExceptionsCapabilities, }); expect(actual).toEqual(expected); 
@@ -120,7 +120,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV2: endpointCapabilities, + siemV3: endpointCapabilities, }); expect(actual).toEqual(expected); diff --git a/x-pack/platform/test/api_integration/apis/features/features/features.ts b/x-pack/platform/test/api_integration/apis/features/features/features.ts index 631dc8ec769a6..2e00e9e531be8 100644 --- a/x-pack/platform/test/api_integration/apis/features/features/features.ts +++ b/x-pack/platform/test/api_integration/apis/features/features/features.ts @@ -135,7 +135,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchSynonyms', 'searchQueryRules', 'searchPlayground', - 'siemV2', + 'siemV3', 'slo', 'securitySolutionAssistant', 'securitySolutionAttackDiscovery', @@ -196,7 +196,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchQueryRules', 'searchPlayground', 'siem', - 'siemV2', + 'siemV3', 'slo', 'securitySolutionAssistant', 'securitySolutionAttackDiscovery', diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index fc84347e9a755..89bbf5ba9db67 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts @@ -110,6 +110,8 @@ export default function ({ getService }: FtrProviderContext) { 'minimal_read', 'endpoint_list_all', 'endpoint_list_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'trusted_applications_all', 'trusted_applications_read', 'host_isolation_exceptions_all', 
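Review bot: In features.ts, the second expected list (hunk at `-196`) keeps `'siem'` but replaces `'siemV2'` with `'siemV3'` instead of listing both. The privileges.ts tests in this same patch still expect a `siemV2` entry, so the feature appears to stay registered. If this list enumerates deprecated features as well, which the presence of `'siem'` suggests, it should read `'siem', 'siemV2', 'siemV3',`. Otherwise a short comment saying why `siemV2` is excluded would help, because this list is what pins which feature ids, and therefore which privilege namespaces, the API exposes.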
@@ -137,6 +139,37 @@ export default function ({ getService }: FtrProviderContext) { 'endpoint_list_read', 'workflow_insights_all', 'workflow_insights_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', + 'trusted_applications_all', + 'trusted_applications_read', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'blocklist_all', + 'blocklist_read', + 'event_filters_all', + 'event_filters_read', + 'policy_management_all', + 'policy_management_read', + 'actions_log_management_all', + 'actions_log_management_read', + 'host_isolation_all', + 'process_operations_all', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + ], + siemV3: [ + 'all', + 'read', + 'minimal_all', + 'minimal_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'workflow_insights_all', + 'workflow_insights_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'trusted_applications_all', 'trusted_applications_read', 'host_isolation_exceptions_all', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index 4b7eaa132f17f..49003b30ce9f4 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts @@ -55,6 +55,7 @@ export default function ({ getService }: FtrProviderContext) { ml: ['all', 'read', 'minimal_all', 'minimal_read'], siem: ['all', 'read', 'minimal_all', 'minimal_read'], siemV2: ['all', 'read', 'minimal_all', 'minimal_read'], + siemV3: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'], 
@@ -230,6 +231,8 @@ export default function ({ getService }: FtrProviderContext) { 'file_operations_all', 'execute_operations_all', 'scan_operations_all', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', ], siemV2: [ 'actions_log_management_all', @@ -257,6 +260,37 @@ export default function ({ getService }: FtrProviderContext) { 'scan_operations_all', 'workflow_insights_all', 'workflow_insights_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', + ], + siemV3: [ + 'actions_log_management_all', + 'actions_log_management_read', + 'all', + 'blocklist_all', + 'blocklist_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'event_filters_all', + 'event_filters_read', + 'host_isolation_all', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'minimal_all', + 'minimal_read', + 'policy_management_all', + 'policy_management_read', + 'process_operations_all', + 'read', + 'trusted_applications_all', + 'trusted_applications_read', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + 'workflow_insights_all', + 'workflow_insights_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', ], uptime: [ 'all', diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx index e65bee10243d6..f0385023e5b35 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx @@ -47,7 +47,7 @@ const getTestComponent = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: true }, + siemV3: { crud: true }, }, }, }; 
diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx index a5c5a534db189..8e9a4f7077a58 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx @@ -47,7 +47,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + siemV3: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx index ed9b45c88d55b..fdc1a412cc938 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx @@ -41,7 +41,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + siemV3: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx index 5226731ff2f0f..42f34adf2aa21 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx @@ -37,7 +37,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV2: { crud: canUpdate }, + siemV3: { crud: canUpdate }, }, }, }; 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json index 6259330cc2899..021901c413f61 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json +++ b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json @@ -27,7 +27,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["read", "read_alerts"], + "siemV3": ["read", "read_alerts"], "securitySolutionAssistant": ["none"], "securitySolutionAttackDiscovery": ["none"], "securitySolutionCasesV2": ["read"], @@ -78,7 +78,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -129,7 +129,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -152,7 +152,7 @@ "kibana": [ { "feature": { - "siemV2": ["read"] + "siemV3": ["read"] }, "spaces": ["*"], "base": [] @@ -200,7 +200,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], @@ -254,7 +254,7 @@ { "feature": { "ml": ["read"], - "siemV2": ["all", "read_alerts", "crud_alerts"], + "siemV3": ["all", "read_alerts", "crud_alerts"], "securitySolutionAssistant": ["all"], "securitySolutionAttackDiscovery": ["all"], "securitySolutionCasesV2": ["all"], 
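Review bot: Every role in ess_roles.json is renamed one-for-one from `siemV2` to `siemV3` and none gains an `endpoint_exceptions_*` entry, although the privileges tests in this commit list `endpoint_exceptions_all` and `endpoint_exceptions_read` as separate `siemV3` privileges. Whether `all`, `read` or `minimal_all` on `siemV3` still carries endpoint exceptions access is decided in the feature definition, which is outside this view; if it does not, these roles change what they grant without any visible edit. Where a role is meant to keep that access, spell it out, e.g. `"siemV3": ["all", "read_alerts", "crud_alerts", "endpoint_exceptions_all"]`. The same applies to the `siemV3: [` lists in the role scripts under scripts/endpoint/common/roles_users and to the `feature_siemV3.*` entries in es_serverless_resources/roles.yml, where a line such as `- feature_siemV3.endpoint_exceptions_all` would make the intent explicit.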
diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx index c19d307d6334d..40c49f3e24a17 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx @@ -66,7 +66,7 @@ jest.mock( jest.mock('../../common/links', () => ({ useLinkInfo: jest.fn().mockReturnValue({ - capabilities: ['siemV2.show'], + capabilities: ['siemV3.show'], globalNavPosition: 4, globalSearchKeywords: ['Attack discovery'], id: 'attack_discovery', @@ -117,7 +117,7 @@ jest.mock('../../common/lib/kibana', () => { services: { application: { capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, }, navigateToUrl: jest.fn(), }, @@ -149,7 +149,7 @@ jest.mock('../../common/lib/kibana', () => { dataViews: mockDataViewsService, docLinks: { links: { - siemV2: { + siemV3: { privileges: 'link', }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx index 033261a1e0ab9..8b03d61e52786 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx @@ -101,7 +101,7 @@ describe('Results', () => { services: { application: { capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, }, navigateToUrl: jest.fn(), }, 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx index f4d264f9e3e3d..56160973af728 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx @@ -72,7 +72,7 @@ jest.mock('../../lib/kibana', () => { navigateToApp: jest.fn(), getUrlForApp: jest.fn(), capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, }, }, cases: mockCasesContract(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts index 1711e4f224411..3e9c1e5557393 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts @@ -53,7 +53,7 @@ describe('When using useEndpointPrivileges hook', () => { catalogue: {}, management: {}, navLinks: {}, - siemV2: { + siemV3: { crud: true, show: true, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx index 0783033495503..f08e150a72a3e 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx 
@@ -140,7 +140,7 @@ const TestProvidersWithPrivilegesComponent: React.FC = ({ ({ application: { getUrlForApp: jest.fn(), capabilities: { - siemV2: { + siemV3: { crud: true, }, actions: { diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx index e51dcb6f57cde..f2f3d537fc3bf 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx @@ -76,7 +76,7 @@ jest.mock('../../../../common/lib/kibana', () => { services: { timelines: { ...mockTimelines }, application: { - capabilities: { siemV2: { crud_alerts: true, read_alerts: true } }, + capabilities: { siemV3: { crud_alerts: true, read_alerts: true } }, }, cases: { ...mockCasesContract(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx index 2db975340ca4e..869cf875ea0aa 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx 
@@ -15,6 +15,7 @@ import * as api from '../../containers/detection_engine/alerts/api'; import { TestProviders } from '../../../common/mock/test_providers'; import { UserPrivilegesProvider } from '../../../common/components/user_privileges/user_privileges_context'; import { sourcererSelectors } from '../../../common/store'; +import { SECURITY_FEATURE_ID } from '../../../../common'; jest.mock('../../../common/lib/kibana'); jest.mock('../../containers/detection_engine/alerts/api'); @@ -26,7 +27,7 @@ describe('useUserInfo', () => { services: { application: { capabilities: { - siemV2: { + siemV3: { crud: true, }, }, @@ -68,7 +69,9 @@ describe('useUserInfo', () => { const wrapper = ({ children }: React.PropsWithChildren) => ( {children} diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx index 79ea0b2974b43..e38a477ac0d3d 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx @@ -88,7 +88,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { navigateToUrl: jest.fn(), capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, }, }, dataViews: mockDataViewsService, @@ -103,7 +103,7 @@ jest.mock('../../../common/lib/kibana', () => { }, docLinks: { links: { - siemV2: { + siemV3: { privileges: 'link', }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx index 21f66ea713118..69f35bc06bfd8 100644 
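Review bot: The mock in the `@@ -26,7 +27,7 @@` hunk of user_info/index.test.tsx still spells the capability key as the literal `siemV3`, even though the first hunk of the same file now imports `SECURITY_FEATURE_ID`. Keying the mock with the constant, `[SECURITY_FEATURE_ID]: { crud: true },`, keeps the test tied to the feature id the code under test reads and saves another hand edit at the next version bump; this assumes the constant resolves to the same id, which is not shown here. The same literal is repeated in the other test mocks this commit touches (for example detection_engine.test.tsx in the following hunks), so a mock that drifts from the real id would leave a capability check unexercised with no failure pointing at the cause. The `describe` body continues outside the hunk.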
--- a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx @@ -88,7 +88,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { ...original.useKibana().services.application, capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, maps_v2: mockMapVisibility(), }, navigateToApp: mockNavigateToApp, diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx index d862c6c09e62b..1b28f30c0ec4c 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx @@ -108,7 +108,7 @@ describe('take action dropdown', () => { isOsqueryAvailable: jest.fn().mockReturnValue(true), }, application: { - capabilities: { siemV2: { crud_alerts: true, read_alerts: true }, osquery: true }, + capabilities: { siemV3: { crud_alerts: true, read_alerts: true }, osquery: true }, }, }, }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 19cd08fce518c..8638e7e83a7bd 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
@@ -23,7 +23,7 @@ describe( () => { const getAllSubFeatureRows = (): Cypress.Chainable> => { return cy - .get('#featurePrivilegeControls_siemV2') + .get('#featurePrivilegeControls_siemV3') .findByTestSubj('mutexSubFeaturePrivilegeControl') .closest('.euiFlexGroup'); }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 3dbea89c49dc3..43fef363616b9 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts @@ -88,7 +88,7 @@ describe( .findByTestSubj(`space-avatar-${spaceId}`) .should('exist'); - cy.get('#row_siemV2_expansion') + cy.get('#row_siemV3_expansion') .findByTestSubj('subFeatureEntry') .then(($element) => { const features: string[] = []; @@ -120,14 +120,14 @@ describe( it('should not display the privilege tooltip', () => { ENDPOINT_SUB_FEATURE_PRIVILEGE_IDS.forEach((subFeaturePrivilegeId) => { - cy.getByTestSubj(`securitySolution_siemV2_${subFeaturePrivilegeId}_nameTooltip`).should( + cy.getByTestSubj(`securitySolution_siemV3_${subFeaturePrivilegeId}_nameTooltip`).should( 'not.exist' ); }); }); it('should include new Global Artifact Management privilege', () => { - cy.getByTestSubj('securitySolution_siemV2_global_artifact_management').should('exist'); + cy.getByTestSubj('securitySolution_siemV3_global_artifact_management').should('exist'); }); } ); 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts index 25bc5d2da1f8b..8ef79572124e5 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts @@ -17,8 +17,8 @@ export const getRoleWithArtifactReadPrivilege = (privilegePrefix: string) => { ...endpointSecurityPolicyManagerRole.kibana[0], feature: { ...endpointSecurityPolicyManagerRole.kibana[0].feature, - siemV2: [ - ...endpointSecurityPolicyManagerRole.kibana[0].feature.siemV2.filter( + siemV3: [ + ...endpointSecurityPolicyManagerRole.kibana[0].feature.siemV3.filter( (privilege) => privilege !== `${privilegePrefix}all` ), `${privilegePrefix}read`, diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts index 1b6d7e6c92548..50d066e9bf95b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts 
@@ -66,12 +66,12 @@ export const getSecuritySolutionCategoryKibanaPrivileges = (): Cypress.Chainable */ export const expandEndpointSecurityFeaturePrivileges = (): Cypress.Chainable => { return cy - .getByTestSubj('featurePrivilegeControls_securitySolution_siemV2_accordionToggle') + .getByTestSubj('featurePrivilegeControls_securitySolution_siemV3_accordionToggle') .click(); }; export const getEndpointSecurityFeaturePrivileges = () => { - return cy.getByTestSubj('featureCategory_securitySolution_siemV2'); + return cy.getByTestSubj('featureCategory_securitySolution_siemV3'); }; /** @@ -104,7 +104,7 @@ export const setSecuritySolutionEndpointGroupPrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getSecuritySolutionCategoryKibanaPrivileges() - .findByTestSubj(`siemV2_${privilege}`) + .findByTestSubj(`siemV3_${privilege}`) .click(); }; @@ -148,7 +148,7 @@ export const setEndpointSubFeaturePrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getEndpointSecurityFeaturePrivileges() - .findByTestSubj(`securitySolution_siemV2_${feature}_privilegeGroup`) + .findByTestSubj(`securitySolution_siemV3_${feature}_privilegeGroup`) .find(`button[title="${privilegeMapToTitle[privilege]}"]`) .click(); }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx index 1cc1e49516364..5f2bd9b2b1cbf 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx @@ -81,7 +81,7 @@ jest.mock('../../common/lib/kibana', () => ({ services: { application: { capabilities: { - siemV2: { + siemV3: { crud: true, }, }, 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx index 4f6429356ee98..eb79300aa1b79 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx @@ -43,7 +43,7 @@ jest.mock('../../../../../common/lib/kibana', () => { navigateToApp: jest.fn(), getUrlForApp: jest.fn(), capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, + siemV3: { crud_alerts: true, read_alerts: true }, }, }, sessionView: { diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts index f2e0d5c72001d..50ba44a23dcf9 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts @@ -17,7 +17,7 @@ export const getDetectionsEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 8a72ec983bcdb..83c9dc66d5266 100644 
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts @@ -57,7 +57,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { osquery: ['all'], securitySolutionCasesV3: ['all'], builtinAlerts: ['all'], - siemV2: [ + siemV3: [ 'all', 'read_alerts', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 6535f42154a20..44ea65c678d9f 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts @@ -17,7 +17,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'policy_management_all', @@ -46,7 +46,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index ff6c9aaa82933..f6da9b671d159 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts @@ -17,7 +17,7 @@ export const getPlatformEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index 2c32c21a1d521..edc6070a1175f 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts @@ -17,7 +17,7 @@ export const getRuleAuthor: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml index 04cc11ad6d9a6..0829cd1ed8f55 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml 
@@ -61,9 +61,9 @@ viewer: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -134,19 +134,19 @@ editor: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -198,9 +198,9 @@ t1_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.read - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -257,9 +257,9 @@ t2_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.read - - feature_siemV2.read_alerts - - feature_siemV2.endpoint_list_read + - feature_siemV3.read + - feature_siemV3.read_alerts + - feature_siemV3.endpoint_list_read - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -320,21 +320,21 @@ t3_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.policy_management_read # Elastic Defend Policy Management - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response actions history - - feature_siemV2.file_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.policy_management_read # Elastic Defend Policy Management + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response actions history + - feature_siemV3.file_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -394,9 +394,9 @@ threat_intelligence_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.endpoint_list_read - - feature_siemV2.blocklist_all + - feature_siemV3.all + - feature_siemV3.endpoint_list_read + - feature_siemV3.blocklist_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -459,17 +459,17 @@ rule_author: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_read - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_read + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -532,22 +532,22 @@ soc_manager: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -610,9 +610,9 @@ detections_admin: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -666,17 +666,17 @@ platform_engineer: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.actions_log_management_read - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.actions_log_management_read + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -740,21 +740,21 @@ endpoint_operations_analyst: - application: 'kibana-.kibana' privileges: - feature_ml.read - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all - - feature_siemV2.host_isolation_all - - feature_siemV2.process_operations_all - - feature_siemV2.actions_log_management_all # Response History - - feature_siemV2.file_operations_all - - feature_siemV2.execute_operations_all # Execute - - feature_siemV2.scan_operations_all - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all + - feature_siemV3.host_isolation_all + - feature_siemV3.process_operations_all + - feature_siemV3.actions_log_management_all # Response History + - feature_siemV3.file_operations_all + - feature_siemV3.execute_operations_all # Execute + - feature_siemV3.scan_operations_all + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -818,16 +818,16 @@ endpoint_policy_manager: - application: 'kibana-.kibana' privileges: - feature_ml.all - - feature_siemV2.all - - feature_siemV2.read_alerts - - feature_siemV2.crud_alerts - - feature_siemV2.policy_management_all - - feature_siemV2.endpoint_list_all - - feature_siemV2.trusted_applications_all - - feature_siemV2.event_filters_all - - feature_siemV2.host_isolation_exceptions_all - - feature_siemV2.blocklist_all # Elastic Defend Policy Management - - feature_siemV2.workflow_insights_all + - feature_siemV3.all + - feature_siemV3.read_alerts + - feature_siemV3.crud_alerts + - feature_siemV3.policy_management_all + - feature_siemV3.endpoint_list_all + - feature_siemV3.trusted_applications_all + - feature_siemV3.event_filters_all + - feature_siemV3.host_isolation_exceptions_all + - feature_siemV3.blocklist_all # Elastic Defend Policy Management + - feature_siemV3.workflow_insights_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -845,4 +845,4 @@ endpoint_policy_manager: - feature_maps_v2.all - feature_visualize_v2.all - feature_savedQueryManagement.all - resources: '*' \ No newline at end of file + resources: '*' diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index 65d3327c8d000..c968a6d44c3cb 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts @@ -17,7 +17,7 @@ export const getSocManager: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'policy_management_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index 5bdb7c3883f26..82983d1a8355e 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -17,7 +17,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all'], + siemV3: ['minimal_all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index d99ceba8014f3..cde28984796d4 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts @@ -17,7 +17,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all', 'actions_log_management_read'], + siemV3: ['minimal_all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index b174994e04874..75d89545d371c 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -17,7 +17,7 @@ export const getT3Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index 3707cbfb61bfd..fe71026909b8c 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -17,7 +17,7 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], + siemV3: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 5a168de59f5eb..3bfe312459023 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts 
@@ -17,7 +17,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ + siemV3: [ 'minimal_all', 'blocklist_read', 'trusted_applications_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts index a8a4bb31b2089..2f7aeb7aed702 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts @@ -17,8 +17,8 @@ export const getWithResponseActionsRole: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV2: [ - ...noResponseActionsRole.kibana[0].feature.siemV2, + siemV3: [ + ...noResponseActionsRole.kibana[0].feature.siemV3, 'file_operations_all', 'execute_operations_all', 'scan_operations_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index 53d8003618266..07aee268123a5 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -42,7 +42,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({ osquery: ['all'], savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], - siemV2: [ + siemV3: [ 'minimal_all', 'endpoint_list_all', 'endpoint_list_read', 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index a94a6668130ab..0b646937eb175 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -26,6 +26,11 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({ baseKibanaSubFeatureIds: [], subFeaturesMap: new Map(), })), + getSecurityV3Feature: jest.fn(() => ({ + baseKibanaFeature: {}, + baseKibanaSubFeatureIds: [], + subFeaturesMap: new Map(), + })), getCasesFeature: jest.fn(() => ({ baseKibanaFeature: {}, baseKibanaSubFeatureIds: [], diff --git a/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts b/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts index bcf15ff806fd5..051b47f6da92a 100644 --- a/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts +++ b/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts @@ -123,7 +123,7 @@ export const createCSPRole = async ( await security.role.create(roleName, { kibana: [ { - feature: { siemV2: ['read'], fleetv2: ['all'], fleet: ['read'] }, + feature: { siemV3: ['read'], fleetv2: ['all'], fleet: ['read'] }, spaces: ['*'], }, ], diff --git a/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts b/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts index c5b7b97d63e93..29b8bbfb3699d 100644 --- a/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts +++ b/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts 
@@ -89,7 +89,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['read'], + siemV3: ['read'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], @@ -107,7 +107,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['read'], + siemV3: ['read'], fleet: ['all'], fleetv2: ['all'], }, @@ -140,7 +140,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV2: ['all'], + siemV3: ['all'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], diff --git a/x-pack/test/fleet_api_integration/apis/test_users.ts b/x-pack/test/fleet_api_integration/apis/test_users.ts index ac944f0a1e669..c96e642d23ee1 100644 --- a/x-pack/test/fleet_api_integration/apis/test_users.ts +++ b/x-pack/test/fleet_api_integration/apis/test_users.ts @@ -179,7 +179,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV2: [ + siemV3: [ 'minimal_all', 'trusted_applications_read', 'host_isolation_exceptions_read', @@ -200,7 +200,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV2: ['minimal_all', 'policy_management_all'], + siemV3: ['minimal_all', 'policy_management_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -214,7 +214,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV2: ['minimal_all', 'policy_management_read'], + siemV3: ['minimal_all', 'policy_management_read'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -228,7 +228,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV2: ['minimal_all'], + siemV3: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, 
@@ -241,7 +241,7 @@ export const testUsers: { endpoint_integr_read_only_fleet_none: { permissions: { feature: { - siemV2: ['minimal_all'], + siemV3: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, diff --git a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts index 54e32092d05ed..eebead01ede46 100644 --- a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts +++ b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts @@ -88,7 +88,7 @@ export const secTimelineAllV2: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], }, spaces: ['*'], @@ -111,7 +111,7 @@ export const secTimelineReadV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionTimeline: ['read'], }, spaces: ['*'], @@ -134,7 +134,7 @@ export const secTimelineNoneV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionTimeline: ['none'], }, spaces: ['*'], @@ -157,7 +157,7 @@ export const secNotesAllV2: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionNotes: ['all'], }, spaces: ['*'], @@ -180,7 +180,7 @@ export const secNotesReadV2: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionNotes: ['read'], }, spaces: ['*'], @@ -203,7 +203,7 @@ export const secNotesNoneV2: Role = { kibana: [ { feature: { - siemV2: ['none'], + siemV3: ['none'], securitySolutionNotes: ['none'], }, spaces: ['*'], diff --git a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts index 51a9c887a562b..4ff4180f2f081 100644 
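Review bot: In roles.ts the exported roles `secTimelineAllV2`, `secTimelineReadV2`, `secTimelineNoneV2`, `secNotesAllV2`, `secNotesReadV2` and `secNotesNoneV2` keep their `V2` suffix while now granting `siemV3`, so the name no longer tells a reader which feature id the role exercises. If the suffix was meant to follow the siem feature version (an inference, the rest of each declaration is outside the hunks), rename them, or add a comment such as `// "V2" names the timeline/notes privilege split, not the siem feature version`. Replacing the key rather than adding a second role also means these suites no longer create any role with `siemV2`, so whatever handles roles already saved under the old id is not covered here. The Cypress capabilities hunk in this patch keeps its `siemV2` case next to the new `siemV3` one, which is the safer pattern for an authorization migration.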
--- a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts +++ b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts @@ -63,8 +63,8 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { if (predefinedRole) { const roleConfig = rolesMapping[predefinedRole]; if (extraPrivileges) { - roleConfig.kibana[0].feature.siemV2 = [ - ...roleConfig.kibana[0].feature.siemV2, + roleConfig.kibana[0].feature.siemV3 = [ + ...roleConfig.kibana[0].feature.siemV3, ...extraPrivileges, ]; } @@ -84,7 +84,7 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { spaces: ['*'], base: [], feature: { - siemV2: customRole.extraPrivileges, + siemV3: customRole.extraPrivileges, }, }, ], diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts index af35ceba994e5..219c9f35a222a 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts @@ -24,7 +24,7 @@ const roleToAccessSecuritySolution = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], }, spaces: ['*'], }, @@ -47,7 +47,7 @@ const roleToAccessSecuritySolutionWithDls = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], }, spaces: ['*'], }, 
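Review bot: In security_solution_edr_workflows_roles_users.ts, `roleConfig` is the object taken from `rolesMapping[predefinedRole]`, and the assignment to `roleConfig.kibana[0].feature.siemV3` writes the widened list back into it, so if `rolesMapping` is shared between calls (its definition is outside the hunk) the `extraPrivileges` of one test stay on the predefined role for later ones. A later test can then run with more access than its role name implies, which can hide a missing authorization check. The spread also throws when a predefined role has no `siemV3` key, which becomes possible after this rename if any role definition still carries `siemV2`; the `.includes`, `.filter` and `.push` calls on `feature.siemV3` in the artifacts.ts hunks depend on the same key. I would build the list on a copy, e.g. `const siemV3 = [...(roleConfig.kibana[0].feature.siemV3 ?? []), ...extraPrivileges];`, and create the role from a cloned config instead of mutating the mapping entry. The enclosing function starts and ends outside the hunk.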
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts index 8034d098da1c6..a269cfc30c05e 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts @@ -62,9 +62,9 @@ export default function ({ getService }: FtrProviderContext) { { name: 'artifactManager' } ); - if (artifactManagerRole.kibana[0].feature.siemV2.includes('global_artifact_management_all')) { - artifactManagerRole.kibana[0].feature.siemV2 = - artifactManagerRole.kibana[0].feature.siemV2.filter( + if (artifactManagerRole.kibana[0].feature.siemV3.includes('global_artifact_management_all')) { + artifactManagerRole.kibana[0].feature.siemV3 = + artifactManagerRole.kibana[0].feature.siemV3.filter( (privilege) => privilege !== 'global_artifact_management_all' ); } @@ -75,11 +75,11 @@ export default function ({ getService }: FtrProviderContext) { ); if ( - !globalArtifactManagerRole.kibana[0].feature.siemV2.includes( + !globalArtifactManagerRole.kibana[0].feature.siemV3.includes( 'global_artifact_management_all' ) ) { - globalArtifactManagerRole.kibana[0].feature.siemV2.push('global_artifact_management_all'); + globalArtifactManagerRole.kibana[0].feature.siemV3.push('global_artifact_management_all'); } const [artifactManagerUser, globalArtifactManagerUser] = await Promise.all([ 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts index 24c5349691e4d..09bc5db0d797d 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts @@ -18,7 +18,7 @@ const ROLES = [ kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], }, spaces: ['default'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts index bb02dec475989..262ad6f0d8b27 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts @@ -16,7 +16,7 @@ const ROLES = [ kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], }, spaces: ['default'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts index 0d04c7b3f4fb0..e9fe181c42408 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts 
+++ b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts @@ -40,7 +40,7 @@ export const securitySolutionOnlyAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -60,7 +60,7 @@ export const securitySolutionOnlyAllSpace2: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -80,7 +80,7 @@ export const securitySolutionOnlyRead: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -100,7 +100,7 @@ export const securitySolutionOnlyReadSpace2: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -123,7 +123,7 @@ export const securitySolutionOnlyAllSpacesAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -148,7 +148,7 @@ export const securitySolutionOnlyAllSpacesAllWithReadESIndices: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -168,7 +168,7 @@ export const securitySolutionOnlyReadSpacesAll: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], 
@@ -188,7 +188,7 @@ export const securitySolutionOnlyAllSpacesAllAssistantMinimalAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionAssistant: ['minimal_all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], diff --git a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts index 22cfa186d6531..0fe9959c9c6c1 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts @@ -38,7 +38,7 @@ export default ({ getService }: FtrProviderContextWithSpaces) => { { feature: { dashboard: ['all'], - siemV2: ['all', 'read'], + siemV3: ['all', 'read'], }, spaces: [space1Id], }, diff --git a/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/access/capabilities.cy.ts b/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/access/capabilities.cy.ts index 6eac7a24ebbcb..f8602338ea00b 100644 --- a/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/access/capabilities.cy.ts +++ b/x-pack/test/security_solution_cypress/cypress/e2e/ai4dsoc/access/capabilities.cy.ts 
@@ -73,6 +73,29 @@ describe('Capabilities', { tags: '@serverless' }, () => { cy.task('deleteServerlessCustomRole', 'siemV2'); }, }, + { + name: 'User with siem v3 role', + loginAs: 'siemV3', + setup: () => { + cy.task('createServerlessCustomRole', { + roleDescriptor: { + elasticsearch: { + indices: [{ names: ['*'], privileges: ['all'] }], + }, + kibana: [ + { + feature: { siemV3: ['all'], fleet: ['all'] }, + spaces: ['*'], + }, + ], + }, + roleName: 'siemV3', + }); + }, + teardown: () => { + cy.task('deleteServerlessCustomRole', 'siemV3'); + }, + }, ]; // Iterate through each user role diff --git a/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts b/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts index e55bcdd6381cb..881576bd16a77 100644 --- a/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts +++ b/x-pack/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts @@ -11,7 +11,7 @@ export const SPACE_SELECTOR_COMBO_BOX = '[data-test-subj="spaceSelectorComboBox" export const SECURITY_CATEGORY = '[data-test-subj="featureCategory_securitySolution"]'; // Sub-privileges -export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV2"]'; +export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV3"]'; export const SECURITY_FEATURE_DESCRIPTION = '[aria-describedby="Security description text"]'; export const CASES_FEATURE = diff --git a/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts b/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts index 31eca3c55fc22..6b34fa0cdb397 100644 --- a/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts +++ b/x-pack/test/security_solution_cypress/cypress/tasks/privileges.ts 
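Review bot: The new `siemV3` case in capabilities.cy.ts creates its role with `indices: [{ names: ['*'], privileges: ['all'] }]`, so the capability check runs for a role much broader than the Kibana feature privilege it is named after. If the assertions depend only on `feature: { siemV3: ['all'], fleet: ['all'] }`, narrowing the Elasticsearch part to the indices the page actually reads would make the test show what `siemV3` itself grants; this looks like a copy of the existing `siemV2` case, whose body starts outside the hunk, so the same would apply there. The role name `'siemV3'` is also written three times (`loginAs`, `roleName` and the `deleteServerlessCustomRole` task), and a single `const roleName = 'siemV3';` shared by all three would keep setup and teardown from drifting apart and leaving a privileged custom role behind. The array this entry is added to starts and ends outside the hunk.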
@@ -62,7 +62,7 @@ export const secAll: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -99,7 +99,7 @@ export const secReadCasesAll: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -136,7 +136,7 @@ export const secAllCasesOnlyReadDelete: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -173,7 +173,7 @@ export const secAllCasesNoDelete: Role = { kibana: [ { feature: { - siemV2: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], diff --git a/x-pack/test/session_view/basic/tests/index.ts b/x-pack/test/session_view/basic/tests/index.ts index d471882963566..38d84e8936ed4 100644 --- a/x-pack/test/session_view/basic/tests/index.ts +++ b/x-pack/test/session_view/basic/tests/index.ts @@ -57,7 +57,7 @@ export const securitySolutionOnlyReadSpacesAll: Role = { kibana: [ { feature: { - siemV2: ['read'], + siemV3: ['read'], }, spaces: ['*'], }, diff --git a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts index 9bbde8eb36fe1..a2e47dc3e2419 100644 --- a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts @@ -100,7 +100,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', - 'siemV2', + 'siemV3', 'slo', 'streams', 'uptime', 
diff --git a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts index 5691fff8d0381..ecd41953c8a99 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts @@ -104,7 +104,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', - 'siemV2', + 'siemV3', 'slo', 'streams', 'uptime', diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts index a2ebcf2a2c62b..faad14888d36a 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts @@ -92,7 +92,7 @@ const ALL_SPACE_RESULTS: Space[] = [ 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', - 'siemV2', + 'siemV3', 'slo', 'streams', 'uptime', diff --git a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts index 3be649a4c07c3..d47ce055d9cfe 100644 --- a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts +++ b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts @@ -94,7 +94,7 @@ export default function ({ getService }: FtrProviderContext) { searchSynonyms: 0, searchQueryRules: 0, siem: 0, - siemV2: 0, + siemV3: 0, securitySolutionCases: 0, securitySolutionCasesV2: 0, securitySolutionCasesV3: 0, diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index 05f6dfd91841e..1054d96c1dfb3 100644 
--- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts @@ -39,7 +39,7 @@ export default function ({ getService }: FtrProviderContext) { 'discover', 'discover_v2', 'reporting', - 'siemV2', + 'siemV3', ]; const features = Object.fromEntries( @@ -205,18 +205,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/close_point_in_time", ], }, - "siemV2": Object { + "siemV3": Object { "actions_log_management_all": Array [ "login:", "api:securitySolution-writeActionsLogManagement", "api:securitySolution-readActionsLogManagement", - "ui:siemV2/writeActionsLogManagement", - "ui:siemV2/readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", ], "actions_log_management_read": Array [ "login:", "api:securitySolution-readActionsLogManagement", - "ui:siemV2/readActionsLogManagement", + "ui:siemV3/readActionsLogManagement", ], "all": Array [ "login:", 
@@ -483,15 +483,15 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/crud", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", - "ui:siemV2/showEndpointExceptions", - "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/getRuleState", "alerting:siem.notifications/siem/rule/getAlertSummary", 
@@ -961,39 +961,39 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/writeBlocklist", - "ui:siemV2/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", ], "blocklist_read": Array [ "login:", "api:lists-read", "api:lists-summary", "api:securitySolution-readBlocklist", - "ui:siemV2/readBlocklist", + "ui:siemV3/readBlocklist", ], "endpoint_exceptions_all": Array [ "login:", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", - "ui:siemV2/showEndpointExceptions", - "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", "api:securitySolution-showEndpointExceptions", - "ui:siemV2/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", ], "endpoint_list_all": Array [ "login:", "api:securitySolution-writeEndpointList", "api:securitySolution-readEndpointList", - "ui:siemV2/writeEndpointList", - "ui:siemV2/readEndpointList", + "ui:siemV3/writeEndpointList", + "ui:siemV3/readEndpointList", ], "endpoint_list_read": Array [ "login:", "api:securitySolution-readEndpointList", - "ui:siemV2/readEndpointList", + "ui:siemV3/readEndpointList", ], "event_filters_all": Array [ "login:", 
@@ -1014,32 +1014,32 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/writeEventFilters", - "ui:siemV2/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", ], "event_filters_read": Array [ "login:", "api:lists-read", "api:lists-summary", "api:securitySolution-readEventFilters", - "ui:siemV2/readEventFilters", + "ui:siemV3/readEventFilters", ], "execute_operations_all": Array [ "login:", "api:securitySolution-writeExecuteOperations", - "ui:siemV2/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", ], "file_operations_all": Array [ "login:", "api:securitySolution-writeFileOperations", - "ui:siemV2/writeFileOperations", + "ui:siemV3/writeFileOperations", ], "host_isolation_all": Array [ "login:", "api:securitySolution-writeHostIsolationRelease", "api:securitySolution-writeHostIsolation", - "ui:siemV2/writeHostIsolationRelease", - "ui:siemV2/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + "ui:siemV3/writeHostIsolation", ], "host_isolation_exceptions_all": Array [ "login:", @@ -1062,10 +1062,10 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/readHostIsolationExceptions", - "ui:siemV2/deleteHostIsolationExceptions", - "ui:siemV2/accessHostIsolationExceptions", - "ui:siemV2/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", ], "host_isolation_exceptions_read": Array [ "login:", 
@@ -1073,8 +1073,8 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readHostIsolationExceptions", "api:securitySolution-accessHostIsolationExceptions", - "ui:siemV2/readHostIsolationExceptions", - "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", ], "minimal_all": Array [ "login:", @@ -1339,13 +1339,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/crud", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/getRuleState", "alerting:siem.notifications/siem/rule/getAlertSummary", @@ -1924,12 +1924,12 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/getRuleState", "alerting:siem.notifications/siem/rule/getAlertSummary", 
@@ -2151,8 +2151,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/delete", "saved_object:policy-settings-protection-updates-note/bulk_delete", "saved_object:policy-settings-protection-updates-note/share_to_space", - "ui:siemV2/writePolicyManagement", - "ui:siemV2/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", ], "policy_management_read": Array [ "login:", @@ -2162,12 +2162,12 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/find", "saved_object:policy-settings-protection-updates-note/open_point_in_time", "saved_object:policy-settings-protection-updates-note/close_point_in_time", - "ui:siemV2/readPolicyManagement", + "ui:siemV3/readPolicyManagement", ], "process_operations_all": Array [ "login:", "api:securitySolution-writeProcessOperations", - "ui:siemV2/writeProcessOperations", + "ui:siemV3/writeProcessOperations", ], "read": Array [ "login:", @@ -2298,13 +2298,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/find", "saved_object:cloud/open_point_in_time", "saved_object:cloud/close_point_in_time", - "ui:siemV2/show", - "ui:siemV2/entity-analytics", - "ui:siemV2/detections", - "ui:siemV2/investigation-guide", - "ui:siemV2/investigation-guide-interactions", - "ui:siemV2/threat-intelligence", - "ui:siemV2/showEndpointExceptions", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", "alerting:siem.notifications/siem/rule/get", "alerting:siem.notifications/siem/rule/getRuleState", "alerting:siem.notifications/siem/rule/getAlertSummary", 
@@ -2513,7 +2513,7 @@ export default function ({ getService }: FtrProviderContext) { "scan_operations_all": Array [ "login:", "api:securitySolution-writeScanOperations", - "ui:siemV2/writeScanOperations", + "ui:siemV3/writeScanOperations", ], "trusted_applications_all": Array [ "login:", @@ -2534,27 +2534,27 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/delete", "saved_object:exception-list-agnostic/bulk_delete", "saved_object:exception-list-agnostic/share_to_space", - "ui:siemV2/writeTrustedApplications", - "ui:siemV2/readTrustedApplications", + "ui:siemV3/writeTrustedApplications", + "ui:siemV3/readTrustedApplications", ], "trusted_applications_read": Array [ "login:", "api:lists-read", "api:lists-summary", "api:securitySolution-readTrustedApplications", - "ui:siemV2/readTrustedApplications", + "ui:siemV3/readTrustedApplications", ], "workflow_insights_all": Array [ "login:", "api:securitySolution-writeWorkflowInsights", "api:securitySolution-readWorkflowInsights", - "ui:siemV2/writeWorkflowInsights", - "ui:siemV2/readWorkflowInsights", + "ui:siemV3/writeWorkflowInsights", + "ui:siemV3/readWorkflowInsights", ], "workflow_insights_read": Array [ "login:", "api:securitySolution-readWorkflowInsights", - "ui:siemV2/readWorkflowInsights", + "ui:siemV3/readWorkflowInsights", ], }, } From b1f4b1563bd90e735795210a5a5a0c8d74607d9a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 8 May 2025 10:42:31 +0200 Subject: [PATCH 08/52] parameterize `siemV3` in most places to ease next role migration --- .../plugins/shared/fleet/common/authz.test.ts | 8 ++++---- .../public/pages/rules/rules.test.tsx | 3 ++- .../public/pages/rules/rules_container.test.tsx | 3 ++- .../public/pages/rules/rules_table.test.tsx | 3 ++- .../pages/rules/rules_table_header.test.tsx | 3 ++- .../public/test/constants.ts | 8 ++++++++ .../attack_discovery/pages/index.test.tsx | 8 ++++---- .../pages/results/index.test.tsx | 3 ++- .../components/header_actions/actions.test.tsx | 3 ++- .../endpoint/use_endpoint_privileges.test.ts | 3 ++- .../public/common/mock/test_providers.tsx | 8 ++++++-- .../components/step_rule_actions/index.test.tsx | 3 ++- .../alert_context_menu.test.tsx | 3 ++- .../components/user_info/index.test.tsx | 2 +- .../pages/alerts/detection_engine.test.tsx | 5 +++-- .../explore/network/pages/network.test.tsx | 3 ++- .../components/take_action_dropdown.test.tsx | 6 +++++- .../artifact_tabs_in_policy_details.cy.ts | 7 ++++--- .../endpoints_rbac_mocked_data.cy.ts | 6 +++--- .../role_with_artifact_read_privilege.ts | 5 +++-- .../view/ingest_manager_integration/mocks.tsx | 3 ++- .../public/sourcerer/containers/hooks.test.tsx | 3 ++- .../tabs/session/use_session_view.test.tsx | 3 ++- .../common/roles_users/detections_engineer.ts | 3 ++- .../roles_users/endpoint_operations_analyst.ts | 3 ++- .../endpoint_security_policy_manager.ts | 5 +++-- .../endpoint/common/roles_users/hunter.ts | 3 ++- .../common/roles_users/platform_engineer.ts | 3 ++- .../endpoint/common/roles_users/rule_author.ts | 3 ++- .../endpoint/common/roles_users/soc_manager.ts | 3 ++- .../endpoint/common/roles_users/t1_analyst.ts | 3 ++- .../endpoint/common/roles_users/t2_analyst.ts | 3 ++- .../endpoint/common/roles_users/t3_analyst.ts | 3 ++- .../roles_users/threat_intelligence_analyst.ts | 3 ++- .../with_artifact_read_privileges_role.ts | 3 ++- 
.../roles_users/with_response_actions_role.ts | 5 +++-- .../without_response_actions_role.ts | 3 ++- .../apis/cloud_security_posture/helper.ts | 3 ++- .../routes/helper/user_roles_utilites.ts | 7 ++++--- .../fleet_api_integration/apis/test_users.ts | 11 ++++++----- .../config/privileges/roles.ts | 13 +++++++------ ...curity_solution_edr_workflows_roles_users.ts | 7 ++++--- .../document_level_security.ts | 9 ++++++--- .../trial_license_complete_tier/artifacts.ts | 17 ++++++++++++----- .../asset_criticality_privileges.ts | 3 ++- .../risk_engine_privileges.ts | 3 ++- .../knowledge_base/entries/utils/auth/roles.ts | 17 +++++++++-------- 47 files changed, 151 insertions(+), 87 deletions(-) create mode 100644 x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts diff --git a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts index 3690a41624f40..2bf8de9433548 100644 --- a/x-pack/platform/plugins/shared/fleet/common/authz.test.ts +++ b/x-pack/platform/plugins/shared/fleet/common/authz.test.ts @@ -16,7 +16,7 @@ import { calculatePackagePrivilegesFromKibanaPrivileges, getAuthorizationFromPrivileges, } from './authz'; -import { ENDPOINT_PRIVILEGES } from './constants'; +import { ENDPOINT_PRIVILEGES, SECURITY_SOLUTION_APP_ID } from './constants'; const SECURITY_SOLUTION_ID = DEFAULT_APP_CATEGORIES.security.id; @@ -69,7 +69,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV3: endpointCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointCapabilities, transform: transformCapabilities, }); @@ -95,7 +95,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV3: endpointExceptionsCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointExceptionsCapabilities, }); expect(actual).toEqual(expected); 
@@ -120,7 +120,7 @@ describe('fleet authz', () => { navLinks: {}, management: {}, catalogue: {}, - siemV3: endpointCapabilities, + [SECURITY_SOLUTION_APP_ID]: endpointCapabilities, }); expect(actual).toEqual(expected); diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx index f0385023e5b35..29310490b9c18 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules.test.tsx @@ -20,6 +20,7 @@ import { useCspIntegrationLink } from '../../common/navigation/use_csp_integrati import { useLicenseManagementLocatorApi } from '../../common/api/use_license_management_locator_api'; import { useCspBenchmarkIntegrationsV2 } from '../benchmarks/use_csp_benchmark_integrations'; import * as TEST_SUBJECTS from './test_subjects'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; jest.mock('@kbn/cloud-security-posture/src/hooks/use_csp_setup_status_api'); jest.mock('../../common/api/use_license_management_locator_api'); @@ -47,7 +48,7 @@ const getTestComponent = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV3: { crud: true }, + [SECURITY_FEATURE_ID]: { crud: true }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx index 8e9a4f7077a58..c89e259391c91 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_container.test.tsx 
@@ -16,6 +16,7 @@ import { TestProvider } from '../../test/test_provider'; import type { CspBenchmarkRule } from '@kbn/cloud-security-posture-common/schema/rules/latest'; import { useParams } from 'react-router-dom'; import { coreMock } from '@kbn/core/public/mocks'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; const chance = new Chance(); @@ -47,7 +48,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV3: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx index fdc1a412cc938..39f9d3eb0ed2c 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table.test.tsx @@ -22,6 +22,7 @@ import { import { useChangeCspRuleState } from './use_change_csp_rule_state'; import userEvent from '@testing-library/user-event'; import { RULES_TABLE } from './test_subjects'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; const queryClient = new QueryClient({ defaultOptions: { @@ -41,7 +42,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV3: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx index 42f34adf2aa21..6c1ed280a6da9 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx 
+++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/pages/rules/rules_table_header.test.tsx @@ -16,6 +16,7 @@ import userEvent from '@testing-library/user-event'; import { useChangeCspRuleState } from './use_change_csp_rule_state'; import { QueryClient, QueryClientProvider } from '@tanstack/react-query'; import { selectRulesMock } from './__mocks__'; +import { SECURITY_FEATURE_ID } from '../../test/constants'; jest.mock('./use_change_csp_rule_state'); @@ -37,7 +38,7 @@ const getWrapper = ...coreStart.application, capabilities: { ...coreStart.application.capabilities, - siemV3: { crud: canUpdate }, + [SECURITY_FEATURE_ID]: { crud: canUpdate }, }, }, }; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts new file mode 100644 index 0000000000000..b1b7f9298e31c --- /dev/null +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts @@ -0,0 +1,8 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +export const SECURITY_FEATURE_ID = 'siemV3'; diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx index 40c49f3e24a17..2ad5b46548db8 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx 
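Review bot: The new `cloud_security_posture/public/test/constants.ts` hard-codes `'siemV3'` a second time, and nothing ties it to the `SECURITY_FEATURE_ID` that the security_solution tests in this patch import from `common/constants`. After the next feature-ID migration this copy can be left behind, and the rules tests that build their mock capabilities from it would keep passing while granting `crud` under a key the application may no longer read (inferred, since the component's own lookup is not visible here). A comment above the export would make the coupling explicit: `// Test-only copy of the Security feature ID; keep in sync with SECURITY_FEATURE_ID in security_solution/common/constants.`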
@@ -16,7 +16,7 @@ import React from 'react'; import useLocalStorage from 'react-use/lib/useLocalStorage'; import { TestProviders } from '../../common/mock'; -import { ATTACK_DISCOVERY_PATH } from '../../../common/constants'; +import { ATTACK_DISCOVERY_PATH, SECURITY_FEATURE_ID } from '../../../common/constants'; import { mockHistory } from '../../common/utils/route/mocks'; import { AttackDiscoveryPage } from '.'; import { mockTimelines } from '../../common/mock/mock_timelines_plugin'; @@ -66,7 +66,7 @@ jest.mock( jest.mock('../../common/links', () => ({ useLinkInfo: jest.fn().mockReturnValue({ - capabilities: ['siemV3.show'], + capabilities: [`${SECURITY_FEATURE_ID}.show`], globalNavPosition: 4, globalSearchKeywords: ['Attack discovery'], id: 'attack_discovery', @@ -117,7 +117,7 @@ jest.mock('../../common/lib/kibana', () => { services: { application: { capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, navigateToUrl: jest.fn(), }, @@ -149,7 +149,7 @@ jest.mock('../../common/lib/kibana', () => { dataViews: mockDataViewsService, docLinks: { links: { - siemV3: { + [SECURITY_FEATURE_ID]: { privileges: 'link', }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx index 8b03d61e52786..d110a0c2b9495 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/index.test.tsx 
@@ -18,6 +18,7 @@ import { useKibana } from '../../../common/lib/kibana'; import { TestProviders } from '../../../common/mock'; import { mockAttackDiscovery } from '../mock/mock_attack_discovery'; import { Results } from '.'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; jest.mock('../../../common/lib/kibana'); @@ -101,7 +102,7 @@ describe('Results', () => { services: { application: { capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, navigateToUrl: jest.fn(), }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx index 56160973af728..9abe0309fcb70 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx @@ -20,6 +20,7 @@ import { Actions } from './actions'; import { initialUserPrivilegesState as mockInitialUserPrivilegesState } from '../user_privileges/user_privileges_context'; import { useUserPrivileges } from '../user_privileges'; import { useHiddenByFlyout } from '../guided_onboarding_tour/use_hidden_by_flyout'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; const useHiddenByFlyoutMock = useHiddenByFlyout as jest.Mock; jest.mock('../guided_onboarding_tour/use_hidden_by_flyout', () => ({ @@ -72,7 +73,7 @@ jest.mock('../../lib/kibana', () => { navigateToApp: jest.fn(), getUrlForApp: jest.fn(), capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, }, cases: mockCasesContract(), 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts index 3e9c1e5557393..116df0d93d260 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/user_privileges/endpoint/use_endpoint_privileges.test.ts @@ -18,6 +18,7 @@ import { licenseService } from '../../../hooks/use_license'; import { useEndpointPrivileges } from './use_endpoint_privileges'; import { getEndpointPrivilegesInitialStateMock } from './mocks'; import { getEndpointPrivilegesInitialState } from './utils'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; jest.mock('../../../lib/kibana'); jest.mock('../../../hooks/use_license', () => { @@ -53,7 +54,7 @@ describe('When using useEndpointPrivileges hook', () => { catalogue: {}, management: {}, navLinks: {}, - siemV3: { + [SECURITY_FEATURE_ID]: { crud: true, show: true, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx index f08e150a72a3e..006bf80de8ef3 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/common/mock/test_providers.tsx 
@@ -31,7 +31,11 @@ import { } from '../lib/kibana/kibana_react.mock'; import type { FieldHook } from '../../shared_imports'; import { localStorageMock } from './mock_local_storage'; -import { ASSISTANT_FEATURE_ID, CASES_FEATURE_ID } from '../../../common/constants'; +import { + ASSISTANT_FEATURE_ID, + CASES_FEATURE_ID, + SECURITY_FEATURE_ID, +} from '../../../common/constants'; import { UserPrivilegesProvider } from '../components/user_privileges/user_privileges_context'; import { MockDiscoverInTimelineContext } from '../components/discover_in_timeline/mocks/discover_in_timeline_provider'; import { createMockStore } from './create_store'; @@ -140,7 +144,7 @@ const TestProvidersWithPrivilegesComponent: React.FC = ({ ({ useKibana: jest.fn().mockReturnValue({ @@ -28,7 +29,7 @@ jest.mock('../../../../common/lib/kibana', () => ({ application: { getUrlForApp: jest.fn(), capabilities: { - siemV3: { + [SECURITY_FEATURE_ID]: { crud: true, }, actions: { diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx index f2f3d537fc3bf..a2d7372777b89 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx 
@@ -16,6 +16,7 @@ import { initialUserPrivilegesState as mockInitialUserPrivilegesState } from '.. import { useUserPrivileges } from '../../../../common/components/user_privileges'; import { TableId } from '@kbn/securitysolution-data-table'; import { TimelineId } from '../../../../../common/types/timeline'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; jest.mock('../../../../common/components/user_privileges'); @@ -76,7 +77,7 @@ jest.mock('../../../../common/lib/kibana', () => { services: { timelines: { ...mockTimelines }, application: { - capabilities: { siemV3: { crud_alerts: true, read_alerts: true } }, + capabilities: { [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true } }, }, cases: { ...mockCasesContract(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx index 869cf875ea0aa..af3d69508bc69 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/user_info/index.test.tsx @@ -27,7 +27,7 @@ describe('useUserInfo', () => { services: { application: { capabilities: { - siemV3: { + [SECURITY_FEATURE_ID]: { crud: true, }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx index e38a477ac0d3d..2aa4ebf121afa 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx 
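Review bot: The `user_info/index.test.tsx` hunk (`@@ -27,7 +27,7 @@`) starts using `[SECURITY_FEATURE_ID]` as the capability key but adds no import for it. The hunk begins at line 27 on both sides and the diffstat lists only a one-line change for this file, whereas the sibling tests in this patch each gain an import line. Unless the file already imports the constant above the hunk (not visible here), the suite fails on an unresolved identifier instead of exercising the privilege check. If it is missing, add `import { SECURITY_FEATURE_ID } from '../../../../common/constants';` next to the other imports.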
@@ -24,6 +24,7 @@ import * as alertFilterControlsPackage from '@kbn/alerts-ui-shared/src/alert_fil import { DetectionEnginePage } from './detection_engine'; import { TableId } from '@kbn/securitysolution-data-table'; import { useUpsellingMessage } from '../../../common/hooks/use_upselling'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; // Test will fail because we will to need to mock some core services to make the test work // For now let's forget about SiemSearchBar and QueryBar @@ -88,7 +89,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { navigateToUrl: jest.fn(), capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, }, dataViews: mockDataViewsService, @@ -103,7 +104,7 @@ jest.mock('../../../common/lib/kibana', () => { }, docLinks: { links: { - siemV3: { + [SECURITY_FEATURE_ID]: { privileges: 'link', }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx index 69f35bc06bfd8..b1dcd94d27661 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx @@ -18,6 +18,7 @@ import { NetworkRoutes } from './navigation'; import { mockCasesContract } from '@kbn/cases-plugin/public/mocks'; import { InputsModelId } from '../../../common/store/inputs/constants'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; jest.mock('../../../common/components/empty_prompt'); jest.mock('../../../sourcerer/containers'); 
@@ -88,7 +89,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { ...original.useKibana().services.application, capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, maps_v2: mockMapVisibility(), }, navigateToApp: mockNavigateToApp, diff --git a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx index 1b28f30c0ec4c..92ccd0b51f65f 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/flyout/document_details/shared/components/take_action_dropdown.test.tsx @@ -28,6 +28,7 @@ import { ALERT_TAGS_CONTEXT_MENU_ITEM_TITLE, } from '../../../../common/components/toolbar/bulk_actions/translations'; import { FLYOUT_FOOTER_DROPDOWN_BUTTON_TEST_ID } from './test_ids'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; jest.mock('../../../../common/components/endpoint/host_isolation'); jest.mock('../../../../common/components/endpoint/responder'); @@ -108,7 +109,10 @@ describe('take action dropdown', () => { isOsqueryAvailable: jest.fn().mockReturnValue(true), }, application: { - capabilities: { siemV3: { crud_alerts: true, read_alerts: true }, osquery: true }, + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + osquery: true, + }, }, }, }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts index c900dc4175153..3903d82c1c830 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifact_tabs_in_policy_details.cy.ts @@ -20,6 +20,7 @@ import { login, ROLE } from '../../tasks/login'; import { performUserActions } from '../../tasks/perform_user_actions'; import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; import type { ReturnTypeFromChainable } from '../../types'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; const loginWithPrivilegeAll = () => { login(ROLE.endpoint_policy_manager); @@ -45,9 +46,9 @@ const getRoleWithoutArtifactPrivilege = (privilegePrefix: string) => { ...endpointSecurityPolicyManagerRole.kibana[0], feature: { ...endpointSecurityPolicyManagerRole.kibana[0].feature, - siemV3: endpointSecurityPolicyManagerRole.kibana[0].feature.siemV3.filter( - (privilege) => privilege !== `${privilegePrefix}all` - ), + [SECURITY_FEATURE_ID]: endpointSecurityPolicyManagerRole.kibana[0].feature[ + SECURITY_FEATURE_ID + ].filter((privilege) => privilege !== `${privilegePrefix}all`), }, }, ], diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts index 434fd7f5e6a7b..b8c0ee5af42ae 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts 
@@ -8,7 +8,7 @@ import { PACKAGE_POLICY_API_ROUTES } from '@kbn/fleet-plugin/common/constants/routes'; import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy'; import { getT1Analyst } from '../../../../../scripts/endpoint/common/roles_users'; -import { APP_ENDPOINTS_PATH } from '../../../../../common/constants'; +import { APP_ENDPOINTS_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants'; import type { ReturnTypeFromChainable } from '../../types'; import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; import { login } from '../../tasks/login'; @@ -36,8 +36,8 @@ describe('Endpoints RBAC', { tags: ['@ess'] }, () => { ...base.kibana[0], feature: { ...base.kibana[0].feature, - siemV3: [ - ...base.kibana[0].feature.siemV3, + [SECURITY_FEATURE_ID]: [ + ...base.kibana[0].feature[SECURITY_FEATURE_ID], `endpoint_list_all`, `policy_management_${endpointPolicyManagementPrivilege}`, ], diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts index 8ef79572124e5..043967d8c3a29 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/role_with_artifact_read_privilege.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; import { getEndpointSecurityPolicyManager } from '../../../../scripts/endpoint/common/roles_users'; export const getRoleWithArtifactReadPrivilege = (privilegePrefix: string) => { 
@@ -17,8 +18,8 @@ export const getRoleWithArtifactReadPrivilege = (privilegePrefix: string) => { ...endpointSecurityPolicyManagerRole.kibana[0], feature: { ...endpointSecurityPolicyManagerRole.kibana[0].feature, - siemV3: [ - ...endpointSecurityPolicyManagerRole.kibana[0].feature.siemV3.filter( + [SECURITY_FEATURE_ID]: [ + ...endpointSecurityPolicyManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( (privilege) => privilege !== `${privilegePrefix}all` ), `${privilegePrefix}read`, diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx index 737e7f9ea3707..e61ea3341bc53 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/management/pages/policy/view/ingest_manager_integration/mocks.tsx @@ -28,6 +28,7 @@ import { appReducer } from '../../../../../common/store/app'; import { ExperimentalFeaturesService } from '../../../../../common/experimental_features_service'; import { RenderContextProviders } from '../../../../../common/components/with_security_context/render_context_providers'; import type { AppAction } from '../../../../../common/store/actions'; +import { SECURITY_FEATURE_ID } from '../../../../../../common/constants'; // Defined a private custom reducer that reacts to an action that enables us to update the // store with new values for technical preview features/flags. Because the `action.type` is a `Symbol`, @@ -96,7 +97,7 @@ export const createFleetContextRendererMock = (): AppContextTestRender => { startServices.application.capabilities = deepFreeze({ ...startServices.application.capabilities, - siemV3: { show: true, crud: true }, + [SECURITY_FEATURE_ID]: { show: true, crud: true }, }); return ( 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx index 5f2bd9b2b1cbf..b1bfdff4e8ceb 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx @@ -16,6 +16,7 @@ import type { RouteSpyState } from '../../common/utils/route/types'; import { DEFAULT_DATA_VIEW_ID, DEFAULT_INDEX_PATTERN, + SECURITY_FEATURE_ID, SecurityPageName, } from '../../../common/constants'; import { useUserInfo, initialState as userInfoState } from '../../detections/components/user_info'; @@ -81,7 +82,7 @@ jest.mock('../../common/lib/kibana', () => ({ services: { application: { capabilities: { - siemV3: { + [SECURITY_FEATURE_ID]: { crud: true, }, }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx index eb79300aa1b79..16ce2700042df 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx @@ -19,6 +19,7 @@ import { } from '../../../../../common/containers/use_full_screen'; import { useSessionView, useSessionViewNavigation } from './use_session_view'; import { TableId } from '@kbn/securitysolution-data-table'; +import { SECURITY_FEATURE_ID } from '../../../../../../common/constants'; const mockDispatch = jest.fn(); jest.mock('../../../../../common/hooks/use_selector'); 
@@ -43,7 +44,7 @@ jest.mock('../../../../../common/lib/kibana', () => { navigateToApp: jest.fn(), getUrlForApp: jest.fn(), capabilities: { - siemV3: { crud_alerts: true, read_alerts: true }, + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, }, }, sessionView: { diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts index 50ba44a23dcf9..9f29b657435b4 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getDetectionsEngineer: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getDetectionsEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 83c9dc66d5266..e9d64b02c55cb 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts 
@@ -6,6 +6,7 @@ */ import type { Role } from '@kbn/security-plugin/common'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointOperationsAnalyst: () => Omit = () => { // IMPORTANT @@ -57,7 +58,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { osquery: ['all'], securitySolutionCasesV3: ['all'], builtinAlerts: ['all'], - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 44ea65c678d9f..65e5ff2ba5835 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointSecurityPolicyManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'policy_management_all', @@ -46,7 +47,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -17,7 +18,7 @@ export const getHunter: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index f6da9b671d159..d498e2846761b 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getPlatformEngineer: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getPlatformEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index edc6070a1175f..de063f442d8ea 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts 
@@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getRuleAuthor: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getRuleAuthor: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index c968a6d44c3cb..11eebeb0d6475 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getSocManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getSocManager: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index 82983d1a8355e..bff6d87b6488f 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT1Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['minimal_all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index cde28984796d4..ea2564692ed0a 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT2Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: ['minimal_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index 75d89545d371c..1a616fb9b6cc5 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT3Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getT3Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index fe71026909b8c..f6eec979b5e86 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getThreatIntelligenceAnalyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -17,7 +18,7 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 3bfe312459023..98f673d894e47 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithArtifactReadPrivilegesRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,7 +18,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'blocklist_read', 'trusted_applications_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts index 2f7aeb7aed702..decc743d14592 100644 
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts @@ -7,6 +7,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithResponseActionsRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -17,8 +18,8 @@ export const getWithResponseActionsRole: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - siemV3: [ - ...noResponseActionsRole.kibana[0].feature.siemV3, + [SECURITY_FEATURE_ID]: [ + ...noResponseActionsRole.kibana[0].feature[SECURITY_FEATURE_ID], 'file_operations_all', 'execute_operations_all', 'scan_operations_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index 07aee268123a5..a2755b31623c9 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -6,6 +6,7 @@ */ import type { Role } from '@kbn/security-plugin/common'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getNoResponseActionsRole: () => Omit = () => ({ elasticsearch: { 
@@ -42,7 +43,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({ osquery: ['all'], savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'endpoint_list_all', 'endpoint_list_read', diff --git a/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts b/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts index 051b47f6da92a..01d948ecc7500 100644 --- a/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts +++ b/x-pack/test/api_integration/apis/cloud_security_posture/helper.ts @@ -10,6 +10,7 @@ import type { Agent as SuperTestAgent } from 'supertest'; import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import { CLOUD_SECURITY_PLUGIN_VERSION } from '@kbn/cloud-security-posture-plugin/common/constants'; import { RoleCredentials, SecurityService } from '@kbn/ftr-common-functional-services'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; export async function createPackagePolicy( supertest: SuperTestAgent, @@ -123,7 +124,7 @@ export const createCSPRole = async ( await security.role.create(roleName, { kibana: [ { - feature: { siemV3: ['read'], fleetv2: ['all'], fleet: ['read'] }, + feature: { [SECURITY_FEATURE_ID]: ['read'], fleetv2: ['all'], fleet: ['read'] }, spaces: ['*'], }, ], diff --git a/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts b/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts index 29b8bbfb3699d..93002ef954673 100644 --- a/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts +++ b/x-pack/test/cloud_security_posture_api/routes/helper/user_roles_utilites.ts 
@@ -14,6 +14,7 @@ import { BENCHMARK_SCORE_INDEX_PATTERN, ALERTS_INDEX_PATTERN, } from '@kbn/cloud-security-posture-plugin/common/constants'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import type { FtrProviderContext } from '../../ftr_provider_context'; const alertsSecurityUserIndices = [ @@ -89,7 +90,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], @@ -107,7 +108,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], fleet: ['all'], fleetv2: ['all'], }, @@ -140,7 +141,7 @@ export function CspSecurityCommonProvider(providerContext: FtrProviderContext) { { base: [], feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], fleet: ['all'], fleetv2: ['all'], savedObjectsManagement: ['all'], diff --git a/x-pack/test/fleet_api_integration/apis/test_users.ts b/x-pack/test/fleet_api_integration/apis/test_users.ts index c96e642d23ee1..2f350c69a57e4 100644 --- a/x-pack/test/fleet_api_integration/apis/test_users.ts +++ b/x-pack/test/fleet_api_integration/apis/test_users.ts @@ -6,6 +6,7 @@ */ import type { SecurityService } from '@kbn/ftr-common-functional-services'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; export const testUsers: { [rollName: string]: { username: string; password: string; permissions?: any }; @@ -179,7 +180,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV3: [ + [SECURITY_FEATURE_ID]: [ 'minimal_all', 'trusted_applications_read', 'host_isolation_exceptions_read', 
@@ -200,7 +201,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV3: ['minimal_all', 'policy_management_all'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'policy_management_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -214,7 +215,7 @@ export const testUsers: { permissions: { feature: { fleet: ['all'], - siemV3: ['minimal_all', 'policy_management_read'], + [SECURITY_FEATURE_ID]: ['minimal_all', 'policy_management_read'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -228,7 +229,7 @@ export const testUsers: { permissions: { feature: { fleet: ['read'], - siemV3: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, @@ -241,7 +242,7 @@ export const testUsers: { endpoint_integr_read_only_fleet_none: { permissions: { feature: { - siemV3: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['minimal_all'], securitySolutionNotes: ['all'], securitySolutionTimeline: ['all'], }, diff --git a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts index eebead01ede46..8e8611db9eb04 100644 --- a/x-pack/test/security_solution_api_integration/config/privileges/roles.ts +++ b/x-pack/test/security_solution_api_integration/config/privileges/roles.ts @@ -4,6 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { Role } from '../services/types'; /** @@ -88,7 +89,7 @@ export const secTimelineAllV2: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionTimeline: ['all'], }, spaces: ['*'], 
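Review bot: The fixtures whose names end in `V2` (`secTimelineAllV2` in the `@@ -88,7 +89,7 @@` hunk, and `secTimelineReadV2`, `secTimelineNoneV2`, `secNotesAllV2`, `secNotesReadV2`, `secNotesNoneV2` in the hunks that follow) now take their security feature key from `SECURITY_FEATURE_ID`, so they track the current feature id instead of a fixed version. If any suite uses these roles to exercise an older feature id, in particular the mapping of a deprecated id's privileges onto its replacement, that coverage goes away silently whenever the constant is bumped. I cannot tell from these hunks whether another fixture still pins the legacy id. I would at least add a comment above the first of these roles, for example `// NOTE: these roles use the current security feature id; deprecated-id privilege mapping is not covered here.` Each role definition starts and ends outside its hunk.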
@@ -111,7 +112,7 @@ export const secTimelineReadV2: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionTimeline: ['read'], }, spaces: ['*'], @@ -134,7 +135,7 @@ export const secTimelineNoneV2: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionTimeline: ['none'], }, spaces: ['*'], @@ -157,7 +158,7 @@ export const secNotesAllV2: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionNotes: ['all'], }, spaces: ['*'], @@ -180,7 +181,7 @@ export const secNotesReadV2: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionNotes: ['read'], }, spaces: ['*'], @@ -203,7 +204,7 @@ export const secNotesNoneV2: Role = { kibana: [ { feature: { - siemV3: ['none'], + [SECURITY_FEATURE_ID]: ['none'], securitySolutionNotes: ['none'], }, spaces: ['*'], diff --git a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts index 4ff4180f2f081..9396689e4c260 100644 --- a/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts +++ b/x-pack/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts @@ -13,6 +13,7 @@ import { } from '@kbn/security-solution-plugin/scripts/endpoint/common/roles_users'; import { EndpointSecurityTestRolesLoader } from '@kbn/security-solution-plugin/scripts/endpoint/common/role_and_user_loader'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { FtrProviderContext } from '../../ftr_provider_context_edr_workflows'; export const ROLE = ENDPOINT_SECURITY_ROLE_NAMES; 
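Review bot: In the `@@ -203,7 +204,7 @@` hunk, `secNotesNoneV2` sets the security feature itself to `['none']`, whereas the parallel `secTimelineNoneV2` fixture in the `@@ -134,7 +135,7 @@` hunk keeps it at `['read']` and withholds only `securitySolutionTimeline`. With both entries at `none`, a denial for this role cannot be attributed to the notes privilege, because the request may already be rejected for lacking base security access, so a broken notes check could still pass a "notes: none" test. If the intent mirrors the timeline fixture, the line would be `[SECURITY_FEATURE_ID]: ['read'],`; if the difference is deliberate, a one-line comment saying so would help. The value is carried over unchanged from the old `siemV3` line, and the role definition extends beyond the hunk.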
@@ -63,8 +64,8 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { if (predefinedRole) { const roleConfig = rolesMapping[predefinedRole]; if (extraPrivileges) { - roleConfig.kibana[0].feature.siemV3 = [ - ...roleConfig.kibana[0].feature.siemV3, + roleConfig.kibana[0].feature[SECURITY_FEATURE_ID] = [ + ...roleConfig.kibana[0].feature[SECURITY_FEATURE_ID], ...extraPrivileges, ]; } @@ -84,7 +85,7 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { spaces: ['*'], base: [], feature: { - siemV3: customRole.extraPrivileges, + [SECURITY_FEATURE_ID]: customRole.extraPrivileges, }, }, ], diff --git a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts index 219c9f35a222a..17b4bb43df228 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/detections_response/detection_engine/alerts/trial_license_complete_tier/document_level_security.ts @@ -7,7 +7,10 @@ import expect from '@kbn/expect'; -import { DETECTION_ENGINE_QUERY_SIGNALS_URL } from '@kbn/security-solution-plugin/common/constants'; +import { + DETECTION_ENGINE_QUERY_SIGNALS_URL, + SECURITY_FEATURE_ID, +} from '@kbn/security-solution-plugin/common/constants'; import { FtrProviderContext } from '../../../../../ftr_provider_context'; const roleToAccessSecuritySolution = { @@ -24,7 +27,7 @@ const roleToAccessSecuritySolution = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], }, spaces: ['*'], }, 
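Review bot: In the `@@ -63,8 +64,8 @@` hunk, the assignment to `roleConfig.kibana[0].feature[SECURITY_FEATURE_ID]` writes into the object read from `rolesMapping[predefinedRole]` rather than into a copy, so `extraPrivileges` appear to stay attached to that predefined role after the call. If `rolesMapping` is shared between calls (its definition is outside this hunk), a later test asking for the plain predefined role would receive a broader one, and a check expecting the narrower role could pass only because of privileges left over from an earlier call. Working on a copy avoids that, e.g. `const roleConfig = structuredClone(rolesMapping[predefinedRole]);` or the project's usual deep-clone helper. The `artifacts.ts` hunks further down (`@@ -62,9 +63,13 @@` and `@@ -75,11 +80,13 @@`) reassign and `push` on a loaded role's privilege array in the same in-place way and deserve the same check, if those role objects share nested state with their definitions. The enclosing function starts and ends outside the hunk.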
@@ -47,7 +50,7 @@ const roleToAccessSecuritySolutionWithDls = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], }, spaces: ['*'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts index a269cfc30c05e..7332e3c3dc148 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts @@ -26,6 +26,7 @@ import type { } from '@kbn/securitysolution-io-ts-list-types'; import { Role } from '@kbn/security-plugin-types-common'; import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { binaryToString } from '../../../detections_response/utils'; import { PolicyTestResourceInfo } from '../../../../../security_solution_endpoint/services/endpoint_policy'; import { createSupertestErrorLogger } from '../../utils'; @@ -62,9 +63,13 @@ export default function ({ getService }: FtrProviderContext) { { name: 'artifactManager' } ); - if (artifactManagerRole.kibana[0].feature.siemV3.includes('global_artifact_management_all')) { - artifactManagerRole.kibana[0].feature.siemV3 = - artifactManagerRole.kibana[0].feature.siemV3.filter( + if ( + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( + 'global_artifact_management_all' + ) + ) { + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID] = + artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( (privilege) => privilege !== 'global_artifact_management_all' ); } 
@@ -75,11 +80,13 @@ export default function ({ getService }: FtrProviderContext) { ); if ( - !globalArtifactManagerRole.kibana[0].feature.siemV3.includes( + !globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( 'global_artifact_management_all' ) ) { - globalArtifactManagerRole.kibana[0].feature.siemV3.push('global_artifact_management_all'); + globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].push( + 'global_artifact_management_all' + ); } const [artifactManagerUser, globalArtifactManagerUser] = await Promise.all([ diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts index 09bc5db0d797d..a2aec0bbbe0d4 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/asset_criticality_privileges.ts @@ -6,6 +6,7 @@ */ import expect from '@kbn/expect'; import { ROLES as SERVERLESS_USERNAMES } from '@kbn/security-solution-plugin/common/test'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { assetCriticalityRouteHelpersFactoryNoAuth } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; import { usersAndRolesFactory } from '../../utils/users_and_roles'; @@ -18,7 +19,7 @@ const ROLES = [ kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], }, spaces: ['default'], }, 
diff --git a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts index 262ad6f0d8b27..36ac273742f29 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/entity_analytics/risk_engine/trial_license_complete_tier/risk_engine_privileges.ts @@ -5,6 +5,7 @@ * 2.0. */ import expect from '@kbn/expect'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { riskEngineRouteHelpersFactoryNoAuth } from '../../utils'; import { FtrProviderContext } from '../../../../ftr_provider_context'; import { usersAndRolesFactory } from '../../utils/users_and_roles'; @@ -16,7 +17,7 @@ const ROLES = [ kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], }, spaces: ['default'], }, diff --git a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts index e9fe181c42408..d1d9e6ce7e314 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/genai/knowledge_base/entries/utils/auth/roles.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import { Role } from './types'; export const noKibanaPrivileges: Role = { 
@@ -40,7 +41,7 @@ export const securitySolutionOnlyAll: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -60,7 +61,7 @@ export const securitySolutionOnlyAllSpace2: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -80,7 +81,7 @@ export const securitySolutionOnlyRead: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -100,7 +101,7 @@ export const securitySolutionOnlyReadSpace2: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -123,7 +124,7 @@ export const securitySolutionOnlyAllSpacesAll: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -148,7 +149,7 @@ export const securitySolutionOnlyAllSpacesAllWithReadESIndices: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], @@ -168,7 +169,7 @@ export const securitySolutionOnlyReadSpacesAll: Role = { kibana: [ { feature: { - siemV3: ['read'], + [SECURITY_FEATURE_ID]: ['read'], securitySolutionAssistant: ['all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], 
@@ -188,7 +189,7 @@ export const securitySolutionOnlyAllSpacesAllAssistantMinimalAll: Role = { kibana: [ { feature: { - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionAssistant: ['minimal_all'], securitySolutionAttackDiscovery: ['all'], aiAssistantManagementSelection: ['all'], From d09be387fcd3f4b1141f5ad3949725ca86c54451 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 8 May 2025 18:03:43 +0200 Subject: [PATCH 09/52] fix jest mock restrictions --- .../attack_discovery/pages/index.test.tsx | 160 +++++++++--------- .../header_actions/actions.test.tsx | 37 ++-- .../step_rule_actions/index.test.tsx | 33 ++-- .../alert_context_menu.test.tsx | 49 +++--- .../pages/alerts/detection_engine.test.tsx | 95 ++++++----- .../explore/network/pages/network.test.tsx | 5 +- .../sourcerer/containers/hooks.test.tsx | 145 ++++++++-------- .../tabs/session/use_session_view.test.tsx | 56 +++--- 8 files changed, 296 insertions(+), 284 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx index 2ad5b46548db8..16dd7cdc34f32 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/index.test.tsx 
@@ -64,15 +64,18 @@ jest.mock( }) ); +const mockSecurityCapabilities = [`${SECURITY_FEATURE_ID}.show`]; + jest.mock('../../common/links', () => ({ - useLinkInfo: jest.fn().mockReturnValue({ - capabilities: [`${SECURITY_FEATURE_ID}.show`], - globalNavPosition: 4, - globalSearchKeywords: ['Attack discovery'], - id: 'attack_discovery', - path: '/attack_discovery', - title: 'Attack discovery', - }), + useLinkInfo: () => + jest.fn().mockReturnValue({ + capabilities: mockSecurityCapabilities, + globalNavPosition: 4, + globalSearchKeywords: ['Attack discovery'], + id: 'attack_discovery', + path: '/attack_discovery', + title: 'Attack discovery', + }), })); jest.mock('./use_attack_discovery', () => ({ @@ -108,81 +111,82 @@ const mockDataViewsService = { const mockUpselling = new UpsellingService(); +const mockUseKibanaReturnValue = { + services: { + application: { + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + }, + navigateToUrl: jest.fn(), + }, + cases: { + helpers: { + canUseCases: jest.fn().mockReturnValue({ + all: true, + connectors: true, + create: true, + delete: true, + push: true, + read: true, + settings: true, + update: true, + }), + }, + hooks: { + useCasesAddToExistingCase: jest.fn(), + useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), + useCasesAddToNewCaseFlyout: jest.fn(), + }, + ui: { getCasesContext: mockCasesContext }, + }, + data: { + query: { + filterManager: mockFilterManager, + }, + }, + dataViews: mockDataViewsService, + docLinks: { + links: { + [SECURITY_FEATURE_ID]: { + privileges: 'link', + }, + }, + }, + featureFlags: { + getBooleanValue: jest.fn().mockReturnValue(false), // legacy view enabled + }, + notifications: jest.fn().mockReturnValue({ + addError: jest.fn(), + addSuccess: jest.fn(), + addWarning: jest.fn(), + remove: jest.fn(), + }), + sessionView: { + getSessionView: jest.fn(() =>
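Review bot: In the `../../common/links` mock, `useLinkInfo: () => jest.fn().mockReturnValue({ ... })` makes each call to `useLinkInfo()` return a mock function instead of the link-info object. A component reading `capabilities`, `path` or `title` from the result gets `undefined`, so any capability gating driven by this mock is no longer exercised by the test. The other mocks in this commit return the value directly (`useKibana: () => mockUseKibanaReturnValue`), and the same shape works here: `useLinkInfo: () => ({ capabilities: mockSecurityCapabilities, globalNavPosition: 4, ... }),`. If a spy is still wanted, declare `const mockUseLinkInfo = jest.fn().mockReturnValue({ ... })` outside the factory and use `useLinkInfo: () => mockUseLinkInfo()`.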
), + }, + storage: { + get: jest.fn(), + set: jest.fn(), + }, + theme: { + getTheme: jest.fn().mockReturnValue({ darkMode: false }), + }, + timelines: { ...mockTimelines }, + triggersActionsUi: { + alertsTableConfigurationRegistry: {}, + getAlertsStateTable: () => <>, + }, + uiSettings: { + get: jest.fn(), + }, + }, +}; jest.mock('../../common/lib/kibana', () => { const original = jest.requireActual('../../common/lib/kibana'); return { ...original, - useKibana: () => ({ - services: { - application: { - capabilities: { - [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, - }, - navigateToUrl: jest.fn(), - }, - cases: { - helpers: { - canUseCases: jest.fn().mockReturnValue({ - all: true, - connectors: true, - create: true, - delete: true, - push: true, - read: true, - settings: true, - update: true, - }), - }, - hooks: { - useCasesAddToExistingCase: jest.fn(), - useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), - useCasesAddToNewCaseFlyout: jest.fn(), - }, - ui: { getCasesContext: mockCasesContext }, - }, - data: { - query: { - filterManager: mockFilterManager, - }, - }, - dataViews: mockDataViewsService, - docLinks: { - links: { - [SECURITY_FEATURE_ID]: { - privileges: 'link', - }, - }, - }, - featureFlags: { - getBooleanValue: jest.fn().mockReturnValue(false), // legacy view enabled - }, - notifications: jest.fn().mockReturnValue({ - addError: jest.fn(), - addSuccess: jest.fn(), - addWarning: jest.fn(), - remove: jest.fn(), - }), - sessionView: { - getSessionView: jest.fn(() =>
), - }, - storage: { - get: jest.fn(), - set: jest.fn(), - }, - theme: { - getTheme: jest.fn().mockReturnValue({ darkMode: false }), - }, - timelines: { ...mockTimelines }, - triggersActionsUi: { - alertsTableConfigurationRegistry: {}, - getAlertsStateTable: () => <>, - }, - uiSettings: { - get: jest.fn(), - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, useToasts: jest.fn().mockReturnValue({ addError: jest.fn(), addSuccess: jest.fn(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx index 9abe0309fcb70..ce55b0a446d53 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/common/components/header_actions/actions.test.tsx @@ -62,29 +62,30 @@ jest.mock('./add_note_icon_item', () => { }; }); +const mockUseKibanaReturnValue = { + services: { + application: { + navigateToApp: jest.fn(), + getUrlForApp: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + }, + }, + cases: mockCasesContract(), + uiSettings: { + get: jest.fn(), + }, + savedObjects: { + client: {}, + }, + }, +}; jest.mock('../../lib/kibana', () => { const originalKibanaLib = jest.requireActual('../../lib/kibana'); return { ...originalKibanaLib, - useKibana: () => ({ - services: { - application: { - navigateToApp: jest.fn(), - getUrlForApp: jest.fn(), - capabilities: { - [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, - }, - }, - cases: mockCasesContract(), - uiSettings: { - get: jest.fn(), - }, - savedObjects: { - client: {}, - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, useToasts: jest.fn().mockReturnValue({ addError: jest.fn(), addSuccess: jest.fn(), 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.test.tsx index 81eb3f154ad60..ae2bd970c626a 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.test.tsx @@ -23,25 +23,26 @@ import type { ActionsStepRule } from '../../../common/types'; import { FrequencyDescription } from './notification_action'; import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; -jest.mock('../../../../common/lib/kibana', () => ({ - useKibana: jest.fn().mockReturnValue({ - services: { - application: { - getUrlForApp: jest.fn(), - capabilities: { - [SECURITY_FEATURE_ID]: { - crud: true, - }, - actions: { - read: true, - }, +const mockUseKibana = jest.fn().mockReturnValue({ + services: { + application: { + getUrlForApp: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { + crud: true, + }, + actions: { + read: true, }, - }, - triggersActionsUi: { - actionTypeRegistry: jest.fn(), }, }, - }), + triggersActionsUi: { + actionTypeRegistry: jest.fn(), + }, + }, +}); +jest.mock('../../../../common/lib/kibana', () => ({ + useKibana: () => mockUseKibana(), })); jest.mock('../../../../common/hooks/use_experimental_features', () => ({ diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx index a2d7372777b89..d0fb84d9627c2 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/detections/components/alerts_table/timeline_actions/alert_context_menu.test.tsx @@ -62,6 +62,30 @@ const props = { timelineId: 'alerts-page', }; +const mockUseKibanaReturnValue = { + services: { + timelines: { ...mockTimelines }, + application: { + capabilities: { [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true } }, + }, + cases: { + ...mockCasesContract(), + helpers: { + canUseCases: jest.fn().mockReturnValue({ + all: true, + create: true, + read: true, + update: true, + delete: true, + push: true, + createComment: true, + reopenCase: true, + }), + getRuleIdFromEvent: jest.fn(), + }, + }, + }, +}; jest.mock('../../../../common/lib/kibana', () => { const original = jest.requireActual('../../../../common/lib/kibana'); @@ -73,30 +97,7 @@ jest.mock('../../../../common/lib/kibana', () => { addWarning: jest.fn(), remove: jest.fn(), }), - useKibana: () => ({ - services: { - timelines: { ...mockTimelines }, - application: { - capabilities: { [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true } }, - }, - cases: { - ...mockCasesContract(), - helpers: { - canUseCases: jest.fn().mockReturnValue({ - all: true, - create: true, - read: true, - update: true, - delete: true, - push: true, - createComment: true, - reopenCase: true, - }), - getRuleIdFromEvent: jest.fn(), - }, - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, }; }); diff --git a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx index 2aa4ebf121afa..25e34053f5e96 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx 
+++ b/x-pack/solutions/security/plugins/security_solution/public/detections/pages/alerts/detection_engine.test.tsx @@ -78,59 +78,60 @@ const mockDataViewsService = { clearInstanceCache: () => Promise.resolve(), }; +const mockUseKibanaReturnValue = { + services: { + application: { + navigateToUrl: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + }, + }, + dataViews: mockDataViewsService, + cases: { + ui: { getCasesContext: mockCasesContext }, + }, + timelines: { ...mockTimelines }, + data: { + query: { + filterManager: mockFilterManager, + }, + }, + docLinks: { + links: { + [SECURITY_FEATURE_ID]: { + privileges: 'link', + }, + }, + }, + storage: { + get: jest.fn(), + set: jest.fn(), + }, + triggersActionsUi: { + alertsTableConfigurationRegistry: {}, + getAlertsStateTable: () => <>, + }, + sessionView: { + getSessionView: jest.fn(() =>
), + }, + notifications: { + toasts: { + addWarning: jest.fn(), + addError: jest.fn(), + addSuccess: jest.fn(), + addDanger: jest.fn(), + remove: jest.fn(), + }, + }, + }, +}; jest.mock('../../../common/lib/kibana', () => { const original = jest.requireActual('../../../common/lib/kibana'); return { ...original, useUiSetting$: jest.fn().mockReturnValue([]), - useKibana: () => ({ - services: { - application: { - navigateToUrl: jest.fn(), - capabilities: { - [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, - }, - }, - dataViews: mockDataViewsService, - cases: { - ui: { getCasesContext: mockCasesContext }, - }, - timelines: { ...mockTimelines }, - data: { - query: { - filterManager: mockFilterManager, - }, - }, - docLinks: { - links: { - [SECURITY_FEATURE_ID]: { - privileges: 'link', - }, - }, - }, - storage: { - get: jest.fn(), - set: jest.fn(), - }, - triggersActionsUi: { - alertsTableConfigurationRegistry: {}, - getAlertsStateTable: () => <>, - }, - sessionView: { - getSessionView: jest.fn(() =>
), - }, - notifications: { - toasts: { - addWarning: jest.fn(), - addError: jest.fn(), - addSuccess: jest.fn(), - addDanger: jest.fn(), - remove: jest.fn(), - }, - }, - }, - }), + useKibana: () => mockUseKibanaReturnValue, useToasts: jest.fn().mockReturnValue({ addError: jest.fn(), addSuccess: jest.fn(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx index b1dcd94d27661..db2f192f59bb5 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/explore/network/pages/network.test.tsx @@ -78,6 +78,9 @@ const mockProps = { const mockMapVisibility = jest.fn(); const mockNavigateToApp = jest.fn(); +const mockSecurityCapabilities = { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, +}; jest.mock('../../../common/lib/kibana', () => { const original = jest.requireActual('../../../common/lib/kibana'); @@ -89,7 +92,7 @@ jest.mock('../../../common/lib/kibana', () => { application: { ...original.useKibana().services.application, capabilities: { - [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + ...mockSecurityCapabilities, maps_v2: mockMapVisibility(), }, navigateToApp: mockNavigateToApp, diff --git a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx index b1bfdff4e8ceb..b95e226a86ddf 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/sourcerer/containers/hooks.test.tsx 
@@ -70,6 +70,77 @@ const mockCreateSourcererDataView = jest.fn(() => { errToReturn.name = 'AbortError'; throw errToReturn; }); +const mockUseKibana = () => ({ + services: { + application: { + capabilities: { + [SECURITY_FEATURE_ID]: { + crud: true, + }, + }, + }, + data: { + dataViews: { + get: mockSearch.mockImplementation( + async (dataViewId: string, displayErrors?: boolean, refreshFields = false) => + Promise.resolve({ + id: dataViewId, + matchedIndices: refreshFields ? ['hello', 'world', 'refreshed'] : ['hello', 'world'], + fields: [ + { + name: 'bytes', + type: 'number', + esTypes: ['long'], + aggregatable: true, + searchable: true, + count: 10, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + { + name: 'ssl', + type: 'boolean', + esTypes: ['boolean'], + aggregatable: true, + searchable: true, + count: 20, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + { + name: '@timestamp', + type: 'date', + esTypes: ['date'], + aggregatable: true, + searchable: true, + count: 30, + readFromDocValues: true, + scripted: false, + isMapped: true, + }, + ], + getIndexPattern: () => 'hello*,world*,refreshed*', + getRuntimeMappings: () => ({ + myfield: { + type: 'keyword', + }, + }), + toSpec: () => ({ + id: dataViewId, + }), + }) + ), + getExistingIndices: jest.fn(() => [] as string[]), + }, + indexPatterns: { + getTitles: jest.fn().mockImplementation(() => Promise.resolve(mockPatterns)), + }, + }, + notifications: {}, + }, +}); jest.mock('../../common/lib/kibana', () => ({ useToasts: () => ({ 
@@ -78,79 +149,7 @@ jest.mock('../../common/lib/kibana', () => ({ addWarning: mockAddWarning, remove: jest.fn(), }), - useKibana: () => ({ - services: { - application: { - capabilities: { - [SECURITY_FEATURE_ID]: { - crud: true, - }, - }, - }, - data: { - dataViews: { - get: mockSearch.mockImplementation( - async (dataViewId: string, displayErrors?: boolean, refreshFields = false) => - Promise.resolve({ - id: dataViewId, - matchedIndices: refreshFields - ? ['hello', 'world', 'refreshed'] - : ['hello', 'world'], - fields: [ - { - name: 'bytes', - type: 'number', - esTypes: ['long'], - aggregatable: true, - searchable: true, - count: 10, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - { - name: 'ssl', - type: 'boolean', - esTypes: ['boolean'], - aggregatable: true, - searchable: true, - count: 20, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - { - name: '@timestamp', - type: 'date', - esTypes: ['date'], - aggregatable: true, - searchable: true, - count: 30, - readFromDocValues: true, - scripted: false, - isMapped: true, - }, - ], - getIndexPattern: () => 'hello*,world*,refreshed*', - getRuntimeMappings: () => ({ - myfield: { - type: 'keyword', - }, - }), - toSpec: () => ({ - id: dataViewId, - }), - }) - ), - getExistingIndices: jest.fn(() => [] as string[]), - }, - indexPatterns: { - getTitles: jest.fn().mockImplementation(() => Promise.resolve(mockPatterns)), - }, - }, - notifications: {}, - }, - }), + useKibana: () => mockUseKibana(), useUiSetting$: jest.fn().mockImplementation(() => [mockPatterns]), })); diff --git a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx index 16ce2700042df..6b3ccf13e1639 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/timelines/components/timeline/tabs/session/use_session_view.test.tsx @@ -34,37 +34,39 @@ jest.mock('react-redux', () => { useDispatch: () => mockDispatch, }; }); + +const mockUseKibana = jest.fn().mockReturnValue({ + services: { + application: { + navigateToApp: jest.fn(), + getUrlForApp: jest.fn(), + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, + }, + }, + sessionView: { + getSessionView: jest.fn(() =>
), + }, + data: { + search: jest.fn(), + query: jest.fn(), + }, + uiSettings: { + get: jest.fn(), + }, + savedObjects: { + client: {}, + }, + timelines: { + getLastUpdated: jest.fn(), + }, + }, +}); jest.mock('../../../../../common/lib/kibana', () => { const originalModule = jest.requireActual('../../../../../common/lib/kibana'); return { ...originalModule, - useKibana: jest.fn().mockReturnValue({ - services: { - application: { - navigateToApp: jest.fn(), - getUrlForApp: jest.fn(), - capabilities: { - [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true }, - }, - }, - sessionView: { - getSessionView: jest.fn(() =>
), - }, - data: { - search: jest.fn(), - query: jest.fn(), - }, - uiSettings: { - get: jest.fn(), - }, - savedObjects: { - client: {}, - }, - timelines: { - getLastUpdated: jest.fn(), - }, - }, - }), + useKibana: () => mockUseKibana(), }; }); From a4758dd7947d88a147e41a8406f9d5cc1676a383 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 9 May 2025 11:01:27 +0200 Subject: [PATCH 10/52] fix cypress tests --- .../management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 1 + .../e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 8638e7e83a7bd..8ae11983787cc 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
@@ -52,6 +52,7 @@ describe( .should('deep.equal', [ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone', 'Automatic Troubleshooting Access to the automatic troubleshooting.Automatic Troubleshooting sub-feature privilegeAllReadNone', + 'Endpoint Exceptions Manage Endpoint Exceptions.Endpoint Exceptions sub-feature privilegeAllReadNone', 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone', 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 43fef363616b9..f8b1ddf984f78 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -99,10 +99,10 @@ describe( return features; }) - // Using `include.members` here because in serverless, an additional privilege shows - // up in this list - `Endpoint exceptions`. - .should('include.members', [ + .should('deep.equal', [ 'Endpoint ListAll', + 'Automatic TroubleshootingNone', + 'Endpoint ExceptionsAll', 'Trusted ApplicationsNone', 'Host Isolation ExceptionsNone', 'BlocklistNone', From b94861f49e23a8df04d29df0a6cdb0d7d754beda Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 9 May 2025 11:01:52 +0200 Subject: [PATCH 11/52] fix ftrs --- .../tests/features/deprecated_features.ts | 1 + .../test/spaces_api_integration/common/suites/create.agnostic.ts | 1 + x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts | 1 + .../spaces_api_integration/common/suites/get_all.agnostic.ts | 1 + .../spaces_api_integration/spaces_only/telemetry/telemetry.ts | 1 + 5 files changed, 5 insertions(+) diff --git a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts index 4bf5acb6e9cdb..efebeace383bc 100644 --- a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts +++ b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts @@ -190,6 +190,7 @@ export default function ({ getService }: FtrProviderContext) { "securitySolutionCases", "securitySolutionCasesV2", "siem", + "siemV2", "visualize", ] `); diff --git a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts index a2e47dc3e2419..bb7f9d1a336f9 100644 --- a/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/create.agnostic.ts 
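Review bot: Switching the assertion from `include.members` to `deep.equal` makes this RBAC spec depend on the order in which the sub-feature privileges are rendered, not only on which privileges are present. The exact match is the better check for a privilege list, since an unexpected extra entry now fails the test, but the ordering dependency is brittle. A later hunk in this series (PATCH 12/52) edits the same list only to move `'Global Artifact ManagementNone'`. `.should('have.members', [...])` keeps the exact-set guarantee without pinning the order. The removed comment said serverless shows an additional privilege here, so it is worth confirming that one expected list now holds in both environments.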
@@ -100,6 +100,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', + 'siemV2', 'siemV3', 'slo', 'streams', diff --git a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts index ecd41953c8a99..5d806fcd10a02 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get.agnostic.ts @@ -104,6 +104,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', + 'siemV2', 'siemV3', 'slo', 'streams', diff --git a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts index faad14888d36a..651bfd429e92d 100644 --- a/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts +++ b/x-pack/test/spaces_api_integration/common/suites/get_all.agnostic.ts @@ -92,6 +92,7 @@ const ALL_SPACE_RESULTS: Space[] = [ 'securitySolutionSiemMigrations', 'securitySolutionTimeline', 'siem', + 'siemV2', 'siemV3', 'slo', 'streams', diff --git a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts index d47ce055d9cfe..61a40490fad0e 100644 --- a/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts +++ b/x-pack/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts @@ -94,6 +94,7 @@ export default function ({ getService }: FtrProviderContext) { searchSynonyms: 0, searchQueryRules: 0, siem: 0, + siemV2: 0, siemV3: 0, securitySolutionCases: 0, securitySolutionCasesV2: 0, From fbd44e88b94f0e5000fd3685723b3d7d1da54a0c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 9 May 2025 14:02:20 +0200 Subject: [PATCH 12/52] fix tests --- config/serverless.security.search_ai_lake.yml | 15 +++++++++++++++ .../endpoint_role_rbac_with_space_awareness.cy.ts | 2 +- .../tests/features/deprecated_features.ts | 1 + 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index f1ed6c3b5ed27..7e2a4ed744e5e 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml @@ -20,6 +20,7 @@ xpack.features.overrides: securitySolutionTimeline.hidden: true securitySolutionNotes.hidden: true siem.description: null + siemV2.description: null siemV3.description: null securitySolutionSiemMigrations.hidden: true @@ -36,6 +37,20 @@ xpack.features.overrides: ## We do not need to compose dashboard from maps and visualizations because these functionalities are disabled in this tier all.composedOf: [] read.composedOf: [] + siemV3: + privileges: + all.composedOf: + ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten + ## We do not need to compose siemV3 from maps and visualizations because these functionalities are disabled in this tier + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "dashboard_v2" + privileges: [ "all" ] + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "dashboard_v2" + privileges: [ "read" ] siemV2: privileges: all.composedOf: diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index f8b1ddf984f78..d3e6df67cb0d6 100644 
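Review bot: The new `siemV3` override under `xpack.features.overrides` is a copy of the `siemV2` block that follows it, and nothing in the file ties the two together. Per the comment in the hunk, the override exists so that the broader `composedOf` lists from serverless.yml or serverless.security.yml are replaced in this tier. A future feature-ID bump that misses this file would therefore presumably inherit those broader lists without any error. I would extend the comment to say that, for example `## Keep in sync with the siemV2 block below; every active siem feature ID needs this override in this tier`. The `siemV2` block continues outside the hunk.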
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts @@ -103,11 +103,11 @@ describe( 'Endpoint ListAll', 'Automatic TroubleshootingNone', 'Endpoint ExceptionsAll', + 'Global Artifact ManagementNone', 'Trusted ApplicationsNone', 'Host Isolation ExceptionsNone', 'BlocklistNone', 'Event FiltersNone', - 'Global Artifact ManagementNone', 'Elastic Defend Policy ManagementNone', 'Response Actions HistoryNone', 'Host IsolationAll', diff --git a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts index efebeace383bc..1842c512fcfd5 100644 --- a/x-pack/test/security_api_integration/tests/features/deprecated_features.ts +++ b/x-pack/test/security_api_integration/tests/features/deprecated_features.ts @@ -218,6 +218,7 @@ export default function ({ getService }: FtrProviderContext) { 'visualize', 'maps', 'siem', + 'siemV2', ]); for (const feature of features) { if ( From 426c418d9f62b52b07aefc7d1ff9222f8f6f697a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 9 May 2025 17:55:23 +0200 Subject: [PATCH 13/52] small test fix --- .../test/api_integration/apis/features/features/features.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/platform/test/api_integration/apis/features/features/features.ts b/x-pack/platform/test/api_integration/apis/features/features/features.ts index 2e00e9e531be8..cc1febc6ca3ce 100644 --- a/x-pack/platform/test/api_integration/apis/features/features/features.ts +++ b/x-pack/platform/test/api_integration/apis/features/features/features.ts 
@@ -196,6 +196,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchQueryRules', 'searchPlayground', 'siem', + 'siemV2', 'siemV3', 'slo', 'securitySolutionAssistant', From 6b7ae161916958f375eab31dda13748223197a69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 3 Jun 2025 15:55:29 +0200 Subject: [PATCH 14/52] add role migration for Global Artifact Management privilege --- .../v2_features/kibana_sub_features.ts | 74 ++++++++++++++++--- 1 file changed, 62 insertions(+), 12 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index b5e4e97a1390e..3c166e419a318 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -82,7 +82,9 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ ], }); -const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ +const trustedApplicationsSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.privilegesTooltip', @@ -109,7 +111,15 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'trusted_applications_all', + ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? ['global_artifact_management_all'] + : []), + ], + }, ], api: [ 'lists-all', 
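Review bot: In the `replacedBy` of `trustedApplicationsSubFeature` (hunk at -109), every role that holds the siemV2 `trusted_applications_all` privilege is also migrated to `global_artifact_management_all` whenever `experimentalFeatures.endpointManagementSpaceAwarenessEnabled` is on. The effective privileges of existing roles therefore depend on an experimental flag and widen without the role definition changing. A comment above the spread stating why the extra grant is intended, plus a test that pins the mapping in both flag states, would make this auditable. The same conditional spread is repeated in the host isolation exceptions, blocklist and event filters hunks of this file, so a single private helper that takes the base privilege and `experimentalFeatures` and returns the privilege list would keep the four mappings from drifting. The privilege objects continue outside the hunks, so whether the `_read` counterparts are left unchanged cannot be confirmed from here.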
@@ -145,7 +155,9 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ }, ], }); -const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ +const hostIsolationExceptionsBasicSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip', @@ -172,7 +184,15 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'host_isolation_exceptions_all', + ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? ['global_artifact_management_all'] + : []), + ], + }, ], api: [ 'lists-all', @@ -208,7 +228,9 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ }, ], }); -const blocklistSubFeature = (): SubFeatureConfig => ({ +const blocklistSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.privilegesTooltip', @@ -231,7 +253,17 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_all'] }], + replacedBy: [ + { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'blocklist_all', + ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? ['global_artifact_management_all'] + : []), + ], + }, + ], api: [ 'lists-all', 'lists-read', 
@@ -264,7 +296,9 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ }, ], }); -const eventFiltersSubFeature = (): SubFeatureConfig => ({ +const eventFiltersSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.privilegesTooltip', @@ -290,7 +324,17 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_all'] }], + replacedBy: [ + { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'event_filters_all', + ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? ['global_artifact_management_all'] + : []), + ], + }, + ], api: [ 'lists-all', 'lists-read', @@ -833,14 +877,20 @@ export const getSecurityV2SubFeaturesMap = ({ [ SecuritySubFeatureId.trustedApplications, - enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()), + enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature(experimentalFeatures)), ], [ SecuritySubFeatureId.hostIsolationExceptionsBasic, - enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature()), + enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature(experimentalFeatures)), + ], + [ + SecuritySubFeatureId.blocklist, + enableSpaceAwarenessIfNeeded(blocklistSubFeature(experimentalFeatures)), + ], + [ + SecuritySubFeatureId.eventFilters, + enableSpaceAwarenessIfNeeded(eventFiltersSubFeature(experimentalFeatures)), ], - [SecuritySubFeatureId.blocklist, enableSpaceAwarenessIfNeeded(blocklistSubFeature())], - [SecuritySubFeatureId.eventFilters, enableSpaceAwarenessIfNeeded(eventFiltersSubFeature())], [ SecuritySubFeatureId.policyManagement, From 6f1fcadce27465540be8502c0c17dc27f6c10366 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 4 Jun 2025 14:33:40 +0200 Subject: [PATCH 15/52] add lists and SO privileges to Endpoint Exceptions so it works with Security READ --- .../src/security/v3_features/kibana_sub_features.ts | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 9764b8b78f90e..9dadafe0415e6 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts @@ -688,10 +688,16 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ includeIn: 'all', name: TRANSLATIONS.all, savedObject: { - all: [], + all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], + api: [ + 'lists-all', + 'lists-read', + 'lists-summary', + `${APP_ID}-showEndpointExceptions`, + `${APP_ID}-crudEndpointExceptions`, + ], ui: ['showEndpointExceptions', 'crudEndpointExceptions'], }, { @@ -702,7 +708,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`], + api: ['lists-read', 'lists-summary', `${APP_ID}-showEndpointExceptions`], ui: ['showEndpointExceptions'], }, ], From 573322ba7231c9f960525f2873ada72530b262d5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 5 Jun 2025 13:40:08 +0200 Subject: [PATCH 16/52] fix: do not migrate to notes and timeline from siemV2 --- .../security/v2_features/kibana_features.ts | 18 ++---------------- 1 file changed, 2 insertions(+), 16 deletions(-) 
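Review bot: The two privilege levels of `endpointExceptionsSubFeature` are no longer parallel. `endpoint_exceptions_all` now gets `savedObject.all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC]` and `lists-all`, while `endpoint_exceptions_read` in the second hunk gets `lists-read` and `lists-summary` but keeps `savedObject.read: []`. If the read path needs the saved object, the second hunk should set `read: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC]`; if it deliberately relies on the lists routes to do the lookup, a comment next to the empty array should say so. Separately, write access is granted on the whole agnostic exception-list type and through the generic `lists-all` tag, which the trusted applications, blocklist and event filters privileges in this series also carry. Separation between endpoint exceptions and those artifacts presumably rests on route-level checks alone, which is worth confirming and noting beside the `api` array.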
diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index f95cb458e8a3c..9814abdb14115 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -26,8 +26,6 @@ import { CLOUD_POSTURE_APP_ID, SERVER_APP_ID, SECURITY_FEATURE_ID_V3, - TIMELINE_FEATURE_ID, - NOTES_FEATURE_ID, } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import type { BaseKibanaFeatureConfig } from '../../types'; @@ -92,14 +90,8 @@ export const getSecurityV2BaseKibanaFeature = ({ privileges: { all: { replacedBy: { - default: [ - { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, - { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, - ], + default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], minimal: [ - { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, - { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], @@ -124,14 +116,8 @@ export const getSecurityV2BaseKibanaFeature = ({ }, read: { replacedBy: { - default: [ - { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, - { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }, - ], + default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }], minimal: [ - { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, - { feature: NOTES_FEATURE_ID, privileges: ['read'] }, { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], From 3fe4dcaaed3e032ab05a931010aa8cd0accb63d8 Mon Sep 17 00:00:00 2001 
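Review bot: Nothing in `getSecurityV2BaseKibanaFeature` records why the `replacedBy` lists in the `all` and `read` hunks now differ from the v1 feature, which still maps to `TIMELINE_FEATURE_ID`/`NOTES_FEATURE_ID` (the v1 hunk context in the next patch shows the `NOTES_FEATURE_ID` entry). Without that, a later edit could re-add the timeline and notes grants and silently widen every migrated siemV2 role. A one-line comment above each `replacedBy` would do, e.g. `// siemV2 roles carry timeline/notes as separate features; do not grant them here`, if that is the reason. A test asserting that the siemV2 mapping contains only `SECURITY_FEATURE_ID_V3` entries would guard it. The function body extends beyond the hunks.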
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 5 Jun 2025 13:46:51 +0200 Subject: [PATCH 17/52] indicate that `isServerless` is temporary --- .../security/packages/features/src/security/types.ts | 4 ++++ .../features/src/security/v1_features/kibana_features.ts | 2 ++ .../features/src/security/v2_features/kibana_features.ts | 2 ++ 3 files changed, 8 insertions(+) diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index 42dc5feb32496..490a582a67d85 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts @@ -18,6 +18,10 @@ export interface SecurityFeatureParams { */ experimentalFeatures: Record; savedObjects: string[]; + /** + * Sort of temporary solution for merging diverged ESS/serverless offering Endpoint Exception privileges, + * it would be best not to use it for other things. + */ isServerless: boolean; } diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 8b8ef2846806c..b65d7f91270d8 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -101,6 +101,7 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, + // please do not use `isServerless` for other things privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], }, ], 
@@ -152,6 +153,7 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['read'] }, { feature: SECURITY_FEATURE_ID_V3, + // please do not use `isServerless` for other things privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], }, ], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 9814abdb14115..cca6b442279c4 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -94,6 +94,7 @@ export const getSecurityV2BaseKibanaFeature = ({ minimal: [ { feature: SECURITY_FEATURE_ID_V3, + // please do not use `isServerless` for other things privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], }, ], @@ -120,6 +121,7 @@ export const getSecurityV2BaseKibanaFeature = ({ minimal: [ { feature: SECURITY_FEATURE_ID_V3, + // please do not use `isServerless` for other things privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], }, ], From 22a2cb7af3c5b17b7ba81f88c7406f74900725b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 5 Jun 2025 14:00:35 +0200 Subject: [PATCH 18/52] indicate that `isServerless` is temporary VOL2 --- .../security/plugins/security_solution/server/plugin.ts | 1 + 1 file changed, 1 insertion(+) diff --git a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts index 9420b7c79bdbf..520523ac7765f 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts 
@@ -176,6 +176,7 @@ export class Plugin implements ISecuritySolutionPlugin { this.logger = context.logger.get(); this.appClientFactory = new AppClientFactory(); + /** sort of temporary solution, please do not use me elsewhere */ const isServerless = this.pluginContext.env.packageInfo.buildFlavor === 'serverless'; this.productFeaturesService = new ProductFeaturesService( this.logger, From f61fe5188cebf4eb99660172a238addfdabe5236 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 6 Jun 2025 09:56:46 +0200 Subject: [PATCH 19/52] update serverless api auth test --- .../platform_security/authorization.ts | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index 1054d96c1dfb3..98634da1593e7 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts 
@@ -973,13 +973,30 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/showEndpointExceptions", "ui:siemV3/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV3/showEndpointExceptions", ], @@ -2179,6 +2196,7 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", From a55a21375ac4da07b9b4753ca9f8a550c272bb98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 6 Jun 2025 14:17:59 +0200 Subject: [PATCH 20/52] add Global Artifact Management privilege to predefined roles --- .../project_roles/security/roles.yml | 9 +++++++++ .../serverless/es_serverless_resources/roles.yml | 9 +++++++++ .../kibana_roles/project_controller_security_roles.yml | 9 +++++++++ 3 files changed, 27 insertions(+) 
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml index 2dcea9ed9eae6..472614d0fc176 100644 --- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml +++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml @@ -123,6 +123,7 @@ editor: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -309,6 +310,7 @@ t3_analyst: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -385,6 +387,7 @@ threat_intelligence_analyst: - feature_ml.read - feature_siemV3.all - feature_siemV3.endpoint_list_read + - feature_siemV3.global_artifact_management_all - feature_siemV3.blocklist_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all @@ -454,6 +457,7 @@ rule_author: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_read @@ -528,6 +532,7 @@ soc_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all 
@@ -605,6 +610,7 @@ detections_admin: - feature_siemV3.all - feature_siemV3.read_alerts - feature_siemV3.crud_alerts + - feature_siemV3.global_artifact_management_all - feature_securitySolutionCasesV2.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -664,6 +670,7 @@ platform_engineer: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -738,6 +745,7 @@ endpoint_operations_analyst: - feature_siemV3.read_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -826,6 +834,7 @@ endpoint_policy_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml index 1c23f759f87c6..c6ee749d69611 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml 
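Review bot: `detections_admin` gains `feature_siemV3.global_artifact_management_all` although its visible siemV3 entries are only `all`, `read_alerts` and `crud_alerts`, with no per-artifact privilege beside it. Either the grant has no effect for this role, or it is the only gate on something the role could not do before. It is worth checking against the intended role matrix and dropping the line if `detections_admin` is not meant to manage endpoint artifacts. The same addition appears in the `detections_admin` hunks of the other two role files in this commit, so the decision should be applied to all three.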
@@ -141,6 +141,7 @@ editor: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -327,6 +328,7 @@ t3_analyst: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -399,6 +401,7 @@ threat_intelligence_analyst: - feature_ml.read - feature_siemV3.all - feature_siemV3.endpoint_list_read + - feature_siemV3.global_artifact_management_all - feature_siemV3.blocklist_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all @@ -469,6 +472,7 @@ rule_author: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_read @@ -544,6 +548,7 @@ soc_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -622,6 +627,7 @@ detections_admin: - feature_siemV3.all - feature_siemV3.read_alerts - feature_siemV3.crud_alerts + - feature_siemV3.global_artifact_management_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all 
@@ -682,6 +688,7 @@ platform_engineer: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -757,6 +764,7 @@ endpoint_operations_analyst: - feature_siemV3.read_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -838,6 +846,7 @@ endpoint_policy_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all diff --git a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml index 7aa95440bfc3c..47e1b5c215623 100644 --- a/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml +++ b/x-pack/test_serverless/shared/lib/security/kibana_roles/project_controller_security_roles.yml @@ -122,6 +122,7 @@ editor: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all 
@@ -311,6 +312,7 @@ t3_analyst: - feature_siemV3.read_alerts - feature_siemV3.crud_alerts - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -383,6 +385,7 @@ threat_intelligence_analyst: - feature_ml.read - feature_siemV3.all - feature_siemV3.endpoint_list_read + - feature_siemV3.global_artifact_management_all - feature_siemV3.blocklist_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all @@ -454,6 +457,7 @@ rule_author: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_read @@ -531,6 +535,7 @@ soc_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -610,6 +615,7 @@ detections_admin: - feature_siemV3.all - feature_siemV3.read_alerts - feature_siemV3.crud_alerts + - feature_siemV3.global_artifact_management_all - feature_securitySolutionCases.all - feature_securitySolutionAssistant.all - feature_securitySolutionAttackDiscovery.all @@ -670,6 +676,7 @@ platform_engineer: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all 
@@ -745,6 +752,7 @@ endpoint_operations_analyst: - feature_siemV3.read_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all @@ -826,6 +834,7 @@ endpoint_policy_manager: - feature_siemV3.crud_alerts - feature_siemV3.policy_management_all - feature_siemV3.endpoint_list_all + - feature_siemV3.global_artifact_management_all - feature_siemV3.trusted_applications_all - feature_siemV3.event_filters_all - feature_siemV3.host_isolation_exceptions_all From 8d0f9d1f48fb10bcc482ce52828e5ee71a860f72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 6 Jun 2025 16:27:32 +0200 Subject: [PATCH 21/52] update roles in endpoint scripts --- .../{detections_engineer.ts => detections_admin.ts} | 5 +++-- .../common/roles_users/endpoint_operations_analyst.ts | 1 + .../common/roles_users/endpoint_security_policy_manager.ts | 5 +++-- .../scripts/endpoint/common/roles_users/hunter.ts | 2 +- .../scripts/endpoint/common/roles_users/index.ts | 6 +++--- .../endpoint/common/roles_users/platform_engineer.ts | 3 ++- .../scripts/endpoint/common/roles_users/rule_author.ts | 1 + .../scripts/endpoint/common/roles_users/soc_manager.ts | 3 ++- .../scripts/endpoint/common/roles_users/t1_analyst.ts | 2 +- .../scripts/endpoint/common/roles_users/t2_analyst.ts | 2 +- .../scripts/endpoint/common/roles_users/t3_analyst.ts | 1 + .../common/roles_users/threat_intelligence_analyst.ts | 7 ++++++- .../roles_users/with_artifact_read_privileges_role.ts | 2 +- .../common/roles_users/without_response_actions_role.ts | 2 +- 14 files changed, 27 insertions(+), 15 deletions(-) rename x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/{detections_engineer.ts => detections_admin.ts} (89%) 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts similarity index 89% rename from x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts rename to x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts index 9f29b657435b4..8719fe03dee2c 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts @@ -9,7 +9,7 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; import { SECURITY_FEATURE_ID } from '../../../../common/constants'; -export const getDetectionsEngineer: () => Omit = () => { +export const getDetectionsAdmin: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); return { ...noResponseActionsRole, @@ -19,10 +19,11 @@ export const getDetectionsEngineer: () => Omit = () => { feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'policy_management_read', + 'global_artifact_management_all', 'trusted_applications_read', 'event_filters_read', 'host_isolation_exceptions_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 00452561b7af3..586c99049f497 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts 
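Review bot: Replacing `'minimal_all'` with `'all'` in the `[SECURITY_FEATURE_ID]` list widens this role beyond the sub-feature privileges spelled out after it. The v3 sub-feature definition touched earlier in this series declares `endpoint_exceptions_all` with `includeIn: 'all'`, so the role now also carries endpoint exception write access, including the `lists-all` and saved-object grants added in patch 15. The explicit `policy_management_read`, `trusted_applications_read`, `event_filters_read` and `host_isolation_exceptions_read` entries suggest the list was meant to be exhaustive. If the extra access is intended, a short comment saying so would help; otherwise keep `'minimal_all'` and list the endpoint-exceptions level explicitly. The same swap is made in `endpoint_security_policy_manager.ts`, `platform_engineer.ts` and `soc_manager.ts`, and the role object continues outside the hunk.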
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts @@ -65,6 +65,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { 'read_alerts', 'policy_management_all', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 65e5ff2ba5835..22085aaeedb09 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts @@ -19,10 +19,11 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', @@ -47,7 +48,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts index 7861ee4d6e0d5..6b41177ec3ccf 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/index.ts 
@@ -19,7 +19,7 @@ import { getEndpointSecurityPolicyManagementReadRole, getEndpointSecurityPolicyManager, } from './endpoint_security_policy_manager'; -import { getDetectionsEngineer } from './detections_engineer'; +import { getDetectionsAdmin } from './detections_admin'; import { getWithResponseActionsRole } from './with_response_actions_role'; import { getNoResponseActionsRole } from './without_response_actions_role'; import { getWithArtifactReadPrivilegesRole } from './with_artifact_read_privileges_role'; @@ -35,7 +35,7 @@ export * from './soc_manager'; export * from './platform_engineer'; export * from './endpoint_operations_analyst'; export * from './endpoint_security_policy_manager'; -export * from './detections_engineer'; +export * from './detections_admin'; export type EndpointSecurityRoleNames = keyof typeof ENDPOINT_SECURITY_ROLE_NAMES; @@ -105,7 +105,7 @@ export const getAllEndpointSecurityRoles = (): EndpointSecurityRoleDefinitions = name: 'soc_manager', }, detections_admin: { - ...getDetectionsEngineer(), + ...getDetectionsAdmin(), name: 'detections_admin', }, platform_engineer: { diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index d498e2846761b..889abe32d5746 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts @@ -19,10 +19,11 @@ export const getPlatformEngineer: () => Omit = () => { feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index de063f442d8ea..aaa622113f21d 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts @@ -24,6 +24,7 @@ export const getRuleAuthor: () => Omit = () => { 'crud_alerts', 'policy_management_all', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index 11eebeb0d6475..9b4ac9913b5f1 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts @@ -19,10 +19,11 @@ export const getSocManager: () => Omit = () => { feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'policy_management_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index bff6d87b6488f..f2b5f2fb76d85 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -18,7 +18,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['minimal_all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index ea2564692ed0a..4e3b74fe2ddd2 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts @@ -18,7 +18,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['minimal_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: ['all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index 1a616fb9b6cc5..219083cbebc7d 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -23,6 +23,7 @@ export const getT3Analyst: () => Omit = () => { 'read_alerts', 'crud_alerts', 'endpoint_list_all', + 'global_artifact_management_all', 'trusted_applications_all', 'event_filters_all', 'host_isolation_exceptions_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index f6eec979b5e86..193eed6484d8e 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -18,7 +18,12 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['minimal_all', 'blocklist_all', 'actions_log_management_read'], + [SECURITY_FEATURE_ID]: [ + 'all', + 'blocklist_all', + 'global_artifact_management_all', + 'actions_log_management_read', + ], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 98f673d894e47..d3fd073268136 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts @@ -19,7 +19,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => feature: { ...noResponseActionsRole.kibana[0].feature, [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'blocklist_read', 'trusted_applications_read', 'host_isolation_exceptions_read', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index a2755b31623c9..9a2ea9537f3a6 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -44,7 +44,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({ savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], [SECURITY_FEATURE_ID]: [ - 'minimal_all', + 'all', 'endpoint_list_all', 'endpoint_list_read', 'trusted_applications_all', From c8ff1962d07c18d35cc3f0747d1d433cd7c89f68 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 11 Jun 2025 14:07:18 +0200 Subject: [PATCH 22/52] unhide GlobalArtifactManagement privilege from feature flag in order to ensure proper role migration independently from feature flag --- .../v2_features/kibana_sub_features.ts | 58 +++-------- .../v3_features/kibana_sub_features.ts | 95 ++++++++++--------- 2 files changed, 64 insertions(+), 89 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index 3c166e419a318..508dc89ddc4f3 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts 
@@ -82,9 +82,7 @@ const endpointListSubFeature = (): SubFeatureConfig => ({ ], }); -const trustedApplicationsSubFeature = ( - experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] -): SubFeatureConfig => ({ +const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.trustedApplications.privilegesTooltip', @@ -113,12 +111,7 @@ const trustedApplicationsSubFeature = ( replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'trusted_applications_all', - ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled - ? ['global_artifact_management_all'] - : []), - ], + privileges: ['trusted_applications_all', 'global_artifact_management_all'], }, ], api: [ @@ -155,9 +148,7 @@ const trustedApplicationsSubFeature = ( }, ], }); -const hostIsolationExceptionsBasicSubFeature = ( - experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] -): SubFeatureConfig => ({ +const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.hostIsolationExceptions.privilegesTooltip', @@ -186,12 +177,7 @@ const hostIsolationExceptionsBasicSubFeature = ( replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'host_isolation_exceptions_all', - ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled - ? ['global_artifact_management_all'] - : []), - ], + privileges: ['host_isolation_exceptions_all', 'global_artifact_management_all'], }, ], api: [ 
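Review bot: The `replacedBy` entry for `trusted_applications_all` now always adds `global_artifact_management_all`, and nothing next to it says why one deprecated per-artifact privilege migrates to two V3 privileges. A later reader could take the second entry for an over-grant and remove it, or copy it onto a `*_read` mapping where it would widen access. I would put a comment above the `privileges` array, for example `// V2 artifact "all" implied managing global artifacts; keep that on migration regardless of the space-awareness flag` (rationale inferred from the commit subject, please confirm). The same applies to the host isolation exceptions mapping in this hunk group and to the blocklist and event filters mappings in the hunks that follow.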
@@ -228,9 +214,7 @@ const hostIsolationExceptionsBasicSubFeature = ( }, ], }); -const blocklistSubFeature = ( - experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] -): SubFeatureConfig => ({ +const blocklistSubFeature = (): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.blockList.privilegesTooltip', @@ -256,12 +240,7 @@ const blocklistSubFeature = ( replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'blocklist_all', - ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled - ? ['global_artifact_management_all'] - : []), - ], + privileges: ['blocklist_all', 'global_artifact_management_all'], }, ], api: [ @@ -296,9 +275,7 @@ const blocklistSubFeature = ( }, ], }); -const eventFiltersSubFeature = ( - experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] -): SubFeatureConfig => ({ +const eventFiltersSubFeature = (): SubFeatureConfig => ({ requireAllSpaces: true, privilegesTooltip: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.eventFilters.privilegesTooltip', @@ -327,12 +304,7 @@ const eventFiltersSubFeature = ( replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'event_filters_all', - ...(experimentalFeatures.endpointManagementSpaceAwarenessEnabled - ? ['global_artifact_management_all'] - : []), - ], + privileges: ['event_filters_all', 'global_artifact_management_all'], }, ], api: [ 
@@ -877,20 +849,14 @@ export const getSecurityV2SubFeaturesMap = ({ [ SecuritySubFeatureId.trustedApplications, - enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature(experimentalFeatures)), + enableSpaceAwarenessIfNeeded(trustedApplicationsSubFeature()), ], [ SecuritySubFeatureId.hostIsolationExceptionsBasic, - enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature(experimentalFeatures)), - ], - [ - SecuritySubFeatureId.blocklist, - enableSpaceAwarenessIfNeeded(blocklistSubFeature(experimentalFeatures)), - ], - [ - SecuritySubFeatureId.eventFilters, - enableSpaceAwarenessIfNeeded(eventFiltersSubFeature(experimentalFeatures)), + enableSpaceAwarenessIfNeeded(hostIsolationExceptionsBasicSubFeature()), ], + [SecuritySubFeatureId.blocklist, enableSpaceAwarenessIfNeeded(blocklistSubFeature())], + [SecuritySubFeatureId.eventFilters, enableSpaceAwarenessIfNeeded(eventFiltersSubFeature())], [ SecuritySubFeatureId.policyManagement, diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 9dadafe0415e6..3429b7470a5ed 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
@@ -716,43 +716,56 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ ], }); -const globalArtifactManagementSubFeature = (): SubFeatureConfig => ({ - requireAllSpaces: false, - privilegesTooltip: undefined, - name: i18n.translate( +const globalArtifactManagementSubFeature = ( + experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] +): SubFeatureConfig => { + const GLOBAL_ARTIFACT_MANAGEMENT = i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement', - { - defaultMessage: 'Global Artifact Management', - } - ), - description: i18n.translate( - 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.description', - { - defaultMessage: - 'Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) ' + - 'across all policies. This privilege controls global assignment rights only; privileges for each ' + - 'artifact type are required for full artifact management.', - } - ), - privilegeGroups: [ - { - groupType: 'mutually_exclusive', - privileges: [ - { - api: [`${APP_ID}-writeGlobalArtifacts`], - id: 'global_artifact_management_all', - includeIn: 'none', - name: TRANSLATIONS.all, - savedObject: { - all: [], - read: [], + { defaultMessage: 'Global Artifact Management' } + ); + + const COMING_SOON = i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.comingSoon', + { defaultMessage: '(Coming Soon)' } + ); + + const name = experimentalFeatures.endpointManagementSpaceAwarenessEnabled + ? 
GLOBAL_ARTIFACT_MANAGEMENT + : `${GLOBAL_ARTIFACT_MANAGEMENT} ${COMING_SOON}`; + + return { + requireAllSpaces: false, + privilegesTooltip: undefined, + name, + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.description', + { + defaultMessage: + 'Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) ' + + 'across all policies. This privilege controls global assignment rights only; privileges for each ' + + 'artifact type are required for full artifact management.', + } + ), + privilegeGroups: [ + { + groupType: 'mutually_exclusive', + privileges: [ + { + api: [`${APP_ID}-writeGlobalArtifacts`], + id: 'global_artifact_management_all', + includeIn: 'none', + name: TRANSLATIONS.all, + savedObject: { + all: [], + read: [], + }, + ui: ['writeGlobalArtifacts'], }, - ui: ['writeGlobalArtifacts'], - }, - ], - }, - ], -}); + ], + }, + ], + }; +}; /** * Sub-features that will always be available for Security @@ -786,14 +799,10 @@ export const getSecurityV3SubFeaturesMap = ({ enableSpaceAwarenessIfNeeded(endpointExceptionsSubFeature()), ], - ...((experimentalFeatures.endpointManagementSpaceAwarenessEnabled - ? [ - [ - SecuritySubFeatureId.globalArtifactManagement, - enableSpaceAwarenessIfNeeded(globalArtifactManagementSubFeature()), - ], - ] - : []) as Array<[SecuritySubFeatureId, SubFeatureConfig]>), + [ + SecuritySubFeatureId.globalArtifactManagement, + enableSpaceAwarenessIfNeeded(globalArtifactManagementSubFeature(experimentalFeatures)), + ], [ SecuritySubFeatureId.trustedApplications, From 6b6c75a722d5d57af3f5448f12f878e02b668af6 Mon Sep 17 00:00:00 2001 
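Review bot: The `(Coming Soon)` suffix only changes the display `name`; `global_artifact_management_all` is registered either way with the `writeGlobalArtifacts` API tag and UI capability, so it can be granted to a role while `endpointManagementSpaceAwarenessEnabled` is off. Whether the routes and UI that check `writeGlobalArtifacts` ignore it while the flag is off is not visible in this hunk; if they do not, the label understates what the grant does. I would state the contract in a comment above `const name`, for example `// Registered with the flag off so role migration can target it; writeGlobalArtifacts is enforced in <enforcement location>` (placeholder, to be filled in by the author). Separately, joining two translated strings in a template literal fixes the word order for every locale; one complete message per variant avoids that.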
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 11 Jun 2025 14:40:47 +0200 Subject: [PATCH 23/52] migrate to GlobalArtifactManagement privilege from security:ALL to keep Endpoint Exceptions working --- .../security/v2_features/kibana_features.ts | 20 ++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index cca6b442279c4..dc6a1105b8a9c 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -90,12 +90,26 @@ export const getSecurityV2BaseKibanaFeature = ({ privileges: { all: { replacedBy: { - default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], + default: [ + { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'minimal_all', + 'global_artifact_management_all', + // please do not use `isServerless` for other things + ...(isServerless ? [] : ['endpoint_exceptions_all']), + ], + }, + ], minimal: [ { feature: SECURITY_FEATURE_ID_V3, - // please do not use `isServerless` for other things - privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], + privileges: [ + 'minimal_all', + 'global_artifact_management_all', + // please do not use `isServerless` for other things + ...(isServerless ? [] : ['endpoint_exceptions_all']), + ], }, ], }, From 8c994ff3b5a7bc013c5d563be49bf137f323a58a Mon Sep 17 00:00:00 2001 
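Review bot: The `minimal` mapping now hands `global_artifact_management_all` to every role that held only `minimal_all` on the V2 feature, including roles that were deliberately given no artifact sub-feature privileges. The V3 sub-feature description says this privilege covers global assignment only and that per-artifact privileges are still required, which would bound the effect, but that bound lives in enforcement code outside this hunk. I would add a comment on the entry, for example `// global_artifact_management_all alone grants no artifact write; it preserves global assignment for roles that also hold a per-artifact privilege`, and a migration test asserting that a `minimal_all`-only role cannot write artifacts afterwards. `default` and `minimal` are now the same list, so a shared constant would keep the two from drifting apart.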
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 13 Jun 2025 16:14:40 +0200 Subject: [PATCH 24/52] add Global Artifact Management migration to siemV1 as well --- .../security/v1_features/kibana_features.ts | 13 +++++++-- .../v1_features/kibana_sub_features.ts | 29 +++++++++++++++---- .../v2_features/kibana_sub_features.ts | 5 +++- 3 files changed, 38 insertions(+), 9 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index b65d7f91270d8..3e966362c6f5c 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -94,15 +94,22 @@ export const getSecurityBaseKibanaFeature = ({ default: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['minimal_all', 'global_artifact_management_all'], + }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - // please do not use `isServerless` for other things - privileges: ['minimal_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])], + privileges: [ + 'minimal_all', + 'global_artifact_management_all', + // please do not use `isServerless` for other things + ...(isServerless ? [] : ['endpoint_exceptions_all']), + ], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 7b5440f12b414..7d8ed898d8db1 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts 
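Review bot: In `all.replacedBy`, the `default` list is `['minimal_all', 'global_artifact_management_all']` while `minimal` also carries `...(isServerless ? [] : ['endpoint_exceptions_all'])`, so outside serverless a V1 role with plain `all` would migrate with less than a `minimal_all` role does. The V2 mapping in the previous patch of this series includes the conditional entry in both lists. If the difference is not intended, `default` should read `privileges: ['minimal_all', 'global_artifact_management_all', ...(isServerless ? [] : ['endpoint_exceptions_all'])],`. The enclosing `getSecurityBaseKibanaFeature` body starts and ends outside the hunk.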
+++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -94,7 +94,10 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['trusted_applications_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['trusted_applications_all', 'global_artifact_management_all'], + }, ], api: [ 'lists-all', @@ -157,7 +160,10 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['host_isolation_exceptions_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['host_isolation_exceptions_all', 'global_artifact_management_all'], + }, ], api: [ 'lists-all', @@ -216,7 +222,12 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['blocklist_all'] }], + replacedBy: [ + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['blocklist_all', 'global_artifact_management_all'], + }, + ], api: [ 'lists-all', 'lists-read', @@ -275,7 +286,12 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ groupType: 'mutually_exclusive', privileges: [ { - replacedBy: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['event_filters_all'] }], + replacedBy: [ + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['event_filters_all', 'global_artifact_management_all'], + }, + ], api: [ 'lists-all', 'lists-read', @@ -650,7 +666,10 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['endpoint_exceptions_all', 'global_artifact_management_all'], + }, ], id: 'endpoint_exceptions_all', includeIn: 'all', 
diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index 508dc89ddc4f3..7af073e6beab5 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -734,7 +734,10 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ privileges: [ { replacedBy: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['endpoint_exceptions_all'] }, + { + feature: SECURITY_FEATURE_ID_V3, + privileges: ['endpoint_exceptions_all', 'global_artifact_management_all'], + }, ], id: 'endpoint_exceptions_all', includeIn: 'all', From 3ac7be8c4aac0e3e2c8a3f01437c1cb127177023 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 13 Jun 2025 17:26:32 +0200 Subject: [PATCH 25/52] revert all Endpoint Exception privilege related modifications --- .../security/packages/features/privileges.ts | 10 ++++ .../src/product_features_privileges.ts | 30 +++++++++++ .../src/security/product_feature_config.ts | 3 -- .../packages/features/src/security/types.ts | 13 ++--- .../security/v1_features/kibana_features.ts | 14 +---- .../v1_features/kibana_sub_features.ts | 10 ++-- .../security/v2_features/kibana_features.ts | 23 ++------ .../v2_features/kibana_sub_features.ts | 10 ++-- .../v3_features/kibana_sub_features.ts | 18 +++---- .../cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 1 - ...point_role_rbac_with_space_awareness.cy.ts | 6 ++- .../lib/product_features_service/mocks.ts | 2 +- .../product_features_service.test.ts | 52 +++++-------------- .../product_features_service.ts | 8 +-- .../security_solution/server/plugin.ts | 6 +-- .../security_product_features_config.ts | 9 +++- .../security_product_features_config.ts | 7 ++- 17 files changed, 101 insertions(+), 121 deletions(-) create mode 100644 x-pack/solutions/security/packages/features/privileges.ts create mode 100644 x-pack/solutions/security/packages/features/src/product_features_privileges.ts diff --git a/x-pack/solutions/security/packages/features/privileges.ts b/x-pack/solutions/security/packages/features/privileges.ts new file mode 100644 index 0000000000000..5cfe7b2d58d3b --- /dev/null +++ b/x-pack/solutions/security/packages/features/privileges.ts @@ -0,0 +1,10 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +export { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from './src/product_features_privileges'; 
diff --git a/x-pack/solutions/security/packages/features/src/product_features_privileges.ts b/x-pack/solutions/security/packages/features/src/product_features_privileges.ts new file mode 100644 index 0000000000000..22b4e858e4a55 --- /dev/null +++ b/x-pack/solutions/security/packages/features/src/product_features_privileges.ts @@ -0,0 +1,30 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { APP_ID } from './constants'; + +export enum ProductFeaturesPrivilegeId { + endpointExceptions = 'endpoint_exceptions', +} + +/** + * This is the mapping of the privileges that are registered + * using a different Kibana feature configuration (sub-feature, main feature privilege, etc) + * in each offering type (ess, serverless) + */ +export const ProductFeaturesPrivileges = { + [ProductFeaturesPrivilegeId.endpointExceptions]: { + all: { + ui: ['showEndpointExceptions', 'crudEndpointExceptions'], + api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], + }, + read: { + ui: ['showEndpointExceptions'], + api: [`${APP_ID}-showEndpointExceptions`], + }, + }, +}; diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts index 7192758d26135..54617d8c0ec67 100644 --- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts +++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts 
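Review bot: `ProductFeaturesPrivileges` is exported as a plain mutable object, and the V1, V2 and V3 endpoint exceptions sub-features in this commit spread `.all` and `.read` from it, which copies the `ui` and `api` array references rather than the arrays themselves. Nothing visible mutates them, but any code that later pushes onto one feature's `api` list would silently change the privilege definition shared by the other two. Copying at the use site, e.g. `api: [...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all.api]`, or freezing the arrays where they are defined would rule that out. A short doc comment on the constant saying that it is shared by all three feature versions would also help.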
@@ -135,9 +135,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature SecuritySubFeatureId.globalArtifactManagement, ], }, - [ProductFeatureSecurityKey.endpointExceptions]: { - subFeatureIds: [SecuritySubFeatureId.endpointExceptions], - }, // Endpoint Complete Tier: // Allows access to create/update HIEs diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index 490a582a67d85..dda61b6e86b9a 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts @@ -18,15 +18,10 @@ export interface SecurityFeatureParams { */ experimentalFeatures: Record; savedObjects: string[]; - /** - * Sort of temporary solution for merging diverged ESS/serverless offering Endpoint Exception privileges, - * it would be best not to use it for other things. - */ - isServerless: boolean; } -// Omit<> not generic security app features here -export type DefaultSecurityProductFeaturesConfig = Record< - ProductFeatureSecurityKey, - ProductFeatureKibanaConfig +export type DefaultSecurityProductFeaturesConfig = Omit< + Record>, + ProductFeatureSecurityKey.endpointExceptions + // | add not generic security app features here >; diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 3e966362c6f5c..3bb6823bb4d36 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts 
@@ -50,7 +50,6 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityBaseKibanaFeature = ({ savedObjects, - isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -104,12 +103,7 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'minimal_all', - 'global_artifact_management_all', - // please do not use `isServerless` for other things - ...(isServerless ? [] : ['endpoint_exceptions_all']), - ], + privileges: ['minimal_all', 'global_artifact_management_all'], }, ], }, @@ -158,11 +152,7 @@ export const getSecurityBaseKibanaFeature = ({ minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { - feature: SECURITY_FEATURE_ID_V3, - // please do not use `isServerless` for other things - privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], - }, + { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 7d8ed898d8db1..4ad49ec05eac1 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts 
@@ -8,6 +8,10 @@ import { i18n } from '@kbn/i18n'; import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; +import { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; @@ -678,8 +682,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, }, { replacedBy: [ @@ -692,8 +695,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`], - ui: ['showEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index dc6a1105b8a9c..a10f66bae40bc 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -49,7 +49,6 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV2BaseKibanaFeature = ({ savedObjects, - isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( 
@@ -93,23 +92,13 @@ export const getSecurityV2BaseKibanaFeature = ({ default: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'minimal_all', - 'global_artifact_management_all', - // please do not use `isServerless` for other things - ...(isServerless ? [] : ['endpoint_exceptions_all']), - ], + privileges: ['minimal_all', 'global_artifact_management_all'], }, ], minimal: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'minimal_all', - 'global_artifact_management_all', - // please do not use `isServerless` for other things - ...(isServerless ? [] : ['endpoint_exceptions_all']), - ], + privileges: ['minimal_all', 'global_artifact_management_all'], }, ], }, @@ -132,13 +121,7 @@ export const getSecurityV2BaseKibanaFeature = ({ read: { replacedBy: { default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }], - minimal: [ - { - feature: SECURITY_FEATURE_ID_V3, - // please do not use `isServerless` for other things - privileges: ['minimal_read', ...(isServerless ? [] : ['endpoint_exceptions_read'])], - }, - ], + minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index 7af073e6beab5..e5d8770cd855a 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts 
@@ -8,6 +8,10 @@ import { i18n } from '@kbn/i18n'; import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; +import { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; import { APP_ID, SECURITY_FEATURE_ID_V3 } from '../../constants'; @@ -746,8 +750,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, }, { replacedBy: [ @@ -760,8 +763,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: [`${APP_ID}-showEndpointExceptions`], - ui: ['showEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 3429b7470a5ed..1dc29c8b43b5f 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts @@ -8,6 +8,10 @@ import { i18n } from '@kbn/i18n'; import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { EXCEPTION_LIST_NAMESPACE_AGNOSTIC } from '@kbn/securitysolution-list-constants'; +import { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from '../../product_features_privileges'; import { SecuritySubFeatureId } from '../../product_features_keys'; import { APP_ID } from '../../constants'; 
@@ -688,17 +692,10 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ includeIn: 'all', name: TRANSLATIONS.all, savedObject: { - all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC], + all: [], read: [], }, - api: [ - 'lists-all', - 'lists-read', - 'lists-summary', - `${APP_ID}-showEndpointExceptions`, - `${APP_ID}-crudEndpointExceptions`, - ], - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all, }, { id: 'endpoint_exceptions_read', @@ -708,8 +705,7 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ all: [], read: [], }, - api: ['lists-read', 'lists-summary', `${APP_ID}-showEndpointExceptions`], - ui: ['showEndpointExceptions'], + ...ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].read, }, ], }, diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 8ae11983787cc..8638e7e83a7bd 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
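Review bot: In the `endpoint_exceptions_all` entry, `savedObject.all` drops `EXCEPTION_LIST_NAMESPACE_AGNOSTIC` and the `lists-all`/`lists-read`/`lists-summary` API tags disappear, so everything this privilege grants now comes from `ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions].all`, whose contents are not visible in this hunk. The spread is placed after the literal `savedObject: { all: [], read: [] }`, so a `savedObject` key in the shared object would silently replace it; the same spread pattern is used in the v1 and v2 sub-feature hunks and in the `endpoint_exceptions_read` entry. I would add a comment above the spread such as `// contributes api + ui for endpoint exceptions; saved-object and lists access is granted elsewhere`, after confirming where that access now comes from. It is also worth checking that a role holding only this sub-feature privilege can still reach the exception-list routes, since the serverless authorization snapshot later in the series lists only `securitySolution-*` API tags and `ui:` entries for it.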
@@ -52,7 +52,6 @@ describe( .should('deep.equal', [ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone', 'Automatic Troubleshooting Access to the automatic troubleshooting.Automatic Troubleshooting sub-feature privilegeAllReadNone', - 'Endpoint Exceptions Manage Endpoint Exceptions.Endpoint Exceptions sub-feature privilegeAllReadNone', 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone', 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index d3e6df67cb0d6..6c5fe03be49d4 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -43,8 +43,10 @@ describe( }, }, () => { + const isServerless = Cypress.env('CLOUD_SERVERLESS'); + // In Serverless MKI we use `admin` for the login user... other deployments use system indices superuser - const loginUser = Cypress.env('CLOUD_SERVERLESS') ? ROLE.admin : ROLE.system_indices_superuser; + const loginUser = isServerless ? ROLE.admin : ROLE.system_indices_superuser; const roleName = `test_${Math.random().toString().substring(2, 6)}`; let spaceId: string = ''; @@ -102,7 +104,7 @@ describe( .should('deep.equal', [ 'Endpoint ListAll', 'Automatic TroubleshootingNone', - 'Endpoint ExceptionsAll', + ...(isServerless ? ['Endpoint ExceptionsAll'] : []), 'Global Artifact ManagementNone', 'Trusted ApplicationsNone', 'Host Isolation ExceptionsNone', diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index 0b646937eb175..e9e03c62eb94d 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -80,7 +80,7 @@ export const createProductFeaturesServiceMock = ( featuresPluginSetupContract: FeaturesPluginSetup = featuresPluginMock.createSetup(), logger: Logger = loggingSystemMock.create().get('productFeatureMock') ) => { - const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures, false); + const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures); productFeaturesService.init(featuresPluginSetupContract); diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index 3ee73e89351df..b707630e100d4 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -28,7 +28,6 @@ import type { LifecycleResponseFactory, OnPostAuthHandler, } from '@kbn/core-http-server'; -import type { SecurityFeatureParams } from '@kbn/security-solution-features/src/security/types'; jest.mock('./product_features'); const MockedProductFeatures = ProductFeatures as unknown as jest.MockedClass< @@ -41,14 +40,10 @@ const productFeature = { baseKibanaSubFeatureIds: [], }; const mockGetFeature = jest.fn().mockReturnValue(productFeature); -const mockGetSecurityFeature = jest - .fn() - .mockReturnValue(productFeature); - jest.mock('@kbn/security-solution-features/product_features', () => ({ - getSecurityFeature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), - getSecurityV2Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), - getSecurityV3Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityFeature: () => mockGetFeature(), + getSecurityV2Feature: () => mockGetFeature(), + getSecurityV3Feature: () => mockGetFeature(), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), 
@@ -66,31 +61,17 @@ describe('ProductFeaturesService', () => { it('should create ProductFeatureService instance', () => { const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures, false); + new ProductFeaturesService(loggerMock.create(), experimentalFeatures); - expect(mockGetFeature).toHaveBeenCalledTimes(8); - expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3); + expect(mockGetFeature).toHaveBeenCalledTimes(11); expect(MockedProductFeatures).toHaveBeenCalledTimes(11); }); - it.each([false, true])( - 'should pass `isServerless = %s` param to security feature getters', - (isServerless) => { - const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures, isServerless); - - expect( - mockGetSecurityFeature.mock.calls.every((args) => args[0].isServerless === isServerless) - ).toBeTruthy(); - } - ); - it('should init all ProductFeatures when initialized', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); @@ -105,8 +86,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); @@ -156,8 +136,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); 
@@ -206,8 +185,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.isApiPrivilegeEnabled('writeEndpointExceptions'); @@ -241,8 +219,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -260,8 +237,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -278,8 +254,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -302,8 +277,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); mockIsActionRegistered = MockedProductFeatures.mock.instances[0] diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index b8c0b1b35589b..9fbfd6d2572de 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -54,13 +54,11 @@ export class ProductFeaturesService { constructor( private readonly logger: Logger, - private readonly experimentalFeatures: ExperimentalFeatures, - isServerless: boolean + private readonly experimentalFeatures: ExperimentalFeatures ) { const securityFeature = getSecurityFeature({ savedObjects: securityV1SavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityProductFeatures = new ProductFeatures( this.logger, @@ -71,7 +69,6 @@ export class ProductFeaturesService { const securityV2Feature = getSecurityV2Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityV2ProductFeatures = new ProductFeatures( this.logger, @@ -83,7 +80,6 @@ export class ProductFeaturesService { const securityV3Feature = getSecurityV3Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityV3ProductFeatures = new ProductFeatures( this.logger, @@ -150,7 +146,6 @@ export class ProductFeaturesService { const timelineFeature = getTimelineFeature({ savedObjects: securityTimelineSavedObjects, experimentalFeatures: {}, - isServerless, }); this.timelineProductFeatures = new ProductFeatures( this.logger, @@ -162,7 +157,6 @@ export class ProductFeaturesService { const notesFeature = getNotesFeature({ savedObjects: securityNotesSavedObjects, experimentalFeatures: {}, - isServerless, }); this.notesProductFeatures = new ProductFeatures( this.logger, diff --git a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts index 520523ac7765f..da5c1d7d79f71 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts @@ -175,13 +175,9 @@ export class Plugin implements ISecuritySolutionPlugin { this.config = serverConfig; this.logger = context.logger.get(); this.appClientFactory = new AppClientFactory(); - - /** sort of temporary solution, please do not use me elsewhere */ - const isServerless = this.pluginContext.env.packageInfo.buildFlavor === 'serverless'; this.productFeaturesService = new ProductFeaturesService( this.logger, - this.config.experimentalFeatures, - isServerless + this.config.experimentalFeatures ); this.siemMigrationsService = new SiemMigrationsService( this.config, diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts index 70ff0cfd1f95c..0cec48bda5e44 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts @@ -10,13 +10,17 @@ import type { ProductFeaturesSecurityConfig, } from '@kbn/security-solution-features'; import { - type ProductFeatureSecurityKey, + ProductFeatureSecurityKey, type SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import { securityDefaultProductFeaturesConfig, createEnabledProductFeaturesConfigMap, } from '@kbn/security-solution-features/config'; +import { + ProductFeaturesPrivilegeId, + ProductFeaturesPrivileges, +} from '@kbn/security-solution-features/privileges'; export const getSecurityProductFeaturesConfigurator = (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => { 
@@ -40,4 +44,7 @@ const securityProductFeaturesConfig: Record< ProductFeatureKibanaConfig > = { ...securityDefaultProductFeaturesConfig, + [ProductFeatureSecurityKey.endpointExceptions]: { + privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions], + }, }; diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts index 1390aff89b86b..caec038374c23 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts @@ -14,8 +14,8 @@ import { createEnabledProductFeaturesConfigMap, } from '@kbn/security-solution-features/config'; import { - type ProductFeatureSecurityKey, - type SecuritySubFeatureId, + ProductFeatureSecurityKey, + SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import type { ExperimentalFeatures } from '../../common/experimental_features'; @@ -45,4 +45,7 @@ const securityProductFeaturesConfig: Record< ProductFeatureKibanaConfig > = { ...securityDefaultProductFeaturesConfig, + [ProductFeatureSecurityKey.endpointExceptions]: { + subFeatureIds: [SecuritySubFeatureId.endpointExceptions], + }, }; From fbbcf8b37dd9944c7978e0ae16846caab08f22dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 16 Jun 2025 13:25:32 +0200 Subject: [PATCH 26/52] update auth tests: remove endpoint exceptions (and SO), add global artifact management --- .../apis/security/privileges.ts | 7 +----- .../apis/security/privileges.ts | 7 +----- .../platform_security/authorization.ts | 23 ++++--------------- 3 files changed, 7 insertions(+), 30 deletions(-) 
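Review bot: Neither new `endpointExceptions` entry explains why the two offerings differ: here the ESS config merges `ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions]` through `privileges`, while the serverless config in the next file registers `SecuritySubFeatureId.endpointExceptions` through `subFeatureIds`. Since the v1/v2 `replacedBy` lists earlier in this patch no longer add `endpoint_exceptions_all`/`endpoint_exceptions_read` on ESS, this entry appears to be what keeps endpoint exceptions reachable for migrated ESS roles, and that dependency is easy to break unnoticed. A short comment on each entry would help, for example `// ESS: endpoint exceptions ride on the base Security all/read privileges, there is no separate sub-feature` and `// Serverless: endpoint exceptions are a separately assignable sub-feature`.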
diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index 681ea53561a5d..bcfd06452050a 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts @@ -111,8 +111,6 @@ export default function ({ getService }: FtrProviderContext) { 'minimal_read', 'endpoint_list_all', 'endpoint_list_read', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', 'trusted_applications_all', 'trusted_applications_read', 'host_isolation_exceptions_all', @@ -140,8 +138,6 @@ export default function ({ getService }: FtrProviderContext) { 'endpoint_list_read', 'workflow_insights_all', 'workflow_insights_read', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', 'trusted_applications_all', 'trusted_applications_read', 'host_isolation_exceptions_all', @@ -169,8 +165,7 @@ export default function ({ getService }: FtrProviderContext) { 'endpoint_list_read', 'workflow_insights_all', 'workflow_insights_read', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', + 'global_artifact_management_all', 'trusted_applications_all', 'trusted_applications_read', 'host_isolation_exceptions_all', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index ebbe2a3d79bbd..b5607f754ea27 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts @@ -233,8 +233,6 @@ export default function ({ getService }: FtrProviderContext) { 'file_operations_all', 'execute_operations_all', 'scan_operations_all', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', ], siemV2: [ 'actions_log_management_all', 
@@ -262,13 +260,12 @@ export default function ({ getService }: FtrProviderContext) { 'scan_operations_all', 'workflow_insights_all', 'workflow_insights_read', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', ], siemV3: [ 'actions_log_management_all', 'actions_log_management_read', 'all', + 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', 'endpoint_list_all', @@ -291,8 +288,6 @@ export default function ({ getService }: FtrProviderContext) { 'scan_operations_all', 'workflow_insights_all', 'workflow_insights_read', - 'endpoint_exceptions_all', - 'endpoint_exceptions_read', ], uptime: [ 'all', diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index fd73e20337900..72e39598f34d2 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts 
@@ -994,30 +994,13 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", - "api:lists-all", - "api:lists-read", - "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", - "saved_object:exception-list-agnostic/bulk_get", - "saved_object:exception-list-agnostic/get", - "saved_object:exception-list-agnostic/find", - "saved_object:exception-list-agnostic/open_point_in_time", - "saved_object:exception-list-agnostic/close_point_in_time", - "saved_object:exception-list-agnostic/create", - "saved_object:exception-list-agnostic/bulk_create", - "saved_object:exception-list-agnostic/update", - "saved_object:exception-list-agnostic/bulk_update", - "saved_object:exception-list-agnostic/delete", - "saved_object:exception-list-agnostic/bulk_delete", - "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/showEndpointExceptions", "ui:siemV3/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", - "api:lists-read", - "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV3/showEndpointExceptions", ], @@ -1072,6 +1055,11 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-writeFileOperations", "ui:siemV3/writeFileOperations", ], + "global_artifact_management_all": Array [ + "login:", + "api:securitySolution-writeGlobalArtifacts", + "ui:siemV3/writeGlobalArtifacts", + ], "host_isolation_all": Array [ "login:", "api:securitySolution-writeHostIsolationRelease", @@ -2252,7 +2240,6 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", - "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", From efe83e840b44a57d83a1143fe7f9843fe4c09915 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 16 Jun 2025 13:47:42 +0200 Subject: [PATCH 27/52] fix defend cy tests --- .../management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 1 + .../rbac/endpoint_role_rbac_with_space_awareness.cy.ts | 9 ++++----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 8638e7e83a7bd..95749acc9507e 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
@@ -52,6 +52,7 @@ describe( .should('deep.equal', [ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone', 'Automatic Troubleshooting Access to the automatic troubleshooting.Automatic Troubleshooting sub-feature privilegeAllReadNone', + 'Global Artifact Management (Coming Soon) Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) across all policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management.Global Artifact Management (Coming Soon) sub-feature privilegeAllNone', 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone', 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 6c5fe03be49d4..b2288566bd52c 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -43,10 +43,8 @@ describe( }, }, () => { - const isServerless = Cypress.env('CLOUD_SERVERLESS'); - // In Serverless MKI we use `admin` for the login user... other deployments use system indices superuser - const loginUser = isServerless ? ROLE.admin : ROLE.system_indices_superuser; + const loginUser = Cypress.env('CLOUD_SERVERLESS') ? ROLE.admin : ROLE.system_indices_superuser; const roleName = `test_${Math.random().toString().substring(2, 6)}`; let spaceId: string = ''; @@ -101,10 +99,11 @@ describe( return features; }) - .should('deep.equal', [ + // Using `include.members` here because in serverless, an additional privilege shows + // up in this list - `Endpoint exceptions`. + .should('include.members', [ 'Endpoint ListAll', 'Automatic TroubleshootingNone', - ...(isServerless ? ['Endpoint ExceptionsAll'] : []), 'Global Artifact ManagementNone', 'Trusted ApplicationsNone', 'Host Isolation ExceptionsNone', From 0f5b9a3a83f4801b13292199d20beec73da64058 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 16 Jun 2025 14:41:06 +0200 Subject: [PATCH 28/52] revert accidental formatting --- config/serverless.security.search_ai_lake.yml | 49 +++++++++---------- 1 file changed, 24 insertions(+), 25 deletions(-) diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index e2bf19c781d48..513d6a2a07a6d 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml 
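Review bot: Switching the assertion from `deep.equal` to `include.members` turns this RBAC check into a subset test, so it now passes when any unexpected feature privilege shows up in the role's list, not only the serverless-only Endpoint Exceptions row the new comment mentions. For a test whose purpose is to pin which privileges a role receives, I would keep an exact comparison that ignores order, e.g. `.should('have.members', [...expected, ...(isServerless ? ['Endpoint ExceptionsAll'] : [])])`, which needs the `isServerless` constant removed in the first hunk of this file. If the environment flag is not reliable in every target, asserting the list length next to `include.members` would still catch extra grants. The expected array continues past the end of the hunk.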
@@ -32,45 +32,44 @@ xpack.features.overrides: all.composedOf: ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten ## We do not need to compose siemV3 from maps and visualizations because these functionalities are disabled in this tier - - feature: 'discover_v2' - privileges: ['all'] + - feature: "discover_v2" + privileges: [ "all" ] ## We need limited read access to fleet (v1) in order to use integrations - - feature: 'fleet' - privileges: ['all'] + - feature: "fleet" + privileges: [ "all" ] read.composedOf: - - feature: 'discover_v2' - privileges: ['read'] - - feature: 'fleet' - privileges: ['read'] + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "fleet" + privileges: [ "read" ] siemV2: privileges: all.composedOf: ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten ## We do not need to compose siemV2 from maps and visualizations because these functionalities are disabled in this tier - - feature: 'discover_v2' - privileges: ['all'] - ## We need limited read access to fleet (v1) in order to use integrations - - feature: 'fleet' - privileges: ['all'] + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "savedQueryManagement" + privileges: [ "all" ] read.composedOf: - - feature: 'discover_v2' - privileges: ['read'] - - feature: 'fleet' - privileges: ['read'] + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "savedQueryManagement" + privileges: [ "read" ] siem: privileges: all.composedOf: ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten ## We do not need to compose siemV2 from maps and visualizations because these functionalities are disabled in this tier - - feature: 'discover_v2' - privileges: ['all'] - - feature: 'savedQueryManagement' - privileges: ['all'] + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "savedQueryManagement" + privileges: [ "all" ] read.composedOf: - - 
feature: 'discover_v2' - privileges: ['read'] - - feature: 'savedQueryManagement' - privileges: ['read'] + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "savedQueryManagement" + privileges: [ "read" ] # Custom integrations/fleet settings xpack.fleet.agentless.isDefault: true From 970674a90bb83af8aa81b7efa1c3caebb05b36c4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 16 Jun 2025 14:50:23 +0200 Subject: [PATCH 29/52] parameterize siemV3 --- .../trial_license_complete_tier/lists/read_list_privileges.ts | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts index 0fe9959c9c6c1..44ace03e5b28c 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/lists_and_exception_lists/lists_items/trial_license_complete_tier/lists/read_list_privileges.ts @@ -9,6 +9,7 @@ import expect from '@kbn/expect'; import { LIST_PRIVILEGES_URL } from '@kbn/securitysolution-list-constants'; import { getReadPrivilegeMock } from '@kbn/lists-plugin/server/routes/list_privileges/read_list_privileges_route.mock'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import type { FtrProviderContextWithSpaces } from '../../../../../ftr_provider_context_with_spaces'; export default ({ getService }: FtrProviderContextWithSpaces) => { 
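Review bot: Under `siemV2` this hunk does more than change quoting: the `fleet` entries in `all.composedOf` and `read.composedOf` are replaced by `savedQueryManagement`, and the comment about limited fleet access is dropped, although the commit is titled as a formatting revert. If the intent is to restore an earlier `siemV2` composition, the commit message should say so; otherwise roles composed from `siemV2` in this tier lose the fleet privileges and gain saved-query management without that being called out. The unchanged comment inside the `siem` block still says "compose siemV2", which looks like a copy-paste leftover; `## We do not need to compose siem from maps and visualizations because these functionalities are disabled in this tier` would match the block it sits in.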
@@ -38,7 +39,7 @@ export default ({ getService }: FtrProviderContextWithSpaces) => { { feature: { dashboard: ['all'], - siemV3: ['all', 'read'], + [SECURITY_FEATURE_ID]: ['all', 'read'], }, spaces: [space1Id], }, From e40d923472f4f9410eea9cc35ef7dd5429c92984 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 17 Jun 2025 14:13:11 +0200 Subject: [PATCH 30/52] add explanatory comments for role migration --- .../security/v1_features/kibana_features.ts | 17 +++++++- .../v1_features/kibana_sub_features.ts | 41 ++++++++++++++++--- .../security/v2_features/kibana_features.ts | 17 +++++++- .../v2_features/kibana_sub_features.ts | 41 ++++++++++++++++--- .../v3_features/kibana_sub_features.ts | 12 ++++++ 5 files changed, 114 insertions(+), 14 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 3bb6823bb4d36..6dac83ba55bef 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -95,7 +95,15 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all', 'global_artifact_management_all'], + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. + 'global_artifact_management_all', + ], }, ], minimal: [ 
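Review bot: The comment added on `global_artifact_management_all` in the `default` mapping says the grant exists for the ESS offering, but nothing in the visible `replacedBy` entry is conditioned on the offering, so the mapping as shown applies to every role holding the old privilege. The comment should also say what the grant means on serverless, where (per the comments this patch adds in the sub-feature files) Endpoint Exceptions has its own sub-privilege, so a reader can confirm the migration does not widen access there. Wording: `as it included in Security:ALL privilege` should read `as it is included in the Security:ALL privilege`, and `granted with this privilege` should be `granted this privilege`. The same applies to the `minimal` hunk that follows and to both hunks in `v2_features/kibana_features.ts`. The enclosing function starts and ends outside the hunk.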
@@ -103,7 +111,12 @@ export const getSecurityBaseKibanaFeature = ({ { feature: NOTES_FEATURE_ID, privileges: ['all'] }, { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all', 'global_artifact_management_all'], + privileges: [ + 'minimal_all', + + // See above. + 'global_artifact_management_all', + ], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 4ad49ec05eac1..31f24b670752a 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -100,7 +100,13 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['trusted_applications_all', 'global_artifact_management_all'], + privileges: [ + 'trusted_applications_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -166,7 +172,13 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['host_isolation_exceptions_all', 'global_artifact_management_all'], + privileges: [ + 'host_isolation_exceptions_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ 
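Review bot: The two-line comment on `global_artifact_management_all` in `trustedApplicationsSubFeature` is repeated in the hunks for host isolation exceptions, blocklist, event filters and endpoint exceptions, here and again in `v2_features/kibana_sub_features.ts`. Ten copies of a statement about who is granted a privilege are likely to drift apart, and this patch already adds a TSDoc block on `globalArtifactManagementSubFeature` in the v3 file that carries the full explanation. A short pointer at each site, such as `// Role migration: see globalArtifactManagementSubFeature in v3_features/kibana_sub_features.ts`, would keep one source of truth. Each sub-feature definition continues outside its hunk.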
@@ -229,7 +241,13 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['blocklist_all', 'global_artifact_management_all'], + privileges: [ + 'blocklist_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -293,7 +311,13 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['event_filters_all', 'global_artifact_management_all'], + privileges: [ + 'event_filters_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -672,7 +696,14 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['endpoint_exceptions_all', 'global_artifact_management_all'], + privileges: [ + 'endpoint_exceptions_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for the serverless offering, where endpoint exception privilege exists. + 'global_artifact_management_all', + ], }, ], id: 'endpoint_exceptions_all', diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index a10f66bae40bc..147c51f1b2181 100644 
--- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -92,13 +92,26 @@ export const getSecurityV2BaseKibanaFeature = ({ default: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all', 'global_artifact_management_all'], + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. + 'global_artifact_management_all', + ], }, ], minimal: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['minimal_all', 'global_artifact_management_all'], + privileges: [ + 'minimal_all', + + // See above. + 'global_artifact_management_all', + ], }, ], }, diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index e5d8770cd855a..613b52fb179cc 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts 
@@ -115,7 +115,13 @@ const trustedApplicationsSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['trusted_applications_all', 'global_artifact_management_all'], + privileges: [ + 'trusted_applications_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -181,7 +187,13 @@ const hostIsolationExceptionsBasicSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['host_isolation_exceptions_all', 'global_artifact_management_all'], + privileges: [ + 'host_isolation_exceptions_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -244,7 +256,13 @@ const blocklistSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['blocklist_all', 'global_artifact_management_all'], + privileges: [ + 'blocklist_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ 
@@ -308,7 +326,13 @@ const eventFiltersSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['event_filters_all', 'global_artifact_management_all'], + privileges: [ + 'event_filters_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + 'global_artifact_management_all', + ], }, ], api: [ @@ -740,7 +764,14 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ replacedBy: [ { feature: SECURITY_FEATURE_ID_V3, - privileges: ['endpoint_exceptions_all', 'global_artifact_management_all'], + privileges: [ + 'endpoint_exceptions_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for the serverless offering, where endpoint exception privilege exists. + 'global_artifact_management_all', + ], }, ], id: 'endpoint_exceptions_all', diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 1dc29c8b43b5f..38087cece395d 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
@@ -712,6 +712,18 @@ const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ ], }); +/** + * Writing global (i.e. not per-policy) Artifacts is gated with `Global Artifact Management: ALL`, starting with `siemV3`. + * + * **Role migration implemented:** + * Users, who have been able to write ANY artifact before, are now granted with this privilege to keep existing behavior. + * - for Trusted Apps, Event Filters, Host Isolation Exceptions, Blocklists: the new privilege is added based on `artifact:ALL` sub-feature privilege + * - for Endpoint Exceptions: + * - on Serverless offering, the new privilege is added for Endpoint Exceptions sub-privilege `ALL`, + * - on ESS offering, there is no EE sub-privilege, so the new privilege is added to `siem|siemV2:ALL|MINIMAL_ALL`, + * as these include the Endpoint Exceptions write privilege + * + */ const globalArtifactManagementSubFeature = ( experimentalFeatures: SecurityFeatureParams['experimentalFeatures'] ): SubFeatureConfig => { From 4d5dec8afce426d8d8f38cc00b327c5abc5347b8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 17 Jun 2025 14:18:25 +0200 Subject: [PATCH 31/52] update search ai lake config: comment, earlier accidental change --- config/serverless.security.search_ai_lake.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index 513d6a2a07a6d..6a1944d405f52 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml 
@@ -34,7 +34,7 @@ xpack.features.overrides: ## We do not need to compose siemV3 from maps and visualizations because these functionalities are disabled in this tier - feature: "discover_v2" privileges: [ "all" ] - ## We need limited read access to fleet (v1) in order to use integrations + ## We need limited access to fleet (v1) in order to use integrations - feature: "fleet" privileges: [ "all" ] read.composedOf: @@ -49,12 +49,13 @@ xpack.features.overrides: ## We do not need to compose siemV2 from maps and visualizations because these functionalities are disabled in this tier - feature: "discover_v2" privileges: [ "all" ] - - feature: "savedQueryManagement" + ## We need limited access to fleet (v1) in order to use integrations + - feature: "fleet" privileges: [ "all" ] read.composedOf: - feature: "discover_v2" privileges: [ "read" ] - - feature: "savedQueryManagement" + - feature: "fleet" privileges: [ "read" ] siem: privileges: From 1b37885f068598b7db87225b9ae1ad8b159ac259 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 17 Jun 2025 15:36:46 +0200 Subject: [PATCH 32/52] parameterize siemV3 in rbac cy tests --- .../cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 3 ++- .../endpoint_role_rbac_with_space_awareness.cy.ts | 13 ++++++++----- .../cypress/screens/stack_management/role_page.ts | 11 +++++++---- 3 files changed, 17 insertions(+), 10 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 95749acc9507e..15ece7086767c 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
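Review bot: The reworded comment `## We need limited access to fleet (v1) in order to use integrations` sits directly above an entry that composes `fleet` with `[ "all" ]`, so nothing in the visible lines explains the word "limited". Either state in the comment what restricts the access, or drop the word, for example `## We need access to fleet (v1) in order to use integrations`. This applies to the comment changed in the first hunk (the block whose other comment mentions siemV3) and to the copy added to the `siemV2` block in the second hunk.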
@@ -14,6 +14,7 @@ import { } from '../../screens/stack_management/role_page'; import { closeAllToasts } from '../../tasks/toasts'; import { login, ROLE } from '../../tasks/login'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; describe( 'When defining a kibana role for Endpoint security access', @@ -23,7 +24,7 @@ describe( () => { const getAllSubFeatureRows = (): Cypress.Chainable> => { return cy - .get('#featurePrivilegeControls_siemV3') + .get(`#featurePrivilegeControls_${SECURITY_FEATURE_ID}`) .findByTestSubj('mutexSubFeaturePrivilegeControl') .closest('.euiFlexGroup'); }; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index b2288566bd52c..e5f8c1bf4aad0 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts @@ -22,6 +22,7 @@ import { setRoleName, setSecuritySolutionEndpointGroupPrivilege, } from '../../screens/stack_management/role_page'; +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; describe( 'When defining a kibana role for Endpoint security access with space awareness enabled', @@ -88,7 +89,7 @@ describe( .findByTestSubj(`space-avatar-${spaceId}`) .should('exist'); - cy.get('#row_siemV3_expansion') + cy.get(`#row_${SECURITY_FEATURE_ID}_expansion`) .findByTestSubj('subFeatureEntry') .then(($element) => { const features: string[] = []; 
@@ -121,14 +122,16 @@ describe( it('should not display the privilege tooltip', () => { ENDPOINT_SUB_FEATURE_PRIVILEGE_IDS.forEach((subFeaturePrivilegeId) => { - cy.getByTestSubj(`securitySolution_siemV3_${subFeaturePrivilegeId}_nameTooltip`).should( - 'not.exist' - ); + cy.getByTestSubj( + `securitySolution_${SECURITY_FEATURE_ID}_${subFeaturePrivilegeId}_nameTooltip` + ).should('not.exist'); }); }); it('should include new Global Artifact Management privilege', () => { - cy.getByTestSubj('securitySolution_siemV3_global_artifact_management').should('exist'); + cy.getByTestSubj(`securitySolution_${SECURITY_FEATURE_ID}_global_artifact_management`).should( + 'exist' + ); }); } ); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts index 50d066e9bf95b..d38d6525a95ab 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/screens/stack_management/role_page.ts @@ -5,6 +5,7 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; import { loadPage } from '../../tasks/common'; /** @@ -66,12 +67,14 @@ export const getSecuritySolutionCategoryKibanaPrivileges = (): Cypress.Chainable */ export const expandEndpointSecurityFeaturePrivileges = (): Cypress.Chainable => { return cy - .getByTestSubj('featurePrivilegeControls_securitySolution_siemV3_accordionToggle') + .getByTestSubj( + `featurePrivilegeControls_securitySolution_${SECURITY_FEATURE_ID}_accordionToggle` + ) .click(); }; export const getEndpointSecurityFeaturePrivileges = () => { - return cy.getByTestSubj('featureCategory_securitySolution_siemV3'); + return cy.getByTestSubj(`featureCategory_securitySolution_${SECURITY_FEATURE_ID}`); }; /** 
@@ -104,7 +107,7 @@ export const setSecuritySolutionEndpointGroupPrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getSecuritySolutionCategoryKibanaPrivileges() - .findByTestSubj(`siemV3_${privilege}`) + .findByTestSubj(`${SECURITY_FEATURE_ID}_${privilege}`) .click(); }; @@ -148,7 +151,7 @@ export const setEndpointSubFeaturePrivilege = ( privilege: 'all' | 'read' | 'none' ): Cypress.Chainable> => { return getEndpointSecurityFeaturePrivileges() - .findByTestSubj(`securitySolution_siemV3_${feature}_privilegeGroup`) + .findByTestSubj(`securitySolution_${SECURITY_FEATURE_ID}_${feature}_privilegeGroup`) .find(`button[title="${privilegeMapToTitle[privilege]}"]`) .click(); }; From 88d0605b7b6112e2c380721cf78eaac1044e8cd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 17 Jun 2025 18:47:48 +0200 Subject: [PATCH 33/52] add snapshot test for deprecated `siem` and `siemV2` features --- .../platform_security/authorization.ts | 5153 ++++++++++++++++- 1 file changed, 5152 insertions(+), 1 deletion(-) diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index 72e39598f34d2..502da1379f8d2 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts @@ -30,7 +30,7 @@ export default function ({ getService }: FtrProviderContext) { // The following features are composed of other features in a way that is // specific to the security solution. - // The deprecated dashboard and discover features are listed here because + // The deprecated features are listed here because // they are not explicitly hidden, and we can check them to confirm legacy // roles will still function correctly const compositeFeatureIds = [ 
@@ -39,6 +39,8 @@ export default function ({ getService }: FtrProviderContext) { 'discover', 'discover_v2', 'reporting', + 'siem', + 'siemV2', 'siemV3', ]; 
@@ -205,6 +207,5155 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:cloud/close_point_in_time", ], }, + "siem": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siem/writeActionsLogManagement", + "ui:siem/readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siem/readActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:rac", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:timeline_write", + "api:timeline_read", + "api:notes_write", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + 
"saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", 
+ "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + 
"saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + 
"saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + 
"saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-note/create", + "saved_object:siem-ui-timeline-note/bulk_create", + "saved_object:siem-ui-timeline-note/update", + "saved_object:siem-ui-timeline-note/bulk_update", + "saved_object:siem-ui-timeline-note/delete", + "saved_object:siem-ui-timeline-note/bulk_delete", + "saved_object:siem-ui-timeline-note/share_to_space", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + 
"saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/create", + "saved_object:siem-ui-timeline-pinned-event/bulk_create", + "saved_object:siem-ui-timeline-pinned-event/update", + "saved_object:siem-ui-timeline-pinned-event/bulk_update", + "saved_object:siem-ui-timeline-pinned-event/delete", + "saved_object:siem-ui-timeline-pinned-event/bulk_delete", + "saved_object:siem-ui-timeline-pinned-event/share_to_space", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:siem-ui-timeline/create", + "saved_object:siem-ui-timeline/bulk_create", + "saved_object:siem-ui-timeline/update", + "saved_object:siem-ui-timeline/bulk_update", + "saved_object:siem-ui-timeline/delete", + "saved_object:siem-ui-timeline/bulk_delete", + "saved_object:siem-ui-timeline/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + 
"saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/crud", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "ui:siem/showEndpointExceptions", + "ui:siem/crudEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + 
"alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + 
"alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + 
"alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + 
"alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + 
"alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + 
"alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + 
"alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + 
"alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", 
+ "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + 
"saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + 
"saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "api:savedQuery:manage", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "saved_object:query/create", + "saved_object:query/bulk_create", + "saved_object:query/update", + "saved_object:query/bulk_update", + "saved_object:query/delete", + "saved_object:query/bulk_delete", + "saved_object:query/share_to_space", + "ui:savedQueryManagement/showQueries", + "ui:savedQueryManagement/saveQuery", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:securitySolutionTimeline/crud", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:securitySolutionNotes/crud", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + 
"saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeBlocklist", + "ui:siem/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siem/readBlocklist", + "ui:siemV3/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "ui:siem/showEndpointExceptions", + "ui:siem/crudEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "ui:siem/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siem/writeEndpointList", + "ui:siem/readEndpointList", + "ui:siemV3/writeEndpointList", + "ui:siemV3/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + "api:securitySolution-readEndpointList", + "ui:siem/readEndpointList", + "ui:siemV3/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + 
"saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeEventFilters", + "ui:siem/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", + "ui:siemV3/writeGlobalArtifacts", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siem/readEventFilters", + "ui:siemV3/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + "ui:siem/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siem/writeFileOperations", + "ui:siemV3/writeFileOperations", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siem/writeHostIsolationRelease", + "ui:siem/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + "ui:siemV3/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + 
"saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/readHostIsolationExceptions", + "ui:siem/deleteHostIsolationExceptions", + "ui:siem/accessHostIsolationExceptions", + "ui:siem/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siem/readHostIsolationExceptions", + "ui:siem/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:rac", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:timeline_write", + "api:timeline_read", + "api:notes_write", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + 
"saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + 
"saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + 
"saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + 
"saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + 
"saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + 
"saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-note/create", + "saved_object:siem-ui-timeline-note/bulk_create", + 
"saved_object:siem-ui-timeline-note/update", + "saved_object:siem-ui-timeline-note/bulk_update", + "saved_object:siem-ui-timeline-note/delete", + "saved_object:siem-ui-timeline-note/bulk_delete", + "saved_object:siem-ui-timeline-note/share_to_space", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/create", + "saved_object:siem-ui-timeline-pinned-event/bulk_create", + "saved_object:siem-ui-timeline-pinned-event/update", + "saved_object:siem-ui-timeline-pinned-event/bulk_update", + "saved_object:siem-ui-timeline-pinned-event/delete", + "saved_object:siem-ui-timeline-pinned-event/bulk_delete", + "saved_object:siem-ui-timeline-pinned-event/share_to_space", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + "saved_object:siem-ui-timeline/create", + "saved_object:siem-ui-timeline/bulk_create", + "saved_object:siem-ui-timeline/update", + "saved_object:siem-ui-timeline/bulk_update", + "saved_object:siem-ui-timeline/delete", + "saved_object:siem-ui-timeline/bulk_delete", + "saved_object:siem-ui-timeline/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + 
"saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/crud", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + 
"alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + 
"alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + 
"alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + 
"alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + 
"alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + 
"alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + 
"alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + 
"alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + 
"alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + 
"saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", 
+ "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "api:savedQuery:manage", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "saved_object:query/create", + "saved_object:query/bulk_create", + "saved_object:query/update", + "saved_object:query/bulk_update", + "saved_object:query/delete", + "saved_object:query/bulk_delete", + "saved_object:query/share_to_space", + "ui:savedQueryManagement/showQueries", + "ui:savedQueryManagement/saveQuery", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:securitySolutionTimeline/crud", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:securitySolutionNotes/crud", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "minimal_read": Array [ + "login:", + "api:securitySolution", + "api:lists-read", + "api:rac", + "api:cloud-security-posture-read", + 
"api:cloud-defend-read", + "api:timeline_read", + "api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + 
"saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + 
"saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + 
"alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + 
"alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + 
"alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + 
"saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "ui:savedQueryManagement/showQueries", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + ], + 
"policy_management_all": Array [ + "login:", + "api:securitySolution-writePolicyManagement", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "ui:siem/writePolicyManagement", + "ui:siem/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "policy_management_read": Array [ + "login:", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "ui:siem/readPolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "process_operations_all": Array [ + "login:", + "api:securitySolution-writeProcessOperations", + "ui:siem/writeProcessOperations", + "ui:siemV3/writeProcessOperations", + ], + "read": Array [ + "login:", + "api:securitySolution", + "api:lists-read", + "api:rac", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:timeline_read", + 
"api:notes_read", + "api:bulkGetUserProfiles", + "api:securitySolution-entity-analytics", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + 
"saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:siem-ui-timeline-note/bulk_get", + "saved_object:siem-ui-timeline-note/get", + "saved_object:siem-ui-timeline-note/find", + "saved_object:siem-ui-timeline-note/open_point_in_time", + "saved_object:siem-ui-timeline-note/close_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/bulk_get", + "saved_object:siem-ui-timeline-pinned-event/get", + "saved_object:siem-ui-timeline-pinned-event/find", + "saved_object:siem-ui-timeline-pinned-event/open_point_in_time", + "saved_object:siem-ui-timeline-pinned-event/close_point_in_time", + "saved_object:siem-ui-timeline/bulk_get", + "saved_object:siem-ui-timeline/get", + "saved_object:siem-ui-timeline/find", + "saved_object:siem-ui-timeline/open_point_in_time", + "saved_object:siem-ui-timeline/close_point_in_time", + 
"saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siem/show", + "ui:siem/entity-analytics", + "ui:siem/detections", + "ui:siem/investigation-guide", + "ui:siem/investigation-guide-interactions", + "ui:siem/threat-intelligence", + "ui:siem/showEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + 
"alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + 
"alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + 
"alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + 
"alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + 
"saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "api:savedQuery:read", + "saved_object:query/bulk_get", + "saved_object:query/get", + "saved_object:query/find", + "saved_object:query/open_point_in_time", + "saved_object:query/close_point_in_time", + "ui:savedQueryManagement/showQueries", + "ui:navLinks/securitySolutionTimeline", + "ui:securitySolutionTimeline/read", + "ui:navLinks/securitySolutionNotes", + "ui:securitySolutionNotes/read", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + 
"ui:siemV3/showEndpointExceptions", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siem/writeScanOperations", + "ui:siemV3/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siem/writeTrustedApplications", + "ui:siem/readTrustedApplications", + "ui:siemV3/writeTrustedApplications", + "ui:siemV3/readTrustedApplications", + "ui:siemV3/writeGlobalArtifacts", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readTrustedApplications", + "ui:siem/readTrustedApplications", + "ui:siemV3/readTrustedApplications", + ], + }, + "siemV2": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siemV2/writeActionsLogManagement", + "ui:siemV2/readActionsLogManagement", + "ui:siemV3/writeActionsLogManagement", + "ui:siemV3/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siemV2/readActionsLogManagement", + 
"ui:siemV3/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + 
"saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + 
"saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + 
"saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + 
"saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + 
"saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + 
"saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/crud", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + 
"ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "ui:siemV2/showEndpointExceptions", + "ui:siemV2/crudEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + 
"alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + 
"alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + 
"alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + 
"alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + 
"alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + 
"alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + 
"alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + 
"saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + 
"saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + 
"ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeBlocklist", + "ui:siemV2/readBlocklist", + "ui:siemV3/writeBlocklist", + "ui:siemV3/readBlocklist", + "ui:siemV3/writeGlobalArtifacts", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siemV2/readBlocklist", + "ui:siemV3/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "ui:siemV2/showEndpointExceptions", + "ui:siemV2/crudEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + "ui:siemV3/crudEndpointExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "ui:siemV2/showEndpointExceptions", + "ui:siemV3/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siemV2/writeEndpointList", + "ui:siemV2/readEndpointList", + "ui:siemV3/writeEndpointList", + 
"ui:siemV3/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + "api:securitySolution-readEndpointList", + "ui:siemV2/readEndpointList", + "ui:siemV3/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeEventFilters", + "ui:siemV2/readEventFilters", + "ui:siemV3/writeEventFilters", + "ui:siemV3/readEventFilters", + "ui:siemV3/writeGlobalArtifacts", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siemV2/readEventFilters", + "ui:siemV3/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + "ui:siemV2/writeExecuteOperations", + "ui:siemV3/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siemV2/writeFileOperations", + "ui:siemV3/writeFileOperations", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siemV2/writeHostIsolationRelease", + "ui:siemV2/writeHostIsolation", + "ui:siemV3/writeHostIsolationRelease", + 
"ui:siemV3/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/readHostIsolationExceptions", + "ui:siemV2/deleteHostIsolationExceptions", + "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV2/writeHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/deleteHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV3/writeHostIsolationExceptions", + "ui:siemV3/writeGlobalArtifacts", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siemV2/readHostIsolationExceptions", + "ui:siemV2/accessHostIsolationExceptions", + "ui:siemV3/readHostIsolationExceptions", + "ui:siemV3/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + 
"api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + 
"saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + 
"saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + 
"saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + 
"saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + 
"saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + 
"saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/crud", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + 
"alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + 
"alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + 
"alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + 
"alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + 
"alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", 
+ "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + 
"alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + 
"alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + 
"alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + 
"saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + 
"saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + "ui:siemV3/show", + "ui:siemV3/crud", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/writeGlobalArtifacts", + ], + "minimal_read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + 
"api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + 
"saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + 
"saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + 
"saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + 
"alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + 
"alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + 
"alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + 
"saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + ], + "policy_management_all": Array [ + "login:", + "api:securitySolution-writePolicyManagement", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "ui:siemV2/writePolicyManagement", + "ui:siemV2/readPolicyManagement", + "ui:siemV3/writePolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "policy_management_read": Array [ + "login:", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + 
"saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "ui:siemV2/readPolicyManagement", + "ui:siemV3/readPolicyManagement", + ], + "process_operations_all": Array [ + "login:", + "api:securitySolution-writeProcessOperations", + "ui:siemV2/writeProcessOperations", + "ui:siemV3/writeProcessOperations", + ], + "read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + 
"saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + 
"saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", 
+ "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV2/show", + "ui:siemV2/entity-analytics", + "ui:siemV2/detections", + "ui:siemV2/investigation-guide", + "ui:siemV2/investigation-guide-interactions", + "ui:siemV2/threat-intelligence", + "ui:siemV2/showEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + 
"alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + 
"alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + 
"alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + 
"saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + "ui:siemV3/show", + "ui:siemV3/entity-analytics", + "ui:siemV3/detections", + "ui:siemV3/investigation-guide", + "ui:siemV3/investigation-guide-interactions", + "ui:siemV3/threat-intelligence", + "ui:siemV3/showEndpointExceptions", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siemV2/writeScanOperations", + "ui:siemV3/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + 
"saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV2/writeTrustedApplications", + "ui:siemV2/readTrustedApplications", + "ui:siemV3/writeTrustedApplications", + "ui:siemV3/readTrustedApplications", + "ui:siemV3/writeGlobalArtifacts", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readTrustedApplications", + "ui:siemV2/readTrustedApplications", + "ui:siemV3/readTrustedApplications", + ], + "workflow_insights_all": Array [ + "login:", + "api:securitySolution-writeWorkflowInsights", + "api:securitySolution-readWorkflowInsights", + "ui:siemV2/writeWorkflowInsights", + "ui:siemV2/readWorkflowInsights", + "ui:siemV3/writeWorkflowInsights", + "ui:siemV3/readWorkflowInsights", + ], + "workflow_insights_read": Array [ + "login:", + "api:securitySolution-readWorkflowInsights", + "ui:siemV2/readWorkflowInsights", + "ui:siemV3/readWorkflowInsights", + ], + }, "siemV3": Object { "actions_log_management_all": Array [ "login:", From 4b4f49ea3dc5274ecb279efed5e10d327eaeb74b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Wed, 18 Jun 2025 16:01:20 +0200 Subject: [PATCH 34/52] test deprecated `siem` versions in some cy tests --- .../management/cypress/common/constants.ts | 16 + .../e2e/artifacts/artifacts_mocked_data.cy.ts | 324 +++++++++++------- .../endpoints_rbac_mocked_data.cy.ts | 285 +++++++-------- 3 files changed, 357 insertions(+), 268 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts index 0266914a17182..f7d402bdc4f62 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts @@ -20,3 +20,19 @@ export const KIBANA_KNOWN_DEFAULT_ACCOUNTS = { system_indices_superuser: 'system_indices_superuser', admin: 'admin', } as const; + +/** + * Siem feature versions to test. + * + * When a new `siem` version is implemented, please update the list below. + */ +export const SIEM_VERSIONS = [ + // deprecated siem versions + 'siem', + 'siemV2', + + // actual version, should equal to SECURITY_FEATURE_ID + 'siemV3', +] as const; + +export type SiemVersion = (typeof SIEM_VERSIONS)[number]; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts index b5c41d1e66faf..e199233d562b2 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts 
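Review bot: The last entry of `SIEM_VERSIONS` in `cypress/common/constants.ts` is the hand-written literal `'siemV3'`, and only the comment "should equal to SECURITY_FEATURE_ID" ties it to the real feature id, so nothing fails when the two drift apart. After a later version bump, the ESS runs of these RBAC specs would keep exercising the old ids while the current privilege set goes untested. Consider using the constant in place of the literal, `SECURITY_FEATURE_ID,` (this keeps `SiemVersion` a literal union only if the constant is declared with a literal type, which is not visible here). Alternatively, add a one-line guard in a spec: `expect(SIEM_VERSIONS).to.include(SECURITY_FEATURE_ID);`.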
@@ -5,7 +5,6 @@ * 2.0. */ -import { getRoleWithArtifactReadPrivilege } from '../../fixtures/role_with_artifact_read_privilege'; import { login, ROLE } from '../../tasks/login'; import { loadPage } from '../../tasks/common'; 
@@ -18,26 +17,59 @@ import { import { performUserActions } from '../../tasks/perform_user_actions'; import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; import type { ReturnTypeFromChainable } from '../../types'; - -const loginWithWriteAccess = (url: string) => { - login(ROLE.endpoint_policy_manager); - loadPage(url); -}; - -const loginWithReadAccess = (privilegePrefix: string, url: string) => { - const roleWithArtifactReadPrivilege = getRoleWithArtifactReadPrivilege(privilegePrefix); - login.withCustomRole({ name: 'roleWithArtifactReadPrivilege', ...roleWithArtifactReadPrivilege }); - loadPage(url); -}; - -const loginWithoutAccess = (url: string) => { - login(ROLE.t1_analyst); - loadPage(url); +import { SIEM_VERSIONS, type SiemVersion } from '../../common/constants'; +import { SECURITY_FEATURE_ID } from '../../../../../common'; +import { getT1Analyst } from '../../../../../scripts/endpoint/common/roles_users'; + +const loginWithArtifactAccess = ( + siemVersion: SiemVersion, + privilegePrefix: string, + access: 'none' | 'read' | 'all' +) => { + const base = getT1Analyst(); + + const customRole: typeof base = { + ...base, + kibana: [ + { + ...base.kibana[0], + feature: { + [siemVersion]: [ + // siemVX: read + 'read', + // none/read/all for selected artifact + ...(access !== 'none' ? [`${privilegePrefix}${access}`] : []), + ], + }, + }, + ], + }; + + login.withCustomRole({ name: 'customRole', ...customRole }); }; +/** + * Notes: + * ESS: + * - testing NONE, READ, WRITE privileges with custom roles + * - also, all SIEM feature versions are tested to check backward compatibility + * + * Serverless: a subset of tests. + * - only NONE and WRITE privileges are tested with predefined roles + * - and only the latest SIEM feature (SECURITY_FEATURE_ID) + * + * Possible improvement: use custom roles on serverless to test the same as on ESS. 
+ */ describe('Artifacts pages', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, () => { let endpointData: ReturnTypeFromChainable | undefined; + const isServerless = Cypress.env('IS_SERVERLESS'); + const siemVersionsToTest = isServerless ? [SECURITY_FEATURE_ID] : SIEM_VERSIONS; + + let loginWithoutAccess: () => void; + let loginWithReadAccess: () => void; + let loginWithWriteAccess: () => void; + before(() => { indexEndpointHosts().then((indexEndpoints) => { endpointData = indexEndpoints; 
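Review bot: `loginWithArtifactAccess` registers every privilege combination under the same role name, `name: 'customRole'`, although the role body differs per siem version, artifact and access level. Whether that is safe depends on `login.withCustomRole`, which is outside this hunk: if it reuses an existing role by name instead of overwriting it, a `none` or `read` test could run with privileges left behind by an earlier `all` test and pass or fail for the wrong reason. A name derived from the arguments removes the doubt, for example `name: siemVersion + '-' + privilegePrefix + access`. A short comment on the function should also say that the `none` case still grants `read` on the siem feature and only withholds the artifact sub-privilege.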
@@ -55,126 +87,158 @@ describe('Artifacts pages', { tags: ['@ess', '@serverless', '@skipInServerlessMK endpointData = undefined; }); - for (const testData of getArtifactsListTestsData()) { - describe(`When on the ${testData.title} entries list`, () => { - describe('given there are no artifacts yet', () => { - it(`no access - should show no privileges callout`, () => { - loginWithoutAccess(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj('noPrivilegesPage').should('exist'); - cy.getByTestSubj('empty-page-feature-action').should('exist'); - cy.getByTestSubj(testData.emptyState).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - }); - - it( - `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` + for (const siemVersion of siemVersionsToTest) { + describe(siemVersion, () => { + for (const testData of getArtifactsListTestsData()) { + describe(`When on the ${testData.title} entries list`, () => { + beforeEach(() => { + const { privilegePrefix } = testData; + + loginWithWriteAccess = () => { + if (isServerless) { + login(ROLE.endpoint_policy_manager); + } else { + loginWithArtifactAccess(siemVersion, privilegePrefix, 'all'); + } + }; + + loginWithReadAccess = () => { + expect(isServerless, 'Testing read access is implemented only on ESS').to.equal( + false + ); + loginWithArtifactAccess(siemVersion, privilegePrefix, 'read'); + }; + + loginWithoutAccess = () => { + if (isServerless) { + login(ROLE.t1_analyst); + } else { + loginWithArtifactAccess(siemVersion, privilegePrefix, 'none'); + } + }; + }); + + describe('given there are no artifacts yet', () => { + it(`no access - should show no privileges callout`, () 
=> { + loginWithoutAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('noPrivilegesPage').should('exist'); + cy.getByTestSubj('empty-page-feature-action').should('exist'); + cy.getByTestSubj(testData.emptyState).should('not.exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); + }); + + it( + `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj(testData.emptyState).should('exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); + } ); - cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - } - ); - - it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); - }); - - it(`write - should create new ${testData.title} entry`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - // Opens add flyout - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); - - performUserActions(testData.create.formActions); - - // Submit create artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - // Check new artifact is in the list - for (const checkResult of testData.create.checkResults) { - cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } - - // Title is shown after adding an item - 
cy.getByTestSubj('header-page-title').contains(testData.title); - }); - }); - - describe('given there is an existing artifact', () => { - beforeEach(() => { - createArtifactList(testData.createRequestBody.list_id); - createPerPolicyArtifact(testData.artifactName, testData.createRequestBody); - }); - - it( - `read - should not be able to update/delete an existing ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` - ); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( - 'not.exist' - ); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should('not.exist'); - } - ); - - it( - `read - should not be able to create a new ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess( - testData.privilegePrefix, - `/app/security/administration/${testData.urlPath}` + it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj(testData.emptyState).should('exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); + }); + + it(`write - should create new ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens add flyout + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); + + performUserActions(testData.create.formActions); + + // Submit create artifact form + 
cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + + // Check new artifact is in the list + for (const checkResult of testData.create.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } + + // Title is shown after adding an item + cy.getByTestSubj('header-page-title').contains(testData.title); + }); + }); + + describe('given there is an existing artifact', () => { + beforeEach(() => { + createArtifactList(testData.createRequestBody.list_id); + createPerPolicyArtifact(testData.artifactName, testData.createRequestBody); + }); + + it( + `read - should not be able to update/delete an existing ${testData.title} entry`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( + 'not.exist' + ); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should( + 'not.exist' + ); + } ); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); - } - ); - it(`write - should be able to update an existing ${testData.title} entry`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - // Opens edit flyout - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); - - performUserActions(testData.update.formActions); - - // Submit edit artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - - for (const checkResult of testData.update.checkResults) { - 
cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } - - // Title still shown after editing an item - cy.getByTestSubj('header-page-title').contains(testData.title); - }); + it( + `read - should not be able to create a new ${testData.title} entry`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); + } + ); - it(`write - should be able to delete the existing ${testData.title} entry`, () => { - loginWithWriteAccess(`/app/security/administration/${testData.urlPath}`); - // Remove it - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click(); - // No card visible after removing it - cy.getByTestSubj(testData.delete.card).should('not.exist'); - // Empty state is displayed after removing last item - cy.getByTestSubj(testData.emptyState).should('exist'); + it(`write - should be able to update an existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens edit flyout + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); + + performUserActions(testData.update.formActions); + + // Submit edit artifact form + cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + + for (const checkResult of testData.update.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } + + // Title still shown after editing an item + 
cy.getByTestSubj('header-page-title').contains(testData.title); + }); + + it(`write - should be able to delete the existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Remove it + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click(); + // No card visible after removing it + cy.getByTestSubj(testData.delete.card).should('not.exist'); + // Empty state is displayed after removing last item + cy.getByTestSubj(testData.emptyState).should('exist'); + }); + }); }); - }); + } }); } }); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts index b8c0ee5af42ae..38f747f4feedf 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts 
@@ -13,19 +13,22 @@ import type { ReturnTypeFromChainable } from '../../types'; import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; import { login } from '../../tasks/login'; import { loadPage } from '../../tasks/common'; +import { SIEM_VERSIONS, type SiemVersion } from '../../common/constants'; -describe('Endpoints RBAC', { tags: ['@ess'] }, () => { +describe('Endpoints page RBAC', { tags: ['@ess'] }, () => { type Privilege = 'all' | 'read' | 'none'; const PRIVILEGES: Privilege[] = ['none', 'read', 'all']; const loginWithCustomRole: (privileges: { - integrationsPrivilege?: Privilege; - fleetPrivilege?: Privilege; - endpointPolicyManagementPrivilege?: Privilege; + integrationsPrivilege: Privilege; + fleetPrivilege: Privilege; + endpointPolicyManagementPrivilege: Privilege; + siemVersion: SiemVersion; }) => void = ({ - integrationsPrivilege = 'none', - fleetPrivilege = 'none', - endpointPolicyManagementPrivilege = 'none', + integrationsPrivilege, + fleetPrivilege, + endpointPolicyManagementPrivilege, + siemVersion, }) => { const base = getT1Analyst(); @@ -35,9 +38,8 @@ describe('Endpoints RBAC', { tags: ['@ess'] }, () => { { ...base.kibana[0], feature: { - ...base.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ - ...base.kibana[0].feature[SECURITY_FEATURE_ID], + [siemVersion]: [ + 'all', `endpoint_list_all`, `policy_management_${endpointPolicyManagementPrivilege}`, ], 
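Review bot: The custom role built in the `@@ -35,9 +38,8 @@` hunk now grants the top-level `'all'` privilege on `[siemVersion]` instead of extending the T1 analyst's own security privileges, so every case in this RBAC matrix runs with full access to the security feature. A regression that makes the Endpoints page depend on that broad grant rather than on `endpoint_list_all` and `policy_management_*` would presumably pass unnoticed. If `'all'` is only there because the analyst role has no entry for the older feature ids, say so above the array, for example `// base privilege is fixed to 'all' for every siem version; only the endpoint sub-feature privileges vary`, or parametrise the base privilege and keep one least-privilege case. The role object continues outside the hunk, so the fleet and integrations entries are not visible here.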
@@ -51,151 +53,158 @@ describe('Endpoints RBAC', { tags: ['@ess'] }, () => { login.withCustomRole({ name: 'customRole', ...customRole }); }; - beforeEach(() => { - login(); + it('latest siem version should be in version list', () => { + expect(SIEM_VERSIONS.at(-1)).to.equal(SECURITY_FEATURE_ID); }); - describe('neither Defend policy nor hosts are present', () => { - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldAllowOnboarding = - fleetPrivilege === 'all' && integrationsPrivilege === 'all'; - - it(`should show onboarding screen ${ - shouldAllowOnboarding ? 'with' : 'without' - } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyOnboardingInstructions').should('exist'); - if (shouldAllowOnboarding) { - cy.getByTestSubj('onboardingStartButton').should('exist'); - } else { - cy.getByTestSubj('onboardingStartButton').should('not.exist'); + for (const siemVersion of SIEM_VERSIONS) { + describe(siemVersion, () => { + describe('neither Defend policy nor hosts are present', () => { + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldAllowOnboarding = + fleetPrivilege === 'all' && integrationsPrivilege === 'all'; + + it(`should show onboarding screen ${ + shouldAllowOnboarding ? 
'with' : 'without' + } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + loginWithCustomRole({ + endpointPolicyManagementPrivilege, + fleetPrivilege, + integrationsPrivilege, + siemVersion, + }); + + loadPage(APP_ENDPOINTS_PATH); + + cy.getByTestSubj('policyOnboardingInstructions').should('exist'); + if (shouldAllowOnboarding) { + cy.getByTestSubj('onboardingStartButton').should('exist'); + } else { + cy.getByTestSubj('onboardingStartButton').should('not.exist'); + } + }); } - }); - } + } + }); } }); - } - }); - describe('Defend policy is present, but no hosts', () => { - let loadedPolicyData: IndexedFleetEndpointPolicyResponse; - - before(() => { - cy.task( - 'indexFleetEndpointPolicy', - { policyName: 'tests-serverless' }, - { timeout: 5 * 60 * 1000 } - ).then((res) => { - const response = res as IndexedFleetEndpointPolicyResponse; - loadedPolicyData = response; - }); - }); + describe('Defend policy is present, but no hosts', () => { + let loadedPolicyData: IndexedFleetEndpointPolicyResponse; + + before(() => { + cy.task( + 'indexFleetEndpointPolicy', + { policyName: 'tests-serverless' }, + { timeout: 5 * 60 * 1000 } + ).then((res) => { + const response = res as IndexedFleetEndpointPolicyResponse; + loadedPolicyData = response; + }); + }); - after(() => { - if (loadedPolicyData) { - cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData); - } - }); + after(() => { + if (loadedPolicyData) { + cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData); + } + }); - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldShowOnboardingSteps = - (fleetPrivilege === 'all' && integrationsPrivilege === 'read') || - (fleetPrivilege === 'all' && integrationsPrivilege === 'all'); - - 
it(`should ${ - shouldShowOnboardingSteps ? '' : ' NOT ' - } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - if (shouldShowOnboardingSteps) { - cy.getByTestSubj('emptyHostsTable').should('exist'); - cy.getByTestSubj('onboardingSteps').should('exist'); - } else { - // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required - cy.getByTestSubj('emptyPolicyTable').should('exist'); - cy.getByTestSubj('onboardingStartButton').should('not.exist'); + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldShowOnboardingSteps = + (fleetPrivilege === 'all' && integrationsPrivilege === 'read') || + (fleetPrivilege === 'all' && integrationsPrivilege === 'all'); + + it(`should ${ + shouldShowOnboardingSteps ? 
'' : ' NOT ' + } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + loginWithCustomRole({ + endpointPolicyManagementPrivilege, + fleetPrivilege, + integrationsPrivilege, + siemVersion, + }); + + loadPage(APP_ENDPOINTS_PATH); + + if (shouldShowOnboardingSteps) { + cy.getByTestSubj('emptyHostsTable').should('exist'); + cy.getByTestSubj('onboardingSteps').should('exist'); + } else { + // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required + cy.getByTestSubj('emptyPolicyTable').should('exist'); + cy.getByTestSubj('onboardingStartButton').should('not.exist'); + } + }); } - }); - } + } + }); } }); - } - }); - - describe('some hosts are enrolled', () => { - let endpointData: ReturnTypeFromChainable; - before(() => { - indexEndpointHosts({ count: 1 }).then((indexEndpoints) => { - endpointData = indexEndpoints; - }); - }); + describe('some hosts are enrolled', () => { + let endpointData: ReturnTypeFromChainable; - after(() => { - if (endpointData) { - endpointData.cleanup(); - // @ts-expect-error ignore setting to undefined - endpointData = undefined; - } - }); + before(() => { + indexEndpointHosts({ count: 1 }).then((indexEndpoints) => { + endpointData = indexEndpoints; + }); + }); - beforeEach(() => { - // if there is a request towards this API, it should return 200 - cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => { - req.on('response', (res) => { - expect(res.statusCode).to.equal(200); + after(() => { + if (endpointData) { + endpointData.cleanup(); + // @ts-expect-error ignore setting to undefined + endpointData = undefined; + } }); - }); - }); - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldProvidePolicyLink = 
endpointPolicyManagementPrivilege !== 'none'; - - it(`should show Endpoint list ${ - shouldProvidePolicyLink ? 'with' : 'without' - } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyNameCellLink').should('exist'); - cy.getByTestSubj('policyNameCellLink').within(() => { - if (shouldProvidePolicyLink) { - cy.get('a').should('have.attr', 'href'); - } else { - cy.get('a').should('not.exist'); - } - }); + beforeEach(() => { + // if there is a request towards this API, it should return 200 + cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => { + req.on('response', (res) => { + expect(res.statusCode).to.equal(200); }); - } + }); + }); + + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldProvidePolicyLink = endpointPolicyManagementPrivilege !== 'none'; + + it(`should show Endpoint list ${ + shouldProvidePolicyLink ? 'with' : 'without' + } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + loginWithCustomRole({ + endpointPolicyManagementPrivilege, + fleetPrivilege, + integrationsPrivilege, + siemVersion, + }); + + loadPage(APP_ENDPOINTS_PATH); + + cy.getByTestSubj('policyNameCellLink').should('exist'); + cy.getByTestSubj('policyNameCellLink').within(() => { + if (shouldProvidePolicyLink) { + cy.get('a').should('have.attr', 'href'); + } else { + cy.get('a').should('not.exist'); + } + }); + }); + } + } + }); } }); - } - }); + }); + } }); From ea215212dd51f2cb435d1a7b6d5c03c215686285 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 15:20:21 +0200 Subject: [PATCH 35/52] fix: serverless siem:MINIMAL_ALL does not mean Endpoint Exceptions ALL, no need to add Global Artifact Management --- .../packages/features/src/security/types.ts | 8 +++ .../security/v1_features/kibana_features.ts | 12 ++++- .../security/v2_features/kibana_features.ts | 12 ++++- .../product_features_service.test.ts | 52 ++++++++++++++----- .../product_features_service.ts | 8 ++- .../security_solution/server/plugin.ts | 6 ++- 6 files changed, 79 insertions(+), 19 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index dda61b6e86b9a..2cfc3f091158c 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts @@ -18,6 +18,14 @@ export interface SecurityFeatureParams { */ experimentalFeatures: Record; savedObjects: string[]; + + /** + * Sort of temporary solution to be able to migrate from Endpoint Exceptions (on Serverless) OR SIEM (on ESS) + * to global_artifact_management_all. + * + * It would be best not to use it for other things. + */ + isServerless: boolean; } export type DefaultSecurityProductFeaturesConfig = Omit< diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 6dac83ba55bef..02baf62e399c9 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts 
@@ -50,6 +50,7 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityBaseKibanaFeature = ({ savedObjects, + isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -114,8 +115,15 @@ export const getSecurityBaseKibanaFeature = ({ privileges: [ 'minimal_all', - // See above. - 'global_artifact_management_all', + ...(isServerless + ? [ + // Serverless MINIMAL_ALL means that Endpoint Exception is controlled by its sub-feature privilege. + // Therefore no need to replace by Global Artifact Management:ALL, it will be triggered by the Endpoint Exception privilege if needed. + ] + : [ + // See ALL privilege above. + 'global_artifact_management_all', + ]), ], }, ], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 147c51f1b2181..33061e52cc674 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -49,6 +49,7 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV2BaseKibanaFeature = ({ savedObjects, + isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -109,8 +110,15 @@ export const getSecurityV2BaseKibanaFeature = ({ privileges: [ 'minimal_all', - // See above. - 'global_artifact_management_all', + ...(isServerless + ? [ + // Serverless MINIMAL_ALL means that Endpoint Exception is controlled by a sub-feature privilege. + // Therefore no need to replace by Global Artifact Management:ALL, it will be triggered by the Endpoint Exception privilege if needed. + ] + : [ + // See ALL privilege above. + 'global_artifact_management_all', + ]), ], }, ], 
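Review bot: The `isServerless` branch added to the `'minimal_all'` privileges list in `getSecurityBaseKibanaFeature` appears to decide whether roles holding the deprecated privilege are also given `global_artifact_management_all`, yet nothing visible in this patch pins that mapping: the unit test mocks the feature getters and only checks that the flag is forwarded (the role-migration suite added in the next patch may cover it end to end). A unit test that calls the getter with both values and asserts the presence or absence of `'global_artifact_management_all'` next to `'minimal_all'` would guard against granting artifact management where it is not intended, or dropping it where it is. The same block is copied into `getSecurityV2BaseKibanaFeature` in the v2 file, so the point applies there too. The empty array that holds only comments reads more directly as `...(isServerless ? [] : ['global_artifact_management_all'])` with the explanation moved above the spread. Both functions continue outside the hunks.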
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index b707630e100d4..3ee73e89351df 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -28,6 +28,7 @@ import type { LifecycleResponseFactory, OnPostAuthHandler, } from '@kbn/core-http-server'; +import type { SecurityFeatureParams } from '@kbn/security-solution-features/src/security/types'; jest.mock('./product_features'); const MockedProductFeatures = ProductFeatures as unknown as jest.MockedClass< @@ -40,10 +41,14 @@ const productFeature = { baseKibanaSubFeatureIds: [], }; const mockGetFeature = jest.fn().mockReturnValue(productFeature); +const mockGetSecurityFeature = jest + .fn() + .mockReturnValue(productFeature); + jest.mock('@kbn/security-solution-features/product_features', () => ({ - getSecurityFeature: () => mockGetFeature(), - getSecurityV2Feature: () => mockGetFeature(), - getSecurityV3Feature: () => mockGetFeature(), + getSecurityFeature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityV2Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityV3Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), 
@@ -61,17 +66,31 @@ describe('ProductFeaturesService', () => { it('should create ProductFeatureService instance', () => { const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures); + new ProductFeaturesService(loggerMock.create(), experimentalFeatures, false); - expect(mockGetFeature).toHaveBeenCalledTimes(11); + expect(mockGetFeature).toHaveBeenCalledTimes(8); + expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3); expect(MockedProductFeatures).toHaveBeenCalledTimes(11); }); + it.each([false, true])( + 'should pass `isServerless = %s` param to security feature getters', + (isServerless) => { + const experimentalFeatures = {} as ExperimentalFeatures; + new ProductFeaturesService(loggerMock.create(), experimentalFeatures, isServerless); + + expect( + mockGetSecurityFeature.mock.calls.every((args) => args[0].isServerless === isServerless) + ).toBeTruthy(); + } + ); + it('should init all ProductFeatures when initialized', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); @@ -86,7 +105,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); @@ -136,7 +156,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); const featuresSetup = featuresPluginMock.createSetup(); 
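Review bot: The new `it.each([false, true])` case asserts with `mockGetSecurityFeature.mock.calls.every(...)`, which is true for an empty call list, so the test would still pass if the constructor stopped calling the security feature getters. Add `expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3);` before the `every` check, matching the count asserted in the first test of this hunk. The assertion also relies on the mock's call history being reset between cases; that reset is not visible in the hunk, so confirm that the surrounding `describe` clears mocks before each test.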
@@ -185,7 +206,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.isApiPrivilegeEnabled('writeEndpointExceptions'); @@ -219,7 +241,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -237,7 +260,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -254,7 +278,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -277,7 +302,8 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures + experimentalFeatures, + false ); productFeaturesService.registerApiAccessControl(mockHttpSetup); mockIsActionRegistered = MockedProductFeatures.mock.instances[0] diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index 9fbfd6d2572de..b8c0b1b35589b 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -54,11 +54,13 @@ export class ProductFeaturesService { constructor( private readonly logger: Logger, - private readonly experimentalFeatures: ExperimentalFeatures + private readonly experimentalFeatures: ExperimentalFeatures, + isServerless: boolean ) { const securityFeature = getSecurityFeature({ savedObjects: securityV1SavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityProductFeatures = new ProductFeatures( this.logger, @@ -69,6 +71,7 @@ export class ProductFeaturesService { const securityV2Feature = getSecurityV2Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityV2ProductFeatures = new ProductFeatures( this.logger, @@ -80,6 +83,7 @@ export class ProductFeaturesService { const securityV3Feature = getSecurityV3Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, + isServerless, }); this.securityV3ProductFeatures = new ProductFeatures( this.logger, @@ -146,6 +150,7 @@ export class ProductFeaturesService { const timelineFeature = getTimelineFeature({ savedObjects: securityTimelineSavedObjects, experimentalFeatures: {}, + isServerless, }); this.timelineProductFeatures = new ProductFeatures( this.logger, @@ -157,6 +162,7 @@ export class ProductFeaturesService { const notesFeature = getNotesFeature({ savedObjects: securityNotesSavedObjects, experimentalFeatures: {}, + isServerless, }); this.notesProductFeatures = new ProductFeatures( this.logger, diff --git a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts index da5c1d7d79f71..520523ac7765f 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts @@ -175,9 +175,13 @@ export class Plugin implements ISecuritySolutionPlugin { this.config = serverConfig; this.logger = context.logger.get(); this.appClientFactory = new AppClientFactory(); + + /** sort of temporary solution, please do not use me elsewhere */ + const isServerless = this.pluginContext.env.packageInfo.buildFlavor === 'serverless'; this.productFeaturesService = new ProductFeaturesService( this.logger, - this.config.experimentalFeatures + this.config.experimentalFeatures, + isServerless ); this.siemMigrationsService = new SiemMigrationsService( this.config, From b8d90d085f9d32a739cd9b95ec7cf5f0b201342c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 15:21:58 +0200 Subject: [PATCH 36/52] new role migration FTR added for global artifact management --- .buildkite/ftr_security_stateful_configs.yml | 2 + .../configs/ess.config.ts | 22 ++ .../configs/serverless.config.ts | 22 ++ .../trial_license_complete_tier/index.ts | 41 ++++ .../siem_v3_global_artifact_management.ts | 194 ++++++++++++++++++ 5 files changed, 281 insertions(+) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts 
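Review bot: In `plugin.ts`, `isServerless` is derived from `buildFlavor === 'serverless'`, so any other or missing flavour value selects the non-serverless branch, which in the v1/v2 feature definitions of this patch is the one that adds `global_artifact_management_all`. The comment above it does not say what the flag decides or when it can be removed. Replace it with something like `// Controls whether deprecated siem minimal_all is replaced with global_artifact_management_all (see SecurityFeatureParams.isServerless).` and add the condition under which the flag goes away. The enclosing method continues outside the hunk.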
diff --git a/.buildkite/ftr_security_stateful_configs.yml b/.buildkite/ftr_security_stateful_configs.yml index 84f65d1aa81f0..762b6474bfbe7 100644 --- a/.buildkite/ftr_security_stateful_configs.yml +++ b/.buildkite/ftr_security_stateful_configs.yml @@ -101,6 +101,8 @@ enabled: - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/policy/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/response_actions/trial_license_complete_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/siem_migrations/rules/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_endpoint/configs/endpoint.config.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts new file mode 100644 index 0000000000000..76c55bc7739b7 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts 
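Review bot: The second added entry in `.buildkite/ftr_security_stateful_configs.yml` registers `role_migrations/trial_license_complete_tier/configs/serverless.config.ts` in the stateful list, although that config, added in this same patch, reads the serverless base config and reports as 'Serverless Env'. The neighbouring `edr_workflows` entries in the hunk are all `ess.config.ts`, so this looks like a misplaced line: the serverless run of the role-migration tests would either start from the stateful pipeline or never run in the serverless one. Keep only the `ess.config.ts` line here and list the serverless config wherever the repository enumerates its serverless FTR configs. Since these tests check how deprecated privileges are mapped per build flavour, losing the serverless run would leave that side of the mapping unverified.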
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/ess/config.base.edr_workflows.trial')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'EDR Workflows - Role Migration Tests - ESS Env - Trial License',
+ },
+ };
+}
@@ -0,0 +1,22 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { FtrConfigProviderContext } from '@kbn/test';
+
+export default async function ({ readConfigFile }: FtrConfigProviderContext) {
+ const functionalConfig = await readConfigFile(
+ require.resolve('../../../../../config/serverless/config.base.edr_workflows')
+ );
+
+ return {
+ ...functionalConfig.getAll(),
+ testFiles: [require.resolve('..')],
+ junit: {
+ reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - Complete',
+ },
+ };
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
new file mode 100644
index 0000000000000..ee335d3fedf3a
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
@@ -0,0 +1,41 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { getRegistryUrl as getRegistryUrlFromIngest } from '@kbn/fleet-plugin/server';
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+import { ROLE } from '../../../../config/services/security_solution_edr_workflows_roles_users';
+
+export default function endpointAPIIntegrationTests(providerContext: FtrProviderContext) {
+ const { loadTestFile, getService } = providerContext;
+
+ describe('Endpoint related user role migrations', function () {
+ const ingestManager = getService('ingestManager');
+ const rolesUsersProvider = getService('rolesUsersProvider');
+ const kbnClient = getService('kibanaServer');
+ const log = getService('log');
+ const endpointRegistryHelpers = getService('endpointRegistryHelpers');
+ const endpointTestResources = getService('endpointTestResources');
+
+ const roles = Object.values(ROLE);
+ before(async () => {
+ if (!endpointRegistryHelpers.isRegistryEnabled()) {
+ log.warning('These tests are being run with an external package registry');
+ }
+
+ const registryUrl =
+ endpointRegistryHelpers.getRegistryUrlFromTestEnv() ?? getRegistryUrlFromIngest();
+ log.info(`Package registry URL for tests: ${registryUrl}`);
+
+ try {
+ await ingestManager.setup();
+ } catch (err) {
+ log.warning(`Error setting up ingestManager: ${err}`);
+ }
+ });
+
+ loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+ });
+}
diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
new file mode 100644
index 0000000000000..550e048258e6c
--- /dev/null
+++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
@@ -0,0 +1,194 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import expect from '@kbn/expect'; +import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; +import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; + +export default function ({ getService }: FtrProviderContext) { + const supertest = getService('supertest'); + + const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; + + // these artifact privileges are shared between ESS and Serverless, while Endpoint Exceptions privilege exists only on Serverless + const ARTIFACTS = [ + 'trusted_applications', + 'event_filters', + 'blocklist', + 'host_isolation_exceptions', + ]; + + const ROLE_NAME = 'siem_v3_test_role'; + + const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => + supertest + .put(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .send({ + elasticsearch: { cluster: [], indices: [], run_as: [] }, + kibana: [ + { + base: [], + feature: { + [feature]: privileges, + }, + spaces: ['*'], + }, + ], + }) + .expect(204); + + const getMigratedSiemFeaturesFromRole = async (): Promise => { + const response = await supertest + .get(`/api/security/role/${ROLE_NAME}`) + .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect(200); + + const role = response.body as Role; + expect(role._transform_error).to.have.length( + 0, + `Role migration encountered an error, probably a non-existing privilege is added. 
+ Transform error: ${JSON.stringify(role._transform_error)}` + ); + + // migrating from `siem` adds timeline and notes, but in this test it is irrelevant + return role.kibana[0].feature.siemV3; + }; + + describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => { + afterEach(async () => { + await supertest + .delete(`/api/security/role/${ROLE_NAME}`) + .set('kbn-xsrf', 'true') + .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') + .expect([204, 404]); + }); + + for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) { + describe(`from ${deprecatedSiem}`, () => { + const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); + + describe(`${deprecatedSiem}:READ`, () => { + it('should keep READ privilege', async () => { + await putDeprecatedSiemPrivilegesInRole(['read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_READ`, () => { + for (const artifact of ARTIFACTS) { + it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_read`, + ]); + }); + } + + // Endpoint Exception privilege only exists on Serverless + it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `endpoint_exceptions_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `endpoint_exceptions_read`, + ]); + }); + + // adding Global Artifact Management to any artifact:WRITE privilege + for (const artifact of ARTIFACTS) { + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + expect(await 
getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_all`, + 'global_artifact_management_all', + ]); + }); + } + + // Endpoint Exception privilege only exists on Serverless + it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_all', + 'global_artifact_management_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:ALL`, () => { + // siem:ALL includes Endpoint Exceptions both on ESS and Serverless + it('should add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + // sub-features toggle enabled to show Global Artifact Management + 'minimal_all', + // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all + 'global_artifact_management_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { + // on ESS, siem:MINIMAL_ALL includes Endpoint Exceptions ALL + describe('@skipInServerless ESS', () => { + it('should add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'global_artifact_management_all', + ]); + }); + }); + + // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege, it can be NONE + describe('@skipInEss on Serverless', () => { + it('@skipInEss should NOT add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); + + for (const artifact of [...ARTIFACTS, 'endpoint_exceptions']) { + it(`should NOT add global_artifact_management:ALL 
to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_read`, + ]); + }); + + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_all`, + 'global_artifact_management_all', + ]); + }); + } + }); + }); + }); + } + }); +} From a26a1ca663c0456fbd4f7973fb985fef0bab2c32 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 16:07:07 +0200 Subject: [PATCH 37/52] type fix --- .../server/lib/product_features_service/mocks.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index e9e03c62eb94d..0b646937eb175 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -80,7 +80,7 @@ export const createProductFeaturesServiceMock = ( featuresPluginSetupContract: FeaturesPluginSetup = featuresPluginMock.createSetup(), logger: Logger = loggingSystemMock.create().get('productFeatureMock') ) => { - const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures); + const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures, false); productFeaturesService.init(featuresPluginSetupContract); From 44d141dbc033fb499703f82d273dd9eb9419e75a Mon Sep 17 00:00:00 2001 
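Review bot: The Serverless loop under the `${deprecatedSiem}:MINIMAL_ALL` describe sends `'minimal_read'` as the base privilege in both of its cases, so it repeats the MINIMAL_READ block and never exercises a role that combines `minimal_all` with an artifact sub-feature privilege. That combination is where the migration has to decide whether to grant `global_artifact_management_all`, so a regression that over-grants it (or drops it) would go unnoticed by this suite. I would send `'minimal_all'` in place of `'minimal_read'` in both `putDeprecatedSiemPrivilegesInRole` calls of that loop and in the matching `to.eql` expectations; the order of the migrated array is inferred from the other cases and should be confirmed against a run. The inner `it('@skipInEss should NOT add …')` also repeats the tag already set on its parent describe.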
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 17:02:52 +0200 Subject: [PATCH 38/52] no caps in coming soon --- .../features/src/security/v3_features/kibana_sub_features.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 38087cece395d..3dda2774804b5 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts @@ -734,7 +734,7 @@ const globalArtifactManagementSubFeature = ( const COMING_SOON = i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.globalArtifactManagement.comingSoon', - { defaultMessage: '(Coming Soon)' } + { defaultMessage: '(coming soon)' } ); const name = experimentalFeatures.endpointManagementSpaceAwarenessEnabled From a4dd40a8afdfa302d1466827b58375b3153c545d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 17:17:04 +0200 Subject: [PATCH 39/52] type fix: clean up test wrapper --- .../trial_license_complete_tier/index.ts | 30 +------------------ 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts index ee335d3fedf3a..880f66a3185c8 100644 --- a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts 
@@ -4,38 +4,10 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { getRegistryUrl as getRegistryUrlFromIngest } from '@kbn/fleet-plugin/server'; import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; -import { ROLE } from '../../../../config/services/security_solution_edr_workflows_roles_users'; - -export default function endpointAPIIntegrationTests(providerContext: FtrProviderContext) { - const { loadTestFile, getService } = providerContext; +export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { describe('Endpoint related user role migrations', function () { - const ingestManager = getService('ingestManager'); - const rolesUsersProvider = getService('rolesUsersProvider'); - const kbnClient = getService('kibanaServer'); - const log = getService('log'); - const endpointRegistryHelpers = getService('endpointRegistryHelpers'); - const endpointTestResources = getService('endpointTestResources'); - - const roles = Object.values(ROLE); - before(async () => { - if (!endpointRegistryHelpers.isRegistryEnabled()) { - log.warning('These tests are being run with an external package registry'); - } - - const registryUrl = - endpointRegistryHelpers.getRegistryUrlFromTestEnv() ?? getRegistryUrlFromIngest(); - log.info(`Package registry URL for tests: ${registryUrl}`); - - try { - await ingestManager.setup(); - } catch (err) { - log.warning(`Error setting up ingestManager: ${err}`); - } - }); - loadTestFile(require.resolve('./siem_v3_global_artifact_management')); }); } From 860d72cc1bb64aeadd545d2900371d1243360e79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 20:00:34 +0200 Subject: [PATCH 40/52] update snapshot test with changes from a409627765dfaf3d588c35a0d510b8d1857cd266 --- .../platform_security/authorization.ts | 116 ++++++++++++++++++ 1 file changed, 116 insertions(+) 
diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index 05f0dc3c66665..788c17b79adb7 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts @@ -455,6 +455,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/delete", "saved_object:security-ai-prompt/bulk_delete", "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -936,6 +948,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:search-session/delete", "saved_object:search-session/bulk_delete", "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", "ui:discover_v2/show", "ui:discover_v2/save", "ui:discover_v2/createShortUrl", @@ -1428,6 +1452,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/delete", "saved_object:security-ai-prompt/bulk_delete", "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -1907,6 +1943,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:search-session/delete", "saved_object:search-session/bulk_delete", "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", "ui:discover_v2/show", "ui:discover_v2/save", "ui:discover_v2/createShortUrl", @@ -2123,6 +2171,11 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/find", "saved_object:security-ai-prompt/open_point_in_time", "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -2549,6 +2602,11 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/find", "saved_object:security-ai-prompt/open_point_in_time", "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", @@ -4043,6 +4101,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/delete", "saved_object:security-ai-prompt/bulk_delete", "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -4486,6 +4556,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:search-session/delete", "saved_object:search-session/bulk_delete", "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", "ui:discover_v2/show", "ui:discover_v2/save", "ui:discover_v2/createShortUrl", @@ -4678,6 +4760,11 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/find", "saved_object:security-ai-prompt/open_point_in_time", "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -5076,6 +5163,11 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/find", "saved_object:security-ai-prompt/open_point_in_time", "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", @@ -5621,6 +5713,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:security-ai-prompt/delete", "saved_object:security-ai-prompt/bulk_delete", "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", "saved_object:csp_rule/bulk_get", "saved_object:csp_rule/get", "saved_object:csp_rule/find", 
@@ -6066,6 +6170,18 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:search-session/delete", "saved_object:search-session/bulk_delete", "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", "ui:discover_v2/show", "ui:discover_v2/save", "ui:discover_v2/createShortUrl", From 90e4245dcbffd9547dbcfc68eb510d866542b9bd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 20:05:19 +0200 Subject: [PATCH 41/52] update snapshot test with fix, siem:MINIMAL_ALL does not migrate to global access --- .../test_suites/security/platform_security/authorization.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts index 788c17b79adb7..2db438f8dc20e 100644 --- a/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts +++ b/x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts @@ -2079,7 +2079,6 @@ export default function ({ getService }: FtrProviderContext) { "ui:siemV3/investigation-guide", "ui:siemV3/investigation-guide-interactions", "ui:siemV3/threat-intelligence", - "ui:siemV3/writeGlobalArtifacts", ], "minimal_read": Array [ "login:", 
@@ -4670,7 +4669,6 @@ export default function ({ getService }: FtrProviderContext) { "ui:siemV3/investigation-guide", "ui:siemV3/investigation-guide-interactions", "ui:siemV3/threat-intelligence", - "ui:siemV3/writeGlobalArtifacts", ], "minimal_read": Array [ "login:", From d57b5f250be760ab0351e3aedb62a37393a10438 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 19 Jun 2025 20:11:28 +0200 Subject: [PATCH 42/52] update coming soon text in cy test --- .../public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 15ece7086767c..ffd0caab70b83 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
@@ -53,7 +53,7 @@ describe( .should('deep.equal', [ 'Endpoint List Displays all hosts running Elastic Defend and their relevant integration details.Endpoint List sub-feature privilegeAllReadNone', 'Automatic Troubleshooting Access to the automatic troubleshooting.Automatic Troubleshooting sub-feature privilegeAllReadNone', - 'Global Artifact Management (Coming Soon) Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) across all policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management.Global Artifact Management (Coming Soon) sub-feature privilegeAllNone', + 'Global Artifact Management (coming soon) Manage global assignment of endpoint artifacts (e.g., Trusted Applications, Event Filters) across all policies. This privilege controls global assignment rights only; privileges for each artifact type are required for full artifact management.Global Artifact Management (coming soon) sub-feature privilegeAllNone', 'Trusted Applications Helps mitigate conflicts with other software, usually other antivirus or endpoint security applications.Trusted Applications sub-feature privilegeAllReadNone', 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', From 2ec632928778be174f4467f97ea5be908aaffe71 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 00:40:21 +0200 Subject: [PATCH 43/52] Revert "fix: serverless siem:MINIMAL_ALL does not mean Endpoint Exceptions ALL, no need to add Global Artifact Management" This reverts commit ea215212dd51f2cb435d1a7b6d5c03c215686285. --- .../packages/features/src/security/types.ts | 8 --- .../security/v1_features/kibana_features.ts | 12 +---- .../security/v2_features/kibana_features.ts | 12 +---- .../product_features_service.test.ts | 52 +++++-------------- .../product_features_service.ts | 8 +-- .../security_solution/server/plugin.ts | 6 +-- 6 files changed, 19 insertions(+), 79 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index 2cfc3f091158c..dda61b6e86b9a 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts @@ -18,14 +18,6 @@ export interface SecurityFeatureParams { */ experimentalFeatures: Record; savedObjects: string[]; - - /** - * Sort of temporary solution to be able to migrate from Endpoint Exceptions (on Serverless) OR SIEM (on ESS) - * to global_artifact_management_all. - * - * It would be best not to use it for other things. - */ - isServerless: boolean; } export type DefaultSecurityProductFeaturesConfig = Omit< diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 02baf62e399c9..6dac83ba55bef 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts 
@@ -50,7 +50,6 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityBaseKibanaFeature = ({ savedObjects, - isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -115,15 +114,8 @@ export const getSecurityBaseKibanaFeature = ({ privileges: [ 'minimal_all', - ...(isServerless - ? [ - // Serverless MINIMAL_ALL means that Endpoint Exception is controlled by its sub-feature privilege. - // Therefore no need to replace by Global Artifact Management:ALL, it will be triggered by the Endpoint Exception privilege if needed. - ] - : [ - // See ALL privilege above. - 'global_artifact_management_all', - ]), + // See above. + 'global_artifact_management_all', ], }, ], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 33061e52cc674..147c51f1b2181 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -49,7 +49,6 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV2BaseKibanaFeature = ({ savedObjects, - isServerless, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ deprecated: { notice: i18n.translate( @@ -110,15 +109,8 @@ export const getSecurityV2BaseKibanaFeature = ({ privileges: [ 'minimal_all', - ...(isServerless - ? [ - // Serverless MINIMAL_ALL means that Endpoint Exception is controlled by a sub-feature privilege. - // Therefore no need to replace by Global Artifact Management:ALL, it will be triggered by the Endpoint Exception privilege if needed. - ] - : [ - // See ALL privilege above. - 'global_artifact_management_all', - ]), + // See above. + 'global_artifact_management_all', ], }, ], 
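Review bot: With the `isServerless` branch removed, the `minimal_all` replacement in `getSecurityBaseKibanaFeature` (and the parallel hunk in `getSecurityV2BaseKibanaFeature`) always adds `global_artifact_management_all`, including on Serverless, where the role-migration test added earlier in this series states that `siem:MINIMAL_ALL` leaves Endpoint Exceptions to a sub-feature privilege that can be None. A migrated role can therefore carry a global-artifact grant that nothing in the original role implied, and the revert's diffstat touches neither `siem_v3_global_artifact_management.ts` (which expects `['minimal_all']` on Serverless) nor the `authorization.ts` snapshot from which `ui:siemV3/writeGlobalArtifacts` was just removed, so both look likely to disagree with this code unless a later patch updates them. If the broader grant is intended, replace `// See above.` with a comment that says so, for example `// Added on Serverless too, even when Endpoint Exceptions is None: accepted over-grant, see <issue-id placeholder>.`; both functions continue outside the hunks.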
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index 3ee73e89351df..b707630e100d4 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -28,7 +28,6 @@ import type { LifecycleResponseFactory, OnPostAuthHandler, } from '@kbn/core-http-server'; -import type { SecurityFeatureParams } from '@kbn/security-solution-features/src/security/types'; jest.mock('./product_features'); const MockedProductFeatures = ProductFeatures as unknown as jest.MockedClass< @@ -41,14 +40,10 @@ const productFeature = { baseKibanaSubFeatureIds: [], }; const mockGetFeature = jest.fn().mockReturnValue(productFeature); -const mockGetSecurityFeature = jest - .fn() - .mockReturnValue(productFeature); - jest.mock('@kbn/security-solution-features/product_features', () => ({ - getSecurityFeature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), - getSecurityV2Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), - getSecurityV3Feature: (params: SecurityFeatureParams) => mockGetSecurityFeature(params), + getSecurityFeature: () => mockGetFeature(), + getSecurityV2Feature: () => mockGetFeature(), + getSecurityV3Feature: () => mockGetFeature(), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), 
@@ -66,31 +61,17 @@ describe('ProductFeaturesService', () => { it('should create ProductFeatureService instance', () => { const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures, false); + new ProductFeaturesService(loggerMock.create(), experimentalFeatures); - expect(mockGetFeature).toHaveBeenCalledTimes(8); - expect(mockGetSecurityFeature).toHaveBeenCalledTimes(3); + expect(mockGetFeature).toHaveBeenCalledTimes(11); expect(MockedProductFeatures).toHaveBeenCalledTimes(11); }); - it.each([false, true])( - 'should pass `isServerless = %s` param to security feature getters', - (isServerless) => { - const experimentalFeatures = {} as ExperimentalFeatures; - new ProductFeaturesService(loggerMock.create(), experimentalFeatures, isServerless); - - expect( - mockGetSecurityFeature.mock.calls.every((args) => args[0].isServerless === isServerless) - ).toBeTruthy(); - } - ); - it('should init all ProductFeatures when initialized', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); @@ -105,8 +86,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); @@ -156,8 +136,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); const featuresSetup = featuresPluginMock.createSetup(); 
@@ -206,8 +185,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.isApiPrivilegeEnabled('writeEndpointExceptions'); @@ -241,8 +219,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -260,8 +237,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -278,8 +254,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; const productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); @@ -302,8 +277,7 @@ describe('ProductFeaturesService', () => { const experimentalFeatures = {} as ExperimentalFeatures; productFeaturesService = new ProductFeaturesService( loggerMock.create(), - experimentalFeatures, - false + experimentalFeatures ); productFeaturesService.registerApiAccessControl(mockHttpSetup); mockIsActionRegistered = MockedProductFeatures.mock.instances[0] diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index b8c0b1b35589b..9fbfd6d2572de 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -54,13 +54,11 @@ export class ProductFeaturesService { constructor( private readonly logger: Logger, - private readonly experimentalFeatures: ExperimentalFeatures, - isServerless: boolean + private readonly experimentalFeatures: ExperimentalFeatures ) { const securityFeature = getSecurityFeature({ savedObjects: securityV1SavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityProductFeatures = new ProductFeatures( this.logger, @@ -71,7 +69,6 @@ export class ProductFeaturesService { const securityV2Feature = getSecurityV2Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityV2ProductFeatures = new ProductFeatures( this.logger, @@ -83,7 +80,6 @@ export class ProductFeaturesService { const securityV3Feature = getSecurityV3Feature({ savedObjects: securityDefaultSavedObjects, experimentalFeatures: this.experimentalFeatures, - isServerless, }); this.securityV3ProductFeatures = new ProductFeatures( this.logger, @@ -150,7 +146,6 @@ export class ProductFeaturesService { const timelineFeature = getTimelineFeature({ savedObjects: securityTimelineSavedObjects, experimentalFeatures: {}, - isServerless, }); this.timelineProductFeatures = new ProductFeatures( this.logger, @@ -162,7 +157,6 @@ export class ProductFeaturesService { const notesFeature = getNotesFeature({ savedObjects: securityNotesSavedObjects, experimentalFeatures: {}, - isServerless, }); this.notesProductFeatures = new ProductFeatures( this.logger, diff --git a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts index 8655cf94e44f8..bf7a3358ee1a9 100644 
--- a/x-pack/solutions/security/plugins/security_solution/server/plugin.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/plugin.ts @@ -176,13 +176,9 @@ export class Plugin implements ISecuritySolutionPlugin { this.config = serverConfig; this.logger = context.logger.get(); this.appClientFactory = new AppClientFactory(); - - /** sort of temporary solution, please do not use me elsewhere */ - const isServerless = this.pluginContext.env.packageInfo.buildFlavor === 'serverless'; this.productFeaturesService = new ProductFeaturesService( this.logger, - this.config.experimentalFeatures, - isServerless + this.config.experimentalFeatures ); this.siemMigrationsService = new SiemMigrationsService( this.config, From bff5fc374850171a2b3fcf228fe7ccd5f4a4f851 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 00:40:47 +0200 Subject: [PATCH 44/52] Revert "type fix" This reverts commit a26a1ca663c0456fbd4f7973fb985fef0bab2c32. --- .../server/lib/product_features_service/mocks.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index 0b646937eb175..e9e03c62eb94d 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts 
@@ -80,7 +80,7 @@ export const createProductFeaturesServiceMock = ( featuresPluginSetupContract: FeaturesPluginSetup = featuresPluginMock.createSetup(), logger: Logger = loggingSystemMock.create().get('productFeatureMock') ) => { - const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures, false); + const productFeaturesService = new ProductFeaturesService(logger, experimentalFeatures); productFeaturesService.init(featuresPluginSetupContract); From de05a3b1675e6d00b703fafe12cd90b976cbef31 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 01:54:22 +0200 Subject: [PATCH 45/52] implement `baseFeatureConfigModifier()` for ProductFeatures --- .../security/packages/features/src/types.ts | 9 ++++ .../product_features_config_merger.test.ts | 44 +++++++++++++++++++ .../product_features_config_merger.ts | 14 ++++-- 3 files changed, 64 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/types.ts b/x-pack/solutions/security/packages/features/src/types.ts index b40cace936e20..1d7dd25455bf6 100644 --- a/x-pack/solutions/security/packages/features/src/types.ts +++ b/x-pack/solutions/security/packages/features/src/types.ts @@ -35,6 +35,15 @@ export type ProductFeatureKibanaConfig = RecursivePartial & { subFeatureIds?: T[]; subFeaturesPrivileges?: SubFeaturesPrivileges[]; + + /** An option for product features to modify the base kibana feature. + * + * @param baseFeatureConfig + * @returns modified baseFeatureConfig + */ + baseFeatureConfigModifier?: ( + baseFeatureConfig: BaseKibanaFeatureConfig + ) => BaseKibanaFeatureConfig; }; export type ProductFeaturesConfig = Map< ProductFeatureKeyType, 
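Review bot: The doc block on `baseFeatureConfigModifier` in `types.ts` names `@param` and `@returns` but does not state the contract, and this hook can rewrite the privileges and `replacedBy` role migrations of a registered feature. I would spell out that the function must return a complete feature config, because the merger replaces its working copy with the return value and does not validate it. I would also say that it is meant for changes a declarative merge cannot express, such as offering-specific role migrations. A short line such as `Authorization-affecting: the returned config replaces the base feature as-is.` would help anyone reviewing new modifiers. The enclosing `ProductFeatureKibanaConfig` type begins outside the hunk.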
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts index b6925ed408a25..02ba9ee6e5869 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.test.ts @@ -352,6 +352,50 @@ describe('ProductFeaturesConfigMerger', () => { }); }); + it('should call baseFeatureConfigModifier() for all product features', () => { + const enabledProductFeaturesConfigs: ProductFeatureKibanaConfig[] = [ + { + subFeatureIds: ['subFeature3', 'subFeature1'], + baseFeatureConfigModifier: jest + .fn() + .mockImplementation((baseConfig: KibanaFeatureConfig): KibanaFeatureConfig => { + return { ...baseConfig, name: 'NEW NAME' }; + }), + }, + { + baseFeatureConfigModifier: jest + .fn() + .mockImplementation((baseConfig: KibanaFeatureConfig): KibanaFeatureConfig => { + return { ...baseConfig, order: 666 }; + }), + }, + ]; + + const merged = merger.mergeProductFeatureConfigs( + baseKibanaFeature, + [], + enabledProductFeaturesConfigs + ); + + expect(enabledProductFeaturesConfigs[0].baseFeatureConfigModifier).toBeCalledWith( + baseKibanaFeature + ); + expect(enabledProductFeaturesConfigs[1].baseFeatureConfigModifier).toBeCalledWith({ + ...baseKibanaFeature, + name: 'NEW NAME', + }); + + expect(merged).toEqual({ + ...baseKibanaFeature, + + // modifications: + name: 'NEW NAME', + order: 666, + + subFeatures: [subFeature1, subFeature3], + }); + }); + it('should merge everything at the same time', () => { const enabledProductFeaturesConfigs: ProductFeatureKibanaConfig[] = [ { 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts index e4f6a4df95f86..de8cef06445e3 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_config_merger.ts @@ -32,20 +32,28 @@ export class ProductFeaturesConfigMerger { kibanaSubFeatureIds: T[], productFeaturesConfigs: ProductFeatureKibanaConfig[] ): KibanaFeatureConfig { - const mergedKibanaFeatureConfig = cloneDeep(kibanaFeatureConfig) as KibanaFeatureConfig; + let mergedKibanaFeatureConfig = cloneDeep(kibanaFeatureConfig) as KibanaFeatureConfig; const subFeaturesPrivilegesToMerge: SubFeaturesPrivileges[] = []; const enabledSubFeaturesIndexed = Object.fromEntries( kibanaSubFeatureIds.map((id) => [id, true]) ); productFeaturesConfigs.forEach((productFeatureConfig) => { - const { subFeaturesPrivileges, subFeatureIds, ...productFeatureConfigToMerge } = - cloneDeep(productFeatureConfig); + const { + subFeaturesPrivileges, + subFeatureIds, + baseFeatureConfigModifier, + ...productFeatureConfigToMerge + } = cloneDeep(productFeatureConfig); subFeatureIds?.forEach((subFeatureId) => { enabledSubFeaturesIndexed[subFeatureId] = true; }); + if (baseFeatureConfigModifier) { + mergedKibanaFeatureConfig = baseFeatureConfigModifier(mergedKibanaFeatureConfig); + } + if (subFeaturesPrivileges) { subFeaturesPrivilegesToMerge.push(...subFeaturesPrivileges); } From 1c31f56b437ccd0a73ec288ef864faba7e461941 Mon Sep 17 00:00:00 2001 
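Review bot: Each `baseFeatureConfigModifier` in `mergeProductFeatureConfigs` receives the config as left by the entries before it, so the merged privileges depend on the iteration order of `productFeaturesConfigs`; the new test in `product_features_config_merger.test.ts` relies on exactly that chaining. Since modifiers can replace `privileges` and `replacedBy`, the order dependence deserves a comment at the call site, for example `// Modifiers run in productFeaturesConfigs order on the partially merged config; keep them independent of each other.` It would also be worth stating whether the modifier is meant to run before this entry's own `productFeatureConfigToMerge` is merged, because the rest of the `forEach` body is outside the hunk and the intended ordering cannot be read from here.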
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 01:55:03 +0200 Subject: [PATCH 46/52] make endpointArtifactManagement product feature offer specific with own role migrations --- .../src/security/product_feature_config.ts | 10 --- .../packages/features/src/security/types.ts | 3 +- .../security/v1_features/kibana_features.ts | 25 +----- .../security/v2_features/kibana_features.ts | 25 +----- .../security_product_features_config.ts | 76 ++++++++++++++++++- .../security_product_features_config.ts | 60 +++++++++++++++ 6 files changed, 145 insertions(+), 54 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts index 54617d8c0ec67..d6ba5d5791428 100644 --- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts +++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts @@ -126,16 +126,6 @@ export const securityDefaultProductFeaturesConfig: DefaultSecurityProductFeature // Adds no additional kibana feature controls [ProductFeatureSecurityKey.endpointPolicyProtections]: {}, - [ProductFeatureSecurityKey.endpointArtifactManagement]: { - subFeatureIds: [ - SecuritySubFeatureId.hostIsolationExceptionsBasic, - SecuritySubFeatureId.trustedApplications, - SecuritySubFeatureId.blocklist, - SecuritySubFeatureId.eventFilters, - SecuritySubFeatureId.globalArtifactManagement, - ], - }, - // Endpoint Complete Tier: // Allows access to create/update HIEs [ProductFeatureSecurityKey.endpointHostIsolationExceptions]: { diff --git a/x-pack/solutions/security/packages/features/src/security/types.ts b/x-pack/solutions/security/packages/features/src/security/types.ts index dda61b6e86b9a..7660b02866fc3 100644 --- a/x-pack/solutions/security/packages/features/src/security/types.ts +++ b/x-pack/solutions/security/packages/features/src/security/types.ts 
@@ -22,6 +22,7 @@ export interface SecurityFeatureParams { export type DefaultSecurityProductFeaturesConfig = Omit< Record>, - ProductFeatureSecurityKey.endpointExceptions + | ProductFeatureSecurityKey.endpointExceptions + | ProductFeatureSecurityKey.endpointArtifactManagement // | add not generic security app features here >; diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index 6dac83ba55bef..ce1e889b2d314 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts 
@@ -93,31 +93,14 @@ export const getSecurityBaseKibanaFeature = ({ default: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { - feature: SECURITY_FEATURE_ID_V3, - privileges: [ - // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. - 'minimal_all', - - // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. - // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. - // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. - 'global_artifact_management_all', - ], - }, + // note: overriden by product feature endpointArtifactManagement when enabled + { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, - { - feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'minimal_all', - - // See above. - 'global_artifact_management_all', - ], - }, + // note: overriden by product feature endpointArtifactManagement when enabled + { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 147c51f1b2181..ef37fa35dd4f2 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts 
@@ -90,29 +90,12 @@ export const getSecurityV2BaseKibanaFeature = ({ all: { replacedBy: { default: [ - { - feature: SECURITY_FEATURE_ID_V3, - privileges: [ - // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. - 'minimal_all', - - // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. - // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. - // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. - 'global_artifact_management_all', - ], - }, + // note: overriden by product feature endpointArtifactManagement when enabled + { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, ], minimal: [ - { - feature: SECURITY_FEATURE_ID_V3, - privileges: [ - 'minimal_all', - - // See above. - 'global_artifact_management_all', - ], - }, + // note: overriden by product feature endpointArtifactManagement when enabled + { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts index 0cec48bda5e44..c3465bd5dd484 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/security_product_features_config.ts @@ -11,7 +11,7 @@ import type { } from '@kbn/security-solution-features'; import { ProductFeatureSecurityKey, - type SecuritySubFeatureId, + SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; import { securityDefaultProductFeaturesConfig, 
@@ -21,6 +21,7 @@ import { ProductFeaturesPrivilegeId, ProductFeaturesPrivileges, } from '@kbn/security-solution-features/privileges'; +import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; export const getSecurityProductFeaturesConfigurator = (enabledProductFeatureKeys: ProductFeatureKeys) => (): ProductFeaturesSecurityConfig => { 
@@ -47,4 +48,77 @@ const securityProductFeaturesConfig: Record< [ProductFeatureSecurityKey.endpointExceptions]: { privileges: ProductFeaturesPrivileges[ProductFeaturesPrivilegeId.endpointExceptions], }, + + [ProductFeatureSecurityKey.endpointArtifactManagement]: { + subFeatureIds: [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + SecuritySubFeatureId.trustedApplications, + SecuritySubFeatureId.blocklist, + SecuritySubFeatureId.eventFilters, + SecuritySubFeatureId.globalArtifactManagement, + ], + + baseFeatureConfigModifier: (baseFeatureConfig) => { + if ( + !['siem', 'siemV2'].includes(baseFeatureConfig.id) || + !baseFeatureConfig.privileges?.all.replacedBy || + !('default' in baseFeatureConfig.privileges.all.replacedBy) + ) { + return baseFeatureConfig; + } + + return { + ...baseFeatureConfig, + privileges: { + ...baseFeatureConfig.privileges, + + all: { + ...baseFeatureConfig.privileges.all, + + // overwriting siem:ALL role migration in siem and siemV2 + replacedBy: { + default: baseFeatureConfig.privileges.all.replacedBy.default.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in ESS offering, as it included in Security:ALL privilege. 
+ 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + + minimal: baseFeatureConfig.privileges.all.replacedBy.minimal.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + 'minimal_all', + + // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL + 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + }, + }, + }, + }; + }, + }, }; diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts index caec038374c23..91c8fb966f944 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/security_product_features_config.ts @@ -17,6 +17,7 @@ import { ProductFeatureSecurityKey, SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; +import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; import type { ExperimentalFeatures } from '../../common/experimental_features'; export const getSecurityProductFeaturesConfigurator = 
@@ -48,4 +49,63 @@ const securityProductFeaturesConfig: Record< [ProductFeatureSecurityKey.endpointExceptions]: { subFeatureIds: [SecuritySubFeatureId.endpointExceptions], }, + + [ProductFeatureSecurityKey.endpointArtifactManagement]: { + subFeatureIds: [ + SecuritySubFeatureId.hostIsolationExceptionsBasic, + SecuritySubFeatureId.trustedApplications, + SecuritySubFeatureId.blocklist, + SecuritySubFeatureId.eventFilters, + SecuritySubFeatureId.globalArtifactManagement, + ], + + baseFeatureConfigModifier: (baseFeatureConfig) => { + if ( + !['siem', 'siemV2'].includes(baseFeatureConfig.id) || + !baseFeatureConfig.privileges?.all.replacedBy || + !('default' in baseFeatureConfig.privileges.all.replacedBy) + ) { + return baseFeatureConfig; + } + + return { + ...baseFeatureConfig, + privileges: { + ...baseFeatureConfig.privileges, + + all: { + ...baseFeatureConfig.privileges.all, + + // overwriting siem:ALL role migration in siem and siemV2 + replacedBy: { + ...baseFeatureConfig.privileges.all.replacedBy, + + default: baseFeatureConfig.privileges.all.replacedBy.default.map( + (privilegesPreference) => { + if (privilegesPreference.feature === SECURITY_FEATURE_ID_V3) { + return { + feature: SECURITY_FEATURE_ID_V3, + privileges: [ + // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. + 'minimal_all', + + // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. + // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. + // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege. + 'global_artifact_management_all', + ], + }; + } + + return privilegesPreference; + } + ), + }, + + // minimal_all is not overwritten, as it does not includes Endpoint Exceptions ALL. + }, + }, + }; + }, + }, }; 
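Review bot: The guard at the top of the serverless `baseFeatureConfigModifier` returns the config untouched when `replacedBy` is not in the `default`/`minimal` form, and the `map` changes nothing when no reference targets `SECURITY_FEATURE_ID_V3`. In both cases the migration silently stops granting `global_artifact_management_all`. That fails closed, but a later change to the base feature's `replacedBy` would only show up as users losing artifact write access after upgrade. The same holds for the ESS copy. I would add a comment tying the two places together, for example `// Relies on siem/siemV2 'all'.replacedBy holding a SECURITY_FEATURE_ID_V3 reference; update together with the v1/v2 kibana_features.` The literal `['siem', 'siemV2']` could use the package's feature-id constants if it exports them for the deprecated versions.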
From 309abb30a84c702ff136b1fbe4a933eeb21eb068 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 02:59:15 +0200 Subject: [PATCH 47/52] add role migration tests without Endpoint product line --- .buildkite/ftr_security_stateful_configs.yml | 1 + .../configs/serverless.config.ts | 32 ++++++ .../search_ai_lake_tier/index.ts | 13 +++ .../siem_v3_global_artifact_management.ts | 97 +++++++++++++++++++ 4 files changed, 143 insertions(+) create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts create mode 100644 x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts diff --git a/.buildkite/ftr_security_stateful_configs.yml b/.buildkite/ftr_security_stateful_configs.yml index 762b6474bfbe7..44056edc57828 100644 --- a/.buildkite/ftr_security_stateful_configs.yml +++ b/.buildkite/ftr_security_stateful_configs.yml 
@@ -101,6 +101,7 @@ enabled: - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/policy/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/resolver/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/response_actions/trial_license_complete_tier/configs/ess.config.ts + - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/ess.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/configs/serverless.config.ts - x-pack/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/configs/ess.config.ts diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts new file mode 100644 index 0000000000000..4a207eb099b10 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/configs/serverless.config.ts 
@@ -0,0 +1,32 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { FtrConfigProviderContext } from '@kbn/test'; + +export default async function ({ readConfigFile }: FtrConfigProviderContext) { + const functionalConfig = await readConfigFile( + require.resolve('../../../../../config/serverless/config.base.edr_workflows') + ); + + return { + ...functionalConfig.getAll(), + kbnTestServer: { + ...functionalConfig.get('kbnTestServer'), + serverArgs: [ + ...functionalConfig.get('kbnTestServer.serverArgs'), + + `--xpack.securitySolutionServerless.productTypes=${JSON.stringify([ + { product_line: 'ai_soc', product_tier: 'search_ai_lake' }, + ])}`, + ], + }, + testFiles: [require.resolve('..')], + junit: { + reportName: 'EDR Workflows API - Role Migration Tests - Serverless Env - search AI lake tier', + }, + }; +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts new file mode 100644 index 0000000000000..6104f56d6a501 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts 
@@ -0,0 +1,13 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ +import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; + +export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { + describe('Endpoint related user role migrations without Endpoint product line', function () { + loadTestFile(require.resolve('./siem_v3_global_artifact_management')); + }); +} diff --git a/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts new file mode 100644 index 0000000000000..fcd2ace39cfa3 --- /dev/null +++ b/x-pack/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts 
@@ -0,0 +1,97 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common';
+import { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function ({ getService }: FtrProviderContext) {
+ const supertest = getService('supertest');
+
+ const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2'];
+
+ const ROLE_NAME = 'siem_v3_test_role';
+
+ const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) =>
+ supertest
+ .put(`/api/security/role/${ROLE_NAME}`)
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .send({
+ elasticsearch: { cluster: [], indices: [], run_as: [] },
+ kibana: [
+ {
+ base: [],
+ feature: {
+ [feature]: privileges,
+ },
+ spaces: ['*'],
+ },
+ ],
+ })
+ .expect(204);
+
+ const getMigratedSiemFeaturesFromRole = async (): Promise => {
+ const response = await supertest
+ .get(`/api/security/role/${ROLE_NAME}`)
+ .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .expect(200);
+
+ const role = response.body as Role;
+ expect(role._transform_error).to.have.length(
+ 0,
+ `Role migration encountered an error, probably a non-existing privilege is added.
+ Transform error: ${JSON.stringify(role._transform_error)}`
+ );
+
+ // migrating from `siem` adds timeline and notes, but in this test it is irrelevant
+ return role.kibana[0].feature.siemV3;
+ };
+
+ describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => {
+ afterEach(async () => {
+ await supertest
+ .delete(`/api/security/role/${ROLE_NAME}`)
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .expect([204, 404]);
+ });
+
+ for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) {
+ describe(`from ${deprecatedSiem}`, () => {
+ const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem);
+
+ it(`should keep ${deprecatedSiem}:READ privilege`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']);
+ });
+
+ it(`should keep ${deprecatedSiem}:MINIMAL_READ privilege`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']);
+ });
+
+ it(`should keep ${deprecatedSiem}:ALL privilege`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['all']);
+ });
+
+ it(`should keep ${deprecatedSiem}:MINIMAL_ALL privilege`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+ });
+ });
+ }
+ });
+}
From 93d872137167ddb311018e3bc37838ef45d09b25 Mon Sep 17 00:00:00 2001
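Review bot: `getMigratedSiemFeaturesFromRole` returns only `role.kibana[0].feature.siemV3`, so the four `to.eql([...])` assertions pin that one entry exactly but check nothing about the other feature keys of the migrated role. The inline comment already notes that migrating from `siem` adds timeline and notes; any other privilege the migration granted on this tier would presumably go unnoticed by these tests. Consider also asserting the set of feature keys per deprecated version, for example `expect(Object.keys(role.kibana[0].feature).sort()).to.eql(expectedFeatureKeys);`, where the expected list has to come from the migration definition, which is not visible in this hunk. A one-line comment above the `for` loop, such as `// exact match: the migration must not add sub-feature privileges on this tier`, would also make clear that the 'should keep' cases are guarding against a widened privilege set.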
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 09:43:02 +0200 Subject: [PATCH 48/52] increase Defend Workflow cypress parallelism --- .buildkite/pipelines/chrome_forward_testing.yml | 2 +- .buildkite/pipelines/fleet/package_registry.yml | 2 +- .buildkite/pipelines/on_merge.yml | 5 ++--- .buildkite/pipelines/pointer_compression.yml | 2 +- .../pull_request/security_solution/defend_workflows.yml | 2 +- 5 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.buildkite/pipelines/chrome_forward_testing.yml b/.buildkite/pipelines/chrome_forward_testing.yml index adfea5d63fafc..7c8158929eb95 100644 --- a/.buildkite/pipelines/chrome_forward_testing.yml +++ b/.buildkite/pipelines/chrome_forward_testing.yml @@ -321,7 +321,7 @@ steps: depends_on: - build timeout_in_minutes: 60 - parallelism: 20 + parallelism: 22 retry: automatic: - exit_status: '-1' diff --git a/.buildkite/pipelines/fleet/package_registry.yml b/.buildkite/pipelines/fleet/package_registry.yml index 5343f87c9872f..703d3d3beb58b 100644 --- a/.buildkite/pipelines/fleet/package_registry.yml +++ b/.buildkite/pipelines/fleet/package_registry.yml @@ -55,7 +55,7 @@ steps: enableNestedVirtualization: true machineType: n2-standard-4 timeout_in_minutes: 60 - parallelism: 20 + parallelism: 22 key: defend-workflows-stateful depends_on: build retry: diff --git a/.buildkite/pipelines/on_merge.yml b/.buildkite/pipelines/on_merge.yml index 158fe2fbee424..c6236fb31deb6 100644 --- a/.buildkite/pipelines/on_merge.yml +++ b/.buildkite/pipelines/on_merge.yml @@ -457,7 +457,7 @@ steps: enableNestedVirtualization: true machineType: n2-standard-4 timeout_in_minutes: 60 - parallelism: 20 + parallelism: 22 retry: automatic: - exit_status: '-1' @@ -569,8 +569,7 @@ steps: provider: gcp machineType: n2-standard-4 preemptible: true - artifact_paths: - "target/plugin_so_types_snapshot.json" + artifact_paths: 'target/plugin_so_types_snapshot.json' timeout_in_minutes: 30 retry: automatic: 
diff --git a/.buildkite/pipelines/pointer_compression.yml b/.buildkite/pipelines/pointer_compression.yml index 8a9dda84def5d..ac9c698425d85 100644 --- a/.buildkite/pipelines/pointer_compression.yml +++ b/.buildkite/pipelines/pointer_compression.yml @@ -366,7 +366,7 @@ steps: depends_on: - build timeout_in_minutes: 60 - parallelism: 20 + parallelism: 22 retry: automatic: - exit_status: '-1' diff --git a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml index a8ac3e742c23c..768db9c88b50c 100644 --- a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml +++ b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml @@ -13,7 +13,7 @@ steps: - check_types - check_oas_snapshot timeout_in_minutes: 60 - parallelism: 20 + parallelism: 22 retry: automatic: - exit_status: '-1' From a7f0bd87c2035be6b91de632c7fa129ed6dccb2b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 17:21:11 +0200 Subject: [PATCH 49/52] Revert "increase Defend Workflow cypress parallelism" This reverts commit 93d872137167ddb311018e3bc37838ef45d09b25. --- .buildkite/pipelines/chrome_forward_testing.yml | 2 +- .buildkite/pipelines/fleet/package_registry.yml | 2 +- .buildkite/pipelines/on_merge.yml | 5 +++-- .buildkite/pipelines/pointer_compression.yml | 2 +- .../pull_request/security_solution/defend_workflows.yml | 2 +- 5 files changed, 7 insertions(+), 6 deletions(-) diff --git a/.buildkite/pipelines/chrome_forward_testing.yml b/.buildkite/pipelines/chrome_forward_testing.yml index 7c8158929eb95..adfea5d63fafc 100644 --- a/.buildkite/pipelines/chrome_forward_testing.yml +++ b/.buildkite/pipelines/chrome_forward_testing.yml @@ -321,7 +321,7 @@ steps: depends_on: - build timeout_in_minutes: 60 - parallelism: 22 + parallelism: 20 retry: automatic: - exit_status: '-1' 
diff --git a/.buildkite/pipelines/fleet/package_registry.yml b/.buildkite/pipelines/fleet/package_registry.yml index 703d3d3beb58b..5343f87c9872f 100644 --- a/.buildkite/pipelines/fleet/package_registry.yml +++ b/.buildkite/pipelines/fleet/package_registry.yml @@ -55,7 +55,7 @@ steps: enableNestedVirtualization: true machineType: n2-standard-4 timeout_in_minutes: 60 - parallelism: 22 + parallelism: 20 key: defend-workflows-stateful depends_on: build retry: diff --git a/.buildkite/pipelines/on_merge.yml b/.buildkite/pipelines/on_merge.yml index c6236fb31deb6..158fe2fbee424 100644 --- a/.buildkite/pipelines/on_merge.yml +++ b/.buildkite/pipelines/on_merge.yml @@ -457,7 +457,7 @@ steps: enableNestedVirtualization: true machineType: n2-standard-4 timeout_in_minutes: 60 - parallelism: 22 + parallelism: 20 retry: automatic: - exit_status: '-1' @@ -569,7 +569,8 @@ steps: provider: gcp machineType: n2-standard-4 preemptible: true - artifact_paths: 'target/plugin_so_types_snapshot.json' + artifact_paths: + "target/plugin_so_types_snapshot.json" timeout_in_minutes: 30 retry: automatic: diff --git a/.buildkite/pipelines/pointer_compression.yml b/.buildkite/pipelines/pointer_compression.yml index ac9c698425d85..8a9dda84def5d 100644 --- a/.buildkite/pipelines/pointer_compression.yml +++ b/.buildkite/pipelines/pointer_compression.yml @@ -366,7 +366,7 @@ steps: depends_on: - build timeout_in_minutes: 60 - parallelism: 22 + parallelism: 20 retry: automatic: - exit_status: '-1' diff --git a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml index 768db9c88b50c..a8ac3e742c23c 100644 --- a/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml +++ b/.buildkite/pipelines/pull_request/security_solution/defend_workflows.yml 
@@ -13,7 +13,7 @@ steps: - check_types - check_oas_snapshot timeout_in_minutes: 60 - parallelism: 22 + parallelism: 20 retry: automatic: - exit_status: '-1' From 1dadbf650697c02dc22b84bd56e7db711d007b33 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 18:18:35 +0200 Subject: [PATCH 50/52] rbac cy test to smaller tests #1: move original test file to support files --- .../artifacts_rbac_runner.ts} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename x-pack/solutions/security/plugins/security_solution/public/management/cypress/{e2e/artifacts/artifacts_mocked_data.cy.ts => support/artifacts_rbac_runner.ts} (100%) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts similarity index 100% rename from x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/artifacts_mocked_data.cy.ts rename to x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts From b88c777948d8dd061812be328ba72076c42837a7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 20 Jun 2025 18:19:56 +0200 Subject: [PATCH 51/52] rbac cy test to smaller tests #1: create an own test file for each artifact --- .../e2e/artifacts/blocklist_rbac.cy.ts | 16 + .../e2e/artifacts/event_filters_rbac.cy.ts | 16 + .../host_isolation_exceptions_rbac.cy.ts | 16 + .../e2e/artifacts/trusted_apps_rbac.cy.ts | 16 + .../cypress/fixtures/artifacts_page.ts | 6 +- .../cypress/support/artifacts_rbac_runner.ts | 280 +++++++++--------- 6 files changed, 206 insertions(+), 144 deletions(-) create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts new file mode 100644 index 0000000000000..a71104f41af05 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/blocklist_rbac.cy.ts 
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Blocklist RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('blocklists'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts
new file mode 100644
index 0000000000000..12d31adadc11c
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/event_filters_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Event filters RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('eventFilters'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts
new file mode 100644
index 0000000000000..880ea031924f9
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/host_isolation_exceptions_rbac.cy.ts
@@ -0,0 +1,16 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page';
+import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner';
+
+describe(
+ 'Host Isolation Exceptions RBAC',
+ { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] },
+
+ getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('hostIsolationExceptions'))
+);
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts
new file mode 100644
index 0000000000000..a00fbf52a7bda
--- /dev/null
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_apps_rbac.cy.ts
@@ -0,0 +1,16 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { getArtifactsListTestDataForArtifact } from '../../fixtures/artifacts_page'; +import { getArtifactMockedDataTests } from '../../support/artifacts_rbac_runner'; + +describe( + 'Trusted apps RBAC', + { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, + + getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedApps')) +); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts index 088f6780faec9..2630a64cdb794 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/fixtures/artifacts_page.ts @@ -21,7 +21,7 @@ interface FormEditingDescription { export interface ArtifactsFixtureType { title: string; pagePrefix: string; - tabId: string; + tabId: keyof typeof ENDPOINT_ARTIFACT_LISTS; nextTabId: string; artifactName: string; privilegePrefix: string; @@ -43,6 +43,10 @@ export interface ArtifactsFixtureType { }; } +export const getArtifactsListTestDataForArtifact = ( + artifact: keyof typeof ENDPOINT_ARTIFACT_LISTS +) => getArtifactsListTestsData().find(({ tabId }) => tabId === artifact) as ArtifactsFixtureType; + export const getArtifactsListTestsData = (): ArtifactsFixtureType[] => [ { title: 'Trusted applications', 
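Review bot: In the `@@ -43,6 +43,10 @@` hunk of `artifacts_page.ts`, `getArtifactsListTestDataForArtifact` casts the result of `.find(...)` with `as ArtifactsFixtureType`, which hides the `undefined` case from the compiler. If a fixture's `tabId` ever stops matching the requested key, the four new `*_rbac.cy.ts` specs would presumably fail on a property access on `undefined` instead of a message naming the missing artifact. Drop the cast and guard the lookup: `const testData = getArtifactsListTestsData().find(({ tabId }) => tabId === artifact);` then `if (!testData) throw new Error('No artifacts fixture for ' + artifact);` and `return testData;`. The body of `getArtifactsListTestsData` continues outside the hunk, so whether every `ENDPOINT_ARTIFACT_LISTS` key has a fixture cannot be confirmed from here.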
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts index e199233d562b2..5369a13dffa0c 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts @@ -5,21 +5,21 @@ * 2.0. */ -import { login, ROLE } from '../../tasks/login'; -import { loadPage } from '../../tasks/common'; +import { login, ROLE } from '../tasks/login'; +import { loadPage } from '../tasks/common'; -import { getArtifactsListTestsData } from '../../fixtures/artifacts_page'; +import { type ArtifactsFixtureType } from '../fixtures/artifacts_page'; import { createArtifactList, createPerPolicyArtifact, removeAllArtifacts, -} from '../../tasks/artifacts'; -import { performUserActions } from '../../tasks/perform_user_actions'; -import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; -import type { ReturnTypeFromChainable } from '../../types'; -import { SIEM_VERSIONS, type SiemVersion } from '../../common/constants'; -import { SECURITY_FEATURE_ID } from '../../../../../common'; -import { getT1Analyst } from '../../../../../scripts/endpoint/common/roles_users'; +} from '../tasks/artifacts'; +import { performUserActions } from '../tasks/perform_user_actions'; +import { indexEndpointHosts } from '../tasks/index_endpoint_hosts'; +import type { ReturnTypeFromChainable } from '../types'; +import { SIEM_VERSIONS, type SiemVersion } from '../common/constants'; +import { SECURITY_FEATURE_ID } from '../../../../common'; +import { getT1Analyst } from '../../../../scripts/endpoint/common/roles_users'; const loginWithArtifactAccess = ( siemVersion: SiemVersion, 
@@ -60,7 +60,7 @@ const loginWithArtifactAccess = ( * * Possible improvement: use custom roles on serverless to test the same as on ESS. */ -describe('Artifacts pages', { tags: ['@ess', '@serverless', '@skipInServerlessMKI'] }, () => { +export const getArtifactMockedDataTests = (testData: ArtifactsFixtureType) => () => { let endpointData: ReturnTypeFromChainable | undefined; const isServerless = Cypress.env('IS_SERVERLESS'); 
@@ -89,156 +89,150 @@ describe('Artifacts pages', { tags: ['@ess', '@serverless', '@skipInServerlessMK for (const siemVersion of siemVersionsToTest) { describe(siemVersion, () => { - for (const testData of getArtifactsListTestsData()) { - describe(`When on the ${testData.title} entries list`, () => { - beforeEach(() => { - const { privilegePrefix } = testData; - - loginWithWriteAccess = () => { - if (isServerless) { - login(ROLE.endpoint_policy_manager); - } else { - loginWithArtifactAccess(siemVersion, privilegePrefix, 'all'); - } - }; - - loginWithReadAccess = () => { - expect(isServerless, 'Testing read access is implemented only on ESS').to.equal( - false - ); - loginWithArtifactAccess(siemVersion, privilegePrefix, 'read'); - }; - - loginWithoutAccess = () => { - if (isServerless) { - login(ROLE.t1_analyst); - } else { - loginWithArtifactAccess(siemVersion, privilegePrefix, 'none'); - } - }; + describe(`When on the ${testData.title} entries list`, () => { + beforeEach(() => { + const { privilegePrefix } = testData; + + loginWithWriteAccess = () => { + if (isServerless) { + login(ROLE.endpoint_policy_manager); + } else { + loginWithArtifactAccess(siemVersion, privilegePrefix, 'all'); + } + }; + + loginWithReadAccess = () => { + expect(isServerless, 'Testing read access is implemented only on ESS').to.equal(false); + loginWithArtifactAccess(siemVersion, privilegePrefix, 'read'); + }; + + loginWithoutAccess = () => { + if (isServerless) { + login(ROLE.t1_analyst); + } else { + loginWithArtifactAccess(siemVersion, privilegePrefix, 'none'); + } + }; + }); + + describe('given there are no artifacts yet', () => { + it(`no access - should show no privileges callout`, () => { + loginWithoutAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('noPrivilegesPage').should('exist'); + cy.getByTestSubj('empty-page-feature-action').should('exist'); + cy.getByTestSubj(testData.emptyState).should('not.exist'); + 
cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); }); - describe('given there are no artifacts yet', () => { - it(`no access - should show no privileges callout`, () => { - loginWithoutAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj('noPrivilegesPage').should('exist'); - cy.getByTestSubj('empty-page-feature-action').should('exist'); - cy.getByTestSubj(testData.emptyState).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - }); - - it( - `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); - } - ); - - it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { - loginWithWriteAccess(); + it( + `read - should show empty state page if there is no ${testData.title} entry and the add button does not exist`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); loadPage(`/app/security/administration/${testData.urlPath}`); cy.getByTestSubj(testData.emptyState).should('exist'); - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); - }); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('not.exist'); + } + ); + + it(`write - should show empty state page if there is no ${testData.title} entry and the add button exists`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + 
cy.getByTestSubj(testData.emptyState).should('exist'); + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).should('exist'); + }); - it(`write - should create new ${testData.title} entry`, () => { - loginWithWriteAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - // Opens add flyout - cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); + it(`write - should create new ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens add flyout + cy.getByTestSubj(`${testData.pagePrefix}-emptyState-addButton`).click(); - performUserActions(testData.create.formActions); + performUserActions(testData.create.formActions); - // Submit create artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + // Submit create artifact form + cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - // Check new artifact is in the list - for (const checkResult of testData.create.checkResults) { - cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } + // Check new artifact is in the list + for (const checkResult of testData.create.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } - // Title is shown after adding an item - cy.getByTestSubj('header-page-title').contains(testData.title); - }); + // Title is shown after adding an item + cy.getByTestSubj('header-page-title').contains(testData.title); + }); + }); + + describe('given there is an existing artifact', () => { + beforeEach(() => { + createArtifactList(testData.createRequestBody.list_id); + createPerPolicyArtifact(testData.artifactName, testData.createRequestBody); }); - describe('given there is an existing artifact', () => { - beforeEach(() => { - createArtifactList(testData.createRequestBody.list_id); - createPerPolicyArtifact(testData.artifactName, 
testData.createRequestBody); - }); - - it( - `read - should not be able to update/delete an existing ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( - 'not.exist' - ); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should( - 'not.exist' - ); - } - ); - - it( - `read - should not be able to create a new ${testData.title} entry`, - // there is no such role in Serverless environment that only reads artifacts - { tags: ['@skipInServerless'] }, - () => { - loginWithReadAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - cy.getByTestSubj('header-page-title').contains(testData.title); - cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); - } - ); - - it(`write - should be able to update an existing ${testData.title} entry`, () => { - loginWithWriteAccess(); + it( + `read - should not be able to update/delete an existing ${testData.title} entry`, + // there is no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).should( + 'not.exist' + ); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).should('not.exist'); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).should('not.exist'); + } + ); + + it( + `read - should not be able to create a new ${testData.title} entry`, + // there is 
no such role in Serverless environment that only reads artifacts + { tags: ['@skipInServerless'] }, + () => { + loginWithReadAccess(); loadPage(`/app/security/administration/${testData.urlPath}`); - // Opens edit flyout - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); + cy.getByTestSubj('header-page-title').contains(testData.title); + cy.getByTestSubj(`${testData.pagePrefix}-pageAddButton`).should('not.exist'); + } + ); - performUserActions(testData.update.formActions); + it(`write - should be able to update an existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Opens edit flyout + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardEditAction`).click(); - // Submit edit artifact form - cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); + performUserActions(testData.update.formActions); - for (const checkResult of testData.update.checkResults) { - cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); - } + // Submit edit artifact form + cy.getByTestSubj(`${testData.pagePrefix}-flyout-submitButton`).click(); - // Title still shown after editing an item - cy.getByTestSubj('header-page-title').contains(testData.title); - }); + for (const checkResult of testData.update.checkResults) { + cy.getByTestSubj(checkResult.selector).should('have.text', checkResult.value); + } - it(`write - should be able to delete the existing ${testData.title} entry`, () => { - loginWithWriteAccess(); - loadPage(`/app/security/administration/${testData.urlPath}`); - // Remove it - cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); - cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click(); - 
cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click(); - // No card visible after removing it - cy.getByTestSubj(testData.delete.card).should('not.exist'); - // Empty state is displayed after removing last item - cy.getByTestSubj(testData.emptyState).should('exist'); - }); + // Title still shown after editing an item + cy.getByTestSubj('header-page-title').contains(testData.title); + }); + + it(`write - should be able to delete the existing ${testData.title} entry`, () => { + loginWithWriteAccess(); + loadPage(`/app/security/administration/${testData.urlPath}`); + // Remove it + cy.getByTestSubj(`${testData.pagePrefix}-card-header-actions-button`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-card-cardDeleteAction`).click(); + cy.getByTestSubj(`${testData.pagePrefix}-deleteModal-submitButton`).click(); + // No card visible after removing it + cy.getByTestSubj(testData.delete.card).should('not.exist'); + // Empty state is displayed after removing last item + cy.getByTestSubj(testData.emptyState).should('exist'); }); }); - } + }); }); } -}); +}; From cee449ab49af1d082838001e97f5c6922d96136c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 23 Jun 2025 10:55:23 +0200 Subject: [PATCH 52/52] split up endpoint list RBAC cy test to smaller chunks --- .../endpoints_rbac_mocked_data.cy.ts | 210 ------------------ ...dpoints_rbac_mocked_data_empty_state.cy.ts | 61 +++++ ...dpoints_rbac_mocked_data_hosts_exist.cy.ts | 82 +++++++ ...ints_rbac_mocked_data_policies_exist.cy.ts | 76 +++++++ .../cypress/support/artifacts_rbac_runner.ts | 38 +--- .../public/management/cypress/tasks/login.ts | 32 ++- 6 files changed, 255 insertions(+), 244 deletions(-) delete mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts create mode 100644 x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts deleted file mode 100644 index 38f747f4feedf..0000000000000 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data.cy.ts +++ /dev/null 
@@ -1,210 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import { PACKAGE_POLICY_API_ROUTES } from '@kbn/fleet-plugin/common/constants/routes'; -import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy'; -import { getT1Analyst } from '../../../../../scripts/endpoint/common/roles_users'; -import { APP_ENDPOINTS_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants'; -import type { ReturnTypeFromChainable } from '../../types'; -import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; -import { login } from '../../tasks/login'; -import { loadPage } from '../../tasks/common'; -import { SIEM_VERSIONS, type SiemVersion } from '../../common/constants'; - -describe('Endpoints page RBAC', { tags: ['@ess'] }, () => { - type Privilege = 'all' | 'read' | 'none'; - const PRIVILEGES: Privilege[] = ['none', 'read', 'all']; - - const loginWithCustomRole: (privileges: { - integrationsPrivilege: Privilege; - fleetPrivilege: Privilege; - endpointPolicyManagementPrivilege: Privilege; - siemVersion: SiemVersion; - }) => void = ({ - integrationsPrivilege, - fleetPrivilege, - endpointPolicyManagementPrivilege, - siemVersion, - }) => { - const base = getT1Analyst(); - - const customRole: typeof base = { - ...base, - kibana: [ - { - ...base.kibana[0], - feature: { - [siemVersion]: [ - 'all', - `endpoint_list_all`, - `policy_management_${endpointPolicyManagementPrivilege}`, - ], - fleet: [integrationsPrivilege], - fleetv2: [fleetPrivilege], - }, - }, - ], - }; - - login.withCustomRole({ name: 'customRole', ...customRole }); - }; - - it('latest siem version should be in version list', () => { - expect(SIEM_VERSIONS.at(-1)).to.equal(SECURITY_FEATURE_ID); - }); - - for (const 
siemVersion of SIEM_VERSIONS) { - describe(siemVersion, () => { - describe('neither Defend policy nor hosts are present', () => { - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldAllowOnboarding = - fleetPrivilege === 'all' && integrationsPrivilege === 'all'; - - it(`should show onboarding screen ${ - shouldAllowOnboarding ? 'with' : 'without' - } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - siemVersion, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyOnboardingInstructions').should('exist'); - if (shouldAllowOnboarding) { - cy.getByTestSubj('onboardingStartButton').should('exist'); - } else { - cy.getByTestSubj('onboardingStartButton').should('not.exist'); - } - }); - } - } - }); - } - }); - - describe('Defend policy is present, but no hosts', () => { - let loadedPolicyData: IndexedFleetEndpointPolicyResponse; - - before(() => { - cy.task( - 'indexFleetEndpointPolicy', - { policyName: 'tests-serverless' }, - { timeout: 5 * 60 * 1000 } - ).then((res) => { - const response = res as IndexedFleetEndpointPolicyResponse; - loadedPolicyData = response; - }); - }); - - after(() => { - if (loadedPolicyData) { - cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData); - } - }); - - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldShowOnboardingSteps = - (fleetPrivilege === 'all' && integrationsPrivilege === 'read') || - (fleetPrivilege === 
'all' && integrationsPrivilege === 'all'); - - it(`should ${ - shouldShowOnboardingSteps ? '' : ' NOT ' - } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - siemVersion, - }); - - loadPage(APP_ENDPOINTS_PATH); - - if (shouldShowOnboardingSteps) { - cy.getByTestSubj('emptyHostsTable').should('exist'); - cy.getByTestSubj('onboardingSteps').should('exist'); - } else { - // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required - cy.getByTestSubj('emptyPolicyTable').should('exist'); - cy.getByTestSubj('onboardingStartButton').should('not.exist'); - } - }); - } - } - }); - } - }); - - describe('some hosts are enrolled', () => { - let endpointData: ReturnTypeFromChainable; - - before(() => { - indexEndpointHosts({ count: 1 }).then((indexEndpoints) => { - endpointData = indexEndpoints; - }); - }); - - after(() => { - if (endpointData) { - endpointData.cleanup(); - // @ts-expect-error ignore setting to undefined - endpointData = undefined; - } - }); - - beforeEach(() => { - // if there is a request towards this API, it should return 200 - cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => { - req.on('response', (res) => { - expect(res.statusCode).to.equal(200); - }); - }); - }); - - for (const endpointPolicyManagementPrivilege of PRIVILEGES) { - describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { - for (const fleetPrivilege of PRIVILEGES) { - for (const integrationsPrivilege of PRIVILEGES) { - const shouldProvidePolicyLink = endpointPolicyManagementPrivilege !== 'none'; - - it(`should show Endpoint list ${ - shouldProvidePolicyLink ? 
'with' : 'without' - } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { - loginWithCustomRole({ - endpointPolicyManagementPrivilege, - fleetPrivilege, - integrationsPrivilege, - siemVersion, - }); - - loadPage(APP_ENDPOINTS_PATH); - - cy.getByTestSubj('policyNameCellLink').should('exist'); - cy.getByTestSubj('policyNameCellLink').within(() => { - if (shouldProvidePolicyLink) { - cy.get('a').should('have.attr', 'href'); - } else { - cy.get('a').should('not.exist'); - } - }); - }); - } - } - }); - } - }); - }); - } -}); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts new file mode 100644 index 0000000000000..d5f1152d77c72 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_empty_state.cy.ts 
@@ -0,0 +1,61 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { APP_ENDPOINTS_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants'; +import { login } from '../../tasks/login'; +import { loadPage } from '../../tasks/common'; +import { SIEM_VERSIONS } from '../../common/constants'; + +describe( + 'Endpoints page RBAC - neither Defend policy nor hosts are present', + { tags: ['@ess'] }, + () => { + const PRIVILEGES = ['none', 'read', 'all'] as const; + + it('latest siem version should be in version list', () => { + expect(SIEM_VERSIONS.at(-1)).to.equal(SECURITY_FEATURE_ID); + }); + + for (const siemVersion of SIEM_VERSIONS) { + describe(siemVersion, () => { + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldAllowOnboarding = + fleetPrivilege === 'all' && integrationsPrivilege === 'all'; + + it(`should show onboarding screen ${ + shouldAllowOnboarding ? 'with' : 'without' + } 'Add Elastic Defend' button with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + login.withCustomKibanaPrivileges({ + [siemVersion]: [ + 'all', + `endpoint_list_all`, + `policy_management_${endpointPolicyManagementPrivilege}`, + ], + fleet: [integrationsPrivilege], + fleetv2: [fleetPrivilege], + }); + + loadPage(APP_ENDPOINTS_PATH); + + cy.getByTestSubj('policyOnboardingInstructions').should('exist'); + if (shouldAllowOnboarding) { + cy.getByTestSubj('onboardingStartButton').should('exist'); + } else { + cy.getByTestSubj('onboardingStartButton').should('not.exist'); + } + }); + } + } + }); + } + }); + } + } +); 
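Review bot: The `none` case in the `login.withCustomKibanaPrivileges({...})` call is expressed as the literal privilege names `policy_management_none` and `['none']` rather than as an absent grant. The negative assertions therefore depend on how the role API treats a name it may not recognise, which is not visible in this patch. The artifacts runner changed in the same commit omits the entry instead (`[siemVersion]: ['read']`); the equivalent here would be ``...(endpointPolicyManagementPrivilege !== 'none' ? [`policy_management_${endpointPolicyManagementPrivilege}`] : [])``. The same construction is repeated in the `hosts_exist` and `policies_exist` specs added by this commit.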
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts new file mode 100644 index 0000000000000..bf5e1c9e9e407 --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_hosts_exist.cy.ts 
@@ -0,0 +1,82 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { PACKAGE_POLICY_API_ROUTES } from '@kbn/fleet-plugin/common/constants/routes'; +import { APP_ENDPOINTS_PATH } from '../../../../../common/constants'; +import type { ReturnTypeFromChainable } from '../../types'; +import { indexEndpointHosts } from '../../tasks/index_endpoint_hosts'; +import { login } from '../../tasks/login'; +import { loadPage } from '../../tasks/common'; +import { SIEM_VERSIONS } from '../../common/constants'; + +describe('Endpoints page RBAC - some hosts are enrolled', { tags: ['@ess'] }, () => { + const PRIVILEGES = ['none', 'read', 'all'] as const; + + for (const siemVersion of SIEM_VERSIONS) { + describe(siemVersion, () => { + let endpointData: ReturnTypeFromChainable; + + before(() => { + indexEndpointHosts({ count: 1 }).then((indexEndpoints) => { + endpointData = indexEndpoints; + }); + }); + + after(() => { + if (endpointData) { + endpointData.cleanup(); + // @ts-expect-error ignore setting to undefined + endpointData = undefined; + } + }); + + beforeEach(() => { + // if there is a request towards this API, it should return 200 + cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, (req) => { + req.on('response', (res) => { + expect(res.statusCode).to.equal(200); + }); + }); + }); + + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldProvidePolicyLink = endpointPolicyManagementPrivilege !== 'none'; + + it(`should show Endpoint list ${ + shouldProvidePolicyLink ? 
'with' : 'without' + } link to Endpoint Policy with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + login.withCustomKibanaPrivileges({ + [siemVersion]: [ + 'all', + `endpoint_list_all`, + `policy_management_${endpointPolicyManagementPrivilege}`, + ], + fleet: [integrationsPrivilege], + fleetv2: [fleetPrivilege], + }); + + loadPage(APP_ENDPOINTS_PATH); + + cy.getByTestSubj('policyNameCellLink').should('exist'); + cy.getByTestSubj('policyNameCellLink').within(() => { + if (shouldProvidePolicyLink) { + cy.get('a').should('have.attr', 'href'); + } else { + cy.get('a').should('not.exist'); + } + }); + }); + } + } + }); + } + }); + } +}); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts new file mode 100644 index 0000000000000..0705d43e3416b --- /dev/null +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/endpoint_list/endpoints_rbac_mocked_data_policies_exist.cy.ts 
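Review bot: The `cy.intercept(PACKAGE_POLICY_API_ROUTES.BULK_GET_PATTERN, ...)` in `beforeEach` only checks a response if one arrives, so for roles with `fleet`/`fleetv2` set to `none` the test passes the same way whether the request was allowed or never sent. If the intent is that the Endpoint list must not call an API the role cannot use, the existing comment should say so, e.g. `// under-privileged roles must not trigger this request; a non-200 here means the UI called an API the role is not allowed to use`. Aliasing the intercept and asserting per privilege combination whether it fired would make that boundary an explicit check rather than a side effect.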
@@ -0,0 +1,76 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { IndexedFleetEndpointPolicyResponse } from '../../../../../common/endpoint/data_loaders/index_fleet_endpoint_policy'; +import { APP_ENDPOINTS_PATH } from '../../../../../common/constants'; +import { login } from '../../tasks/login'; +import { loadPage } from '../../tasks/common'; +import { SIEM_VERSIONS } from '../../common/constants'; + +describe('Endpoints page RBAC - Defend policy is present, but no hosts', { tags: ['@ess'] }, () => { + const PRIVILEGES = ['none', 'read', 'all'] as const; + + for (const siemVersion of SIEM_VERSIONS) { + describe(siemVersion, () => { + let loadedPolicyData: IndexedFleetEndpointPolicyResponse; + + before(() => { + cy.task( + 'indexFleetEndpointPolicy', + { policyName: 'tests-serverless' }, + { timeout: 5 * 60 * 1000 } + ).then((res) => { + const response = res as IndexedFleetEndpointPolicyResponse; + loadedPolicyData = response; + }); + }); + + after(() => { + if (loadedPolicyData) { + cy.task('deleteIndexedFleetEndpointPolicies', loadedPolicyData); + } + }); + + for (const endpointPolicyManagementPrivilege of PRIVILEGES) { + describe(`endpoint policy management privilege is ${endpointPolicyManagementPrivilege}`, () => { + for (const fleetPrivilege of PRIVILEGES) { + for (const integrationsPrivilege of PRIVILEGES) { + const shouldShowOnboardingSteps = + (fleetPrivilege === 'all' && integrationsPrivilege === 'read') || + (fleetPrivilege === 'all' && integrationsPrivilege === 'all'); + + it(`should ${ + shouldShowOnboardingSteps ? 
'' : ' NOT ' + } show onboarding steps with fleet:${fleetPrivilege} and integrations:${integrationsPrivilege}`, () => { + login.withCustomKibanaPrivileges({ + [siemVersion]: [ + 'all', + `endpoint_list_all`, + `policy_management_${endpointPolicyManagementPrivilege}`, + ], + fleet: [integrationsPrivilege], + fleetv2: [fleetPrivilege], + }); + + loadPage(APP_ENDPOINTS_PATH); + + if (shouldShowOnboardingSteps) { + cy.getByTestSubj('emptyHostsTable').should('exist'); + cy.getByTestSubj('onboardingSteps').should('exist'); + } else { + // without correct privileges, fall back to empty policy table note showing that Fleet privilege is required + cy.getByTestSubj('emptyPolicyTable').should('exist'); + cy.getByTestSubj('onboardingStartButton').should('not.exist'); + } + }); + } + } + }); + } + }); + } +}); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts index 5369a13dffa0c..5095699e79a57 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/support/artifacts_rbac_runner.ts 
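Review bot: `shouldShowOnboardingSteps` repeats `fleetPrivilege === 'all'` in two branches where one condition states the rule directly: `const shouldShowOnboardingSteps = fleetPrivilege === 'all' && integrationsPrivilege !== 'none';`. This is equivalent only while `PRIVILEGES` stays `none`/`read`/`all`. The test title also renders with doubled spaces because `' NOT '` carries its own padding inside `should ${...} show`; writing it as ``should${shouldShowOnboardingSteps ? '' : ' NOT'} show`` gives clean titles in the matrix output.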
@@ -17,36 +17,8 @@ import { import { performUserActions } from '../tasks/perform_user_actions'; import { indexEndpointHosts } from '../tasks/index_endpoint_hosts'; import type { ReturnTypeFromChainable } from '../types'; -import { SIEM_VERSIONS, type SiemVersion } from '../common/constants'; +import { SIEM_VERSIONS } from '../common/constants'; import { SECURITY_FEATURE_ID } from '../../../../common'; -import { getT1Analyst } from '../../../../scripts/endpoint/common/roles_users'; - -const loginWithArtifactAccess = ( - siemVersion: SiemVersion, - privilegePrefix: string, - access: 'none' | 'read' | 'all' -) => { - const base = getT1Analyst(); - - const customRole: typeof base = { - ...base, - kibana: [ - { - ...base.kibana[0], - feature: { - [siemVersion]: [ - // siemVX: read - 'read', - // none/read/all for selected artifact - ...(access !== 'none' ? [`${privilegePrefix}${access}`] : []), - ], - }, - }, - ], - }; - - login.withCustomRole({ name: 'customRole', ...customRole }); -}; /** * Notes: @@ -97,20 +69,22 @@ export const getArtifactMockedDataTests = (testData: ArtifactsFixtureType) => () if (isServerless) { login(ROLE.endpoint_policy_manager); } else { - loginWithArtifactAccess(siemVersion, privilegePrefix, 'all'); + login.withCustomKibanaPrivileges({ + [siemVersion]: ['read', `${privilegePrefix}all`], + }); } }; loginWithReadAccess = () => { expect(isServerless, 'Testing read access is implemented only on ESS').to.equal(false); - loginWithArtifactAccess(siemVersion, privilegePrefix, 'read'); + login.withCustomKibanaPrivileges({ [siemVersion]: ['read', `${privilegePrefix}read`] }); }; loginWithoutAccess = () => { if (isServerless) { login(ROLE.t1_analyst); } else { - loginWithArtifactAccess(siemVersion, privilegePrefix, 'none'); + login.withCustomKibanaPrivileges({ [siemVersion]: ['read'] }); } }; }); 
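Review bot: With `loginWithArtifactAccess` inlined, the three `login.withCustomKibanaPrivileges` calls in the second hunk no longer explain why `'read'` is always present, or that the no-access case is the deliberate absence of the artifact privilege. The removed helper carried comments for both. A one-line comment on the `loginWithoutAccess` branch, e.g. `// base siem read only: no privilege for the artifact under test`, keeps that intent readable for whoever extends the matrix. The enclosing `getArtifactMockedDataTests` callback starts and ends outside these hunks.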
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts index 019b441e3173c..39e4121a2115d 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/tasks/login.ts @@ -6,8 +6,11 @@ */ import type { LoginState } from '@kbn/security-plugin/common/login_state'; -import type { Role } from '@kbn/security-plugin/common'; -import { ENDPOINT_SECURITY_ROLE_NAMES } from '../../../../scripts/endpoint/common/roles_users'; +import type { FeaturesPrivileges, Role } from '@kbn/security-plugin/common'; +import { + ENDPOINT_SECURITY_ROLE_NAMES, + getT1Analyst, +} from '../../../../scripts/endpoint/common/roles_users'; import type { SecurityTestUser } from '../common/constants'; import { KIBANA_KNOWN_DEFAULT_ACCOUNTS } from '../common/constants'; import { COMMON_API_HEADERS, request } from './common'; @@ -33,6 +36,15 @@ interface CyLoginTask { * @param role */ withCustomRole(role: Role): ReturnType; + + /** + * Creates a role with the provided Kibana privileges, and basic ES/index privileges, + * then creates a user and logs in with the new user. + * @param kibanaPrivileges + */ + withCustomKibanaPrivileges( + kibanaPrivileges: FeaturesPrivileges + ): ReturnType; } /** @@ -103,6 +115,22 @@ login.withCustomRole = (role: Role): ReturnType => { }); }; +login.withCustomKibanaPrivileges = (kibanaPrivileges: FeaturesPrivileges) => { + const base = getT1Analyst(); + + const customRole: typeof base = { + ...base, + kibana: [ + { + ...base.kibana[0], + feature: kibanaPrivileges, + }, + ], + }; + + return login.withCustomRole({ name: 'customRole', ...customRole }); +}; + /** * Send login via API * @param username
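Review bot: `login.withCustomKibanaPrivileges` spreads `base.kibana[0]` from `getT1Analyst()`, so whatever `base` and `spaces` values that entry holds are carried into the custom role. Every caller's negative assertion assumes they add no access beyond `kibanaPrivileges`; `getT1Analyst` is not shown in this patch, so this may already hold. The JSDoc on the interface member could state it, e.g. `Elasticsearch/index privileges and the Kibana spaces are inherited from the T1 analyst role; only the feature privileges are replaced.` The role is also always named `customRole`, so specs sharing a stack overwrite one another's role. Separately, the arrow function lacks the explicit return type that `login.withCustomRole` declares.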