diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index 0917168e47ae2..bab6e64a97554 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml @@ -27,9 +27,25 @@ xpack.features.overrides: siem.description: null siemV2.description: null siemV3.description: null + siemV4.description: null securitySolutionSiemMigrations.hidden: true ## Fine-tune the security solution essentials feature privileges. These feature privilege overrides are set individually for each project type. Also, refer to `serverless.yml` for the project-agnostic overrides. + siemV4: + privileges: + all.composedOf: + ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten + ## We do not need to compose siemV4 from maps and visualizations because these functionalities are disabled in this tier + - feature: "discover_v2" + privileges: [ "all" ] + ## We need limited access to fleet (v1) in order to use integrations + - feature: "fleet" + privileges: [ "all" ] + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "fleet" + privileges: [ "read" ] siemV3: privileges: all.composedOf: diff --git a/config/serverless.security.yml b/config/serverless.security.yml index 8606a47c27b57..eb3839c0fec01 100644 --- a/config/serverless.security.yml +++ b/config/serverless.security.yml 
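Review bot: The comment on the `fleet` entry under `siemV4.privileges.all.composedOf` says "limited access to fleet (v1)", but the entry grants `privileges: [ "all" ]`, so every role with Security `All` in this tier also receives Fleet `All`. If the limitation is enforced somewhere else, the comment should name that place; nothing in this hunk shows it. If it is not, composing from a narrower Fleet privilege would match the stated intent. Suggested wording for the first case: `## Grants Fleet "all" so integrations can be used; the restriction is applied in <location, not visible in this diff>`.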
@@ -29,6 +29,33 @@ xpack.features.overrides: category: "security" order: 1102 ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. + siemV4: + privileges: + ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and + ### Visualize features. + all.composedOf: + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "dashboard_v2" + privileges: [ "all" ] + - feature: "visualize_v2" + privileges: [ "all" ] + - feature: "maps_v2" + privileges: [ "all" ] + # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and + # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover, + ### Dashboard, and Visualize apps. + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "dashboard_v2" + privileges: [ "read" ] + - feature: "visualize_v2" + privileges: [ "read" ] + - feature: "maps_v2" + privileges: [ "read" ] + + ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. siemV3: privileges: ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and diff --git a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts index 58a5bcb2307d7..8dc675eb277a5 100644 --- a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts @@ -8,7 +8,7 @@ import { deepFreeze } from '@kbn/std'; import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; -export const SECURITY_SOLUTION_APP_ID = 'siemV3'; +export const SECURITY_SOLUTION_APP_ID = 'siemV4'; export interface PrivilegeMapObject { appId: string; 
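Review bot: The comment above `read.composedOf` in the new `siemV4` block says Security `Read` also grants the privilege to create short URLs in Discover, Dashboard and Visualize, but the list under it composes only `[ "read" ]` on each feature. Either the sentence is stale (it looks carried over with the block) or a sub-feature privilege is missing from the list. Because this file defines what a Security role receives implicitly, the comment should describe the list exactly. The same three comment lines also mix `#` and `###` markers, unlike the `all.composedOf` comment above them.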
diff --git a/x-pack/platform/test/api_integration/apis/features/features/features.ts b/x-pack/platform/test/api_integration/apis/features/features/features.ts index b4c1fa73c8d19..5e266a4349564 100644 --- a/x-pack/platform/test/api_integration/apis/features/features/features.ts +++ b/x-pack/platform/test/api_integration/apis/features/features/features.ts @@ -134,7 +134,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchSynonyms', 'searchQueryRules', 'searchPlayground', - 'siemV3', + 'siemV4', 'slo', 'streams', 'securitySolutionAssistant', diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index 294e4f21a7d1b..72f479c3847bf 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts @@ -120,6 +120,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', @@ -148,6 +150,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', 
@@ -176,6 +180,38 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', + 'policy_management_all', + 'policy_management_read', + 'actions_log_management_all', + 'actions_log_management_read', + 'host_isolation_all', + 'process_operations_all', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + ], + siemV4: [ + 'all', + 'read', + 'minimal_all', + 'minimal_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'workflow_insights_all', + 'workflow_insights_read', + 'global_artifact_management_all', + 'trusted_applications_all', + 'trusted_applications_read', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'blocklist_all', + 'blocklist_read', + 'event_filters_all', + 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index 9107e35f934f9..7a1278cf60f77 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts @@ -59,6 +59,7 @@ export default function ({ getService }: FtrProviderContext) { siem: ['all', 'read', 'minimal_all', 'minimal_read'], siemV2: ['all', 'read', 'minimal_all', 'minimal_read'], siemV3: ['all', 'read', 'minimal_all', 'minimal_read'], + siemV4: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'], 
@@ -222,6 +223,8 @@ export default function ({ getService }: FtrProviderContext) { 'all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', @@ -248,6 +251,8 @@ export default function ({ getService }: FtrProviderContext) { 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', @@ -276,6 +281,38 @@ export default function ({ getService }: FtrProviderContext) { 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'event_filters_all', + 'event_filters_read', + 'host_isolation_all', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'minimal_all', + 'minimal_read', + 'policy_management_all', + 'policy_management_read', + 'process_operations_all', + 'read', + 'trusted_applications_all', + 'trusted_applications_read', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + 'workflow_insights_all', + 'workflow_insights_read', + ], + siemV4: [ + 'actions_log_management_all', + 'actions_log_management_read', + 'all', + 'global_artifact_management_all', + 'blocklist_all', + 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', diff --git a/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts index 3f5f7cb413933..aa98363bab740 100644 --- a/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts +++ b/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts 
@@ -191,6 +191,7 @@ export default function ({ getService }: FtrProviderContext) { "securitySolutionCasesV2", "siem", "siemV2", + "siemV3", "visualize", ] `); diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts index e5874255d6eaa..fc1b84a37f807 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts @@ -94,7 +94,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts index c019639aa6102..01231eeab81b3 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts @@ -98,7 +98,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts index 3b32398e3c544..218051462a6ef 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts @@ -86,7 +86,7 @@ const ALL_SPACE_RESULTS: Space[] = [ 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', 
diff --git a/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts b/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts index d6de7da504a2a..b96a82a904479 100644 --- a/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts +++ b/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts @@ -96,6 +96,7 @@ export default function ({ getService }: FtrProviderContext) { siem: 0, siemV2: 0, siemV3: 0, + siemV4: 0, securitySolutionCases: 0, securitySolutionCasesV2: 0, securitySolutionCasesV3: 0, diff --git a/x-pack/solutions/security/packages/features/product_features.ts b/x-pack/solutions/security/packages/features/product_features.ts index 1649458e866d1..c830fdbb3d456 100644 --- a/x-pack/solutions/security/packages/features/product_features.ts +++ b/x-pack/solutions/security/packages/features/product_features.ts @@ -6,7 +6,12 @@ */ export { getCasesFeature, getCasesV2Feature, getCasesV3Feature } from './src/cases'; -export { getSecurityFeature, getSecurityV2Feature, getSecurityV3Feature } from './src/security'; +export { + getSecurityFeature, + getSecurityV2Feature, + getSecurityV3Feature, + getSecurityV4Feature, +} from './src/security'; export { getAssistantFeature } from './src/assistant'; export { getAttackDiscoveryFeature } from './src/attack_discovery'; export { getTimelineFeature } from './src/timeline'; diff --git a/x-pack/solutions/security/packages/features/src/constants.ts b/x-pack/solutions/security/packages/features/src/constants.ts index 059e3f3162200..782054a3157c5 100644 --- a/x-pack/solutions/security/packages/features/src/constants.ts +++ b/x-pack/solutions/security/packages/features/src/constants.ts 
@@ -13,6 +13,8 @@ export const SERVER_APP_ID = 'siem' as const; export const SECURITY_FEATURE_ID_V2 = 'siemV2' as const; // New version for 9.1. export const SECURITY_FEATURE_ID_V3 = 'siemV3' as const; +// New version for 9.2. +export const SECURITY_FEATURE_ID_V4 = 'siemV4' as const; /** * @deprecated deprecated in 8.17. Use CASE_FEATURE_ID_V2 instead diff --git a/x-pack/solutions/security/packages/features/src/security/index.ts b/x-pack/solutions/security/packages/features/src/security/index.ts index b0a01d9e9b5b5..90d72f4ef50a5 100644 --- a/x-pack/solutions/security/packages/features/src/security/index.ts +++ b/x-pack/solutions/security/packages/features/src/security/index.ts @@ -25,6 +25,11 @@ import { import { securityDefaultProductFeaturesConfig } from './product_feature_config'; import { securityV1ProductFeaturesConfig } from './v1_features/product_feature_config'; import { securityV2ProductFeaturesConfig } from './v2_features/product_feature_config'; +import { getSecurityV4BaseKibanaFeature } from './v4_features/kibana_features'; +import { + getSecurityV4BaseKibanaSubFeatureIds, + getSecurityV4SubFeaturesMap, +} from './v4_features/kibana_sub_features'; export const getSecurityFeature = ( params: SecurityFeatureParams @@ -52,3 +57,12 @@ export const getSecurityV3Feature = ( subFeaturesMap: getSecurityV3SubFeaturesMap(params), productFeatureConfig: securityDefaultProductFeaturesConfig, }); + +export const getSecurityV4Feature = ( + params: SecurityFeatureParams +): ProductFeatureParams => ({ + baseKibanaFeature: getSecurityV4BaseKibanaFeature(params), + baseKibanaSubFeatureIds: getSecurityV4BaseKibanaSubFeatureIds(params), + subFeaturesMap: getSecurityV4SubFeaturesMap(params), + productFeatureConfig: securityDefaultProductFeaturesConfig, +}); diff --git a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts index 7627297beef89..428d1a066d92d 100644 
--- a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts
@@ -663,7 +663,10 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 ),
 description: i18n.translate(
 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description',
- { defaultMessage: 'Manage Endpoint Exceptions.' }
+ {
+ defaultMessage:
+ 'Reduce false positive alerts, and keep Elastic Defend from blocking standard processes.',
+ }
 ),
 privilegeGroups: [
 {
@@ -671,25 +674,31 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 id: 'endpoint_exceptions_all',
- includeIn: 'all',
+ includeIn: 'none',
 name: TRANSLATIONS.all,
 savedObject: {
- all: [],
+ all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
 read: [],
 },
 ui: ['showEndpointExceptions', 'crudEndpointExceptions'],
- api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`],
+ api: [
+ 'lists-all',
+ 'lists-read',
+ 'lists-summary',
+ `${APP_ID}-showEndpointExceptions`,
+ `${APP_ID}-crudEndpointExceptions`,
+ ],
 },
 {
 id: 'endpoint_exceptions_read',
- includeIn: 'read',
+ includeIn: 'none',
 name: TRANSLATIONS.read,
 savedObject: {
 all: [],
 read: [],
 },
 ui: ['showEndpointExceptions'],
- api: [`${APP_ID}-showEndpointExceptions`],
+ api: ['lists-read', 'lists-summary', `${APP_ID}-showEndpointExceptions`],
 },
 ],
 },
diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
index 73a95b1ff4f30..e7a80965433d7 100644
--- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
+++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
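Review bot: `endpoint_exceptions_all` now carries `savedObject.all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC]` and the generic `lists-all` API tag, and nothing visible in this hunk scopes either one to endpoint exceptions. If that saved-object type and API tag are shared with other artifact lists (the names suggest so), a role holding only this sub-feature privilege relies entirely on route-level checks such as `${APP_ID}-crudEndpointExceptions` to stay out of those lists. A test asserting that such a role cannot write another artifact type would be worth adding. The two privileges are also asymmetric: `endpoint_exceptions_read` gains `lists-read` and `lists-summary` but keeps `savedObject.read: []`, so a one-line comment saying where read access to the saved objects comes from would show this is deliberate. Both hunks sit inside `endpointExceptionsSubFeature`, whose body continues outside them.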
@@ -167,4 +167,8 @@ export const securityDefaultProductFeaturesConfig: SecurityProductFeaturesConfig SecuritySubFeatureId.globalArtifactManagement, ], }, + + [ProductFeatureSecurityKey.endpointExceptions]: { + subFeatureIds: [SecuritySubFeatureId.endpointExceptions], + }, }; diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index ffaccf854768a..675fb543847cc 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -23,7 +23,7 @@ import { SERVER_APP_ID, LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, - SECURITY_FEATURE_ID_V3, + SECURITY_FEATURE_ID_V4, TIMELINE_FEATURE_ID, NOTES_FEATURE_ID, } from '../../constants'; @@ -57,7 +57,7 @@ export const getSecurityBaseKibanaFeature = ({ defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', values: { currentId: SERVER_APP_ID, - latestId: SECURITY_FEATURE_ID_V3, + latestId: SECURITY_FEATURE_ID_V4, }, } ), 
@@ -91,14 +91,14 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ { feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] },
 ],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
@@ -141,12 +141,14 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ { feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] },
 ],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts
index 7739b850aff79..a0303ed1c53c0 100644
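Review bot: The `replacedBy` targets in `getSecurityBaseKibanaFeature` now point at `SECURITY_FEATURE_ID_V4`, where this commit sets the endpoint exceptions sub-feature privileges to `includeIn: 'none'`, so a legacy `all` or `read` grant no longer implies endpoint exceptions access through this mapping alone. The new comment defers to productFeaturesExtensions, which are not part of this diff, so the effective privileges of a migrated role cannot be checked from here. A test that resolves a role holding only the deprecated privilege and asserts the exact siemV4 privilege set, with nothing dropped and nothing extra, would pin this down. The same applies to the `replacedBy` hunks in `v2_features/kibana_features.ts` and `v3_features/kibana_features.ts`. The function body continues outside these hunks.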
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -6,7 +6,7 @@ */ import type { SubFeatureConfig } from '@kbn/features-plugin/common'; -import { SECURITY_FEATURE_ID_V3 } from '../../../constants'; +import { SECURITY_FEATURE_ID_V4 } from '../../../constants'; import { SecuritySubFeatureId } from '../../product_features_keys'; import type { SecurityFeatureParams } from '../types'; import type { SubFeatureReplacements } from '../../types'; 
@@ -28,44 +28,44 @@ import { } from '../kibana_sub_features'; const replacements: Partial> = { - [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.endpointExceptions]: [ - { - feature: SECURITY_FEATURE_ID_V3, - additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, - }, - ], + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedApplications]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { trusted_applications_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { host_isolation_exceptions_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.blocklist]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { blocklist_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.eventFilters]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], - [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.endpointExceptions]: [ + { + feature: SECURITY_FEATURE_ID_V4, + additionalPrivileges: { endpoint_exceptions_all: 
['global_artifact_management_all'] }, + }, + ], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], }; /** @@ -85,11 +85,11 @@ export const getSecuritySubFeaturesMap = ({ }: SecurityFeatureParams): Map => { const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature()], [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index 990d4c6189939..aaf390b96b83b 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts 
@@ -24,7 +24,7 @@ import {
 LEGACY_NOTIFICATIONS_ID,
 CLOUD_POSTURE_APP_ID,
 SERVER_APP_ID,
- SECURITY_FEATURE_ID_V3,
+ SECURITY_FEATURE_ID_V4,
 } from '../../constants';
 import type { SecurityFeatureParams } from '../types';
 import type { BaseKibanaFeatureConfig } from '../../types';
@@ -56,7 +56,7 @@ export const getSecurityV2BaseKibanaFeature = ({
 defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.',
 values: {
 currentId: SECURITY_FEATURE_ID_V2,
- latestId: SECURITY_FEATURE_ID_V3,
+ latestId: SECURITY_FEATURE_ID_V4,
 },
 }
 ),
@@ -87,14 +87,10 @@ export const getSecurityV2BaseKibanaFeature = ({
 privileges: {
 all: {
 replacedBy: {
- default: [
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] },
- ],
- minimal: [
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] },
- ],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
 catalogue: [APP_ID],
@@ -114,8 +110,10 @@ export const getSecurityV2BaseKibanaFeature = ({ }, read: { replacedBy: { - default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }], + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }], + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index a1429816440a1..1c1cec77f56af 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -8,7 +8,7 @@ import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { SecuritySubFeatureId } from '../../product_features_keys'; -import { SECURITY_FEATURE_ID_V3 } from '../../constants'; +import { SECURITY_FEATURE_ID_V4 } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import { endpointListSubFeature, 
@@ -31,46 +31,46 @@ import type { SubFeatureReplacements } from '../../types'; import { addSubFeatureReplacements } from '../../utils'; const replacements: Partial> = { - [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.endpointExceptions]: [ - { - feature: SECURITY_FEATURE_ID_V3, - additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, - }, - ], - [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedApplications]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { trusted_applications_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { host_isolation_exceptions_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.blocklist]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { blocklist_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.eventFilters]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], - [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.processOperations]: [{ feature: 
SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.endpointExceptions]: [ + { + feature: SECURITY_FEATURE_ID_V4, + additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, + }, + ], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], }; /** @@ -91,7 +91,6 @@ export const getSecurityV2SubFeaturesMap = ({ const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [ SecuritySubFeatureId.globalArtifactManagement, globalArtifactManagementSubFeature(experimentalFeatures), 
@@ -100,6 +99,7 @@ export const getSecurityV2SubFeaturesMap = ({ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts index dd55680a2caa9..cfd69bc230411 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts @@ -24,6 +24,7 @@ import { LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, SERVER_APP_ID, + SECURITY_FEATURE_ID_V4, } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import type { BaseKibanaFeatureConfig } from '../../types'; @@ -48,6 +49,19 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV3BaseKibanaFeature = ({ savedObjects, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + deprecated: { + notice: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage', + { + defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', + values: { + currentId: SECURITY_FEATURE_ID_V3, + latestId: SECURITY_FEATURE_ID_V4, + }, + } + ), + }, + id: SECURITY_FEATURE_ID_V3, name: i18n.translate( 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', 
@@ -72,6 +86,12 @@ export const getSecurityV3BaseKibanaFeature = ({ ), privileges: { all: { + replacedBy: { + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }], + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], @@ -89,6 +109,12 @@ export const getSecurityV3BaseKibanaFeature = ({ ui: ['show', 'crud'], }, read: { + replacedBy: { + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }], + // note: ESS/serverless specific productFeaturesExtensions modify this privilege array + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-read'], diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index d8533d425b4e9..ce86cc4aa933e 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
@@ -26,6 +26,28 @@ import { workflowInsightsSubFeature, trustedDevicesSubFeature, } from '../kibana_sub_features'; +import type { SubFeatureReplacements } from '../../types'; +import { SECURITY_FEATURE_ID_V4 } from '../../constants'; +import { addSubFeatureReplacements } from '../../utils'; + +const replacements: Partial> = { + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.trustedApplications]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.trustedDevices]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.blocklist]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.eventFilters]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.endpointExceptions]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], +}; /** * Sub-features that will always be available for Security 
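Review bot: The `replacements` map added in this hunk is a hand-maintained copy of the ids in `securitySubFeaturesList`, and the `if (featureReplacements)` guard in the later `@@ -68,6 +90,11 @@` hunk silently skips any id that has no entry. A sub-feature added to the list later and forgotten in the map would, as far as these hunks show, get no siemV4 replacement, so a migrated role could end up with different privileges than intended. A unit test asserting that every id in `securitySubFeaturesList` has a `replacements` entry would catch this, or the lookup could throw on a miss. Unlike the V2 map earlier in this diff, `endpointExceptions` carries no `additionalPrivileges` here; a one-line comment saying why would help the next reader.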
@@ -45,7 +67,6 @@ export const getSecurityV3SubFeaturesMap = ({ const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [ SecuritySubFeatureId.globalArtifactManagement, globalArtifactManagementSubFeature(experimentalFeatures), @@ -55,6 +76,7 @@ export const getSecurityV3SubFeaturesMap = ({ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], @@ -68,6 +90,11 @@ export const getSecurityV3SubFeaturesMap = ({ securitySubFeaturesList.map(([id, originalSubFeature]) => { let subFeature = originalSubFeature; + const featureReplacements = replacements[id]; + if (featureReplacements) { + subFeature = addSubFeatureReplacements(subFeature, featureReplacements); + } + // If the feature is space-aware, we need to set false to the requireAllSpaces flag and remove the privilegesTooltip if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { subFeature = { ...subFeature, requireAllSpaces: false, privilegesTooltip: undefined }; diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts new file mode 100644 index 0000000000000..315d01066ddfe --- /dev/null +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts 
@@ -0,0 +1,113 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; + +import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; +import { + EQL_RULE_TYPE_ID, + ESQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, +} from '@kbn/securitysolution-rules'; +import { + APP_ID, + SECURITY_FEATURE_ID_V4, + LEGACY_NOTIFICATIONS_ID, + CLOUD_POSTURE_APP_ID, + SERVER_APP_ID, +} from '../../constants'; +import type { SecurityFeatureParams } from '../types'; +import type { BaseKibanaFeatureConfig } from '../../types'; + +const SECURITY_RULE_TYPES = [ + LEGACY_NOTIFICATIONS_ID, + ESQL_RULE_TYPE_ID, + EQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, +]; + +const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ + ruleTypeId, + consumers: [SERVER_APP_ID], +})); + +export const getSecurityV4BaseKibanaFeature = ({ + savedObjects, +}: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + id: SECURITY_FEATURE_ID_V4, + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', + { + defaultMessage: 'Security', + } + ), + order: 1100, + category: DEFAULT_APP_CATEGORIES.security, + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + management: { + insightsAndAlerting: ['triggersActions'], + }, + alerting: alertingFeatures, + description: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.securityGroupDescription', + { + defaultMessage: + "Each sub-feature privilege in this group must be assigned individually. 
Global assignment is only supported if your pricing plan doesn't allow individual feature privileges.", + } + ), + privileges: { + all: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], + savedObject: { + all: ['alert', ...savedObjects], + read: [], + }, + alerting: { + rule: { all: alertingFeatures }, + alert: { all: alertingFeatures }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show', 'crud'], + }, + read: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-read'], + savedObject: { + all: [], + read: [...savedObjects], + }, + alerting: { + rule: { + read: alertingFeatures, + }, + alert: { + all: alertingFeatures, + }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show'], + }, + }, +}); diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts new file mode 100644 index 0000000000000..04bb8c69afc31 --- /dev/null +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts 
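Review bot: In the new `read` privilege the `alerting` block grants `alert: { all: alertingFeatures }` while `rule` is only `read`, so a role holding Security `read` gets write-level alert access for every security rule type. This may be carried over on purpose from the V3 definition, whose alerting block is not visible in this diff. If it is intended, put a comment stating the reason next to that line, so a later audit of the privilege set does not mistake it for a copy-paste slip. If it is not intended, `alert: { read: alertingFeatures }` would match the rest of the block. `SECURITY_RULE_TYPES` and `alertingFeatures` are also redeclared here although the v3 file's hunk header shows the same `alertingFeatures` declaration, so a shared export is worth considering.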
@@ -0,0 +1,86 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { SubFeatureConfig } from '@kbn/features-plugin/common'; +import { SecuritySubFeatureId } from '../../product_features_keys'; +import type { SecurityFeatureParams } from '../types'; +import { + endpointListSubFeature, + endpointExceptionsSubFeature, + globalArtifactManagementSubFeature, + trustedApplicationsSubFeature, + hostIsolationExceptionsBasicSubFeature, + blocklistSubFeature, + eventFiltersSubFeature, + policyManagementSubFeature, + responseActionsHistorySubFeature, + hostIsolationSubFeature, + processOperationsSubFeature, + fileOperationsSubFeature, + executeActionSubFeature, + scanActionSubFeature, + workflowInsightsSubFeature, + trustedDevicesSubFeature, +} from '../kibana_sub_features'; + +/** + * Sub-features that will always be available for Security + * regardless of the product type. + */ +export const getSecurityV4BaseKibanaSubFeatureIds = ( + { experimentalFeatures }: SecurityFeatureParams // currently un-used, but left here as a convenience for possible future use +): SecuritySubFeatureId[] => []; + +/** + * Defines all the Security Assistant subFeatures available. 
+ * The order of the subFeatures is the order they will be displayed + */ +export const getSecurityV4SubFeaturesMap = ({ + experimentalFeatures, +}: SecurityFeatureParams): Map => { + const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ + [SecuritySubFeatureId.endpointList, endpointListSubFeature()], + [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], + [ + SecuritySubFeatureId.globalArtifactManagement, + globalArtifactManagementSubFeature(experimentalFeatures), + ], + [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature()], + [SecuritySubFeatureId.trustedDevices, trustedDevicesSubFeature()], + [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], + [SecuritySubFeatureId.blocklist, blocklistSubFeature()], + [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], + [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], + [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], + [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], + [SecuritySubFeatureId.processOperations, processOperationsSubFeature()], + [SecuritySubFeatureId.fileOperations, fileOperationsSubFeature()], + [SecuritySubFeatureId.executeAction, executeActionSubFeature()], + [SecuritySubFeatureId.scanAction, scanActionSubFeature()], + ]; + + const securitySubFeaturesMap = new Map( + securitySubFeaturesList.map(([id, originalSubFeature]) => { + let subFeature = originalSubFeature; + + // If the feature is space-aware, we need to set false to the requireAllSpaces flag and remove the privilegesTooltip + if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { + subFeature = { ...subFeature, requireAllSpaces: false, privilegesTooltip: undefined }; + } + + return [id, subFeature]; + }) + ); + + // Remove disabled experimental features + if 
(!experimentalFeatures.trustedDevices) { + securitySubFeaturesMap.delete(SecuritySubFeatureId.trustedDevices); + } + + return Object.freeze(securitySubFeaturesMap); +}; diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts index b1b7f9298e31c..9178df8e5b867 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts @@ -5,4 +5,4 @@ * 2.0. */ -export const SECURITY_FEATURE_ID = 'siemV3'; +export const SECURITY_FEATURE_ID = 'siemV4'; diff --git a/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts b/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts index 7fb7a82d5368f..66081eec3c2fa 100755 --- a/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts +++ b/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts @@ -6,7 +6,7 @@ */ export { - SECURITY_FEATURE_ID_V3 as SECURITY_FEATURE_ID, + SECURITY_FEATURE_ID_V4 as SECURITY_FEATURE_ID, CASES_FEATURE_ID_V3 as CASES_FEATURE_ID, } from '@kbn/security-solution-features/constants'; diff --git a/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js b/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js index 19fdd23c067e9..ba9d479c66111 100644 --- a/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js +++ b/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js @@ -15,6 +15,7 @@ const axios = require('axios'); const puppeteer = require('puppeteer'); const { faker } = require('@faker-js/faker'); +const { SECURITY_FEATURE_ID } = require('../common/constants'); // CLI args: number of users to create and optional --no-assistant flag const args = process.argv.slice(2); 
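Review bot: `Object.freeze(securitySubFeaturesMap)` at the end of `getSecurityV4SubFeaturesMap` does not make the returned Map immutable, because `set`, `delete` and `clear` act on the Map's internal entries rather than on own properties. A caller that receives the map can still add or remove sub-feature entries. If immutability is the goal, declare the return type as a `ReadonlyMap` so the compiler rejects mutation, and treat the freeze as a hint only. The doc comment above the function also says "Security Assistant subFeatures", which looks copied from another feature; `Defines all the Security subFeatures available.` would match this file.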
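Review bot: The added `require('../common/constants')` in create_and_login_users.js points at a TypeScript module, which this diff shows re-exporting from `@kbn/security-solution-features/constants`. The script therefore only works when started through a loader that transpiles TypeScript and resolves `@kbn/*` packages. The other requires in this hunk are plain npm packages, which suggests the script may be run with bare `node`; if so, it would now fail at startup. Either document the required launcher in the script's header comment, or keep the literal role key and add `// keep in sync with SECURITY_FEATURE_ID` beside it.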
@@ -96,7 +97,7 @@ const createRestrictedRole = async (roleName) => { onechat: ['all'], uptime: ['all'], observabilityCasesV3: ['all'], - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionCasesV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], diff --git a/x-pack/solutions/security/plugins/security_solution/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/common/constants.ts index d8e64cbbd4fdb..7f82e5d9ecb2f 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/constants.ts @@ -25,7 +25,7 @@ export const CASES_FEATURE_ID = 'securitySolutionCasesV3' as const; export const TIMELINE_FEATURE_ID = 'securitySolutionTimeline' as const; export const NOTES_FEATURE_ID = 'securitySolutionNotes' as const; export const SERVER_APP_ID = 'siem' as const; -export const SECURITY_FEATURE_ID = 'siemV3' as const; +export const SECURITY_FEATURE_ID = 'siemV4' as const; export const APP_NAME = 'Security' as const; export const APP_ICON_SOLUTION = 'logoSecurity' as const; export const APP_PATH = `/app/security` as const; diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx index 3af84ce87fa51..580568ca94d63 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx 
@@ -11,12 +11,13 @@ import { fireEvent, render, screen, waitFor } from '@testing-library/react'; import React from 'react'; import { History } from '.'; -import { ATTACK_DISCOVERY_PATH } from '../../../../../common/constants'; +import { ATTACK_DISCOVERY_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants'; import { TestProviders } from '../../../../common/mock'; import { mockHistory } from '../../../../common/utils/route/mocks'; import { getMockAttackDiscoveryAlerts } from '../../mock/mock_attack_discovery_alerts'; import { useFindAttackDiscoveries } from '../../use_find_attack_discoveries'; import { useGetAttackDiscoveryGenerations } from '../../use_get_attack_discovery_generations'; +import { useKibana as mockUseKibana } from '../../../../common/lib/kibana'; jest.mock('react-router-dom', () => ({ ...jest.requireActual('react-router-dom'), @@ -34,40 +35,7 @@ jest.mock('react-router-dom-v5-compat', () => ({ jest.mock('../../../../common/lib/kibana', () => ({ useDateFormat: jest.fn(), - useKibana: jest.fn(() => ({ - services: { - application: { - capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, - siemV3: { configurations: true }, - }, - navigateToUrl: jest.fn(), - }, - cases: { - helpers: { - canUseCases: jest.fn().mockReturnValue({ - all: true, - connectors: true, - create: true, - delete: true, - push: true, - read: true, - settings: true, - update: true, - }), - }, - hooks: { - useCasesAddToExistingCase: jest.fn(), - useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), - useCasesAddToNewCaseFlyout: jest.fn(), - }, - ui: { getCasesContext: mockCasesContext }, - }, - theme: { - getTheme: jest.fn().mockReturnValue({ darkMode: false }), - }, - }, - })), + useKibana: jest.fn(), useToasts: jest.fn(() => ({ addError: jest.fn(), addSuccess: jest.fn(), 
@@ -77,6 +45,40 @@ jest.mock('../../../../common/lib/kibana', () => ({ })), })); +(mockUseKibana as jest.Mock).mockReturnValue({ + services: { + application: { + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true, configurations: true }, + }, + navigateToUrl: jest.fn(), + }, + cases: { + helpers: { + canUseCases: jest.fn().mockReturnValue({ + all: true, + connectors: true, + create: true, + delete: true, + push: true, + read: true, + settings: true, + update: true, + }), + }, + hooks: { + useCasesAddToExistingCase: jest.fn(), + useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), + useCasesAddToNewCaseFlyout: jest.fn(), + }, + ui: { getCasesContext: mockCasesContext }, + }, + theme: { + getTheme: jest.fn().mockReturnValue({ darkMode: false }), + }, + }, +}); + jest.mock('../../use_dismiss_attack_discovery_generations', () => ({ useDismissAttackDiscoveryGeneration: jest.fn().mockReturnValue({ dismiss: jest.fn(), diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts index f7d402bdc4f62..2855db950522b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts @@ -30,9 +30,10 @@ export const SIEM_VERSIONS = [ // deprecated siem versions 'siem', 'siemV2', + 'siemV3', // actual version, should equal to SECURITY_FEATURE_ID - 'siemV3', + 'siemV4', ] as const; export type SiemVersion = (typeof SIEM_VERSIONS)[number]; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts index 1fd8fa1ca0685..0e57b9fa786f8 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts @@ -21,5 +21,8 @@ describe( }, }, - getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedDevices'), ['siemV3']) + getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedDevices'), [ + 'siemV3', + 'siemV4', + ]) ); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index c5b25dab080a5..2f719b8bafcb5 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
@@ -66,6 +66,7 @@ describe( 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', 'Event Filters Filter out endpoint events that you do not need or want stored in Elasticsearch.Event Filters sub-feature privilegeAllReadNone', + 'Endpoint Exceptions Reduce false positive alerts, and keep Elastic Defend from blocking standard processes.Endpoint Exceptions sub-feature privilegeAllReadNone', 'Elastic Defend Policy Management Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.Elastic Defend Policy Management sub-feature privilegeAllReadNone', 'Response Actions History Access the history of response actions performed on endpoints.Response Actions History sub-feature privilegeAllReadNone', 'Host Isolation Perform the "isolate" and "release" response actions.Host Isolation sub-feature privilegeAllNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 80871ec94a4c1..fbc34c3660975 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -101,9 +101,7 @@ describe( return features; }) - // Using `include.members` here because in serverless, an additional privilege shows - // up in this list - `Endpoint exceptions`. - .should('include.members', [ + .should('deep.equal', [ 'Endpoint ListAll', 'Automatic TroubleshootingNone', 'Global Artifact ManagementNone', @@ -112,6 +110,7 @@ describe( 'Host Isolation ExceptionsNone', 'BlocklistNone', 'Event FiltersNone', + 'Endpoint ExceptionsNone', 'Elastic Defend Policy ManagementNone', 'Response Actions HistoryNone', 'Host IsolationAll', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts index ccc2c1468aa8e..d4bb91b250427 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts @@ -11,7 +11,6 @@ import { login, ROLE } from '../../tasks/login'; import { loadPage } from '../../tasks/common'; import type { SiemVersion } from '../../common/constants'; import { SIEM_VERSIONS } from '../../common/constants'; -import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; describe( 'Navigation RBAC', @@ -52,7 +51,7 @@ describe( name: 'Trusted devices', privilegePrefix: 'trusted_devices_', selector: Selectors.TRUSTED_DEVICES, - siemVersions: [SECURITY_FEATURE_ID as SiemVersion], // Only available in siemV3 + siemVersions: ['siemV3', 'siemV4'], // Only available starting siemV3 }, { name: 'Event filters', diff --git a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/service/capabilities.ts b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/service/capabilities.ts index b023141c421e0..a7803c41b0433 100644 
--- a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/service/capabilities.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/common/service/capabilities.ts @@ -6,12 +6,10 @@ */ import type { Capabilities } from '@kbn/core/public'; -import { - SECURITY_FEATURE_ID_V3, - SIEM_MIGRATIONS_FEATURE_ID, -} from '@kbn/security-solution-features/constants'; +import { SIEM_MIGRATIONS_FEATURE_ID } from '@kbn/security-solution-features/constants'; import { i18n } from '@kbn/i18n'; import { CapabilitiesChecker } from '../../../common/lib/capabilities'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export interface MissingCapability { capability: string; @@ -20,7 +18,7 @@ export interface MissingCapability { const minimumCapabilities: MissingCapability[] = [ { - capability: `${SECURITY_FEATURE_ID_V3}.show`, + capability: `${SECURITY_FEATURE_ID}.show`, description: i18n.translate( 'xpack.securitySolution.siemMigrations.service.capabilities.securityAll', { defaultMessage: 'Security > Security: Read' } @@ -37,7 +35,7 @@ const minimumCapabilities: MissingCapability[] = [ const allCapabilities: MissingCapability[] = [ { - capability: `${SECURITY_FEATURE_ID_V3}.crud`, + capability: `${SECURITY_FEATURE_ID}.crud`, description: i18n.translate( 'xpack.securitySolution.siemMigrations.service.capabilities.securityAll', { defaultMessage: 'Security > Security: All' } diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts index 61e4bc9e0d667..31b50395e3852 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts 
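Review bot: Both capability entries touched in capabilities.ts pass the same i18n id, `xpack.securitySolution.siemMigrations.service.capabilities.securityAll`, with different default messages. The `.show` entry in the `@@ -20,7 +18,7 @@` hunk uses `Security > Security: Read`, and the `.crud` entry in the `@@ -37,7 +35,7 @@` hunk uses `Security > Security: All`. A translated locale can hold only one string per id, so the missing-privilege text shown to a user may name the wrong privilege level. Since these lines are being edited anyway, give the read entry its own id, for example `xpack.securitySolution.siemMigrations.service.capabilities.securityRead`. Both arrays continue outside the hunks.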
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getDetectionsAdmin: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getDetectionsAdmin: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all', 'global_artifact_management_all'], + siemV3: ['all', 'global_artifact_management_all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 2b34518df8179..54096048b330b 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts @@ -6,7 +6,6 @@ */ import type { Role } from '@kbn/security-plugin/common'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointOperationsAnalyst: () => Omit = () => { // IMPORTANT @@ -60,7 +59,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { osquery: ['all'], securitySolutionCasesV3: ['all'], builtinAlerts: ['all'], - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 825d20bc992db..82de13966b770 100644 
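Review bot: The role definition in the `@@ -18,7 +17,7 @@` hunk of detections_admin.ts now hard-codes `siemV3`, the feature id this same commit marks as deprecated, and drops the `SECURITY_FEATURE_ID` import without saying why. If the intent is to keep these script roles on the deprecated id so the `replacedBy` mapping to siemV4 is exercised, state it, for example `// pinned to deprecated siemV3 on purpose: relies on replacedBy -> siemV4`; otherwise the roles should follow `SECURITY_FEATURE_ID`. Until that is written down, a reader cannot tell whether these roles are expected to receive the new Endpoint Exceptions sub-feature privilege. The same change is repeated in the other roles_users files in this diff: endpoint_operations_analyst, endpoint_security_policy_manager, hunter, platform_engineer, rule_author, soc_manager, t1_analyst, t2_analyst, t3_analyst, threat_intelligence_analyst, with_artifact_read_privileges_role and with_response_actions_role.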
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointSecurityPolicyManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', @@ -49,7 +48,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getHunter: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index 3c9a4205e23ff..3f181c4c1fad3 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts 
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getPlatformEngineer: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getPlatformEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index c4fcd7592bbb7..64f5af2cc590a 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getRuleAuthor: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getRuleAuthor: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index 50d3dc5694a65..8fe19c71412a5 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getSocManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getSocManager: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index f2b5f2fb76d85..d4d82b1004a98 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT1Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index 4e3b74fe2ddd2..3f382f6ba1009 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT2Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all', 'actions_log_management_read'], + siemV3: ['all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index 6fdd359a99503..076a42b86fc5b 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT3Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -18,7 +17,7 @@ export const getT3Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index 193eed6484d8e..23c23f224a29a 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getThreatIntelligenceAnalyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'blocklist_all', 'global_artifact_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 16327c6a1a91d..83e19bff446df 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts 
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithArtifactReadPrivilegesRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'blocklist_read', 'trusted_applications_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts index decc743d14592..2f7aeb7aed702 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithResponseActionsRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,8 +17,8 @@ export const getWithResponseActionsRole: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ - ...noResponseActionsRole.kibana[0].feature[SECURITY_FEATURE_ID], + siemV3: [ + ...noResponseActionsRole.kibana[0].feature.siemV3, 'file_operations_all', 'execute_operations_all', 'scan_operations_all', 
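Review bot: `...noResponseActionsRole.kibana[0].feature.siemV3` in with_response_actions_role.ts now only works while without_response_actions_role.ts uses the same literal key; the removed `SECURITY_FEATURE_ID` constant used to tie the two together. If one file is later moved to a newer feature id and the other is not, the spread receives `undefined` and throws when the role is built, and the type of `feature` (presumably a string-indexed record) will not catch it at compile time. Exporting the key once from the base role file, e.g. `export const ROLE_SECURITY_FEATURE_ID = 'siemV3';`, and using it in both places keeps the coupling explicit. The function body continues outside the hunk.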
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index 96b012ccac9fa..3ce1d80e43a61 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -6,7 +6,6 @@ */ import type { Role } from '@kbn/security-plugin/common'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getNoResponseActionsRole: () => Omit = () => ({ elasticsearch: { @@ -43,7 +42,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({ osquery: ['all'], savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'endpoint_list_all', 'endpoint_list_read', diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index b72d6562a99f5..f641f85e48038 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -33,6 +33,11 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({ baseKibanaSubFeatureIds: [], subFeaturesMap: new Map(), })), + getSecurityV4Feature: jest.fn(() => ({ + baseKibanaFeature: {}, + baseKibanaSubFeatureIds: [], + subFeaturesMap: new Map(), + })), getCasesFeature: jest.fn(() => ({ baseKibanaFeature: {}, baseKibanaSubFeatureIds: [], 
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts index fecf35431c8c0..eed604167f1a9 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts @@ -40,6 +40,7 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({ getSecurityFeature: () => mockGetFeature(), getSecurityV2Feature: () => mockGetFeature(), getSecurityV3Feature: () => mockGetFeature(), + getSecurityV4Feature: () => mockGetFeature(), getCasesFeature: () => mockGetFeature(), getCasesV2Feature: () => mockGetFeature(), getCasesV3Feature: () => mockGetFeature(), diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index 4464920351ce0..88b637fe2c5e6 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -19,6 +19,7 @@ import { getCasesV3Feature, getSecurityV2Feature, getSecurityV3Feature, + getSecurityV4Feature, getTimelineFeature, getNotesFeature, getSiemMigrationsFeature, 
@@ -53,6 +54,7 @@ export class ProductFeaturesService { getSecurityFeature({ ...securityFeatureParams, savedObjects: securityV1SavedObjects }), getSecurityV2Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), getSecurityV3Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), + getSecurityV4Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), ]); this.productFeaturesRegistry.create('cases', [ getCasesFeature(casesProductFeatureParams), diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts index ae0a7ced79d7f..d2b70d158484f 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts @@ -4,8 +4,14 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { updateGlobalArtifactManageReplacements } from './product_features_extensions'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; +import { + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + addGlobalArtifactManagementToAll, + addGlobalArtifactManagementToMinimalAll, + enableSecuritySubfeaturesToggle, +} from './product_features_extensions'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features'; import { cloneDeep } from 'lodash'; @@ -21,7 +27,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['all'], - api: [`${SECURITY_FEATURE_ID_V3}-all`], + api: [`${SECURITY_FEATURE_ID}-all`], }, read: { savedObject: { 
@@ -29,88 +35,249 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['read'], - api: [`${SECURITY_FEATURE_ID_V3}-read`], + api: [`${SECURITY_FEATURE_ID}-read`], }, }, }; -describe('updateGlobalArtifactManageReplacements', () => { - let featureConfig: MutableKibanaFeatureConfig; +describe('ESS product feature extensions - feature config modifiers', () => { + let configWithoutReplacedBy: MutableKibanaFeatureConfig; + let configWithReplacedBy: MutableKibanaFeatureConfig; beforeEach(() => { - featureConfig = cloneDeep(baseFeatureConfig); - }); - - it('should do nothing if replacedBy is not present', () => { - const originalConfig = JSON.parse(JSON.stringify(featureConfig)); - - updateGlobalArtifactManageReplacements(featureConfig as MutableKibanaFeatureConfig); - - expect(featureConfig).toEqual(originalConfig); - }); - - it('should modify privileges for SECURITY_FEATURE_ID_V3 in both default and minimal', () => { - const testFeatureConfig = { - ...featureConfig, + configWithoutReplacedBy = cloneDeep(baseFeatureConfig); + configWithReplacedBy = cloneDeep({ + ...configWithoutReplacedBy, privileges: { - ...featureConfig.privileges, + ...configWithoutReplacedBy.privileges, all: { - ...featureConfig.privileges?.all, + ...configWithoutReplacedBy.privileges?.all, replacedBy: { default: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }, + }, + read: { + ...configWithoutReplacedBy.privileges?.read, + replacedBy: { + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: 
['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], }, }, }, - }; + }) as MutableKibanaFeatureConfig; + }); + + describe('addGlobalArtifactManagementToMinimalAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + addGlobalArtifactManagementToMinimalAll(testConfig); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - // Default privileges modified - const v3Default = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID_V3 - ); - expect(v3Default?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); + it('should add global artifact management privilege to siem.minimal_all', () => { + const testConfig = cloneDeep(configWithReplacedBy); - // Minimal privileges modified - const v3Minimal = replacedBy.minimal.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID_V3 - ); - expect(v3Minimal?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); + addGlobalArtifactManagementToMinimalAll(testConfig); - // Ensure other features remain unchanged - const otherFeature = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === 'other_feature' - ); - expect(otherFeature?.privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'minimal_all', + 'global_artifact_management_all', // <- global artifact management is added + ], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + 
configWithReplacedBy.privileges?.read.replacedBy + ); + }); }); - it('should only modify existing SECURITY_FEATURE_ID_V3 entries', () => { - const testFeatureConfig = { - ...featureConfig, - privileges: { - ...featureConfig.privileges, - all: { - ...featureConfig.privileges?.all, - replacedBy: { - default: [{ feature: 'other_feature', privileges: ['all'] }], - minimal: [{ feature: 'other_feature', privileges: ['all'] }], + describe('addGlobalArtifactManagementToAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add global artifact management privilege to siem.all', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'global_artifact_management_all', // <- global artifact management is added + ], }, - }, - }, - }; + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + configWithReplacedBy.privileges?.read.replacedBy + ); + }); + }); + + describe('addEndpointExceptionsToMinimalReadAndMinimalAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToMinimalReadAndMinimalAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.minimal_all and siem.minimal_read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + 
addEndpointExceptionsToMinimalReadAndMinimalAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all', 'endpoint_exceptions_all'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('addEndpointExceptionsToReadAndAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.all and siem.read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'endpoint_exceptions_all', // <- endpoint exception is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all'], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { 
feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('enableSecuritySubfeaturesToggle', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + enableSecuritySubfeaturesToggle(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + it('should change `all` and `read` to `minimal_all` and `minimal_read`', () => { + const testConfig = cloneDeep(configWithReplacedBy); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + enableSecuritySubfeaturesToggle(testConfig); - // No SECURITY_FEATURE_ID_V3, so no changes - expect(replacedBy.default[0].privileges).toEqual(['all']); - expect(replacedBy.minimal[0].privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); }); }); 
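Review bot: The rewritten suite drops the old case where `replacedBy` is present but holds no Security feature entry, and none of the five new `describe` blocks replaces it, so the silent no-op path of every modifier is untested. Each modifier is also exercised only on its own, while product_features_extensions.ts registers them as a list that runs `enableSecuritySubfeaturesToggle` first and the `add*` modifiers after it on the same config. A test that applies the registered list in order and asserts the final entry, e.g. `privileges: ['minimal_all', 'global_artifact_management_all']` for the `default` replacement of `all`, would pin the privileges a migrated role actually receives. It is also worth asserting in that chained test that `read.replacedBy` never gains an `_all` privilege.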
diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts index 8e177b0a5b6a9..0e79795be13ba 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts @@ -4,8 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; -import { APP_ID } from '@kbn/security-solution-plugin/common'; +import { APP_ID, SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys'; import type { MutableKibanaFeatureConfig, 
@@ -14,65 +13,161 @@ import type { export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = { security: { - allVersions: { - [ProductFeatureSecurityKey.endpointExceptions]: { - privileges: { - all: { - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], - }, - read: { - ui: ['showEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`], - }, - }, - }, - }, + allVersions: {}, version: { siem: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToMinimalAll, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], + // On ESS, there has been no Endpoint Exceptions sub-feature privilege, but was included in security 'read' and 'all', + // as well as in security 'minimal_read' and 'minimal_all'. + // Using api privileges below provides the required backwards compatibility. 
+ privileges: { + all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] }, + read: { api: [`${APP_ID}-showEndpointExceptions`] }, + }, }, }, siemV2: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToMinimalAll, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], + privileges: { + all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] }, + read: { api: [`${APP_ID}-showEndpointExceptions`] }, + }, + }, + }, + siemV3: { + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], + privileges: { + all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] }, + read: { api: [`${APP_ID}-showEndpointExceptions`] }, + }, }, }, }, }, }; -// When endpointArtifactManagement PLI is enabled, the replacedBy to the siemV3 feature needs to +// When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. -// This needs to be done here because the replacements of serverless and ESS are different. -export function updateGlobalArtifactManageReplacements( +// This needs to be done here because some the replacements of serverless and ESS are different, other +// replacements are tied to endpointArtifactManagement PLI - hence PLI related privileges cannot be added to +// the shared base config in `kibana_features.ts`. 
+export function addGlobalArtifactManagementToMinimalAll( + featureConfig: MutableKibanaFeatureConfig +): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + + if (allReplacedBy && 'minimal' in allReplacedBy) { + const siemMinimalAll = allReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID + ); + + // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL, hence we're adding global artifact management to preserve behaviour + siemMinimalAll?.privileges.push('global_artifact_management_all'); + } +} + +export function addGlobalArtifactManagementToAll(featureConfig: MutableKibanaFeatureConfig): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + // on ESS, Endpoint Exception ALL is included in siem:ALL, hence we're adding global artifact management to preserve behaviour + siemAll?.privileges.push('global_artifact_management_all'); + } +} + +// When Endpoint Exceptions sub-feature privilege is harmonized between ESS and Serverless (from siemV4), +// the privileges needed to be added to users with specific security privileges. +// On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL. 
+export function addEndpointExceptionsToMinimalReadAndMinimalAll( featureConfig: MutableKibanaFeatureConfig ): void { - const replacedBy = featureConfig.privileges?.all?.replacedBy; - if (!replacedBy) { - return; + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'minimal' in allReplacedBy) { + const siemMinimalAll = allReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID + ); + + siemMinimalAll?.privileges.push('endpoint_exceptions_all'); } - if ('default' in replacedBy) { - const v3Default = replacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID_V3); - if (v3Default) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Default.privileges = [ - 'minimal_all', - 'global_artifact_management_all', // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. - ]; + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'minimal' in readReplacedBy) { + const siemMinimalRead = readReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID + ); + + siemMinimalRead?.privileges.push('endpoint_exceptions_read'); + } +} + +// On ESS, Endpoint exceptions were included in siem:READ and siem:ALL. 
+export function addEndpointExceptionsToReadAndAll(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemRead?.privileges.push('endpoint_exceptions_read'); + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemAll?.privileges.push('endpoint_exceptions_all'); + } +} + +export function enableSecuritySubfeaturesToggle(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemRead) { + siemRead.privileges = siemRead.privileges.map((privilege) => + privilege === 'read' ? 'minimal_read' : privilege + ); } } - if ('minimal' in replacedBy) { - const v3Minimal = replacedBy.minimal.find(({ feature }) => feature === SECURITY_FEATURE_ID_V3); - if (v3Minimal) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Minimal.privileges = [ - 'minimal_all', - 'global_artifact_management_all', // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL - ]; + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemAll) { + siemAll.privileges = siemAll.privileges.map((privilege) => + privilege === 'all' ? 'minimal_all' : privilege + ); } } } 
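Review bot: The four `add*` modifiers append with `privileges.push(...)`, which is not idempotent, and they skip silently through `?.` when no entry for `SECURITY_FEATURE_ID` is found. Whether a feature config can reach the same modifier twice is not visible in this hunk, but a repeated run would leave duplicate privilege names in `replacedBy`, and a missed lookup would drop the endpoint-exceptions or artifact-management grant from migrated roles without any signal. A shared helper that looks the entry up once and appends only when the privilege is absent removes the repeated find-and-push code and makes both cases explicit. The element type in the sketch below is assumed from how the hunk uses the entries and should be replaced by the project's own type.

```typescript
// Appends `privilege` to the Security feature entry of a replacedBy list, at most once.
function addSecurityPrivilege(
  entries: Array<{ feature: string; privileges: string[] }>,
  privilege: string
): void {
  const entry = entries.find(({ feature }) => feature === SECURITY_FEATURE_ID);
  if (entry && !entry.privileges.includes(privilege)) {
    entry.privileges.push(privilege);
  }
}

export function addGlobalArtifactManagementToAll(featureConfig: MutableKibanaFeatureConfig): void {
  const allReplacedBy = featureConfig.privileges?.all?.replacedBy;
  if (allReplacedBy && 'default' in allReplacedBy) {
    addSecurityPrivilege(allReplacedBy.default, 'global_artifact_management_all');
  }
}
// … unchanged: the other add* modifiers, rewritten the same way; enableSecuritySubfeaturesToggle …
```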
diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts index d6d5318776b90..a26e7646fb2b5 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts @@ -4,8 +4,12 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { updateGlobalArtifactManageReplacements } from './product_features_extensions'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; +import { + addEndpointExceptionsToReadAndAll, + addGlobalArtifactManagementToAll, + enableSecuritySubfeaturesToggle, +} from './product_features_extensions'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features'; import { cloneDeep } from 'lodash'; @@ -21,7 +25,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['all'], - api: [`${SECURITY_FEATURE_ID_V3}-all`], + api: [`${SECURITY_FEATURE_ID}-all`], }, read: { savedObject: { 
@@ -29,86 +33,170 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['read'], - api: [`${SECURITY_FEATURE_ID_V3}-read`], + api: [`${SECURITY_FEATURE_ID}-read`], }, }, }; -describe('updateGlobalArtifactManageReplacements', () => { - let featureConfig: MutableKibanaFeatureConfig; +describe('ESS product feature extensions - feature config modifiers', () => { + let configWithoutReplacedBy: MutableKibanaFeatureConfig; + let configWithReplacedBy: MutableKibanaFeatureConfig; beforeEach(() => { - featureConfig = cloneDeep(baseFeatureConfig); - }); - - it('should do nothing if replacedBy is not present', () => { - const originalConfig = JSON.parse(JSON.stringify(featureConfig)); - - updateGlobalArtifactManageReplacements(featureConfig as MutableKibanaFeatureConfig); - - expect(featureConfig).toEqual(originalConfig); - }); - - it('should modify privileges for SECURITY_FEATURE_ID_V3 in both default and minimal', () => { - const testFeatureConfig = { - ...featureConfig, + configWithoutReplacedBy = cloneDeep(baseFeatureConfig); + configWithReplacedBy = cloneDeep({ + ...configWithoutReplacedBy, privileges: { - ...featureConfig.privileges, + ...configWithoutReplacedBy.privileges, all: { - ...featureConfig.privileges?.all, + ...configWithoutReplacedBy.privileges?.all, replacedBy: { default: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], }, }, - }, - }; - - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); - - const replacedBy = testFeatureConfig.privileges.all.replacedBy; - - // Default privileges modified - const v3Default = replacedBy.default.find( - ({ feature }: { feature: 
string }) => feature === SECURITY_FEATURE_ID_V3 - ); - expect(v3Default?.privileges).toEqual([ - 'minimal_all', - 'global_artifact_management_all', - 'endpoint_exceptions_all', - ]); - - // Ensure other features remain unchanged - const otherFeature = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === 'other_feature' - ); - expect(otherFeature?.privileges).toEqual(['all']); - }); - - it('should only modify existing SECURITY_FEATURE_ID_V3 entries', () => { - const testFeatureConfig = { - ...featureConfig, - privileges: { - ...featureConfig.privileges, - all: { - ...featureConfig.privileges?.all, + read: { + ...configWithoutReplacedBy.privileges?.read, replacedBy: { - default: [{ feature: 'other_feature', privileges: ['all'] }], - minimal: [{ feature: 'other_feature', privileges: ['all'] }], + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], }, }, }, - }; + }) as MutableKibanaFeatureConfig; + }); + + describe('addGlobalArtifactManagementToAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add global artifact management privilege to siem.all', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'global_artifact_management_all', // <- global artifact management is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { 
feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + configWithReplacedBy.privileges?.read.replacedBy + ); + }); + }); + + describe('addEndpointExceptionsToReadAndAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.all and siem.read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'endpoint_exceptions_all', // <- endpoint exception is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all'], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('enableSecuritySubfeaturesToggle', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + enableSecuritySubfeaturesToggle(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + it('should change `all` and `read` to `minimal_all` and `minimal_read`', () => { + const 
testConfig = cloneDeep(configWithReplacedBy); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + enableSecuritySubfeaturesToggle(testConfig); - // No SECURITY_FEATURE_ID_V3, so no changes - expect(replacedBy.default[0].privileges).toEqual(['all']); - expect(replacedBy.minimal[0].privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); }); }); diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts index d856a37769061..56e8b6c34d5a7 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts 
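Review bot: The rewritten suite no longer covers a `replacedBy.default` list that has no `SECURITY_FEATURE_ID` entry. The removed case `should only modify existing SECURITY_FEATURE_ID_V3 entries` did cover it, and all three new modifiers rely on a `?.` or `if (siemRead)` guard for exactly that path. I would add one such case per `describe`, using a config whose `default` is `[{ feature: 'other_feature', privileges: ['all'] }]` and an `expect(testConfig).toEqual(...)` against an untouched clone. Because `enableSecuritySubfeaturesToggle` is registered under two product feature keys in `product_features_extensions.ts`, a case that calls it twice and still expects a single `minimal_all` / `minimal_read` would also pin that it is safe to apply repeatedly. The outer title `'ESS product feature extensions - feature config modifiers'` sits in the `security_solution_serverless` plugin and looks copied from the ESS counterpart; `'Serverless product feature extensions - feature config modifiers'` would match the file.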
@@ -8,59 +8,123 @@ import type { MutableKibanaFeatureConfig, ProductFeaturesConfiguratorExtensions, } from '@kbn/security-solution-features'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; -import { - ProductFeatureSecurityKey, - SecuritySubFeatureId, -} from '@kbn/security-solution-features/keys'; +import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = { security: { - allVersions: { - [ProductFeatureSecurityKey.endpointExceptions]: { - subFeatureIds: [SecuritySubFeatureId.endpointExceptions], - }, - }, + allVersions: {}, version: { siem: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], + // On Serverless, endpoint exception was a sub-feature privilege, but was included in security 'read' and 'all'. + // Using `includeIn` here will provide backwards compatibility, without adding endpoint exceptions api privileges + // to security 'minimal_read' and 'minimal_all'. 
+ subFeaturesPrivileges: [ + { id: 'endpoint_exceptions_all', includeIn: 'all' }, + { id: 'endpoint_exceptions_read', includeIn: 'read' }, + ], }, }, siemV2: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], + subFeaturesPrivileges: [ + { id: 'endpoint_exceptions_all', includeIn: 'all' }, + { id: 'endpoint_exceptions_read', includeIn: 'read' }, + ], + }, + }, + siemV3: { + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], + subFeaturesPrivileges: [ + { id: 'endpoint_exceptions_all', includeIn: 'all' }, + { id: 'endpoint_exceptions_read', includeIn: 'read' }, + ], }, }, }, }, }; -// When endpointArtifactManagement PLI is enabled, the replacedBy to the siemV3 feature needs to +// When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. -// This needs to be done here because the replacements of serverless and ESS are different. -export function updateGlobalArtifactManageReplacements( - featureConfig: MutableKibanaFeatureConfig -): void { - const replacedBy = featureConfig.privileges?.all?.replacedBy; - if (!replacedBy || !('default' in replacedBy)) { - return; +// This needs to be done here because some the replacements of serverless and ESS are different, other +// replacements are tied to endpointArtifactManagement PLI - hence PLI related privileges cannot be added to +// the shared base config in `kibana_features.ts`. 
+export function addGlobalArtifactManagementToAll(featureConfig: MutableKibanaFeatureConfig): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + // on ESS, Endpoint Exception ALL is included in siem:ALL, hence we're adding global artifact management to preserve behaviour + siemAll?.privileges.push('global_artifact_management_all'); } - // only "default" is overwritten, "minimal" is not as it does not includes Endpoint Exceptions ALL. - const v3Default = replacedBy.default.find( - ({ feature }) => feature === SECURITY_FEATURE_ID_V3 // Only for features that are replaced by siemV3 (siem and siemV2) - ); - if (v3Default) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Default.privileges = [ - 'minimal_all', - // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. - // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. - // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege. - 'global_artifact_management_all', - // As we are switching from `all` to `minimal_all`, Endpoint Exceptions is needed to be added, as it was included in `all`, - // but not in `minimal_all`. - 'endpoint_exceptions_all', - ]; +} + +// When Endpoint Exceptions sub-feature privilege is harmonized between ESS and Serverless (from siemV4), +// the privileges needed to be added to users with specific security privileges. +// On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL. 
+export function addEndpointExceptionsToReadAndAll(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemRead?.privileges.push('endpoint_exceptions_read'); + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemAll?.privileges.push('endpoint_exceptions_all'); + } +} + +export function enableSecuritySubfeaturesToggle(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemRead) { + siemRead.privileges = siemRead.privileges.map((privilege) => + privilege === 'read' ? 'minimal_read' : privilege + ); + } + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemAll) { + siemAll.privileges = siemAll.privileges.map((privilege) => + privilege === 'all' ? 'minimal_all' : privilege + ); + } } } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts b/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts index e333ccdb6cedb..e895531b181cd 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts 
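Review bot: The comments on the new modifiers describe ESS behaviour although this file is the Serverless extension: `// on ESS, Endpoint Exception ALL is included in siem:ALL ...` inside `addGlobalArtifactManagementToAll`, and `// On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL.` above `addEndpointExceptionsToReadAndAll`. The inline comment at `subFeaturesPrivileges` says that on Serverless the sub-feature was included in security 'read' and 'all', which is what the code actually migrates, and the removed comment also attributed this migration to the Serverless offering. These comments are the only record of why a migrated role receives extra privileges, so I would reword them, e.g. `// On Serverless, Endpoint Exceptions were included in siem:READ and siem:ALL (not in the minimal_* variants), so only the default replacements are extended.` `enableSecuritySubfeaturesToggle` has no comment at all; `// Replaces 'read'/'all' with 'minimal_read'/'minimal_all' in the default replacements, so sub-feature privileges have to be listed explicitly.` would state its role in the chain.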
+++ b/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts @@ -64,8 +64,11 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { if (predefinedRole) { const roleConfig = rolesMapping[predefinedRole]; if (extraPrivileges) { - roleConfig.kibana[0].feature[SECURITY_FEATURE_ID] = [ - ...roleConfig.kibana[0].feature[SECURITY_FEATURE_ID], + const actualSiem = Object.keys(roleConfig.kibana[0].feature).find((feature) => + feature.startsWith('siem') + ); + roleConfig.kibana[0].feature[actualSiem!] = [ + ...roleConfig.kibana[0].feature[actualSiem!], ...extraPrivileges, ]; } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts index c53c20a5dd067..bb2bd792ff8ee 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts @@ -8,6 +8,6 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_wo export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { describe('Endpoint related user role migrations without Endpoint product line', function () { - loadTestFile(require.resolve('./siem_v3_global_artifact_management')); + loadTestFile(require.resolve('./siem_base_privileges')); }); } 
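Review bot: `actualSiem` comes from `Object.keys(roleConfig.kibana[0].feature).find((feature) => feature.startsWith('siem'))` and is then used with `!`, which hides two cases. A predefined role with no `siem*` feature reaches `...roleConfig.kibana[0].feature[actualSiem!]` with `undefined` and fails on the spread with an unhelpful TypeError, and a role carrying two `siem*` keys gets the extra privileges on whichever key happens to come first. An explicit guard before the assignment states the expectation: `if (!actualSiem) throw new Error('predefined role has no siem* feature privileges');`. The enclosing function starts and ends outside this hunk, so whether a role can hold several siem versions at once is not visible here.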
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts similarity index 85% rename from x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts rename to x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts index 03d942a504901..c38161f64b33f 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts @@ -8,14 +8,15 @@ import expect from '@kbn/expect'; import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import type { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertest'); - const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; + const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3']; - const ROLE_NAME = 'siem_v3_test_role'; + const ROLE_NAME = 'siem_test_role'; const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => supertest 
@@ -52,10 +53,10 @@ export default function ({ getService }: FtrProviderContext) { ); // migrating from `siem` adds timeline and notes, but in this test it is irrelevant - return role.kibana[0].feature.siemV3; + return role.kibana[0].feature[SECURITY_FEATURE_ID]; }; - describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => { + describe('@serverless @skipInServerlessMKI Role migrations without Endpoint product line', () => { afterEach(async () => { await supertest .delete(`/api/security/role/${ROLE_NAME}`) @@ -68,7 +69,7 @@ export default function ({ getService }: FtrProviderContext) { describe(`from ${deprecatedSiem}`, () => { const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); - it(`should keep ${deprecatedSiem}:READ privilege`, async () => { + it(`should keep ${deprecatedSiem}:READ privilege without switching to MINIMAL_READ`, async () => { await putDeprecatedSiemPrivilegesInRole(['read']); expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); @@ -80,7 +81,7 @@ export default function ({ getService }: FtrProviderContext) { expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']); }); - it(`should keep ${deprecatedSiem}:ALL privilege`, async () => { + it(`should keep ${deprecatedSiem}:ALL privilege without switching to MINIMAL_ALL`, async () => { await putDeprecatedSiemPrivilegesInRole(['all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql(['all']); diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts index dab519112f24b..1b7d01f1ca009 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts 
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts @@ -7,7 +7,8 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { - describe('Endpoint related user role migrations', function () { - loadTestFile(require.resolve('./siem_v3_global_artifact_management')); + describe('Endpoint related user role migrations, feature deprecations', function () { + loadTestFile(require.resolve('./siem_artifact_api_actions')); + loadTestFile(require.resolve('./siem_artifact_sub_privileges')); }); } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts new file mode 100644 index 0000000000000..9117b859cc15d --- /dev/null +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts 
@@ -0,0 +1,293 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type TestAgent from 'supertest/lib/agent'; +import type { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants'; +import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants'; +import type { Role } from '@kbn/security-plugin-types-common'; +import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; +import type { ArtifactTestData } from '../../../../../security_solution_endpoint/services/endpoint_artifacts'; +import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; + +type ArtifactListsWithRequiredPrivileges = Array<{ + listId: (typeof ENDPOINT_ARTIFACT_LIST_IDS)[number]; + privileges: string[]; +}>; + +export default function ({ getService }: FtrProviderContext) { + const utils = getService('securitySolutionUtils'); + const rolesUsersProvider = getService('rolesUsersProvider'); + const endpointArtifactTestResources = getService('endpointArtifactTestResources'); + + const formatPrivileges = (privileges: string[]) => privileges.map((p) => `'${p}'`).join(', '); + + describe('@ess @skipInServerless, @skipInServerlessMKI Endpoint Artifacts role backwards compatibility', function () { + const afterEachDataCleanup: Array> = []; + + const SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3', 'siemV4'] as const; + + let globalArtifactManagerRole: Role; + + const createUserWithSiemPrivileges = async ( + siemVersion: (typeof SIEM_VERSIONS)[number], + siemPrivileges: string[] + ): Promise => { + globalArtifactManagerRole = Object.assign( + rolesUsersProvider.loader.getPreDefinedRole('t1_analyst'), + { name: 'globalArtifactManager' } + ); + + // remove actual siem + const actualSiem = 
Object.keys(globalArtifactManagerRole.kibana[0].feature).find((feature) => + feature.startsWith('siem') + ); + delete globalArtifactManagerRole.kibana[0].feature[actualSiem!]; + + // add (deprecated) siem feature + globalArtifactManagerRole.kibana[0].feature[siemVersion] = siemPrivileges; + + rolesUsersProvider.loader.create(globalArtifactManagerRole); + const globalArtifactManagerUser = await rolesUsersProvider.loader.create( + globalArtifactManagerRole + ); + + return utils.createSuperTest( + globalArtifactManagerUser.username, + globalArtifactManagerUser.password + ); + }; + + after(async () => { + if (globalArtifactManagerRole) { + await rolesUsersProvider.loader.delete(globalArtifactManagerRole.name); + // @ts-expect-error + globalArtifactManagerRole = undefined; + } + }); + + afterEach(async () => { + await Promise.allSettled(afterEachDataCleanup.splice(0).map((data) => data.cleanup())); + }); + + describe('From siemV4', () => { + const siemVersion = 'siemV4'; + const siemV4ArtifactPrivileges: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['read', 'endpoint_exceptions_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all', 'global_artifact_management_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_read', 'endpoint_exceptions_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, 
+ privileges: [ + 'minimal_read', + 'trusted_applications_all', + 'global_artifact_management_all', + ], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['minimal_read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: [ + 'minimal_read', + 'host_isolation_exceptions_all', + 'global_artifact_management_all', + ], + }, + ]; + + for (const { listId, privileges } of siemV4ArtifactPrivileges) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + + describe('From siemV3: EndpointExceptions migration', () => { + const siemVersion = 'siemV3'; + const siemV3ArtifactPrivileges: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all', 
'global_artifact_management_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: [ + 'minimal_read', + 'trusted_applications_all', + 'global_artifact_management_all', + ], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['minimal_read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: [ + 'minimal_read', + 'host_isolation_exceptions_all', + 'global_artifact_management_all', + ], + }, + ]; + + for (const { listId, privileges } of siemV3ArtifactPrivileges) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + + describe('From siem/siemV2: GlobalArtifactManagement and EndpointExceptions migration ', () => { + for (const siemVersion of ['siemV2', 'siem'] as const) { + describe(`with ${siemVersion} feature version`, () => { + const artifactTypes: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all'], + }, + { + listId: 
ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['minimal_read', 'trusted_applications_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['minimal_read', 'blocklist_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['minimal_read', 'host_isolation_exceptions_all'], + }, + ]; + + for (const { listId, privileges } of artifactTypes) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + } + }); + }); +} diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts new file mode 100644 index 0000000000000..2e3bc342793b8 --- /dev/null +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts 
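Review bot: In `createUserWithSiemPrivileges`, `rolesUsersProvider.loader.create(globalArtifactManagerRole);` is called once without `await` and then again with `await` on the next statement. Two create requests for the same role can therefore overlap and a rejection of the first is never observed, so the un-awaited call should be dropped. The suite title `'@ess @skipInServerless, @skipInServerlessMKI ...'` has a comma attached to the tag, which may keep a tag filter from matching `@skipInServerless`; that depends on how the runner matches tags, which is not visible here. Every case asserts that a create succeeds; since this file pins authorization behaviour across siem versions, a counterpart per version that grants only `read` and expects the global-artifact create to be rejected would catch a migration that grants more than intended.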
@@ -0,0 +1,422 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+
+import expect from '@kbn/expect';
+import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common';
+import type { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common';
+import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
+import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows';
+
+export default function ({ getService }: FtrProviderContext) {
+ const supertest = getService('supertest');
+
+ const PRE_SIEM_V4_ESS_ARTIFACTS = [
+ 'trusted_applications',
+ 'event_filters',
+ 'blocklist',
+ 'host_isolation_exceptions',
+ ];
+ const ALL_ARTIFACTS = [...PRE_SIEM_V4_ESS_ARTIFACTS, 'endpoint_exceptions'];
+ const ROLE_NAME = 'siem_test_role';
+
+ const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) =>
+ supertest
+ .put(`/api/security/role/${ROLE_NAME}`)
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .send({
+ elasticsearch: { cluster: [], indices: [], run_as: [] },
+ kibana: [
+ {
+ base: [],
+ feature: {
+ [feature]: privileges,
+ },
+ spaces: ['*'],
+ },
+ ],
+ })
+ .expect(204);
+
+ const getMigratedSiemFeaturesFromRole = async (): Promise => {
+ const response = await supertest
+ .get(`/api/security/role/${ROLE_NAME}`)
+ .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .expect(200);
+
+ const role = response.body as Role;
+ expect(role._transform_error).to.have.length(
+ 0,
+ `Role migration encountered an error, probably a non-existing privilege is added.
+ Transform error: ${JSON.stringify(role._transform_error)}`
+ );
+
+ // migrating from `siem` adds timeline and notes, but in this test it is irrelevant
+ return role.kibana[0].feature[SECURITY_FEATURE_ID];
+ };
+
+ describe('@ess @serverless @skipInServerlessMKI `siem` role migrations for Artifact sub-privileges', () => {
+ after(async () => {
+ await supertest
+ .delete(`/api/security/role/${ROLE_NAME}`)
+ .set('kbn-xsrf', 'true')
+ .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
+ .expect([204, 404]);
+ });
+
+ describe(`From siemV3 - adding Endpoint exceptions`, () => {
+ const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole('siemV3');
+
+ describe(`siemV3:READ`, () => {
+ it('should add endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ // sub-features toggle enabled to show Endpoint exceptions
+ 'minimal_read',
+ // Endpoint Exceptions were included in siem:READ, so we need to enable it explicitly
+ 'endpoint_exceptions_read',
+ ]);
+ });
+ });
+
+ describe(`siemV3:MINIMAL_READ`, () => {
+ describe('@skipInServerless on ESS', () => {
+ it('should add endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ // Endpoint Exceptions were included in siem:MINIMAL_READ, so we need to enable it explicitly
+ 'endpoint_exceptions_read',
+ ]);
+ });
+ });
+
+ describe('@skipInEss on Serverless', () => {
+ it('should keep endpoint_exceptions:NONE', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']);
+ });
+
+ it('should keep endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+
+ it('should keep endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+ });
+
+ describe(`siemV3:ALL`, () => {
+ it('should add endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ // sub-features toggle enabled to show Endpoint exceptions
+ 'minimal_all',
+ // Endpoint Exceptions were included in siem:ALL, so we need to enable it explicitly
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+
+ describe('siemV3:MINIMAL_ALL', () => {
+ describe('@skipInServerless on ESS', () => {
+ it('should add endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ // Endpoint Exceptions were included in siem:MINIMAL_ALL, so we need to enable it explicitly
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+
+ describe('@skipInEss on Serverless', () => {
+ it('should keep endpoint_exceptions:NONE', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+ });
+
+ it('should keep endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all', 'endpoint_exceptions_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+
+ it('should keep endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all', 'endpoint_exceptions_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+ });
+ });
+
+ describe('From `siem` and `siemV2` - adding Endpoint exceptions and Global artifact management', () => {
+ for (const deprecatedSiem of ['siemV2', 'siem'] as const) {
+ describe(`from ${deprecatedSiem}`, () => {
+ const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem);
+
+ describe(`Sub-feature 1: adding Endpoint Exceptions`, () => {
+ describe(`${deprecatedSiem}:READ`, () => {
+ it('should add endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+ });
+
+ describe(`${deprecatedSiem}:MINIMAL_READ`, () => {
+ describe('@skipInServerless on ESS', () => {
+ it('should add endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+ });
+
+ describe('@skipInEss on Serverless', () => {
+ it('should keep endpoint_exceptions:NONE', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']);
+ });
+
+ it('should keep endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_read',
+ 'endpoint_exceptions_read',
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+
+ it('should keep endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_read',
+ 'endpoint_exceptions_all',
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_all',
+ 'global_artifact_management_all',
+ ]);
+ });
+ });
+ });
+
+ describe(`${deprecatedSiem}:ALL`, () => {
+ it('should add endpoint_exceptions:ALL and global_artifact_management:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'global_artifact_management_all',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+
+ describe(`${deprecatedSiem}:MINIMAL_ALL`, () => {
+ describe('@skipInServerless on ESS', () => {
+ it('should add endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'global_artifact_management_all',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+
+ describe('@skipInEss on Serverless', () => {
+ it('should keep endpoint_exceptions:NONE', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+ });
+
+ it('should keep endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_all',
+ 'endpoint_exceptions_read',
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'endpoint_exceptions_read',
+ ]);
+ });
+
+ it('should keep endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_all',
+ 'endpoint_exceptions_all',
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'endpoint_exceptions_all',
+ 'global_artifact_management_all',
+ ]);
+ });
+ });
+ });
+ });
+
+ describe('Sub-feature 2: adding Global Artifact Management', () => {
+ describe(`${deprecatedSiem}:MINIMAL_READ`, () => {
+ for (const artifact of PRE_SIEM_V4_ESS_ARTIFACTS) {
+ it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]);
+
+ const migratedPrivilages = await getMigratedSiemFeaturesFromRole();
+ // testing existence/absence instead of strict equality as Endpoint exceptions are added on ESS, see above test cases
+ expect(migratedPrivilages).to.contain('minimal_read');
+ expect(migratedPrivilages).to.contain(`${artifact}_read`);
+ expect(migratedPrivilages).not.to.contain('global_artifact_management_all');
+ });
+ }
+
+ // Endpoint Exception privilege only existed on Serverless pre siemV4
+ it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_read',
+ `endpoint_exceptions_read`,
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ `endpoint_exceptions_read`,
+ ]);
+ });
+
+ // adding Global Artifact Management to any artifact:WRITE privilege
+ for (const artifact of PRE_SIEM_V4_ESS_ARTIFACTS) {
+ it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]);
+
+ const migratedPrivilages = await getMigratedSiemFeaturesFromRole();
+ // testing existence instead of strict equality as Endpoint exceptions are added on ESS, see above test cases
+ expect(migratedPrivilages).to.contain('minimal_read');
+ expect(migratedPrivilages).to.contain(`${artifact}_all`);
+ expect(migratedPrivilages).to.contain('global_artifact_management_all');
+ });
+ }
+
+ // Endpoint Exception privilege only existed on Serverless pre siemV4
+ it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole([
+ 'minimal_read',
+ 'endpoint_exceptions_all',
+ ]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ 'endpoint_exceptions_all',
+ 'global_artifact_management_all',
+ ]);
+ });
+ });
+
+ describe(`${deprecatedSiem}:ALL`, () => {
+ // siem:ALL includes Endpoint Exceptions both on ESS and Serverless
+ it('should add global_artifact_management:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ // sub-features toggle enabled to show new sub-features
+ 'minimal_all',
+ 'global_artifact_management_all',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+ });
+
+ describe(`${deprecatedSiem}:MINIMAL_ALL`, () => {
+ // on ESS, siem:MINIMAL_ALL included Endpoint Exceptions ALL
+ it('@skipInServerless should add global_artifact_management:ALL on ESS', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_all',
+ 'global_artifact_management_all',
+ 'endpoint_exceptions_all',
+ ]);
+ });
+
+ // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege
+ describe('@skipInEss on Serverless', () => {
+ it('@skipInEss should NOT add global_artifact_management:ALL', async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_all']);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']);
+ });
+
+ for (const artifact of ALL_ARTIFACTS) {
+ it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ `${artifact}_read`,
+ ]);
+ });
+
+ it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => {
+ await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]);
+
+ expect(await getMigratedSiemFeaturesFromRole()).to.eql([
+ 'minimal_read',
+ `${artifact}_all`,
+ 'global_artifact_management_all',
+ ]);
+ });
+ }
+ });
+ });
+ });
+ });
+ }
+ });
+ });
+}
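Review bot: In the last `describe('@skipInEss on Serverless')` block, under `${deprecatedSiem}:MINIMAL_ALL`, the `for (const artifact of ALL_ARTIFACTS)` loop writes `'minimal_read'` together with the artifact privilege, so it repeats the MINIMAL_READ cases and no test migrates `minimal_all` combined with trusted_applications, event_filters, blocklist or host_isolation_exceptions. A migration that wrongly grants or drops `global_artifact_management_all` for those combinations would therefore go unnoticed. I would use `'minimal_all'` in both the role that is written and the expected array of the two tests in that loop; the expected values presumably mirror the endpoint_exceptions cases in Sub-feature 1, which should be confirmed against the migration itself. Separately, the ESS-tolerant tests in Sub-feature 2 MINIMAL_READ assert with `to.contain` only, so an unexpected extra privilege added by the migration would pass; pinning the exact set per environment would close that gap.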
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts deleted file mode 100644 index 8edb99d014604..0000000000000 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts +++ /dev/null 
@@ -1,207 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import expect from '@kbn/expect'; -import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; -import type { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; -import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; - -export default function ({ getService }: FtrProviderContext) { - const supertest = getService('supertest'); - - const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; - - // these artifact privileges are shared between ESS and Serverless, while Endpoint Exceptions privilege exists only on Serverless - const ARTIFACTS = [ - 'trusted_applications', - 'event_filters', - 'blocklist', - 'host_isolation_exceptions', - ]; - - const ROLE_NAME = 'siem_v3_test_role'; - - const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => - supertest - .put(`/api/security/role/${ROLE_NAME}`) - .set('kbn-xsrf', 'true') - .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') - .send({ - elasticsearch: { cluster: [], indices: [], run_as: [] }, - kibana: [ - { - base: [], - feature: { - [feature]: privileges, - }, - spaces: ['*'], - }, - ], - }) - .expect(204); - - const getMigratedSiemFeaturesFromRole = async (): Promise => { - const response = await supertest - .get(`/api/security/role/${ROLE_NAME}`) - .query({ replaceDeprecatedPrivileges: true }) // triggering on-the-fly role migration - .set('kbn-xsrf', 'true') - .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') - .expect(200); - - const role = response.body as Role; - expect(role._transform_error).to.have.length( - 0, - `Role migration encountered an error, probably a non-existing privilege is added. 
- Transform error: ${JSON.stringify(role._transform_error)}` - ); - - // migrating from `siem` adds timeline and notes, but in this test it is irrelevant - return role.kibana[0].feature.siemV3; - }; - - describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => { - afterEach(async () => { - await supertest - .delete(`/api/security/role/${ROLE_NAME}`) - .set('kbn-xsrf', 'true') - .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') - .expect([204, 404]); - }); - - for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) { - describe(`from ${deprecatedSiem}`, () => { - const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); - - describe(`${deprecatedSiem}:READ`, () => { - it('should keep READ privilege', async () => { - await putDeprecatedSiemPrivilegesInRole(['read']); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); - }); - }); - - describe(`${deprecatedSiem}:MINIMAL_READ`, () => { - for (const artifact of ARTIFACTS) { - it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `${artifact}_read`, - ]); - }); - } - - // Endpoint Exception privilege only exists on Serverless - it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `endpoint_exceptions_read`]); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `endpoint_exceptions_read`, - ]); - }); - - // adding Global Artifact Management to any artifact:WRITE privilege - for (const artifact of ARTIFACTS) { - it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); - - expect(await 
getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `${artifact}_all`, - 'global_artifact_management_all', - ]); - }); - } - - // Endpoint Exception privilege only exists on Serverless - it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - 'endpoint_exceptions_all', - 'global_artifact_management_all', - ]); - }); - }); - - describe(`${deprecatedSiem}:ALL`, () => { - // siem:ALL includes Endpoint Exceptions both on ESS and Serverless - it('@skipInServerless should add global_artifact_management:ALL on ESS', async () => { - await putDeprecatedSiemPrivilegesInRole(['all']); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - // sub-features toggle enabled to show Global Artifact Management - 'minimal_all', - // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour - 'global_artifact_management_all', - ]); - }); - - it('@skipInEss should add global_artifact_management:ALL and endpoint_exceptions:ALL on serverless', async () => { - await putDeprecatedSiemPrivilegesInRole(['all']); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - // sub-features toggle enabled to show Global Artifact Management - 'minimal_all', - // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour - 'global_artifact_management_all', - // Enpdoint Exceptions were included in siem:ALL, so we need to include them in siem:MINIMAL_ALL - 'endpoint_exceptions_all', - ]); - }); - }); - - describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { - // on ESS, siem:MINIMAL_ALL includes Endpoint Exceptions ALL - describe('@skipInServerless ESS', () => { - it('should add global_artifact_management:ALL', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_all']); - - 
expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_all', - 'global_artifact_management_all', - ]); - }); - }); - - // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege, it can be NONE - describe('@skipInEss on Serverless', () => { - it('@skipInEss should NOT add global_artifact_management:ALL', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_all']); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); - }); - - for (const artifact of [...ARTIFACTS, 'endpoint_exceptions']) { - it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `${artifact}_read`, - ]); - }); - - it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `${artifact}_all`, - 'global_artifact_management_all', - ]); - }); - } - }); - }); - }); - } - }); -} diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts index 91470ba9e35b7..7594b293baa6a 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts 
@@ -64,16 +64,14 @@ export default function ({ getService }: FtrProviderContext) { { name: 'artifactManager' } ); - if ( - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( - 'global_artifact_management_all' - ) - ) { - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID] = - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( - (privilege) => privilege !== 'global_artifact_management_all' - ); - } + const siemFeatureId = + Object.keys(artifactManagerRole.kibana[0].feature).find((featureId) => + featureId.startsWith('siem') + ) ?? SECURITY_FEATURE_ID; + + artifactManagerRole.kibana[0].feature[siemFeatureId] = artifactManagerRole.kibana[0].feature[ + siemFeatureId + ].filter((privilege) => privilege !== 'global_artifact_management_all'); globalArtifactManagerRole = Object.assign( rolesUsersProvider.loader.getPreDefinedRole('t3_analyst'), @@ -81,11 +79,11 @@ export default function ({ getService }: FtrProviderContext) { ); if ( - !globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( + !globalArtifactManagerRole.kibana[0].feature[siemFeatureId].includes( 'global_artifact_management_all' ) ) { - globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].push( + globalArtifactManagerRole.kibana[0].feature[siemFeatureId].push( 'global_artifact_management_all' ); } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts index db42ca4b377fc..e838ddf9c724b 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts 
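Review bot: The `?? SECURITY_FEATURE_ID` fallback in the first hunk does not make the lookup safe: when the predefined role carries no feature key starting with `siem`, `feature[siemFeatureId]` is undefined and the `.filter(...)` that follows throws a TypeError rather than a readable setup failure. `startsWith('siem')` also takes whichever matching key comes first, and the second hunk reuses the id resolved from `artifactManagerRole` for `globalArtifactManagerRole`, a separate role object, so if the two ever carried different siem versions the `.includes`/`.push` would hit a missing key. Because this setup decides which test user holds `global_artifact_management_all`, I would fail loudly right after the lookup, e.g. `if (!artifactManagerRole.kibana[0].feature[siemFeatureId]) throw new Error('predefined role has no siem feature');`, and resolve the id separately for each role. The enclosing setup code starts and ends outside both hunks.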
@@ -62,7 +62,6 @@ export default function endpointAPIIntegrationTests(providerContext: FtrProvider loadTestFile(require.resolve('./space_awareness')); loadTestFile(require.resolve('./artifacts')); - loadTestFile(require.resolve('./role_backwards_compatibility')); loadTestFile(require.resolve('./response_actions')); }); } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts deleted file mode 100644 index 4aa3915ee6e3b..0000000000000 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts +++ /dev/null 
@@ -1,140 +0,0 @@ -/* - * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one - * or more contributor license agreements. Licensed under the Elastic License - * 2.0; you may not use this file except in compliance with the Elastic License - * 2.0. - */ - -import type TestAgent from 'supertest/lib/agent'; -import type { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants'; -import { ENDPOINT_ARTIFACT_LISTS, ENDPOINT_LIST_ID } from '@kbn/securitysolution-list-constants'; -import type { Role } from '@kbn/security-plugin-types-common'; -import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; -import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; -import type { ArtifactTestData } from '../../../../../security_solution_endpoint/services/endpoint_artifacts'; -import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; - -export default function ({ getService }: FtrProviderContext) { - const utils = getService('securitySolutionUtils'); - const rolesUsersProvider = getService('rolesUsersProvider'); - const endpointArtifactTestResources = getService('endpointArtifactTestResources'); - - describe('@ess @skipInServerless, @skipInServerlessMKI Endpoint Artifacts space awareness user role backwards compatibility until siemV3', function () { - const afterEachDataCleanup: Array> = []; - - const SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3'] as const; - - let globalArtifactManagerRole: Role; - - const createUserWithSiemPrivileges = async ( - siemVersion: (typeof SIEM_VERSIONS)[number], - siemPrivileges: string[] - ): Promise => { - globalArtifactManagerRole = Object.assign( - rolesUsersProvider.loader.getPreDefinedRole('t1_analyst'), - { name: 'globalArtifactManager' } - ); - - // remove actual siem - delete globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID]; - - // add (deprecated) siem feature - 
globalArtifactManagerRole.kibana[0].feature[siemVersion] = siemPrivileges; - - rolesUsersProvider.loader.create(globalArtifactManagerRole); - const globalArtifactManagerUser = await rolesUsersProvider.loader.create( - globalArtifactManagerRole - ); - - return utils.createSuperTest( - globalArtifactManagerUser.username, - globalArtifactManagerUser.password - ); - }; - - after(async () => { - if (globalArtifactManagerRole) { - await rolesUsersProvider.loader.delete(globalArtifactManagerRole.name); - // @ts-expect-error - globalArtifactManagerRole = undefined; - } - }); - - afterEach(async () => { - await Promise.allSettled(afterEachDataCleanup.splice(0).map((data) => data.cleanup())); - }); - - // testing with all SIEM versions for backward compatibility - for (const siemVersion of SIEM_VERSIONS) { - describe(`with ${siemVersion} feature version`, () => { - const artifactTypes: Array<{ - listId: (typeof ENDPOINT_ARTIFACT_LIST_IDS)[number] | typeof ENDPOINT_LIST_ID; - privileges: string[]; - }> = [ - { - listId: ENDPOINT_LIST_ID, - privileges: ['all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, - privileges: ['read', 'trusted_applications_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, - privileges: ['read', 'event_filters_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, - privileges: ['read', 'blocklist_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, - privileges: ['read', 'host_isolation_exceptions_all'], - }, - - { - listId: ENDPOINT_LIST_ID, - privileges: ['minimal_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, - privileges: ['minimal_read', 'trusted_applications_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, - privileges: ['minimal_read', 'event_filters_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, - privileges: ['minimal_read', 'blocklist_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, - 
privileges: ['minimal_read', 'host_isolation_exceptions_all'], - }, - ]; - - for (const artifactType of artifactTypes) { - it(`should allow creating a global artifact on ${ - artifactType.listId - } list with original privileges ${artifactType.privileges.join(', ')}`, async () => { - const supertestGlobalArtifactManager = await createUserWithSiemPrivileges(siemVersion, [ - ...artifactType.privileges, - - // adding global access to current version, old version should receive it during rule migration - ...(siemVersion === SECURITY_FEATURE_ID ? ['global_artifact_management_all'] : []), - ]); - - const createdArtifact = await endpointArtifactTestResources.createArtifact( - artifactType.listId, - { tags: [GLOBAL_ARTIFACT_TAG] }, - { supertest: supertestGlobalArtifactManager } - ); - - afterEachDataCleanup.push(createdArtifact); - }); - } - }); - } - }); -} diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts index ac7c492fdce7f..b72433f329a2f 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts @@ -96,6 +96,29 @@ describe('Capabilities', { tags: '@serverless' }, () => { cy.task('deleteServerlessCustomRole', 'siemV3'); }, }, + { + name: 'User with siem v4 role', + loginAs: 'siemV4', + setup: () => { + cy.task('createServerlessCustomRole', { + roleDescriptor: { + elasticsearch: { + indices: [{ names: ['*'], privileges: ['all'] }], + }, + kibana: [ + { + feature: { siemV4: ['all'], fleet: ['all'] }, + spaces: ['*'], + }, + ], + }, + roleName: 'siemV4', + }); + }, + teardown: () => { + cy.task('deleteServerlessCustomRole', 'siemV4'); + }, + }, ]; // Iterate through each user role 
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts index 881576bd16a77..4fefa00f9532a 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts @@ -5,13 +5,15 @@ * 2.0. */ +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; + export const SPACE_SELECTOR_COMBO_BOX = '[data-test-subj="spaceSelectorComboBox"]'; // Privileges export const SECURITY_CATEGORY = '[data-test-subj="featureCategory_securitySolution"]'; // Sub-privileges -export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV3"]'; +export const SECURITY_FEATURE = `[data-test-subj="featureCategory_securitySolution_${SECURITY_FEATURE_ID}"]`; export const SECURITY_FEATURE_DESCRIPTION = '[aria-describedby="Security description text"]'; export const CASES_FEATURE = diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts index 4149aee69063f..32e1978689e25 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts @@ -62,7 +62,7 @@ export const secAll: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], 
@@ -100,7 +100,7 @@ export const secReadCasesAll: Role = { kibana: [ { feature: { - siemV3: ['read'], + siemV4: ['read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -137,7 +137,7 @@ export const secAllCasesOnlyReadDelete: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -174,7 +174,7 @@ export const secAllCasesNoDelete: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts index 9ccbdf6139bad..ae059f76c24b7 100644 --- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts +++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts @@ -42,6 +42,7 @@ export default function ({ getService }: FtrProviderContext) { 'siem', 'siemV2', 'siemV3', + 'siemV4', ]; const features = Object.fromEntries( @@ -238,14 +239,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readActionsLogManagement", "ui:siem/writeActionsLogManagement", "ui:siem/readActionsLogManagement", - "ui:siemV3/writeActionsLogManagement", - "ui:siemV3/readActionsLogManagement", + "ui:siemV4/writeActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "actions_log_management_read": Array [ "login:", "api:securitySolution-readActionsLogManagement", "ui:siem/readActionsLogManagement", - "ui:siemV3/readActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "all": Array [ "login:", 
@@ -1099,16 +1100,16 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/securitySolutionNotes", "ui:securitySolutionNotes/read", "ui:securitySolutionNotes/crud", - "ui:siemV3/show", - "ui:siemV3/crud", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", - "ui:siemV3/writeGlobalArtifacts", - "ui:siemV3/showEndpointExceptions", - "ui:siemV3/crudEndpointExceptions", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/writeGlobalArtifacts", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", ], "blocklist_all": Array [ "login:", @@ -1132,9 +1133,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siem/writeBlocklist", "ui:siem/readBlocklist", - "ui:siemV3/writeBlocklist", - "ui:siemV3/readBlocklist", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeBlocklist", + "ui:siemV4/readBlocklist", + "ui:siemV4/writeGlobalArtifacts", ], "blocklist_read": Array [ "login:", 
@@ -1142,24 +1143,41 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readBlocklist", "ui:siem/readBlocklist", - "ui:siemV3/readBlocklist", + "ui:siemV4/readBlocklist", ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", "api:securitySolution-writeGlobalArtifacts", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siem/showEndpointExceptions", "ui:siem/crudEndpointExceptions", - "ui:siemV3/showEndpointExceptions", - "ui:siemV3/crudEndpointExceptions", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", + "ui:siemV4/writeGlobalArtifacts", ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siem/showEndpointExceptions", - "ui:siemV3/showEndpointExceptions", + "ui:siemV4/showEndpointExceptions", ], "endpoint_list_all": Array [ "login:", 
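Review bot: `endpoint_exceptions_all` now carries `api:lists-all` and the full write set on `saved_object:exception-list-agnostic` (create, update, delete, share_to_space) under the legacy `siem` key, and the hunks at -3873 (`siemV2`) and -6489 (`siemV3`) record the same, so roles that already hold this sub-privilege appear to be widened rather than only the new `siemV4` feature. The same saved-object type is listed in this snapshot under `blocklist_all`, `event_filters_all` and `trusted_applications_all`, so at the privilege layer nothing separates endpoint exceptions from those artifacts; that separation presumably rests on route-level checks that are not visible here. A snapshot only pins the action list, so I would add an API test asserting that a user holding only `endpoint_exceptions_all` is rejected when creating or deleting a blocklist or trusted-application item, and call out the widening in the PR description. `endpoint_exceptions_read` likewise gains `api:lists-read` and `api:lists-summary`, and the top-level `read` hunks further down add `api:lists-summary`.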
@@ -1167,14 +1185,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readEndpointList", "ui:siem/writeEndpointList", "ui:siem/readEndpointList", - "ui:siemV3/writeEndpointList", - "ui:siemV3/readEndpointList", + "ui:siemV4/writeEndpointList", + "ui:siemV4/readEndpointList", ], "endpoint_list_read": Array [ "login:", "api:securitySolution-readEndpointList", "ui:siem/readEndpointList", - "ui:siemV3/readEndpointList", + "ui:siemV4/readEndpointList", ], "event_filters_all": Array [ "login:", @@ -1198,9 +1216,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siem/writeEventFilters", "ui:siem/readEventFilters", - "ui:siemV3/writeEventFilters", - "ui:siemV3/readEventFilters", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeEventFilters", + "ui:siemV4/readEventFilters", + "ui:siemV4/writeGlobalArtifacts", ], "event_filters_read": Array [ "login:", @@ -1208,19 +1226,19 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readEventFilters", "ui:siem/readEventFilters", - "ui:siemV3/readEventFilters", + "ui:siemV4/readEventFilters", ], "execute_operations_all": Array [ "login:", "api:securitySolution-writeExecuteOperations", "ui:siem/writeExecuteOperations", - "ui:siemV3/writeExecuteOperations", + "ui:siemV4/writeExecuteOperations", ], "file_operations_all": Array [ "login:", "api:securitySolution-writeFileOperations", "ui:siem/writeFileOperations", - "ui:siemV3/writeFileOperations", + "ui:siemV4/writeFileOperations", ], "host_isolation_all": Array [ "login:", 
@@ -1228,8 +1246,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-writeHostIsolation", "ui:siem/writeHostIsolationRelease", "ui:siem/writeHostIsolation", - "ui:siemV3/writeHostIsolationRelease", - "ui:siemV3/writeHostIsolation", + "ui:siemV4/writeHostIsolationRelease", + "ui:siemV4/writeHostIsolation", ], "host_isolation_exceptions_all": Array [ "login:", @@ -1257,11 +1275,11 @@ export default function ({ getService }: FtrProviderContext) { "ui:siem/deleteHostIsolationExceptions", "ui:siem/accessHostIsolationExceptions", "ui:siem/writeHostIsolationExceptions", - "ui:siemV3/readHostIsolationExceptions", - "ui:siemV3/deleteHostIsolationExceptions", - "ui:siemV3/accessHostIsolationExceptions", - "ui:siemV3/writeHostIsolationExceptions", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/deleteHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + "ui:siemV4/writeHostIsolationExceptions", + "ui:siemV4/writeGlobalArtifacts", ], "host_isolation_exceptions_read": Array [ "login:", @@ -1271,8 +1289,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-accessHostIsolationExceptions", "ui:siem/readHostIsolationExceptions", "ui:siem/accessHostIsolationExceptions", - "ui:siemV3/readHostIsolationExceptions", - "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", ], "minimal_all": Array [ "login:", 
@@ -2122,13 +2140,13 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/securitySolutionNotes", "ui:securitySolutionNotes/read", "ui:securitySolutionNotes/crud", - "ui:siemV3/show", - "ui:siemV3/crud", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "minimal_read": Array [ "login:", @@ -2529,12 +2547,12 @@ export default function ({ getService }: FtrProviderContext) { "ui:securitySolutionTimeline/read", "ui:navLinks/securitySolutionNotes", "ui:securitySolutionNotes/read", - "ui:siemV3/show", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "policy_management_all": Array [ "login:", @@ -2554,8 +2572,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/share_to_space", "ui:siem/writePolicyManagement", "ui:siem/readPolicyManagement", - "ui:siemV3/writePolicyManagement", - "ui:siemV3/readPolicyManagement", + "ui:siemV4/writePolicyManagement", + "ui:siemV4/readPolicyManagement", ], "policy_management_read": Array [ "login:", 
@@ -2566,13 +2584,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/open_point_in_time", "saved_object:policy-settings-protection-updates-note/close_point_in_time", "ui:siem/readPolicyManagement", - "ui:siemV3/readPolicyManagement", + "ui:siemV4/readPolicyManagement", ], "process_operations_all": Array [ "login:", "api:securitySolution-writeProcessOperations", "ui:siem/writeProcessOperations", - "ui:siemV3/writeProcessOperations", + "ui:siemV4/writeProcessOperations", ], "read": Array [ "login:", @@ -2586,6 +2604,7 @@ export default function ({ getService }: FtrProviderContext) { "api:bulkGetUserProfiles", "api:securitySolution-entity-analytics", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", @@ -2975,19 +2994,19 @@ export default function ({ getService }: FtrProviderContext) { "ui:securitySolutionTimeline/read", "ui:navLinks/securitySolutionNotes", "ui:securitySolutionNotes/read", - "ui:siemV3/show", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", - "ui:siemV3/showEndpointExceptions", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", ], "scan_operations_all": Array [ "login:", "api:securitySolution-writeScanOperations", "ui:siem/writeScanOperations", - "ui:siemV3/writeScanOperations", + "ui:siemV4/writeScanOperations", ], "trusted_applications_all": Array [ "login:", 
@@ -3011,9 +3030,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siem/writeTrustedApplications", "ui:siem/readTrustedApplications", - "ui:siemV3/writeTrustedApplications", - "ui:siemV3/readTrustedApplications", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeTrustedApplications", + "ui:siemV4/readTrustedApplications", + "ui:siemV4/writeGlobalArtifacts", ], "trusted_applications_read": Array [ "login:", @@ -3021,7 +3040,7 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readTrustedApplications", "ui:siem/readTrustedApplications", - "ui:siemV3/readTrustedApplications", + "ui:siemV4/readTrustedApplications", ], }, "siemV2": Object { @@ -3031,14 +3050,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readActionsLogManagement", "ui:siemV2/writeActionsLogManagement", "ui:siemV2/readActionsLogManagement", - "ui:siemV3/writeActionsLogManagement", - "ui:siemV3/readActionsLogManagement", + "ui:siemV4/writeActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "actions_log_management_read": Array [ "login:", "api:securitySolution-readActionsLogManagement", "ui:siemV2/readActionsLogManagement", - "ui:siemV3/readActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "all": Array [ "login:", 
@@ -3830,16 +3849,16 @@ export default function ({ getService }: FtrProviderContext) { "ui:visualize_v2/save", "ui:visualize_v2/createShortUrl", "ui:visualize_v2/generateScreenshot", - "ui:siemV3/show", - "ui:siemV3/crud", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", - "ui:siemV3/writeGlobalArtifacts", - "ui:siemV3/showEndpointExceptions", - "ui:siemV3/crudEndpointExceptions", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/writeGlobalArtifacts", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", ], "blocklist_all": Array [ "login:", @@ -3863,9 +3882,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV2/writeBlocklist", "ui:siemV2/readBlocklist", - "ui:siemV3/writeBlocklist", - "ui:siemV3/readBlocklist", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeBlocklist", + "ui:siemV4/readBlocklist", + "ui:siemV4/writeGlobalArtifacts", ], "blocklist_read": Array [ "login:", 
@@ -3873,24 +3892,41 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readBlocklist", "ui:siemV2/readBlocklist", - "ui:siemV3/readBlocklist", + "ui:siemV4/readBlocklist", ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", "api:securitySolution-writeGlobalArtifacts", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV2/showEndpointExceptions", "ui:siemV2/crudEndpointExceptions", - "ui:siemV3/showEndpointExceptions", - "ui:siemV3/crudEndpointExceptions", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", + "ui:siemV4/writeGlobalArtifacts", ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV2/showEndpointExceptions", - "ui:siemV3/showEndpointExceptions", + "ui:siemV4/showEndpointExceptions", ], "endpoint_list_all": Array [ "login:", 
@@ -3898,14 +3934,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readEndpointList", "ui:siemV2/writeEndpointList", "ui:siemV2/readEndpointList", - "ui:siemV3/writeEndpointList", - "ui:siemV3/readEndpointList", + "ui:siemV4/writeEndpointList", + "ui:siemV4/readEndpointList", ], "endpoint_list_read": Array [ "login:", "api:securitySolution-readEndpointList", "ui:siemV2/readEndpointList", - "ui:siemV3/readEndpointList", + "ui:siemV4/readEndpointList", ], "event_filters_all": Array [ "login:", @@ -3929,9 +3965,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV2/writeEventFilters", "ui:siemV2/readEventFilters", - "ui:siemV3/writeEventFilters", - "ui:siemV3/readEventFilters", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeEventFilters", + "ui:siemV4/readEventFilters", + "ui:siemV4/writeGlobalArtifacts", ], "event_filters_read": Array [ "login:", @@ -3939,25 +3975,25 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readEventFilters", "ui:siemV2/readEventFilters", - "ui:siemV3/readEventFilters", + "ui:siemV4/readEventFilters", ], "execute_operations_all": Array [ "login:", "api:securitySolution-writeExecuteOperations", "ui:siemV2/writeExecuteOperations", - "ui:siemV3/writeExecuteOperations", + "ui:siemV4/writeExecuteOperations", ], "file_operations_all": Array [ "login:", "api:securitySolution-writeFileOperations", "ui:siemV2/writeFileOperations", - "ui:siemV3/writeFileOperations", + "ui:siemV4/writeFileOperations", ], "global_artifact_management_all": Array [ "login:", "api:securitySolution-writeGlobalArtifacts", "ui:siemV2/writeGlobalArtifacts", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeGlobalArtifacts", ], "host_isolation_all": Array [ "login:", 
@@ -3965,8 +4001,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-writeHostIsolation", "ui:siemV2/writeHostIsolationRelease", "ui:siemV2/writeHostIsolation", - "ui:siemV3/writeHostIsolationRelease", - "ui:siemV3/writeHostIsolation", + "ui:siemV4/writeHostIsolationRelease", + "ui:siemV4/writeHostIsolation", ], "host_isolation_exceptions_all": Array [ "login:", @@ -3994,11 +4030,11 @@ export default function ({ getService }: FtrProviderContext) { "ui:siemV2/deleteHostIsolationExceptions", "ui:siemV2/accessHostIsolationExceptions", "ui:siemV2/writeHostIsolationExceptions", - "ui:siemV3/readHostIsolationExceptions", - "ui:siemV3/deleteHostIsolationExceptions", - "ui:siemV3/accessHostIsolationExceptions", - "ui:siemV3/writeHostIsolationExceptions", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/deleteHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + "ui:siemV4/writeHostIsolationExceptions", + "ui:siemV4/writeGlobalArtifacts", ], "host_isolation_exceptions_read": Array [ "login:", @@ -4008,8 +4044,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-accessHostIsolationExceptions", "ui:siemV2/readHostIsolationExceptions", "ui:siemV2/accessHostIsolationExceptions", - "ui:siemV3/readHostIsolationExceptions", - "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", ], "minimal_all": Array [ "login:", 
@@ -4797,13 +4833,13 @@ export default function ({ getService }: FtrProviderContext) { "ui:visualize_v2/save", "ui:visualize_v2/createShortUrl", "ui:visualize_v2/generateScreenshot", - "ui:siemV3/show", - "ui:siemV3/crud", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "minimal_read": Array [ "login:", @@ -5176,12 +5212,12 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/lens", "ui:visualize_v2/show", "ui:visualize_v2/createShortUrl", - "ui:siemV3/show", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "policy_management_all": Array [ "login:", @@ -5201,8 +5237,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/share_to_space", "ui:siemV2/writePolicyManagement", "ui:siemV2/readPolicyManagement", - "ui:siemV3/writePolicyManagement", - "ui:siemV3/readPolicyManagement", + "ui:siemV4/writePolicyManagement", + "ui:siemV4/readPolicyManagement", ], "policy_management_read": Array [ "login:", 
@@ -5213,13 +5249,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/open_point_in_time", "saved_object:policy-settings-protection-updates-note/close_point_in_time", "ui:siemV2/readPolicyManagement", - "ui:siemV3/readPolicyManagement", + "ui:siemV4/readPolicyManagement", ], "process_operations_all": Array [ "login:", "api:securitySolution-writeProcessOperations", "ui:siemV2/writeProcessOperations", - "ui:siemV3/writeProcessOperations", + "ui:siemV4/writeProcessOperations", ], "read": Array [ "login:", @@ -5231,6 +5267,7 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", @@ -5594,19 +5631,19 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/lens", "ui:visualize_v2/show", "ui:visualize_v2/createShortUrl", - "ui:siemV3/show", - "ui:siemV3/entity-analytics", - "ui:siemV3/detections", - "ui:siemV3/investigation-guide", - "ui:siemV3/investigation-guide-interactions", - "ui:siemV3/threat-intelligence", - "ui:siemV3/showEndpointExceptions", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", ], "scan_operations_all": Array [ "login:", "api:securitySolution-writeScanOperations", "ui:siemV2/writeScanOperations", - "ui:siemV3/writeScanOperations", + "ui:siemV4/writeScanOperations", ], "trusted_applications_all": Array [ "login:", 
@@ -5630,9 +5667,9 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV2/writeTrustedApplications", "ui:siemV2/readTrustedApplications", - "ui:siemV3/writeTrustedApplications", - "ui:siemV3/readTrustedApplications", - "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeTrustedApplications", + "ui:siemV4/readTrustedApplications", + "ui:siemV4/writeGlobalArtifacts", ], "trusted_applications_read": Array [ "login:", @@ -5640,7 +5677,7 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readTrustedApplications", "ui:siemV2/readTrustedApplications", - "ui:siemV3/readTrustedApplications", + "ui:siemV4/readTrustedApplications", ], "workflow_insights_all": Array [ "login:", @@ -5648,14 +5685,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readWorkflowInsights", "ui:siemV2/writeWorkflowInsights", "ui:siemV2/readWorkflowInsights", - "ui:siemV3/writeWorkflowInsights", - "ui:siemV3/readWorkflowInsights", + "ui:siemV4/writeWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], "workflow_insights_read": Array [ "login:", "api:securitySolution-readWorkflowInsights", "ui:siemV2/readWorkflowInsights", - "ui:siemV3/readWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], }, "siemV3": Object { @@ -5665,11 +5702,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readActionsLogManagement", "ui:siemV3/writeActionsLogManagement", "ui:siemV3/readActionsLogManagement", + "ui:siemV4/writeActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "actions_log_management_read": Array [ "login:", "api:securitySolution-readActionsLogManagement", "ui:siemV3/readActionsLogManagement", + "ui:siemV4/readActionsLogManagement", ], "all": Array [ "login:", 
@@ -6460,6 +6500,15 @@ export default function ({ getService }: FtrProviderContext) { "ui:visualize_v2/save", "ui:visualize_v2/createShortUrl", "ui:visualize_v2/generateScreenshot", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", ], "blocklist_all": Array [ "login:", @@ -6482,6 +6531,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/writeBlocklist", "ui:siemV3/readBlocklist", + "ui:siemV4/writeBlocklist", + "ui:siemV4/readBlocklist", ], "blocklist_read": Array [ "login:", 
@@ -6489,18 +6540,39 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readBlocklist", "ui:siemV3/readBlocklist", + "ui:siemV4/readBlocklist", ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/showEndpointExceptions", "ui:siemV3/crudEndpointExceptions", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV3/showEndpointExceptions", + "ui:siemV4/showEndpointExceptions", ], "endpoint_list_all": Array [ "login:", @@ -6508,11 +6580,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readEndpointList", "ui:siemV3/writeEndpointList", "ui:siemV3/readEndpointList", + "ui:siemV4/writeEndpointList", + "ui:siemV4/readEndpointList", ], "endpoint_list_read": Array [ "login:", "api:securitySolution-readEndpointList", "ui:siemV3/readEndpointList", + "ui:siemV4/readEndpointList", ], "event_filters_all": Array [ "login:", 
@@ -6535,6 +6610,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/writeEventFilters", "ui:siemV3/readEventFilters", + "ui:siemV4/writeEventFilters", + "ui:siemV4/readEventFilters", ], "event_filters_read": Array [ "login:", @@ -6542,21 +6619,25 @@ export default function ({ getService }: FtrProviderContext) { "api:lists-summary", "api:securitySolution-readEventFilters", "ui:siemV3/readEventFilters", + "ui:siemV4/readEventFilters", ], "execute_operations_all": Array [ "login:", "api:securitySolution-writeExecuteOperations", "ui:siemV3/writeExecuteOperations", + "ui:siemV4/writeExecuteOperations", ], "file_operations_all": Array [ "login:", "api:securitySolution-writeFileOperations", "ui:siemV3/writeFileOperations", + "ui:siemV4/writeFileOperations", ], "global_artifact_management_all": Array [ "login:", "api:securitySolution-writeGlobalArtifacts", "ui:siemV3/writeGlobalArtifacts", + "ui:siemV4/writeGlobalArtifacts", ], "host_isolation_all": Array [ "login:", @@ -6564,6 +6645,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-writeHostIsolation", "ui:siemV3/writeHostIsolationRelease", "ui:siemV3/writeHostIsolation", + "ui:siemV4/writeHostIsolationRelease", + "ui:siemV4/writeHostIsolation", ], "host_isolation_exceptions_all": Array [ "login:", @@ -6590,6 +6673,10 @@ export default function ({ getService }: FtrProviderContext) { "ui:siemV3/deleteHostIsolationExceptions", "ui:siemV3/accessHostIsolationExceptions", "ui:siemV3/writeHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/deleteHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + "ui:siemV4/writeHostIsolationExceptions", ], "host_isolation_exceptions_read": Array [ "login:", 
@@ -6599,6 +6686,8 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-accessHostIsolationExceptions", "ui:siemV3/readHostIsolationExceptions", "ui:siemV3/accessHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", ], "minimal_all": Array [ "login:", @@ -7385,6 +7474,13 @@ export default function ({ getService }: FtrProviderContext) { "ui:visualize_v2/save", "ui:visualize_v2/createShortUrl", "ui:visualize_v2/generateScreenshot", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "minimal_read": Array [ "login:", @@ -7757,6 +7853,12 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/lens", "ui:visualize_v2/show", "ui:visualize_v2/createShortUrl", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", ], "policy_management_all": Array [ "login:", @@ -7776,6 +7878,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/share_to_space", "ui:siemV3/writePolicyManagement", "ui:siemV3/readPolicyManagement", + "ui:siemV4/writePolicyManagement", + "ui:siemV4/readPolicyManagement", ], "policy_management_read": Array [ "login:", 
@@ -7786,11 +7890,13 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:policy-settings-protection-updates-note/open_point_in_time", "saved_object:policy-settings-protection-updates-note/close_point_in_time", "ui:siemV3/readPolicyManagement", + "ui:siemV4/readPolicyManagement", ], "process_operations_all": Array [ "login:", "api:securitySolution-writeProcessOperations", "ui:siemV3/writeProcessOperations", + "ui:siemV4/writeProcessOperations", ], "read": Array [ "login:", @@ -7802,6 +7908,7 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", @@ -8165,11 +8272,19 @@ export default function ({ getService }: FtrProviderContext) { "ui:navLinks/lens", "ui:visualize_v2/show", "ui:visualize_v2/createShortUrl", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", ], "scan_operations_all": Array [ "login:", "api:securitySolution-writeScanOperations", "ui:siemV3/writeScanOperations", + "ui:siemV4/writeScanOperations", ], "trusted_applications_all": Array [ "login:", @@ -8192,6 +8307,8 @@ export default function ({ getService }: FtrProviderContext) { "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/writeTrustedApplications", "ui:siemV3/readTrustedApplications", + "ui:siemV4/writeTrustedApplications", + "ui:siemV4/readTrustedApplications", ], "trusted_applications_read": Array [ "login:", 
@@ -8199,6 +8316,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readTrustedApplications",
 "ui:siemV3/readTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
 ],
 "workflow_insights_all": Array [
 "login:",
@@ -8206,11 +8324,2580 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readWorkflowInsights", "ui:siemV3/writeWorkflowInsights", "ui:siemV3/readWorkflowInsights", + "ui:siemV4/writeWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], "workflow_insights_read": Array [ "login:", "api:securitySolution-readWorkflowInsights", "ui:siemV3/readWorkflowInsights", + "ui:siemV4/readWorkflowInsights", + ], + }, + "siemV4": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siemV4/writeActionsLogManagement", + "ui:siemV4/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siemV4/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + 
"saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", 
+ "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + 
"saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + 
"saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + "saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:privmon-api-key/create", + "saved_object:privmon-api-key/bulk_create", + "saved_object:privmon-api-key/update", + "saved_object:privmon-api-key/bulk_update", + "saved_object:privmon-api-key/delete", + "saved_object:privmon-api-key/bulk_delete", + "saved_object:privmon-api-key/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + 
"saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + 
"saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + 
"saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + 
"alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + 
"alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + 
"alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + 
"alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + 
"alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + 
"alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", + "alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + 
"alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + 
"alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + 
"alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + 
"saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + 
"saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + 
"ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + ], + "blocklist_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeBlocklist", + "ui:siemV4/readBlocklist", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siemV4/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + 
"saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-showEndpointExceptions", + "ui:siemV4/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siemV4/writeEndpointList", + "ui:siemV4/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + "api:securitySolution-readEndpointList", + "ui:siemV4/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + 
"saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeEventFilters", + "ui:siemV4/readEventFilters", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siemV4/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + "ui:siemV4/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siemV4/writeFileOperations", + ], + "global_artifact_management_all": Array [ + "login:", + "api:securitySolution-writeGlobalArtifacts", + "ui:siemV4/writeGlobalArtifacts", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siemV4/writeHostIsolationRelease", + "ui:siemV4/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/deleteHostIsolationExceptions", + 
"ui:siemV4/accessHostIsolationExceptions", + "ui:siemV4/writeHostIsolationExceptions", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + 
"saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + 
"saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + 
"saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + 
"saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + "saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:privmon-api-key/create", + "saved_object:privmon-api-key/bulk_create", + "saved_object:privmon-api-key/update", + "saved_object:privmon-api-key/bulk_update", + "saved_object:privmon-api-key/delete", + "saved_object:privmon-api-key/bulk_delete", + "saved_object:privmon-api-key/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + 
"saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + 
"saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + 
"saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + 
"alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + "alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + 
"alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + "alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + 
"alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + 
"alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", + 
"alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + 
"alerting:siem.thresholdRule/siem/rule/disable", + "alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + 
"alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + "alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + 
"saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", + "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + 
"saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + 
"saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + "ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + ], + "minimal_read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + 
"saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + 
"saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + 
"saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + 
"alerting:siem.notifications/siem/rule/bulkEditParams", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", + "alerting:siem.mlRule/siem/rule/get", + 
"alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + 
"alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + 
"alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + 
"saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + ], + 
"policy_management_all": Array [ + "login:", + "api:securitySolution-writePolicyManagement", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "ui:siemV4/writePolicyManagement", + "ui:siemV4/readPolicyManagement", + ], + "policy_management_read": Array [ + "login:", + "api:securitySolution-readPolicyManagement", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "ui:siemV4/readPolicyManagement", + ], + "process_operations_all": Array [ + "login:", + "api:securitySolution-writeProcessOperations", + "ui:siemV4/writeProcessOperations", + ], + "read": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-read", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-read", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + 
"ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + 
"saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + "saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + 
"saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + 
"saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", + 
"alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + 
"alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + 
"alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + 
"alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + 
"saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siemV4/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + 
"saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeTrustedApplications", + "ui:siemV4/readTrustedApplications", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readTrustedApplications", + "ui:siemV4/readTrustedApplications", + ], + "workflow_insights_all": Array [ + "login:", + "api:securitySolution-writeWorkflowInsights", + "api:securitySolution-readWorkflowInsights", + "ui:siemV4/writeWorkflowInsights", + "ui:siemV4/readWorkflowInsights", + ], + "workflow_insights_read": Array [ + "login:", + "api:securitySolution-readWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], }, }