From 122e7e76ab5519c7b22aebf1f9cb54b1894b6269 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 10:03:04 +0200 Subject: [PATCH 01/33] add `siemV4` definition files --- .../packages/features/product_features.ts | 7 +- .../packages/features/src/constants.ts | 2 + .../packages/features/src/security/index.ts | 14 +++ .../security/v4_features/kibana_features.ts | 115 ++++++++++++++++++ .../v4_features/kibana_sub_features.ts | 89 ++++++++++++++ .../lib/product_features_service/mocks.ts | 5 + .../product_features_service.ts | 2 + 7 files changed, 233 insertions(+), 1 deletion(-) create mode 100644 x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts create mode 100644 x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts diff --git a/x-pack/solutions/security/packages/features/product_features.ts b/x-pack/solutions/security/packages/features/product_features.ts index 1649458e866d1..c830fdbb3d456 100644 --- a/x-pack/solutions/security/packages/features/product_features.ts +++ b/x-pack/solutions/security/packages/features/product_features.ts @@ -6,7 +6,12 @@ */ export { getCasesFeature, getCasesV2Feature, getCasesV3Feature } from './src/cases'; -export { getSecurityFeature, getSecurityV2Feature, getSecurityV3Feature } from './src/security'; +export { + getSecurityFeature, + getSecurityV2Feature, + getSecurityV3Feature, + getSecurityV4Feature, +} from './src/security'; export { getAssistantFeature } from './src/assistant'; export { getAttackDiscoveryFeature } from './src/attack_discovery'; export { getTimelineFeature } from './src/timeline'; diff --git a/x-pack/solutions/security/packages/features/src/constants.ts b/x-pack/solutions/security/packages/features/src/constants.ts index 059e3f3162200..782054a3157c5 100644 --- a/x-pack/solutions/security/packages/features/src/constants.ts +++ b/x-pack/solutions/security/packages/features/src/constants.ts 
@@ -13,6 +13,8 @@ export const SERVER_APP_ID = 'siem' as const;
 export const SECURITY_FEATURE_ID_V2 = 'siemV2' as const;
 // New version for 9.1.
 export const SECURITY_FEATURE_ID_V3 = 'siemV3' as const;
+// New version for 9.2.
+export const SECURITY_FEATURE_ID_V4 = 'siemV4' as const;
 
 /**
  * @deprecated deprecated in 8.17. Use CASE_FEATURE_ID_V2 instead
diff --git a/x-pack/solutions/security/packages/features/src/security/index.ts b/x-pack/solutions/security/packages/features/src/security/index.ts
index b0a01d9e9b5b5..90d72f4ef50a5 100644
--- a/x-pack/solutions/security/packages/features/src/security/index.ts
+++ b/x-pack/solutions/security/packages/features/src/security/index.ts
@@ -25,6 +25,11 @@ import {
 import { securityDefaultProductFeaturesConfig } from './product_feature_config';
 import { securityV1ProductFeaturesConfig } from './v1_features/product_feature_config';
 import { securityV2ProductFeaturesConfig } from './v2_features/product_feature_config';
+import { getSecurityV4BaseKibanaFeature } from './v4_features/kibana_features';
+import {
+  getSecurityV4BaseKibanaSubFeatureIds,
+  getSecurityV4SubFeaturesMap,
+} from './v4_features/kibana_sub_features';
 
 export const getSecurityFeature = (
   params: SecurityFeatureParams
@@ -52,3 +57,12 @@ export const getSecurityV3Feature = (
   subFeaturesMap: getSecurityV3SubFeaturesMap(params),
   productFeatureConfig: securityDefaultProductFeaturesConfig,
 });
+
+export const getSecurityV4Feature = (
+  params: SecurityFeatureParams
+): ProductFeatureParams => ({
+  baseKibanaFeature: getSecurityV4BaseKibanaFeature(params),
+  baseKibanaSubFeatureIds: getSecurityV4BaseKibanaSubFeatureIds(params),
+  subFeaturesMap: getSecurityV4SubFeaturesMap(params),
+  productFeatureConfig: securityDefaultProductFeaturesConfig,
+});
diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts
new file mode 100644
index 0000000000000..daa1f42609af9
--- /dev/null
+++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts
@@ -0,0 +1,115 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import { i18n } from '@kbn/i18n'; +import { KibanaFeatureScope } from '@kbn/features-plugin/common'; + +import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; +import { + EQL_RULE_TYPE_ID, + ESQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, +} from '@kbn/securitysolution-rules'; +import { + APP_ID, + SECURITY_FEATURE_ID_V4, + LEGACY_NOTIFICATIONS_ID, + CLOUD_POSTURE_APP_ID, + SERVER_APP_ID, +} from '../../constants'; +import type { SecurityFeatureParams } from '../types'; +import type { BaseKibanaFeatureConfig } from '../../types'; + +const SECURITY_RULE_TYPES = [ + LEGACY_NOTIFICATIONS_ID, + ESQL_RULE_TYPE_ID, + EQL_RULE_TYPE_ID, + INDICATOR_RULE_TYPE_ID, + ML_RULE_TYPE_ID, + QUERY_RULE_TYPE_ID, + SAVED_QUERY_RULE_TYPE_ID, + THRESHOLD_RULE_TYPE_ID, + NEW_TERMS_RULE_TYPE_ID, +]; + +const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ + ruleTypeId, + consumers: [SERVER_APP_ID], +})); + +export const getSecurityV4BaseKibanaFeature = ({ + savedObjects, +}: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + id: SECURITY_FEATURE_ID_V4, + name: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', + { + defaultMessage: 'Security', + } + ), + order: 1100, + category: DEFAULT_APP_CATEGORIES.security, + scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security], + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + management: { + insightsAndAlerting: ['triggersActions'], + }, + alerting: alertingFeatures, + description: i18n.translate( + 
'securitySolutionPackages.features.featureRegistry.securityGroupDescription', + { + defaultMessage: + "Each sub-feature privilege in this group must be assigned individually. Global assignment is only supported if your pricing plan doesn't allow individual feature privileges.", + } + ), + privileges: { + all: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], + savedObject: { + all: ['alert', ...savedObjects], + read: [], + }, + alerting: { + rule: { all: alertingFeatures }, + alert: { all: alertingFeatures }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show', 'crud'], + }, + read: { + app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], + catalogue: [APP_ID], + api: [APP_ID, 'rac', 'lists-read'], + savedObject: { + all: [], + read: [...savedObjects], + }, + alerting: { + rule: { + read: alertingFeatures, + }, + alert: { + all: alertingFeatures, + }, + }, + management: { + insightsAndAlerting: ['triggersActions'], + }, + ui: ['show'], + }, + }, +}); diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts new file mode 100644 index 0000000000000..c0890a6297c68 --- /dev/null +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts 
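Review bot: In the `read` privilege at the end of the hunk, `alerting.alert` is granted `all` while `alerting.rule` is only `read`, which presumably lets a read-only Security role still write alert documents; this mirrors the V3 definition it was copied from, but the new file does not say it is intentional. A comment on that line, `// intentional: alerts stay writable for read users (e.g. status updates) while rules stay read-only`, with the parenthetical adjusted if the reason differs, would stop a later version bump from "correcting" it. It would also help to state at the top of the file that V4 is currently a verbatim copy of V3 and which change it exists for, since nothing in the definition itself differs.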
@@ -0,0 +1,89 @@ +/* + * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one + * or more contributor license agreements. Licensed under the Elastic License + * 2.0; you may not use this file except in compliance with the Elastic License + * 2.0. + */ + +import type { SubFeatureConfig } from '@kbn/features-plugin/common'; +import { SecuritySubFeatureId } from '../../product_features_keys'; +import type { SecurityFeatureParams } from '../types'; +import { + endpointListSubFeature, + endpointExceptionsSubFeature, + globalArtifactManagementSubFeature, + trustedApplicationsSubFeature, + hostIsolationExceptionsBasicSubFeature, + blocklistSubFeature, + eventFiltersSubFeature, + policyManagementSubFeature, + responseActionsHistorySubFeature, + hostIsolationSubFeature, + processOperationsSubFeature, + fileOperationsSubFeature, + executeActionSubFeature, + scanActionSubFeature, + workflowInsightsSubFeature, + trustedDevicesSubFeature, +} from '../kibana_sub_features'; + +/** + * Sub-features that will always be available for Security + * regardless of the product type. + */ +export const getSecurityV4BaseKibanaSubFeatureIds = ( + { experimentalFeatures }: SecurityFeatureParams // currently un-used, but left here as a convenience for possible future use +): SecuritySubFeatureId[] => []; + +/** + * Defines all the Security Assistant subFeatures available. 
+ * The order of the subFeatures is the order they will be displayed + */ +export const getSecurityV4SubFeaturesMap = ({ + experimentalFeatures, +}: SecurityFeatureParams): Map => { + const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ + [SecuritySubFeatureId.endpointList, endpointListSubFeature()], + [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], + [ + SecuritySubFeatureId.globalArtifactManagement, + globalArtifactManagementSubFeature(experimentalFeatures), + ], + [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature()], + [SecuritySubFeatureId.trustedDevices, trustedDevicesSubFeature()], + [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], + [SecuritySubFeatureId.blocklist, blocklistSubFeature()], + [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], + [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], + [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], + [SecuritySubFeatureId.processOperations, processOperationsSubFeature()], + [SecuritySubFeatureId.fileOperations, fileOperationsSubFeature()], + [SecuritySubFeatureId.executeAction, executeActionSubFeature()], + [SecuritySubFeatureId.scanAction, scanActionSubFeature()], + ]; + + const securitySubFeaturesMap = new Map( + securitySubFeaturesList.map(([id, originalSubFeature]) => { + let subFeature = originalSubFeature; + + // If the feature is space-aware, we need to set false to the requireAllSpaces flag and remove the privilegesTooltip + if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { + subFeature = { ...subFeature, requireAllSpaces: false, privilegesTooltip: undefined }; + } + + return [id, subFeature]; + }) + ); + + // Remove disabled experimental features + if 
(!experimentalFeatures.defendInsights) { + securitySubFeaturesMap.delete(SecuritySubFeatureId.workflowInsights); + } + if (!experimentalFeatures.trustedDevices) { + securitySubFeaturesMap.delete(SecuritySubFeatureId.trustedDevices); + } + + return Object.freeze(securitySubFeaturesMap); +}; diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts index b72d6562a99f5..f641f85e48038 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/mocks.ts @@ -33,6 +33,11 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({ baseKibanaSubFeatureIds: [], subFeaturesMap: new Map(), })), + getSecurityV4Feature: jest.fn(() => ({ + baseKibanaFeature: {}, + baseKibanaSubFeatureIds: [], + subFeaturesMap: new Map(), + })), getCasesFeature: jest.fn(() => ({ baseKibanaFeature: {}, baseKibanaSubFeatureIds: [], diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts index cab0172d6e02d..6f71105890948 100644 --- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts +++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.ts @@ -19,6 +19,7 @@ import { getCasesV3Feature, getSecurityV2Feature, getSecurityV3Feature, + getSecurityV4Feature, getTimelineFeature, getNotesFeature, getSiemMigrationsFeature, 
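Review bot: `Object.freeze(securitySubFeaturesMap)` at the end of `getSecurityV4SubFeaturesMap` does not make a `Map` immutable — `set`/`delete` operate on internal slots, not own properties — so callers can still mutate the returned map; if immutability is the intent, declaring the return type as `ReadonlyMap<SecuritySubFeatureId, SubFeatureConfig>` gives a compile-time guarantee the freeze does not (the type arguments look stripped in this rendering of the signature). The docstring above the function reads `Defines all the Security Assistant subFeatures available.`, which looks copied from the assistant feature; `Defines all the Security subFeatures available.` is what this file does. In `getSecurityV4BaseKibanaSubFeatureIds`, destructuring `experimentalFeatures` only to leave it unused may trip `no-unused-vars` under the usual lint config; `(_params: SecurityFeatureParams)` with the same inline comment keeps the convenience without the warning.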
@@ -53,6 +54,7 @@ export class ProductFeaturesService { getSecurityFeature({ ...securityFeatureParams, savedObjects: securityV1SavedObjects }), getSecurityV2Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), getSecurityV3Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), + getSecurityV4Feature({ ...securityFeatureParams, savedObjects: securityDefaultSavedObjects }), ]); this.productFeaturesRegistry.create('cases', [ getCasesFeature(casesProductFeatureParams), From 94c7e9f931b13199a0e57d5356532728c3abba71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 10:26:10 +0200 Subject: [PATCH 02/33] replace `siem` and `siemV2` by `siemV4` --- .../security/v1_features/kibana_features.ts | 12 +++---- .../v1_features/kibana_sub_features.ts | 28 ++++++++-------- .../security/v2_features/kibana_features.ts | 12 +++---- .../v2_features/kibana_sub_features.ts | 32 +++++++++---------- 4 files changed, 42 insertions(+), 42 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts index ce1e889b2d314..36eba1f14b612 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts @@ -24,7 +24,7 @@ import { SERVER_APP_ID, LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, - SECURITY_FEATURE_ID_V3, + SECURITY_FEATURE_ID_V4, TIMELINE_FEATURE_ID, NOTES_FEATURE_ID, } from '../../constants'; @@ -58,7 +58,7 @@ export const getSecurityBaseKibanaFeature = ({ defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', values: { currentId: SERVER_APP_ID, - latestId: SECURITY_FEATURE_ID_V3, + latestId: SECURITY_FEATURE_ID_V4, }, } ), 
@@ -94,13 +94,13 @@ export const getSecurityBaseKibanaFeature = ({ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, // note: overriden by product feature endpointArtifactManagement when enabled - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['all'] }, { feature: NOTES_FEATURE_ID, privileges: ['all'] }, // note: overriden by product feature endpointArtifactManagement when enabled - { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], @@ -143,12 +143,12 @@ export const getSecurityBaseKibanaFeature = ({ default: [ { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }, ], minimal: [ { feature: TIMELINE_FEATURE_ID, privileges: ['read'] }, { feature: NOTES_FEATURE_ID, privileges: ['read'] }, - { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 7739b850aff79..8c12b3758a9f5 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts 
@@ -6,7 +6,7 @@
  */
 
 import type { SubFeatureConfig } from '@kbn/features-plugin/common';
-import { SECURITY_FEATURE_ID_V3 } from '../../../constants';
+import { SECURITY_FEATURE_ID_V4 } from '../../../constants';
 import { SecuritySubFeatureId } from '../../product_features_keys';
 import type { SecurityFeatureParams } from '../types';
 import type { SubFeatureReplacements } from '../../types';
@@ -28,44 +28,44 @@ import { } from '../kibana_sub_features'; const replacements: Partial> = { - [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.endpointExceptions]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.trustedApplications]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { trusted_applications_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { host_isolation_exceptions_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.blocklist]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { blocklist_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.eventFilters]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], - [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: 
SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], }; /** diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts index ef37fa35dd4f2..5f3920b325a19 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts @@ -25,7 +25,7 @@ import { LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, SERVER_APP_ID, - SECURITY_FEATURE_ID_V3, + SECURITY_FEATURE_ID_V4, } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import type { BaseKibanaFeatureConfig } from '../../types'; @@ -57,7 +57,7 @@ export const getSecurityV2BaseKibanaFeature = ({ defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', values: { currentId: SECURITY_FEATURE_ID_V2, - latestId: SECURITY_FEATURE_ID_V3, + latestId: SECURITY_FEATURE_ID_V4, }, } ), @@ -91,11 +91,11 @@ export const getSecurityV2BaseKibanaFeature = ({ replacedBy: { default: [ // note: overriden by product feature endpointArtifactManagement when enabled - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }, ], minimal: [ // note: overriden by product feature endpointArtifactManagement when enabled - { feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_all'] }, + { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }, ], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], 
@@ -116,8 +116,8 @@ export const getSecurityV2BaseKibanaFeature = ({ }, read: { replacedBy: { - default: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['read'] }], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['minimal_read'] }], + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }], + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }], }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index 9642ea7d9dfe4..2d6de60c00221 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -8,7 +8,7 @@ import type { SubFeatureConfig } from '@kbn/features-plugin/common'; import { SecuritySubFeatureId } from '../../product_features_keys'; -import { SECURITY_FEATURE_ID_V3 } from '../../constants'; +import { SECURITY_FEATURE_ID_V4 } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import { endpointListSubFeature, 
@@ -31,46 +31,46 @@ import type { SubFeatureReplacements } from '../../types'; import { addSubFeatureReplacements } from '../../utils'; const replacements: Partial> = { - [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.endpointExceptions]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, }, ], - [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedApplications]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { trusted_applications_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { host_isolation_exceptions_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.blocklist]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { blocklist_all: ['global_artifact_management_all'] }, }, ], [SecuritySubFeatureId.eventFilters]: [ { - feature: SECURITY_FEATURE_ID_V3, + feature: SECURITY_FEATURE_ID_V4, additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], - [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.processOperations]: 
[{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], - [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V3 }], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], }; /** From 637d03a06b52bc316207655f6c5a11af74844d96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 10:26:37 +0200 Subject: [PATCH 03/33] deprecate `siemV3` and replace by `siemV4` --- .../security/v3_features/kibana_features.ts | 22 +++++++++++++++ .../v3_features/kibana_sub_features.ts | 27 +++++++++++++++++++ 2 files changed, 49 insertions(+) diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts index 0a6041919ae53..7c003f656d4eb 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts @@ -25,6 +25,7 @@ import { LEGACY_NOTIFICATIONS_ID, CLOUD_POSTURE_APP_ID, SERVER_APP_ID, + SECURITY_FEATURE_ID_V4, } from '../../constants'; import type { SecurityFeatureParams } from '../types'; import type { BaseKibanaFeatureConfig } from '../../types'; 
@@ -49,6 +50,19 @@ const alertingFeatures = SECURITY_RULE_TYPES.map((ruleTypeId) => ({ export const getSecurityV3BaseKibanaFeature = ({ savedObjects, }: SecurityFeatureParams): BaseKibanaFeatureConfig => ({ + deprecated: { + notice: i18n.translate( + 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionSecurity.deprecationMessage', + { + defaultMessage: 'The {currentId} permissions are deprecated, please see {latestId}.', + values: { + currentId: SECURITY_FEATURE_ID_V3, + latestId: SECURITY_FEATURE_ID_V4, + }, + } + ), + }, + id: SECURITY_FEATURE_ID_V3, name: i18n.translate( 'securitySolutionPackages.features.featureRegistry.linkSecuritySolutionTitle', @@ -74,6 +88,10 @@ export const getSecurityV3BaseKibanaFeature = ({ ), privileges: { all: { + replacedBy: { + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }], + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-all', 'lists-read', 'lists-summary'], @@ -91,6 +109,10 @@ export const getSecurityV3BaseKibanaFeature = ({ ui: ['show', 'crud'], }, read: { + replacedBy: { + default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }], + minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }], + }, app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], api: [APP_ID, 'rac', 'lists-read'], diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 6174a5c9ab25b..448d1fc58b3bc 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
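Review bot: The new `replacedBy` entries under `privileges.all` lack the `// note: overriden by product feature endpointArtifactManagement when enabled` comment that the equivalent v1 and v2 tables carry in the earlier hunks of this series; if that product feature also rewrites the V3 → V4 mapping, the same note belongs here, and if it does not, a comment saying so would explain the asymmetry. The `getSecurityV3BaseKibanaFeature` object continues outside the hunk.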
@@ -26,6 +26,28 @@ import { workflowInsightsSubFeature, trustedDevicesSubFeature, } from '../kibana_sub_features'; +import type { SubFeatureReplacements } from '../../types'; +import { SECURITY_FEATURE_ID_V4 } from '../../constants'; +import { addSubFeatureReplacements } from '../../utils'; + +const replacements: Partial> = { + [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.endpointExceptions]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.trustedApplications]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.trustedDevices]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.blocklist]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.eventFilters]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.processOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.fileOperations]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.executeAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.scanAction]: [{ feature: SECURITY_FEATURE_ID_V4 }], +}; /** * Sub-features that will always be available for Security 
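Review bot: The new `replacements` table in `v3_features/kibana_sub_features.ts` maps every sub-feature 1:1 to `SECURITY_FEATURE_ID_V4` with no `additionalPrivileges`, unlike the v2 table where several entries add `global_artifact_management_all`; that is correct only because siemV4 is a verbatim copy of siemV3, and nothing here says so. A one-line comment above the table, `// siemV4 has the same sub-feature privileges as siemV3, so plain 1:1 replacements suffice (no additionalPrivileges as in the v2 table)`, records the assumption for whoever changes V4 later. The table also has to be kept in step by hand with `securitySubFeaturesList` further down the file; a sub-feature added there without an entry here silently gets no `replacedBy`, which is worth a note on the list or a test asserting that every listed id has a replacement.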
@@ -68,6 +90,11 @@ export const getSecurityV3SubFeaturesMap = ({ securitySubFeaturesList.map(([id, originalSubFeature]) => { let subFeature = originalSubFeature; + const featureReplacements = replacements[id]; + if (featureReplacements) { + subFeature = addSubFeatureReplacements(subFeature, featureReplacements); + } + // If the feature is space-aware, we need to set false to the requireAllSpaces flag and remove the privilegesTooltip if (experimentalFeatures.endpointManagementSpaceAwarenessEnabled) { subFeature = { ...subFeature, requireAllSpaces: false, privilegesTooltip: undefined }; From bae040f8c7abf47b3f533c1f7fa9faf11eab16e2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 11:38:26 +0200 Subject: [PATCH 04/33] add `siemV4` to security project configs --- config/serverless.security.search_ai_lake.yml | 16 +++++++++++ config/serverless.security.yml | 27 +++++++++++++++++++ 2 files changed, 43 insertions(+) diff --git a/config/serverless.security.search_ai_lake.yml b/config/serverless.security.search_ai_lake.yml index 0917168e47ae2..bab6e64a97554 100644 --- a/config/serverless.security.search_ai_lake.yml +++ b/config/serverless.security.search_ai_lake.yml 
@@ -27,9 +27,25 @@ xpack.features.overrides: siem.description: null siemV2.description: null siemV3.description: null + siemV4.description: null securitySolutionSiemMigrations.hidden: true ## Fine-tune the security solution essentials feature privileges. These feature privilege overrides are set individually for each project type. Also, refer to `serverless.yml` for the project-agnostic overrides. + siemV4: + privileges: + all.composedOf: + ## Limited values so the fields from serverless.yml or serverless.security.yml are overwritten + ## We do not need to compose siemV4 from maps and visualizations because these functionalities are disabled in this tier + - feature: "discover_v2" + privileges: [ "all" ] + ## We need limited access to fleet (v1) in order to use integrations + - feature: "fleet" + privileges: [ "all" ] + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "fleet" + privileges: [ "read" ] siemV3: privileges: all.composedOf: diff --git a/config/serverless.security.yml b/config/serverless.security.yml index f5ded6def45c8..bc0bc776059de 100644 --- a/config/serverless.security.yml +++ b/config/serverless.security.yml 
@@ -25,6 +25,33 @@ xpack.features.overrides: category: "security" order: 1101 ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. + siemV4: + privileges: + ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and + ### Visualize features. + all.composedOf: + - feature: "discover_v2" + privileges: [ "all" ] + - feature: "dashboard_v2" + privileges: [ "all" ] + - feature: "visualize_v2" + privileges: [ "all" ] + - feature: "maps_v2" + privileges: [ "all" ] + # Security's `Read` feature privilege should implicitly grant `Read` access to Discover, Dashboard, Maps, and + # Visualize features. Additionally, it should implicitly grant privilege to create short URLs in Discover, + ### Dashboard, and Visualize apps. + read.composedOf: + - feature: "discover_v2" + privileges: [ "read" ] + - feature: "dashboard_v2" + privileges: [ "read" ] + - feature: "visualize_v2" + privileges: [ "read" ] + - feature: "maps_v2" + privileges: [ "read" ] + + ### Security's feature privileges are fine-tuned to grant access to Discover, Dashboard, Maps, and Visualize apps. siemV3: privileges: ### Security's `All` feature privilege should implicitly grant `All` access to Discover, Dashboard, Maps, and From 99f23b66283681d92ae06bf1c09f3f39d19587a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 12:07:15 +0200 Subject: [PATCH 05/33] switch to `siemV4` in plugins --- .../plugins/shared/fleet/common/constants/authz.ts | 2 +- .../plugins/elastic_assistant/common/constants.ts | 2 +- .../scripts/create_and_login_users.js | 3 ++- .../plugins/security_solution/common/constants.ts | 2 +- .../siem_migrations/rules/service/capabilities.ts | 10 ++++------ 5 files changed, 9 insertions(+), 10 deletions(-) 
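Review bot: The comment above `read.composedOf` mixes `#` and `###` markers across its three lines, and its last sentence says the Read privilege should also grant short-URL creation in Discover, Dashboard and Visualize, which nothing in the list below implements (it composes only `read` on the four features). Use `###` on all three lines to match the surrounding commentary, and either drop the short-URL sentence or add the privilege it describes; if the text was copied from the siemV3 block below, the same mismatch is presumably there as well. The siemV3 block's body is outside the hunk.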
diff --git a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts index 58a5bcb2307d7..8dc675eb277a5 100644 --- a/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts +++ b/x-pack/platform/plugins/shared/fleet/common/constants/authz.ts @@ -8,7 +8,7 @@ import { deepFreeze } from '@kbn/std'; import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; -export const SECURITY_SOLUTION_APP_ID = 'siemV3'; +export const SECURITY_SOLUTION_APP_ID = 'siemV4'; export interface PrivilegeMapObject { appId: string; diff --git a/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts b/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts index 7fb7a82d5368f..66081eec3c2fa 100755 --- a/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts +++ b/x-pack/solutions/security/plugins/elastic_assistant/common/constants.ts @@ -6,7 +6,7 @@ */ export { - SECURITY_FEATURE_ID_V3 as SECURITY_FEATURE_ID, + SECURITY_FEATURE_ID_V4 as SECURITY_FEATURE_ID, CASES_FEATURE_ID_V3 as CASES_FEATURE_ID, } from '@kbn/security-solution-features/constants'; diff --git a/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js b/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js index 19fdd23c067e9..ba9d479c66111 100644 --- a/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js +++ b/x-pack/solutions/security/plugins/elastic_assistant/scripts/create_and_login_users.js @@ -15,6 +15,7 @@ const axios = require('axios'); const puppeteer = require('puppeteer'); const { faker } = require('@faker-js/faker'); +const { SECURITY_FEATURE_ID } = require('../common/constants'); // CLI args: number of users to create and optional --no-assistant flag const args = process.argv.slice(2); 
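Review bot: `const { SECURITY_FEATURE_ID } = require('../common/constants');` in `create_and_login_users.js` resolves to `common/constants.ts`, a TypeScript module, so the plain CommonJS `require` only works if the script is executed under a loader that transpiles TS on the fly; nothing in the hunk shows such a setup, and without it the script fails before creating any user. Either confirm the script runs through the same node setup the other scripts use, or keep the literal and add `// keep in sync with SECURITY_FEATURE_ID in ../common/constants.ts`. The fleet `SECURITY_SOLUTION_APP_ID` and assistant re-export changes on this line are plain version bumps.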
@@ -96,7 +97,7 @@ const createRestrictedRole = async (roleName) => { onechat: ['all'], uptime: ['all'], observabilityCasesV3: ['all'], - siemV3: ['all'], + [SECURITY_FEATURE_ID]: ['all'], securitySolutionCasesV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], diff --git a/x-pack/solutions/security/plugins/security_solution/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/common/constants.ts index e8a2beefa30b5..751623edc6133 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/constants.ts @@ -25,7 +25,7 @@ export const CASES_FEATURE_ID = 'securitySolutionCasesV3' as const; export const TIMELINE_FEATURE_ID = 'securitySolutionTimeline' as const; export const NOTES_FEATURE_ID = 'securitySolutionNotes' as const; export const SERVER_APP_ID = 'siem' as const; -export const SECURITY_FEATURE_ID = 'siemV3' as const; +export const SECURITY_FEATURE_ID = 'siemV4' as const; export const APP_NAME = 'Security' as const; export const APP_ICON_SOLUTION = 'logoSecurity' as const; export const APP_PATH = `/app/security` as const; diff --git a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/service/capabilities.ts b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/service/capabilities.ts index 168e4df718505..62566b7511cef 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/service/capabilities.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/siem_migrations/rules/service/capabilities.ts 
@@ -6,12 +6,10 @@ */ import type { Capabilities } from '@kbn/core/public'; -import { - SECURITY_FEATURE_ID_V3, - SIEM_MIGRATIONS_FEATURE_ID, -} from '@kbn/security-solution-features/constants'; +import { SIEM_MIGRATIONS_FEATURE_ID } from '@kbn/security-solution-features/constants'; import { i18n } from '@kbn/i18n'; import { CapabilitiesChecker } from '../../../common/lib/capabilities'; +import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export interface MissingCapability { capability: string; @@ -20,7 +18,7 @@ export interface MissingCapability { const minimumCapabilities: MissingCapability[] = [ { - capability: `${SECURITY_FEATURE_ID_V3}.show`, + capability: `${SECURITY_FEATURE_ID}.show`, description: i18n.translate( 'xpack.securitySolution.siemMigrations.service.capabilities.securityAll', { defaultMessage: 'Security > Security: Read' } @@ -37,7 +35,7 @@ const minimumCapabilities: MissingCapability[] = [ const allCapabilities: MissingCapability[] = [ { - capability: `${SECURITY_FEATURE_ID_V3}.crud`, + capability: `${SECURITY_FEATURE_ID}.crud`, description: i18n.translate( 'xpack.securitySolution.siemMigrations.service.capabilities.securityAll', { defaultMessage: 'Security > Security: All' } From c607b73e879b5ee50dabcd3e12b7aba465ebf717 Mon Sep 17 00:00:00 2001 
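Review bot: Both `i18n.translate` calls in the touched `minimumCapabilities` and `allCapabilities` entries use the same id `xpack.securitySolution.siemMigrations.service.capabilities.securityAll` with different `defaultMessage` values ('Security > Security: Read' vs 'Security > Security: All'), so the i18n extractor sees one key with two defaults and the Read string cannot be translated independently; this predates the commit but sits in the lines being edited. Give the Read entry its own id, e.g. `'xpack.securitySolution.siemMigrations.service.capabilities.securityRead'` (constructed name, check the package's i18n conventions). Switching from `SECURITY_FEATURE_ID_V3` to the plugin's `SECURITY_FEATURE_ID` also means these checks now track whatever the current version is rather than a pinned one, which is presumably the intent.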
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 12:38:07 +0200 Subject: [PATCH 06/33] update slightly relevant ftrs and cy tests --- .../apis/features/features/features.ts | 3 +- .../apis/security/privileges.ts | 28 ++++++++++++++++++ .../apis/security/privileges.ts | 29 +++++++++++++++++++ .../common/suites/create.agnostic.ts | 2 +- .../common/suites/get.agnostic.ts | 2 +- .../common/suites/get_all.agnostic.ts | 2 +- .../spaces_only/telemetry/telemetry.ts | 1 + .../public/test/constants.ts | 2 +- .../management/cypress/common/constants.ts | 3 +- .../e2e/artifacts/trusted_devices_rbac.cy.ts | 5 +++- .../cypress/e2e/rbac/navigation.cy.ts | 3 +- .../e2e/ai4dsoc/capabilities/access.cy.ts | 23 +++++++++++++++ .../cypress/tasks/privileges.ts | 8 ++--- 13 files changed, 98 insertions(+), 13 deletions(-) diff --git a/x-pack/platform/test/api_integration/apis/features/features/features.ts b/x-pack/platform/test/api_integration/apis/features/features/features.ts index 43274401ed6e0..4078d3fd135fc 100644 --- a/x-pack/platform/test/api_integration/apis/features/features/features.ts +++ b/x-pack/platform/test/api_integration/apis/features/features/features.ts @@ -135,7 +135,7 @@ export default function ({ getService }: FtrProviderContext) { 'searchSynonyms', 'searchQueryRules', 'searchPlayground', - 'siemV3', + 'siemV4', 'slo', 'streams', 'securitySolutionAssistant', @@ -197,6 +197,7 @@ export default function ({ getService }: FtrProviderContext) { 'siem', 'siemV2', 'siemV3', + 'siemV4', 'slo', 'streams', 'securitySolutionAssistant', diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index 6757b061966bf..f158514dc3f6a 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts 
@@ -186,6 +186,34 @@ export default function ({ getService }: FtrProviderContext) { 'execute_operations_all', 'scan_operations_all', ], + siemV4: [ + 'all', + 'read', + 'minimal_all', + 'minimal_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'workflow_insights_all', + 'workflow_insights_read', + 'global_artifact_management_all', + 'trusted_applications_all', + 'trusted_applications_read', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'blocklist_all', + 'blocklist_read', + 'event_filters_all', + 'event_filters_read', + 'policy_management_all', + 'policy_management_read', + 'actions_log_management_all', + 'actions_log_management_read', + 'host_isolation_all', + 'process_operations_all', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + ], uptime: [ 'all', 'read', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index 3179810c63d49..f96a1ed4f44c3 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts @@ -58,6 +58,7 @@ export default function ({ getService }: FtrProviderContext) { siem: ['all', 'read', 'minimal_all', 'minimal_read'], siemV2: ['all', 'read', 'minimal_all', 'minimal_read'], siemV3: ['all', 'read', 'minimal_all', 'minimal_read'], + siemV4: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAssistant: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionAttackDiscovery: ['all', 'read', 'minimal_all', 'minimal_read'], securitySolutionCases: ['all', 'read', 'minimal_all', 'minimal_read'], 
@@ -296,6 +297,34 @@ export default function ({ getService }: FtrProviderContext) { 'workflow_insights_all', 'workflow_insights_read', ], + siemV4: [ + 'actions_log_management_all', + 'actions_log_management_read', + 'all', + 'global_artifact_management_all', + 'blocklist_all', + 'blocklist_read', + 'endpoint_list_all', + 'endpoint_list_read', + 'event_filters_all', + 'event_filters_read', + 'host_isolation_all', + 'host_isolation_exceptions_all', + 'host_isolation_exceptions_read', + 'minimal_all', + 'minimal_read', + 'policy_management_all', + 'policy_management_read', + 'process_operations_all', + 'read', + 'trusted_applications_all', + 'trusted_applications_read', + 'file_operations_all', + 'execute_operations_all', + 'scan_operations_all', + 'workflow_insights_all', + 'workflow_insights_read', + ], uptime: [ 'all', 'can_manage_private_locations', diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts index e5874255d6eaa..fc1b84a37f807 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/create.agnostic.ts @@ -94,7 +94,7 @@ export function createTestSuiteFactory({ getService }: DeploymentAgnosticFtrProv 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts index c019639aa6102..01231eeab81b3 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/get.agnostic.ts 
@@ -98,7 +98,7 @@ export function getTestSuiteFactory(context: DeploymentAgnosticFtrProviderContex 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', diff --git a/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts b/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts index 3b32398e3c544..218051462a6ef 100644 --- a/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts +++ b/x-pack/platform/test/spaces_api_integration/common/suites/get_all.agnostic.ts @@ -86,7 +86,7 @@ const ALL_SPACE_RESULTS: Space[] = [ 'securitySolutionNotes', 'securitySolutionSiemMigrations', 'securitySolutionTimeline', - 'siemV3', + 'siemV4', 'slo', 'streams', 'uptime', diff --git a/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts b/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts index 0fafc337a6677..8dac146ccea8b 100644 --- a/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts +++ b/x-pack/platform/test/spaces_api_integration/spaces_only/telemetry/telemetry.ts @@ -96,6 +96,7 @@ export default function ({ getService }: FtrProviderContext) { siem: 0, siemV2: 0, siemV3: 0, + siemV4: 0, securitySolutionCases: 0, securitySolutionCasesV2: 0, securitySolutionCasesV3: 0, diff --git a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts index b1b7f9298e31c..9178df8e5b867 100644 --- a/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts +++ b/x-pack/solutions/security/plugins/cloud_security_posture/public/test/constants.ts @@ -5,4 +5,4 @@ * 2.0. */ -export const SECURITY_FEATURE_ID = 'siemV3'; +export const SECURITY_FEATURE_ID = 'siemV4'; 
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts index f7d402bdc4f62..2855db950522b 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/common/constants.ts @@ -30,9 +30,10 @@ export const SIEM_VERSIONS = [ // deprecated siem versions 'siem', 'siemV2', + 'siemV3', // actual version, should equal to SECURITY_FEATURE_ID - 'siemV3', + 'siemV4', ] as const; export type SiemVersion = (typeof SIEM_VERSIONS)[number]; diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts index 1fd8fa1ca0685..0e57b9fa786f8 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/trusted_devices_rbac.cy.ts @@ -21,5 +21,8 @@ describe( }, }, - getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedDevices'), ['siemV3']) + getArtifactMockedDataTests(getArtifactsListTestDataForArtifact('trustedDevices'), [ + 'siemV3', + 'siemV4', + ]) ); diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts index ccc2c1468aa8e..d4bb91b250427 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/navigation.cy.ts 
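Review bot: `SIEM_VERSIONS` in `cypress/common/constants.ts` still hard-codes the current entry as `'siemV4'` right under the comment `// actual version, should equal to SECURITY_FEATURE_ID`, so the next bump must remember both places; importing the constant and writing `SECURITY_FEATURE_ID,` in the array keeps the literal type under `as const` and makes the comment enforceable. The `navigation.cy.ts` hunk on the next line removes that very import in favour of literals, so the same drift applies there. Whether the import path from this file to `common/constants` is acceptable for the Cypress bundle is not visible here.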
@@ -11,7 +11,6 @@ import { login, ROLE } from '../../tasks/login'; import { loadPage } from '../../tasks/common'; import type { SiemVersion } from '../../common/constants'; import { SIEM_VERSIONS } from '../../common/constants'; -import { SECURITY_FEATURE_ID } from '../../../../../common/constants'; describe( 'Navigation RBAC', @@ -52,7 +51,7 @@ describe( name: 'Trusted devices', privilegePrefix: 'trusted_devices_', selector: Selectors.TRUSTED_DEVICES, - siemVersions: [SECURITY_FEATURE_ID as SiemVersion], // Only available in siemV3 + siemVersions: ['siemV3', 'siemV4'], // Only available starting siemV3 }, { name: 'Event filters', diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts index ac7c492fdce7f..b72433f329a2f 100644 --- a/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/e2e/ai4dsoc/capabilities/access.cy.ts @@ -96,6 +96,29 @@ describe('Capabilities', { tags: '@serverless' }, () => { cy.task('deleteServerlessCustomRole', 'siemV3'); }, }, + { + name: 'User with siem v4 role', + loginAs: 'siemV4', + setup: () => { + cy.task('createServerlessCustomRole', { + roleDescriptor: { + elasticsearch: { + indices: [{ names: ['*'], privileges: ['all'] }], + }, + kibana: [ + { + feature: { siemV4: ['all'], fleet: ['all'] }, + spaces: ['*'], + }, + ], + }, + roleName: 'siemV4', + }); + }, + teardown: () => { + cy.task('deleteServerlessCustomRole', 'siemV4'); + }, + }, ]; // Iterate through each user role diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts index 4149aee69063f..32e1978689e25 100644 
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts +++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/tasks/privileges.ts @@ -62,7 +62,7 @@ export const secAll: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -100,7 +100,7 @@ export const secReadCasesAll: Role = { kibana: [ { feature: { - siemV3: ['read'], + siemV4: ['read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -137,7 +137,7 @@ export const secAllCasesOnlyReadDelete: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], @@ -174,7 +174,7 @@ export const secAllCasesNoDelete: Role = { kibana: [ { feature: { - siemV3: ['all'], + siemV4: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], securitySolutionAssistant: ['all'], From e5c35761b51006c329c1c127803cf70c5571070a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 12:57:53 +0200 Subject: [PATCH 07/33] update role backwards compatibility test (optional) --- .../role_backwards_compatibility.ts | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts index 4aa3915ee6e3b..df584ad2c1b1e 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts 
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts @@ -22,7 +22,7 @@ export default function ({ getService }: FtrProviderContext) { describe('@ess @skipInServerless, @skipInServerlessMKI Endpoint Artifacts space awareness user role backwards compatibility until siemV3', function () { const afterEachDataCleanup: Array> = []; - const SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3'] as const; + const SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3', 'siemV4'] as const; let globalArtifactManagerRole: Role; @@ -121,8 +121,10 @@ export default function ({ getService }: FtrProviderContext) { const supertestGlobalArtifactManager = await createUserWithSiemPrivileges(siemVersion, [ ...artifactType.privileges, - // adding global access to current version, old version should receive it during rule migration - ...(siemVersion === SECURITY_FEATURE_ID ? ['global_artifact_management_all'] : []), + // adding global access to newer than siemV2, old version should receive it during rule migration + ...(siemVersion !== 'siem' && siemVersion !== 'siemV2' + ? ['global_artifact_management_all'] + : []), ]); const createdArtifact = await endpointArtifactTestResources.createArtifact( From 01b1cbd8b2b2bfc279b3b17cc6942d2a95de0eb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 14:57:55 +0200 Subject: [PATCH 08/33] fix jest test --- .../pages/results/history/index.test.tsx | 72 ++++++++++--------- .../product_features_service.test.ts | 1 + 2 files changed, 38 insertions(+), 35 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx index 3af84ce87fa51..580568ca94d63 100644 
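Review bot: The `describe` title in the hunk still says `backwards compatibility until siemV3` although `SIEM_VERSIONS` now ends with `'siemV4'`; rename it to match, e.g. `... backwards compatibility until siemV4`. The new condition `siemVersion !== 'siem' && siemVersion !== 'siemV2'` encodes "siemV3 or newer" by excluding old names, which silently covers any future version; deriving it from the tuple, `SIEM_VERSIONS.indexOf(siemVersion) >= SIEM_VERSIONS.indexOf('siemV3')`, states the rule directly, and the comment should then read `// adding global access to siemV3 and newer; older versions receive it during role migration`. Since the removed line was the only visible use of `SECURITY_FEATURE_ID`, its import may now be unused and flagged by lint; that import is outside the hunk.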
--- a/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx +++ b/x-pack/solutions/security/plugins/security_solution/public/attack_discovery/pages/results/history/index.test.tsx @@ -11,12 +11,13 @@ import { fireEvent, render, screen, waitFor } from '@testing-library/react'; import React from 'react'; import { History } from '.'; -import { ATTACK_DISCOVERY_PATH } from '../../../../../common/constants'; +import { ATTACK_DISCOVERY_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants'; import { TestProviders } from '../../../../common/mock'; import { mockHistory } from '../../../../common/utils/route/mocks'; import { getMockAttackDiscoveryAlerts } from '../../mock/mock_attack_discovery_alerts'; import { useFindAttackDiscoveries } from '../../use_find_attack_discoveries'; import { useGetAttackDiscoveryGenerations } from '../../use_get_attack_discovery_generations'; +import { useKibana as mockUseKibana } from '../../../../common/lib/kibana'; jest.mock('react-router-dom', () => ({ ...jest.requireActual('react-router-dom'), 
@@ -34,40 +35,7 @@ jest.mock('react-router-dom-v5-compat', () => ({ jest.mock('../../../../common/lib/kibana', () => ({ useDateFormat: jest.fn(), - useKibana: jest.fn(() => ({ - services: { - application: { - capabilities: { - siemV2: { crud_alerts: true, read_alerts: true }, - siemV3: { configurations: true }, - }, - navigateToUrl: jest.fn(), - }, - cases: { - helpers: { - canUseCases: jest.fn().mockReturnValue({ - all: true, - connectors: true, - create: true, - delete: true, - push: true, - read: true, - settings: true, - update: true, - }), - }, - hooks: { - useCasesAddToExistingCase: jest.fn(), - useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), - useCasesAddToNewCaseFlyout: jest.fn(), - }, - ui: { getCasesContext: mockCasesContext }, - }, - theme: { - getTheme: jest.fn().mockReturnValue({ darkMode: false }), - }, - }, - })), + useKibana: jest.fn(), useToasts: jest.fn(() => ({ addError: jest.fn(), addSuccess: jest.fn(), @@ -77,6 +45,40 @@ jest.mock('../../../../common/lib/kibana', () => ({ })), })); +(mockUseKibana as jest.Mock).mockReturnValue({ + services: { + application: { + capabilities: { + [SECURITY_FEATURE_ID]: { crud_alerts: true, read_alerts: true, configurations: true }, + }, + navigateToUrl: jest.fn(), + }, + cases: { + helpers: { + canUseCases: jest.fn().mockReturnValue({ + all: true, + connectors: true, + create: true, + delete: true, + push: true, + read: true, + settings: true, + update: true, + }), + }, + hooks: { + useCasesAddToExistingCase: jest.fn(), + useCasesAddToExistingCaseModal: jest.fn().mockReturnValue({ open: jest.fn() }), + useCasesAddToNewCaseFlyout: jest.fn(), + }, + ui: { getCasesContext: mockCasesContext }, + }, + theme: { + getTheme: jest.fn().mockReturnValue({ darkMode: false }), + }, + }, +}); + jest.mock('../../use_dismiss_attack_discovery_generations', () => ({ useDismissAttackDiscoveryGeneration: jest.fn().mockReturnValue({ dismiss: jest.fn(), 
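Review bot: `(mockUseKibana as jest.Mock).mockReturnValue({...})` is executed once at module scope, so if the test file or the jest config resets mocks between tests (`resetMocks`, `jest.resetAllMocks()`), `useKibana` returns `undefined` from the second test onward; moving the call into a `beforeEach` keeps each test self-contained. `jest.mocked(mockUseKibana).mockReturnValue(...)` is the typed form and avoids the `as jest.Mock` cast. Collapsing the capabilities into one `[SECURITY_FEATURE_ID]` entry is consistent with the version bump, assuming nothing under test still reads a `siemV2` key.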
diff --git a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts
index fecf35431c8c0..eed604167f1a9 100644
--- a/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution/server/lib/product_features_service/product_features_service.test.ts
@@ -40,6 +40,7 @@ jest.mock('@kbn/security-solution-features/product_features', () => ({
 getSecurityFeature: () => mockGetFeature(),
 getSecurityV2Feature: () => mockGetFeature(),
 getSecurityV3Feature: () => mockGetFeature(),
+ getSecurityV4Feature: () => mockGetFeature(),
 getCasesFeature: () => mockGetFeature(),
 getCasesV2Feature: () => mockGetFeature(),
 getCasesV3Feature: () => mockGetFeature(),
From a3443556afc14aa1c42ac44ffb8db49ccc84e76e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 15:20:07 +0200 Subject: [PATCH 09/33] fix api integration tests
--- .../tests/features/deprecated_features.ts | 1 + .../search_ai_lake_tier/siem_v3_global_artifact_management.ts | 3 ++- .../siem_v3_global_artifact_management.ts | 3 ++- 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts b/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts
index 3f5f7cb413933..aa98363bab740 100644
--- a/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts
+++ b/x-pack/platform/test/security_api_integration/tests/features/deprecated_features.ts
@@ -191,6 +191,7 @@ export default function ({ getService }: FtrProviderContext) {
 "securitySolutionCasesV2",
 "siem",
 "siemV2",
+ "siemV3",
 "visualize",
 ]
 `);
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts index 03d942a504901..fa2d61793a22a 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts @@ -8,6 +8,7 @@ import expect from '@kbn/expect'; import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import type { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; export default function ({ getService }: FtrProviderContext) { @@ -52,7 +53,7 @@ export default function ({ getService }: FtrProviderContext) { ); // migrating from `siem` adds timeline and notes, but in this test it is irrelevant - return role.kibana[0].feature.siemV3; + return role.kibana[0].feature[SECURITY_FEATURE_ID]; }; describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => { diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts index 8edb99d014604..aaa1f16c8077a 100644 
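Review bot: After `return role.kibana[0].feature[SECURITY_FEATURE_ID];` the helper returns the privileges of the current feature id, which per this series is siemV4, yet the file name `siem_v3_global_artifact_management.ts` and the `describe` title `Role migrations towards siemV3` still say siemV3; either keep the test pinned to `siemV3` explicitly or build the title from the constant so it cannot drift. The trial-tier twin on the next line has the same mismatch. `role.kibana[0]` is an unchecked index, but that predates the commit.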
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts @@ -8,6 +8,7 @@ import expect from '@kbn/expect'; import { ELASTIC_HTTP_VERSION_HEADER } from '@kbn/core-http-common'; import type { FeaturesPrivileges, Role } from '@kbn/security-plugin-types-common'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; export default function ({ getService }: FtrProviderContext) { @@ -60,7 +61,7 @@ export default function ({ getService }: FtrProviderContext) { ); // migrating from `siem` adds timeline and notes, but in this test it is irrelevant - return role.kibana[0].feature.siemV3; + return role.kibana[0].feature[SECURITY_FEATURE_ID]; }; describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => { From 0c8ccc558a6e9fd065db58559f30161daa5ffef5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 15:50:07 +0200 Subject: [PATCH 10/33] fix hidden bug in siemV3 featureConfigModifiers --- .../product_features_extensions.ts | 19 ++++++++++--------- .../product_features_extensions.ts | 13 +++++++------ 2 files changed, 17 insertions(+), 15 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts index 8e177b0a5b6a9..1c48a1da36174 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts 
+++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts @@ -4,8 +4,7 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; -import { APP_ID } from '@kbn/security-solution-plugin/common'; +import { APP_ID, SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys'; import type { MutableKibanaFeatureConfig, @@ -43,7 +42,7 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = }, }; -// When endpointArtifactManagement PLI is enabled, the replacedBy to the siemV3 feature needs to +// When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. // This needs to be done here because the replacements of serverless and ESS are different. export function updateGlobalArtifactManageReplacements( @@ -55,10 +54,12 @@ export function updateGlobalArtifactManageReplacements( } if ('default' in replacedBy) { - const v3Default = replacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID_V3); - if (v3Default) { + const siemDefault = replacedBy.default.find( + ({ feature }) => feature === SECURITY_FEATURE_ID // Only for SIEM feature replacements + ); + if (siemDefault) { // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Default.privileges = [ + siemDefault.privileges = [ 'minimal_all', 'global_artifact_management_all', // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. ]; 
@@ -66,10 +67,10 @@ export function updateGlobalArtifactManageReplacements( } if ('minimal' in replacedBy) { - const v3Minimal = replacedBy.minimal.find(({ feature }) => feature === SECURITY_FEATURE_ID_V3); - if (v3Minimal) { + const siemMinimal = replacedBy.minimal.find(({ feature }) => feature === SECURITY_FEATURE_ID); // only for SIEM feature replacements + if (siemMinimal) { // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Minimal.privileges = [ + siemMinimal.privileges = [ 'minimal_all', 'global_artifact_management_all', // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL ]; diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts index d856a37769061..099487677b22d 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts @@ -8,11 +8,11 @@ import type { MutableKibanaFeatureConfig, ProductFeaturesConfiguratorExtensions, } from '@kbn/security-solution-features'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; import { ProductFeatureSecurityKey, SecuritySubFeatureId, } from '@kbn/security-solution-features/keys'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = { security: { 
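Review bot: The `minimal` branch in this hunk is a line-for-line copy of the `default` branch above it (same `find` on `SECURITY_FEATURE_ID`, same two-entry privilege list), which is how the two hard-coded siemV3 filters drifted together in the first place; a single helper keeps the feature id and the privilege list in one place. The trailing comments differ between the branches, so the ESS-specific rationale should move onto the helper. The element type of `replacedBy.default`/`replacedBy.minimal` is not visible here, so the structural parameter type below is a placeholder to be swapped for the proper one.

```typescript
// Replace the SIEM `all` replacement with `minimal_all` plus Global Artifact Management.
// On ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL, so nothing else is needed.
const overrideSiemReplacement = (replacements: Array<{ feature: string; privileges: string[] }>) => {
  const siemReplacement = replacements.find(({ feature }) => feature === SECURITY_FEATURE_ID);
  if (siemReplacement) {
    siemReplacement.privileges = ['minimal_all', 'global_artifact_management_all'];
  }
};

if ('default' in replacedBy) {
  overrideSiemReplacement(replacedBy.default);
}
if ('minimal' in replacedBy) {
  overrideSiemReplacement(replacedBy.minimal);
}
```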
@@ -36,7 +36,7 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = }, }; -// When endpointArtifactManagement PLI is enabled, the replacedBy to the siemV3 feature needs to +// When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. // This needs to be done here because the replacements of serverless and ESS are different. export function updateGlobalArtifactManageReplacements( @@ -46,13 +46,14 @@ export function updateGlobalArtifactManageReplacements( if (!replacedBy || !('default' in replacedBy)) { return; } + // only "default" is overwritten, "minimal" is not as it does not includes Endpoint Exceptions ALL. - const v3Default = replacedBy.default.find( - ({ feature }) => feature === SECURITY_FEATURE_ID_V3 // Only for features that are replaced by siemV3 (siem and siemV2) + const siemDefault = replacedBy.default.find( + ({ feature }) => feature === SECURITY_FEATURE_ID // Only for SIEM feature replacements ); - if (v3Default) { + if (siemDefault) { // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - v3Default.privileges = [ + siemDefault.privileges = [ 'minimal_all', // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. From 62edb7c7740f005078635070c837abfb9d25709b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 16:07:16 +0200 Subject: [PATCH 11/33] update feature snapshot test for existing siem versions --- .../platform_security/authorization.ts | 346 +++++++++++------- 1 file changed, 206 insertions(+), 140 deletions(-) 
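Review bot: With the filter on the `siemDefault` line now matching `SECURITY_FEATURE_ID` (the current id) instead of siemV3, the header comment no longer records which legacy features this modifier is meant for, and if it were ever applied to the siemV3 config (whose replacedBy presumably targets siemV4 as well now) it would demote a V3 `all` to `minimal_all` + Global Artifact Management even though, per the comment on the hunk's last lines, global writes are already gated by that sub-feature from siemV3 on. Suggest documenting the intended scope in the header: `// Applied only to the deprecated siem/siemV2 features, whose ALL implied global artifact writes; siemV3+ already gates them behind the Global Artifact Management sub-feature.` The added comment line also has a typo: `does not includes` should read `does not include`. The function's signature and the closing bracket of the privilege array are outside the hunk.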
diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
index a93094ac4192e..36f2dcd1faf26 100644
--- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
+++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
@@ -238,14 +238,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readActionsLogManagement",
 "ui:siem/writeActionsLogManagement",
 "ui:siem/readActionsLogManagement",
- "ui:siemV3/writeActionsLogManagement",
- "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/writeActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "actions_log_management_read": Array [
 "login:",
 "api:securitySolution-readActionsLogManagement",
 "ui:siem/readActionsLogManagement",
- "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "all": Array [
 "login:",
@@ -1090,16 +1090,16 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/securitySolutionNotes",
 "ui:securitySolutionNotes/read",
 "ui:securitySolutionNotes/crud",
- "ui:siemV3/show",
- "ui:siemV3/crud",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
- "ui:siemV3/writeGlobalArtifacts",
- "ui:siemV3/showEndpointExceptions",
- "ui:siemV3/crudEndpointExceptions",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/writeGlobalArtifacts",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
 ],
 "blocklist_all": Array [
 "login:",
@@ -1123,9 +1123,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siem/writeBlocklist",
 "ui:siem/readBlocklist",
- "ui:siemV3/writeBlocklist",
- "ui:siemV3/readBlocklist",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeBlocklist",
+ "ui:siemV4/readBlocklist",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "blocklist_read": Array [
 "login:",
@@ -1133,7 +1133,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readBlocklist",
 "ui:siem/readBlocklist",
- "ui:siemV3/readBlocklist",
+ "ui:siemV4/readBlocklist",
 ],
 "endpoint_exceptions_all": Array [
 "login:",
@@ -1142,15 +1142,15 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-writeGlobalArtifacts",
 "ui:siem/showEndpointExceptions",
 "ui:siem/crudEndpointExceptions",
- "ui:siemV3/showEndpointExceptions",
- "ui:siemV3/crudEndpointExceptions",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "endpoint_exceptions_read": Array [
 "login:",
 "api:securitySolution-showEndpointExceptions",
 "ui:siem/showEndpointExceptions",
- "ui:siemV3/showEndpointExceptions",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "endpoint_list_all": Array [
 "login:",
@@ -1158,14 +1158,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readEndpointList",
 "ui:siem/writeEndpointList",
 "ui:siem/readEndpointList",
- "ui:siemV3/writeEndpointList",
- "ui:siemV3/readEndpointList",
+ "ui:siemV4/writeEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "endpoint_list_read": Array [
 "login:",
 "api:securitySolution-readEndpointList",
 "ui:siem/readEndpointList",
- "ui:siemV3/readEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "event_filters_all": Array [
 "login:",
@@ -1189,9 +1189,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siem/writeEventFilters",
 "ui:siem/readEventFilters",
- "ui:siemV3/writeEventFilters",
- "ui:siemV3/readEventFilters",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeEventFilters",
+ "ui:siemV4/readEventFilters",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "event_filters_read": Array [
 "login:",
@@ -1199,19 +1199,19 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readEventFilters",
 "ui:siem/readEventFilters",
- "ui:siemV3/readEventFilters",
+ "ui:siemV4/readEventFilters",
 ],
 "execute_operations_all": Array [
 "login:",
 "api:securitySolution-writeExecuteOperations",
 "ui:siem/writeExecuteOperations",
- "ui:siemV3/writeExecuteOperations",
+ "ui:siemV4/writeExecuteOperations",
 ],
 "file_operations_all": Array [
 "login:",
 "api:securitySolution-writeFileOperations",
 "ui:siem/writeFileOperations",
- "ui:siemV3/writeFileOperations",
+ "ui:siemV4/writeFileOperations",
 ],
 "host_isolation_all": Array [
 "login:",
@@ -1219,8 +1219,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-writeHostIsolation",
 "ui:siem/writeHostIsolationRelease",
 "ui:siem/writeHostIsolation",
- "ui:siemV3/writeHostIsolationRelease",
- "ui:siemV3/writeHostIsolation",
+ "ui:siemV4/writeHostIsolationRelease",
+ "ui:siemV4/writeHostIsolation",
 ],
 "host_isolation_exceptions_all": Array [
 "login:",
@@ -1248,11 +1248,11 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:siem/deleteHostIsolationExceptions",
 "ui:siem/accessHostIsolationExceptions",
 "ui:siem/writeHostIsolationExceptions",
- "ui:siemV3/readHostIsolationExceptions",
- "ui:siemV3/deleteHostIsolationExceptions",
- "ui:siemV3/accessHostIsolationExceptions",
- "ui:siemV3/writeHostIsolationExceptions",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/deleteHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
+ "ui:siemV4/writeHostIsolationExceptions",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "host_isolation_exceptions_read": Array [
 "login:",
@@ -1262,8 +1262,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-accessHostIsolationExceptions",
 "ui:siem/readHostIsolationExceptions",
 "ui:siem/accessHostIsolationExceptions",
- "ui:siemV3/readHostIsolationExceptions",
- "ui:siemV3/accessHostIsolationExceptions",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
 ],
 "minimal_all": Array [
 "login:",
@@ -2104,13 +2104,13 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/securitySolutionNotes",
 "ui:securitySolutionNotes/read",
 "ui:securitySolutionNotes/crud",
- "ui:siemV3/show",
- "ui:siemV3/crud",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "minimal_read": Array [
 "login:",
@@ -2502,12 +2502,12 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:securitySolutionTimeline/read",
 "ui:navLinks/securitySolutionNotes",
 "ui:securitySolutionNotes/read",
- "ui:siemV3/show",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "policy_management_all": Array [
 "login:",
@@ -2527,8 +2527,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/share_to_space",
 "ui:siem/writePolicyManagement",
 "ui:siem/readPolicyManagement",
- "ui:siemV3/writePolicyManagement",
- "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/writePolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "policy_management_read": Array [
 "login:",
@@ -2539,13 +2539,13 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/open_point_in_time",
 "saved_object:policy-settings-protection-updates-note/close_point_in_time",
 "ui:siem/readPolicyManagement",
- "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "process_operations_all": Array [
 "login:",
 "api:securitySolution-writeProcessOperations",
 "ui:siem/writeProcessOperations",
- "ui:siemV3/writeProcessOperations",
+ "ui:siemV4/writeProcessOperations",
 ],
 "read": Array [
 "login:",
@@ -2939,19 +2939,19 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:securitySolutionTimeline/read",
 "ui:navLinks/securitySolutionNotes",
 "ui:securitySolutionNotes/read",
- "ui:siemV3/show",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
- "ui:siemV3/showEndpointExceptions",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "scan_operations_all": Array [
 "login:",
 "api:securitySolution-writeScanOperations",
 "ui:siem/writeScanOperations",
- "ui:siemV3/writeScanOperations",
+ "ui:siemV4/writeScanOperations",
 ],
 "trusted_applications_all": Array [
 "login:",
@@ -2975,9 +2975,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siem/writeTrustedApplications",
 "ui:siem/readTrustedApplications",
- "ui:siemV3/writeTrustedApplications",
- "ui:siemV3/readTrustedApplications",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "trusted_applications_read": Array [
 "login:",
@@ -2985,7 +2985,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readTrustedApplications",
 "ui:siem/readTrustedApplications",
- "ui:siemV3/readTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
 ],
 },
 "siemV2": Object {
@@ -2995,14 +2995,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readActionsLogManagement",
 "ui:siemV2/writeActionsLogManagement",
 "ui:siemV2/readActionsLogManagement",
- "ui:siemV3/writeActionsLogManagement",
- "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/writeActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "actions_log_management_read": Array [
 "login:",
 "api:securitySolution-readActionsLogManagement",
 "ui:siemV2/readActionsLogManagement",
- "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "all": Array [
 "login:",
@@ -3785,16 +3785,16 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:visualize_v2/save",
 "ui:visualize_v2/createShortUrl",
 "ui:visualize_v2/generateScreenshot",
- "ui:siemV3/show",
- "ui:siemV3/crud",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
- "ui:siemV3/writeGlobalArtifacts",
- "ui:siemV3/showEndpointExceptions",
- "ui:siemV3/crudEndpointExceptions",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/writeGlobalArtifacts",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
 ],
 "blocklist_all": Array [
 "login:",
@@ -3818,9 +3818,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV2/writeBlocklist",
 "ui:siemV2/readBlocklist",
- "ui:siemV3/writeBlocklist",
- "ui:siemV3/readBlocklist",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeBlocklist",
+ "ui:siemV4/readBlocklist",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "blocklist_read": Array [
 "login:",
@@ -3828,7 +3828,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readBlocklist",
 "ui:siemV2/readBlocklist",
- "ui:siemV3/readBlocklist",
+ "ui:siemV4/readBlocklist",
 ],
 "endpoint_exceptions_all": Array [
 "login:",
@@ -3837,15 +3837,15 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-writeGlobalArtifacts",
 "ui:siemV2/showEndpointExceptions",
 "ui:siemV2/crudEndpointExceptions",
- "ui:siemV3/showEndpointExceptions",
- "ui:siemV3/crudEndpointExceptions",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "endpoint_exceptions_read": Array [
 "login:",
 "api:securitySolution-showEndpointExceptions",
 "ui:siemV2/showEndpointExceptions",
- "ui:siemV3/showEndpointExceptions",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "endpoint_list_all": Array [
 "login:",
@@ -3853,14 +3853,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readEndpointList",
 "ui:siemV2/writeEndpointList",
 "ui:siemV2/readEndpointList",
- "ui:siemV3/writeEndpointList",
- "ui:siemV3/readEndpointList",
+ "ui:siemV4/writeEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "endpoint_list_read": Array [
 "login:",
 "api:securitySolution-readEndpointList",
 "ui:siemV2/readEndpointList",
- "ui:siemV3/readEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "event_filters_all": Array [
 "login:",
@@ -3884,9 +3884,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV2/writeEventFilters",
 "ui:siemV2/readEventFilters",
- "ui:siemV3/writeEventFilters",
- "ui:siemV3/readEventFilters",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeEventFilters",
+ "ui:siemV4/readEventFilters",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "event_filters_read": Array [
 "login:",
@@ -3894,25 +3894,25 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readEventFilters",
 "ui:siemV2/readEventFilters",
- "ui:siemV3/readEventFilters",
+ "ui:siemV4/readEventFilters",
 ],
 "execute_operations_all": Array [
 "login:",
 "api:securitySolution-writeExecuteOperations",
 "ui:siemV2/writeExecuteOperations",
- "ui:siemV3/writeExecuteOperations",
+ "ui:siemV4/writeExecuteOperations",
 ],
 "file_operations_all": Array [
 "login:",
 "api:securitySolution-writeFileOperations",
 "ui:siemV2/writeFileOperations",
- "ui:siemV3/writeFileOperations",
+ "ui:siemV4/writeFileOperations",
 ],
 "global_artifact_management_all": Array [
 "login:",
 "api:securitySolution-writeGlobalArtifacts",
 "ui:siemV2/writeGlobalArtifacts",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "host_isolation_all": Array [
 "login:",
@@ -3920,8 +3920,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-writeHostIsolation",
 "ui:siemV2/writeHostIsolationRelease",
 "ui:siemV2/writeHostIsolation",
- "ui:siemV3/writeHostIsolationRelease",
- "ui:siemV3/writeHostIsolation",
+ "ui:siemV4/writeHostIsolationRelease",
+ "ui:siemV4/writeHostIsolation",
 ],
 "host_isolation_exceptions_all": Array [
 "login:",
@@ -3949,11 +3949,11 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:siemV2/deleteHostIsolationExceptions",
 "ui:siemV2/accessHostIsolationExceptions",
 "ui:siemV2/writeHostIsolationExceptions",
- "ui:siemV3/readHostIsolationExceptions",
- "ui:siemV3/deleteHostIsolationExceptions",
- "ui:siemV3/accessHostIsolationExceptions",
- "ui:siemV3/writeHostIsolationExceptions",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/deleteHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
+ "ui:siemV4/writeHostIsolationExceptions",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "host_isolation_exceptions_read": Array [
 "login:",
@@ -3963,8 +3963,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-accessHostIsolationExceptions",
 "ui:siemV2/readHostIsolationExceptions",
 "ui:siemV2/accessHostIsolationExceptions",
- "ui:siemV3/readHostIsolationExceptions",
- "ui:siemV3/accessHostIsolationExceptions",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
 ],
 "minimal_all": Array [
 "login:",
@@ -4743,13 +4743,13 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:visualize_v2/save",
 "ui:visualize_v2/createShortUrl",
 "ui:visualize_v2/generateScreenshot",
- "ui:siemV3/show",
- "ui:siemV3/crud",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "minimal_read": Array [
 "login:",
@@ -5113,12 +5113,12 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/lens",
 "ui:visualize_v2/show",
 "ui:visualize_v2/createShortUrl",
- "ui:siemV3/show",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "policy_management_all": Array [
 "login:",
@@ -5138,8 +5138,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/share_to_space",
 "ui:siemV2/writePolicyManagement",
 "ui:siemV2/readPolicyManagement",
- "ui:siemV3/writePolicyManagement",
- "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/writePolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "policy_management_read": Array [
 "login:",
@@ -5150,13 +5150,13 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/open_point_in_time",
 "saved_object:policy-settings-protection-updates-note/close_point_in_time",
 "ui:siemV2/readPolicyManagement",
- "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "process_operations_all": Array [
 "login:",
 "api:securitySolution-writeProcessOperations",
 "ui:siemV2/writeProcessOperations",
- "ui:siemV3/writeProcessOperations",
+ "ui:siemV4/writeProcessOperations",
 ],
 "read": Array [
 "login:",
@@ -5522,19 +5522,19 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/lens",
 "ui:visualize_v2/show",
 "ui:visualize_v2/createShortUrl",
- "ui:siemV3/show",
- "ui:siemV3/entity-analytics",
- "ui:siemV3/detections",
- "ui:siemV3/investigation-guide",
- "ui:siemV3/investigation-guide-interactions",
- "ui:siemV3/threat-intelligence",
- "ui:siemV3/showEndpointExceptions",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "scan_operations_all": Array [
 "login:",
 "api:securitySolution-writeScanOperations",
 "ui:siemV2/writeScanOperations",
- "ui:siemV3/writeScanOperations",
+ "ui:siemV4/writeScanOperations",
 ],
 "trusted_applications_all": Array [
 "login:",
@@ -5558,9 +5558,9 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV2/writeTrustedApplications",
 "ui:siemV2/readTrustedApplications",
- "ui:siemV3/writeTrustedApplications",
- "ui:siemV3/readTrustedApplications",
- "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "trusted_applications_read": Array [
 "login:",
@@ -5568,7 +5568,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readTrustedApplications",
 "ui:siemV2/readTrustedApplications",
- "ui:siemV3/readTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
 ],
 "workflow_insights_all": Array [
 "login:",
@@ -5576,14 +5576,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readWorkflowInsights",
 "ui:siemV2/writeWorkflowInsights",
 "ui:siemV2/readWorkflowInsights",
- "ui:siemV3/writeWorkflowInsights",
- "ui:siemV3/readWorkflowInsights",
+ "ui:siemV4/writeWorkflowInsights",
+ "ui:siemV4/readWorkflowInsights",
 ],
 "workflow_insights_read": Array [
 "login:",
 "api:securitySolution-readWorkflowInsights",
 "ui:siemV2/readWorkflowInsights",
- "ui:siemV3/readWorkflowInsights",
+ "ui:siemV4/readWorkflowInsights",
 ],
 },
 "siemV3": Object {
@@ -5593,11 +5593,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readActionsLogManagement",
 "ui:siemV3/writeActionsLogManagement",
 "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/writeActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "actions_log_management_read": Array [
 "login:",
 "api:securitySolution-readActionsLogManagement",
 "ui:siemV3/readActionsLogManagement",
+ "ui:siemV4/readActionsLogManagement",
 ],
 "all": Array [
 "login:",
@@ -6379,6 +6382,15 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:visualize_v2/save",
 "ui:visualize_v2/createShortUrl",
 "ui:visualize_v2/generateScreenshot",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
 ],
 "blocklist_all": Array [
 "login:",
@@ -6401,6 +6413,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV3/writeBlocklist",
 "ui:siemV3/readBlocklist",
+ "ui:siemV4/writeBlocklist",
+ "ui:siemV4/readBlocklist",
 ],
 "blocklist_read": Array [
 "login:",
@@ -6408,6 +6422,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readBlocklist",
 "ui:siemV3/readBlocklist",
+ "ui:siemV4/readBlocklist",
 ],
 "endpoint_exceptions_all": Array [
 "login:",
@@ -6415,11 +6430,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-crudEndpointExceptions",
 "ui:siemV3/showEndpointExceptions",
 "ui:siemV3/crudEndpointExceptions",
+ "ui:siemV4/showEndpointExceptions",
+ "ui:siemV4/crudEndpointExceptions",
 ],
 "endpoint_exceptions_read": Array [
 "login:",
 "api:securitySolution-showEndpointExceptions",
 "ui:siemV3/showEndpointExceptions",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "endpoint_list_all": Array [
 "login:",
@@ -6427,11 +6445,14 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-readEndpointList",
 "ui:siemV3/writeEndpointList",
 "ui:siemV3/readEndpointList",
+ "ui:siemV4/writeEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "endpoint_list_read": Array [
 "login:",
 "api:securitySolution-readEndpointList",
 "ui:siemV3/readEndpointList",
+ "ui:siemV4/readEndpointList",
 ],
 "event_filters_all": Array [
 "login:",
@@ -6454,6 +6475,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV3/writeEventFilters",
 "ui:siemV3/readEventFilters",
+ "ui:siemV4/writeEventFilters",
+ "ui:siemV4/readEventFilters",
 ],
 "event_filters_read": Array [
 "login:",
@@ -6461,21 +6484,25 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readEventFilters",
 "ui:siemV3/readEventFilters",
+ "ui:siemV4/readEventFilters",
 ],
 "execute_operations_all": Array [
 "login:",
 "api:securitySolution-writeExecuteOperations",
 "ui:siemV3/writeExecuteOperations",
+ "ui:siemV4/writeExecuteOperations",
 ],
 "file_operations_all": Array [
 "login:",
 "api:securitySolution-writeFileOperations",
 "ui:siemV3/writeFileOperations",
+ "ui:siemV4/writeFileOperations",
 ],
 "global_artifact_management_all": Array [
 "login:",
 "api:securitySolution-writeGlobalArtifacts",
 "ui:siemV3/writeGlobalArtifacts",
+ "ui:siemV4/writeGlobalArtifacts",
 ],
 "host_isolation_all": Array [
 "login:",
@@ -6483,6 +6510,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-writeHostIsolation",
 "ui:siemV3/writeHostIsolationRelease",
 "ui:siemV3/writeHostIsolation",
+ "ui:siemV4/writeHostIsolationRelease",
+ "ui:siemV4/writeHostIsolation",
 ],
 "host_isolation_exceptions_all": Array [
 "login:",
@@ -6509,6 +6538,10 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:siemV3/deleteHostIsolationExceptions",
 "ui:siemV3/accessHostIsolationExceptions",
 "ui:siemV3/writeHostIsolationExceptions",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/deleteHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
+ "ui:siemV4/writeHostIsolationExceptions",
 ],
 "host_isolation_exceptions_read": Array [
 "login:",
@@ -6518,6 +6551,8 @@ export default function ({ getService }: FtrProviderContext) {
 "api:securitySolution-accessHostIsolationExceptions",
 "ui:siemV3/readHostIsolationExceptions",
 "ui:siemV3/accessHostIsolationExceptions",
+ "ui:siemV4/readHostIsolationExceptions",
+ "ui:siemV4/accessHostIsolationExceptions",
 ],
 "minimal_all": Array [
 "login:",
@@ -7295,6 +7330,13 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:visualize_v2/save",
 "ui:visualize_v2/createShortUrl",
 "ui:visualize_v2/generateScreenshot",
+ "ui:siemV4/show",
+ "ui:siemV4/crud",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "minimal_read": Array [
 "login:",
@@ -7658,6 +7700,12 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/lens",
 "ui:visualize_v2/show",
 "ui:visualize_v2/createShortUrl",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
 ],
 "policy_management_all": Array [
 "login:",
@@ -7677,6 +7725,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/share_to_space",
 "ui:siemV3/writePolicyManagement",
 "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/writePolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "policy_management_read": Array [
 "login:",
@@ -7687,11 +7737,13 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:policy-settings-protection-updates-note/open_point_in_time",
 "saved_object:policy-settings-protection-updates-note/close_point_in_time",
 "ui:siemV3/readPolicyManagement",
+ "ui:siemV4/readPolicyManagement",
 ],
 "process_operations_all": Array [
 "login:",
 "api:securitySolution-writeProcessOperations",
 "ui:siemV3/writeProcessOperations",
+ "ui:siemV4/writeProcessOperations",
 ],
 "read": Array [
 "login:",
@@ -8057,11 +8109,19 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:navLinks/lens",
 "ui:visualize_v2/show",
 "ui:visualize_v2/createShortUrl",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "ui:siemV4/showEndpointExceptions",
 ],
 "scan_operations_all": Array [
 "login:",
 "api:securitySolution-writeScanOperations",
 "ui:siemV3/writeScanOperations",
+ "ui:siemV4/writeScanOperations",
 ],
 "trusted_applications_all": Array [
 "login:",
@@ -8084,6 +8144,8 @@ export default function ({ getService }: FtrProviderContext) {
 "saved_object:exception-list-agnostic/share_to_space",
 "ui:siemV3/writeTrustedApplications",
 "ui:siemV3/readTrustedApplications",
+ "ui:siemV4/writeTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
 ],
 "trusted_applications_read": Array [
 "login:",
@@ -8091,6 +8153,7 @@ export default function ({ getService }: FtrProviderContext) {
 "api:lists-summary",
 "api:securitySolution-readTrustedApplications",
 "ui:siemV3/readTrustedApplications",
+ "ui:siemV4/readTrustedApplications",
 ],
 "workflow_insights_all": Array [
 "login:",
@@ -8098,11 +8161,14 @@ export default function ({ getService }: FtrProviderContext) { "api:securitySolution-readWorkflowInsights", "ui:siemV3/writeWorkflowInsights", "ui:siemV3/readWorkflowInsights", + "ui:siemV4/writeWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], "workflow_insights_read": Array [ "login:", "api:securitySolution-readWorkflowInsights", "ui:siemV3/readWorkflowInsights", + "ui:siemV4/readWorkflowInsights", ], }, } From 08a05c1d670fa7f278e16b368b3502c424e7aba4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 29 Aug 2025 16:12:45 +0200 Subject: [PATCH 12/33] update feature snapshot test with siemV4 (same as V3 for now) --- .../platform_security/authorization.ts | 2520 +++++++++++++++++ 1 file changed, 2520 insertions(+) diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts index 36f2dcd1faf26..1973cf9f8d02f 100644 --- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts +++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts @@ -42,6 +42,7 @@ export default function ({ getService }: FtrProviderContext) { 'siem', 'siemV2', 'siemV3', + 'siemV4', ]; const features = Object.fromEntries( 
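Review bot: The feature-id array this hunk extends (`'siem'`, `'siemV2'`, `'siemV3'`, now `'siemV4'`) is hand-maintained, so a future security feature version registered without a matching entry here would silently drop out of the privilege snapshot instead of failing the test, which matters because this snapshot is the regression guard on exactly which `api:`/`ui:`/`saved_object:`/`alerting:` actions each Security privilege grants. Consider asserting coverage rather than relying on memory, e.g. `const siemIds = registeredFeatureIds.filter((id) => id.startsWith('siem'));` followed by `expect(featureIds).toEqual(expect.arrayContaining(siemIds));`, where `registeredFeatureIds` comes from whatever the `Object.fromEntries(` call at the end of the hunk reads — that statement continues past the hunk, so the right source is not visible here. At minimum a comment on the array, `// keep in sync with every registered siem* feature id; a missing entry hides that version from the privilege snapshot`, would make the coupling explicit.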
@@ -8171,6 +8172,2525 @@ export default function ({ getService }: FtrProviderContext) { "ui:siemV4/readWorkflowInsights", ], }, + "siemV4": Object { + "actions_log_management_all": Array [ + "login:", + "api:securitySolution-writeActionsLogManagement", + "api:securitySolution-readActionsLogManagement", + "ui:siemV4/writeActionsLogManagement", + "ui:siemV4/readActionsLogManagement", + ], + "actions_log_management_read": Array [ + "login:", + "api:securitySolution-readActionsLogManagement", + "ui:siemV4/readActionsLogManagement", + ], + "all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + "saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", 
+ "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + "saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + 
"saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + "saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + 
"saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + "saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + 
"saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + "saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:privmon-api-key/create", + "saved_object:privmon-api-key/bulk_create", + "saved_object:privmon-api-key/update", + "saved_object:privmon-api-key/bulk_update", + "saved_object:privmon-api-key/delete", + "saved_object:privmon-api-key/bulk_delete", + "saved_object:privmon-api-key/share_to_space", + "saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + 
"saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + "saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + 
"saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + "saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + 
"saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + 
"alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/create", + "alerting:siem.eqlRule/siem/rule/delete", + "alerting:siem.eqlRule/siem/rule/update", + "alerting:siem.eqlRule/siem/rule/updateApiKey", + "alerting:siem.eqlRule/siem/rule/enable", + "alerting:siem.eqlRule/siem/rule/disable", + "alerting:siem.eqlRule/siem/rule/muteAll", + 
"alerting:siem.eqlRule/siem/rule/unmuteAll", + "alerting:siem.eqlRule/siem/rule/muteAlert", + "alerting:siem.eqlRule/siem/rule/unmuteAlert", + "alerting:siem.eqlRule/siem/rule/snooze", + "alerting:siem.eqlRule/siem/rule/bulkEdit", + "alerting:siem.eqlRule/siem/rule/bulkDelete", + "alerting:siem.eqlRule/siem/rule/bulkEnable", + "alerting:siem.eqlRule/siem/rule/bulkDisable", + "alerting:siem.eqlRule/siem/rule/unsnooze", + "alerting:siem.eqlRule/siem/rule/runSoon", + "alerting:siem.eqlRule/siem/rule/scheduleBackfill", + "alerting:siem.eqlRule/siem/rule/deleteBackfill", + "alerting:siem.eqlRule/siem/rule/fillGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/create", + "alerting:siem.indicatorRule/siem/rule/delete", + "alerting:siem.indicatorRule/siem/rule/update", + "alerting:siem.indicatorRule/siem/rule/updateApiKey", + "alerting:siem.indicatorRule/siem/rule/enable", + "alerting:siem.indicatorRule/siem/rule/disable", + "alerting:siem.indicatorRule/siem/rule/muteAll", + "alerting:siem.indicatorRule/siem/rule/unmuteAll", + "alerting:siem.indicatorRule/siem/rule/muteAlert", + "alerting:siem.indicatorRule/siem/rule/unmuteAlert", + "alerting:siem.indicatorRule/siem/rule/snooze", + "alerting:siem.indicatorRule/siem/rule/bulkEdit", + "alerting:siem.indicatorRule/siem/rule/bulkDelete", + "alerting:siem.indicatorRule/siem/rule/bulkEnable", + 
"alerting:siem.indicatorRule/siem/rule/bulkDisable", + "alerting:siem.indicatorRule/siem/rule/unsnooze", + "alerting:siem.indicatorRule/siem/rule/runSoon", + "alerting:siem.indicatorRule/siem/rule/scheduleBackfill", + "alerting:siem.indicatorRule/siem/rule/deleteBackfill", + "alerting:siem.indicatorRule/siem/rule/fillGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/create", + "alerting:siem.mlRule/siem/rule/delete", + "alerting:siem.mlRule/siem/rule/update", + "alerting:siem.mlRule/siem/rule/updateApiKey", + "alerting:siem.mlRule/siem/rule/enable", + "alerting:siem.mlRule/siem/rule/disable", + "alerting:siem.mlRule/siem/rule/muteAll", + "alerting:siem.mlRule/siem/rule/unmuteAll", + "alerting:siem.mlRule/siem/rule/muteAlert", + "alerting:siem.mlRule/siem/rule/unmuteAlert", + "alerting:siem.mlRule/siem/rule/snooze", + "alerting:siem.mlRule/siem/rule/bulkEdit", + "alerting:siem.mlRule/siem/rule/bulkDelete", + "alerting:siem.mlRule/siem/rule/bulkEnable", + "alerting:siem.mlRule/siem/rule/bulkDisable", + "alerting:siem.mlRule/siem/rule/unsnooze", + "alerting:siem.mlRule/siem/rule/runSoon", + "alerting:siem.mlRule/siem/rule/scheduleBackfill", + "alerting:siem.mlRule/siem/rule/deleteBackfill", + "alerting:siem.mlRule/siem/rule/fillGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + 
"alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/create", + "alerting:siem.queryRule/siem/rule/delete", + "alerting:siem.queryRule/siem/rule/update", + "alerting:siem.queryRule/siem/rule/updateApiKey", + "alerting:siem.queryRule/siem/rule/enable", + "alerting:siem.queryRule/siem/rule/disable", + "alerting:siem.queryRule/siem/rule/muteAll", + "alerting:siem.queryRule/siem/rule/unmuteAll", + "alerting:siem.queryRule/siem/rule/muteAlert", + "alerting:siem.queryRule/siem/rule/unmuteAlert", + "alerting:siem.queryRule/siem/rule/snooze", + "alerting:siem.queryRule/siem/rule/bulkEdit", + "alerting:siem.queryRule/siem/rule/bulkDelete", + "alerting:siem.queryRule/siem/rule/bulkEnable", + "alerting:siem.queryRule/siem/rule/bulkDisable", + "alerting:siem.queryRule/siem/rule/unsnooze", + "alerting:siem.queryRule/siem/rule/runSoon", + "alerting:siem.queryRule/siem/rule/scheduleBackfill", + "alerting:siem.queryRule/siem/rule/deleteBackfill", + "alerting:siem.queryRule/siem/rule/fillGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + 
"alerting:siem.savedQueryRule/siem/rule/create", + "alerting:siem.savedQueryRule/siem/rule/delete", + "alerting:siem.savedQueryRule/siem/rule/update", + "alerting:siem.savedQueryRule/siem/rule/updateApiKey", + "alerting:siem.savedQueryRule/siem/rule/enable", + "alerting:siem.savedQueryRule/siem/rule/disable", + "alerting:siem.savedQueryRule/siem/rule/muteAll", + "alerting:siem.savedQueryRule/siem/rule/unmuteAll", + "alerting:siem.savedQueryRule/siem/rule/muteAlert", + "alerting:siem.savedQueryRule/siem/rule/unmuteAlert", + "alerting:siem.savedQueryRule/siem/rule/snooze", + "alerting:siem.savedQueryRule/siem/rule/bulkEdit", + "alerting:siem.savedQueryRule/siem/rule/bulkDelete", + "alerting:siem.savedQueryRule/siem/rule/bulkEnable", + "alerting:siem.savedQueryRule/siem/rule/bulkDisable", + "alerting:siem.savedQueryRule/siem/rule/unsnooze", + "alerting:siem.savedQueryRule/siem/rule/runSoon", + "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill", + "alerting:siem.savedQueryRule/siem/rule/deleteBackfill", + "alerting:siem.savedQueryRule/siem/rule/fillGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/create", + "alerting:siem.thresholdRule/siem/rule/delete", + "alerting:siem.thresholdRule/siem/rule/update", + "alerting:siem.thresholdRule/siem/rule/updateApiKey", + "alerting:siem.thresholdRule/siem/rule/enable", + "alerting:siem.thresholdRule/siem/rule/disable", + 
"alerting:siem.thresholdRule/siem/rule/muteAll", + "alerting:siem.thresholdRule/siem/rule/unmuteAll", + "alerting:siem.thresholdRule/siem/rule/muteAlert", + "alerting:siem.thresholdRule/siem/rule/unmuteAlert", + "alerting:siem.thresholdRule/siem/rule/snooze", + "alerting:siem.thresholdRule/siem/rule/bulkEdit", + "alerting:siem.thresholdRule/siem/rule/bulkDelete", + "alerting:siem.thresholdRule/siem/rule/bulkEnable", + "alerting:siem.thresholdRule/siem/rule/bulkDisable", + "alerting:siem.thresholdRule/siem/rule/unsnooze", + "alerting:siem.thresholdRule/siem/rule/runSoon", + "alerting:siem.thresholdRule/siem/rule/scheduleBackfill", + "alerting:siem.thresholdRule/siem/rule/deleteBackfill", + "alerting:siem.thresholdRule/siem/rule/fillGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/create", + "alerting:siem.newTermsRule/siem/rule/delete", + "alerting:siem.newTermsRule/siem/rule/update", + "alerting:siem.newTermsRule/siem/rule/updateApiKey", + "alerting:siem.newTermsRule/siem/rule/enable", + "alerting:siem.newTermsRule/siem/rule/disable", + "alerting:siem.newTermsRule/siem/rule/muteAll", + "alerting:siem.newTermsRule/siem/rule/unmuteAll", + "alerting:siem.newTermsRule/siem/rule/muteAlert", + "alerting:siem.newTermsRule/siem/rule/unmuteAlert", + "alerting:siem.newTermsRule/siem/rule/snooze", + "alerting:siem.newTermsRule/siem/rule/bulkEdit", + 
"alerting:siem.newTermsRule/siem/rule/bulkDelete", + "alerting:siem.newTermsRule/siem/rule/bulkEnable", + "alerting:siem.newTermsRule/siem/rule/bulkDisable", + "alerting:siem.newTermsRule/siem/rule/unsnooze", + "alerting:siem.newTermsRule/siem/rule/runSoon", + "alerting:siem.newTermsRule/siem/rule/scheduleBackfill", + "alerting:siem.newTermsRule/siem/rule/deleteBackfill", + "alerting:siem.newTermsRule/siem/rule/fillGaps", + "alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + 
"alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "api:fileUpload:analyzeFile", + "api:store_search_session", + "api:generateReport", + "app:discover", + "ui:catalogue/discover", + "ui:management/kibana/search_sessions", + "ui:management/insightsAndAlerting/reporting", + "ui:navLinks/discover", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "saved_object:search/create", + "saved_object:search/bulk_create", + "saved_object:search/update", + "saved_object:search/bulk_update", + "saved_object:search/delete", + "saved_object:search/bulk_delete", + "saved_object:search/share_to_space", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search-session/bulk_get", + "saved_object:search-session/get", + "saved_object:search-session/find", + "saved_object:search-session/open_point_in_time", + "saved_object:search-session/close_point_in_time", + "saved_object:search-session/create", 
+ "saved_object:search-session/bulk_create", + "saved_object:search-session/update", + "saved_object:search-session/bulk_update", + "saved_object:search-session/delete", + "saved_object:search-session/bulk_delete", + "saved_object:search-session/share_to_space", + "saved_object:scheduled_report/bulk_get", + "saved_object:scheduled_report/get", + "saved_object:scheduled_report/find", + "saved_object:scheduled_report/open_point_in_time", + "saved_object:scheduled_report/close_point_in_time", + "saved_object:scheduled_report/create", + "saved_object:scheduled_report/bulk_create", + "saved_object:scheduled_report/update", + "saved_object:scheduled_report/bulk_update", + "saved_object:scheduled_report/delete", + "saved_object:scheduled_report/bulk_delete", + "saved_object:scheduled_report/share_to_space", + "ui:discover_v2/show", + "ui:discover_v2/save", + "ui:discover_v2/createShortUrl", + "ui:discover_v2/storeSearchSession", + "ui:discover_v2/generateCsv", + "api:dashboardUsageStats", + "api:downloadCsv", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "saved_object:dashboard/create", + "saved_object:dashboard/bulk_create", + "saved_object:dashboard/update", + "saved_object:dashboard/bulk_update", + "saved_object:dashboard/delete", + "saved_object:dashboard/bulk_delete", + "saved_object:dashboard/share_to_space", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + 
"saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + "saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "ui:dashboard_v2/createNew", + "ui:dashboard_v2/show", + "ui:dashboard_v2/showWriteControls", + "ui:dashboard_v2/createShortUrl", + "ui:dashboard_v2/storeSearchSession", + "ui:dashboard_v2/generateScreenshot", + "ui:dashboard_v2/downloadCsv", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "saved_object:map/create", + "saved_object:map/bulk_create", + "saved_object:map/update", + "saved_object:map/bulk_update", + "saved_object:map/delete", + "saved_object:map/bulk_delete", + "saved_object:map/share_to_space", + "ui:maps_v2/save", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "saved_object:visualization/create", + "saved_object:visualization/bulk_create", + "saved_object:visualization/update", + "saved_object:visualization/bulk_update", + "saved_object:visualization/delete", + "saved_object:visualization/bulk_delete", + "saved_object:visualization/share_to_space", + "saved_object:lens/create", + "saved_object:lens/bulk_create", + "saved_object:lens/update", + "saved_object:lens/bulk_update", + "saved_object:lens/delete", + "saved_object:lens/bulk_delete", + "saved_object:lens/share_to_space", + 
"ui:visualize_v2/show", + "ui:visualize_v2/delete", + "ui:visualize_v2/save", + "ui:visualize_v2/createShortUrl", + "ui:visualize_v2/generateScreenshot", + ], + "blocklist_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeBlocklist", + "api:securitySolution-readBlocklist", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeBlocklist", + "ui:siemV4/readBlocklist", + ], + "blocklist_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readBlocklist", + "ui:siemV4/readBlocklist", + ], + "endpoint_exceptions_all": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "api:securitySolution-crudEndpointExceptions", + "ui:siemV4/showEndpointExceptions", + "ui:siemV4/crudEndpointExceptions", + ], + "endpoint_exceptions_read": Array [ + "login:", + "api:securitySolution-showEndpointExceptions", + "ui:siemV4/showEndpointExceptions", + ], + "endpoint_list_all": Array [ + "login:", + "api:securitySolution-writeEndpointList", + "api:securitySolution-readEndpointList", + "ui:siemV4/writeEndpointList", + "ui:siemV4/readEndpointList", + ], + "endpoint_list_read": Array [ + "login:", + "api:securitySolution-readEndpointList", + "ui:siemV4/readEndpointList", + ], + "event_filters_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + 
"api:securitySolution-writeEventFilters", + "api:securitySolution-readEventFilters", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeEventFilters", + "ui:siemV4/readEventFilters", + ], + "event_filters_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readEventFilters", + "ui:siemV4/readEventFilters", + ], + "execute_operations_all": Array [ + "login:", + "api:securitySolution-writeExecuteOperations", + "ui:siemV4/writeExecuteOperations", + ], + "file_operations_all": Array [ + "login:", + "api:securitySolution-writeFileOperations", + "ui:siemV4/writeFileOperations", + ], + "global_artifact_management_all": Array [ + "login:", + "api:securitySolution-writeGlobalArtifacts", + "ui:siemV4/writeGlobalArtifacts", + ], + "host_isolation_all": Array [ + "login:", + "api:securitySolution-writeHostIsolationRelease", + "api:securitySolution-writeHostIsolation", + "ui:siemV4/writeHostIsolationRelease", + "ui:siemV4/writeHostIsolation", + ], + "host_isolation_exceptions_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-deleteHostIsolationExceptions", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "api:securitySolution-writeHostIsolationExceptions", + "saved_object:exception-list-agnostic/bulk_get", + 
"saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/deleteHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + "ui:siemV4/writeHostIsolationExceptions", + ], + "host_isolation_exceptions_read": Array [ + "login:", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-readHostIsolationExceptions", + "api:securitySolution-accessHostIsolationExceptions", + "ui:siemV4/readHostIsolationExceptions", + "ui:siemV4/accessHostIsolationExceptions", + ], + "minimal_all": Array [ + "login:", + "api:securitySolution", + "api:rac", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-entity-analytics", + "api:cloud-security-posture-all", + "api:cloud-security-posture-read", + "api:cloud-defend-all", + "api:cloud-defend-read", + "api:bulkGetUserProfiles", + "api:securitySolution-threat-intelligence", + "app:securitySolution", + "app:csp", + "app:kibana", + "ui:catalogue/securitySolution", + "ui:management/insightsAndAlerting/triggersActions", + "ui:navLinks/securitySolution", + "ui:navLinks/csp", + "ui:navLinks/kibana", + "saved_object:alert/bulk_get", + "saved_object:alert/get", + "saved_object:alert/find", + "saved_object:alert/open_point_in_time", + "saved_object:alert/close_point_in_time", + "saved_object:alert/create", + "saved_object:alert/bulk_create", + "saved_object:alert/update", + "saved_object:alert/bulk_update", + 
"saved_object:alert/delete", + "saved_object:alert/bulk_delete", + "saved_object:alert/share_to_space", + "saved_object:exception-list/bulk_get", + "saved_object:exception-list/get", + "saved_object:exception-list/find", + "saved_object:exception-list/open_point_in_time", + "saved_object:exception-list/close_point_in_time", + "saved_object:exception-list/create", + "saved_object:exception-list/bulk_create", + "saved_object:exception-list/update", + "saved_object:exception-list/bulk_update", + "saved_object:exception-list/delete", + "saved_object:exception-list/bulk_delete", + "saved_object:exception-list/share_to_space", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "saved_object:index-pattern/bulk_get", + "saved_object:index-pattern/get", + "saved_object:index-pattern/find", + "saved_object:index-pattern/open_point_in_time", + "saved_object:index-pattern/close_point_in_time", + "saved_object:index-pattern/create", + "saved_object:index-pattern/bulk_create", + "saved_object:index-pattern/update", + "saved_object:index-pattern/bulk_update", + "saved_object:index-pattern/delete", + "saved_object:index-pattern/bulk_delete", + "saved_object:index-pattern/share_to_space", + "saved_object:siem-detection-engine-rule-actions/bulk_get", + "saved_object:siem-detection-engine-rule-actions/get", + "saved_object:siem-detection-engine-rule-actions/find", + 
"saved_object:siem-detection-engine-rule-actions/open_point_in_time", + "saved_object:siem-detection-engine-rule-actions/close_point_in_time", + "saved_object:siem-detection-engine-rule-actions/create", + "saved_object:siem-detection-engine-rule-actions/bulk_create", + "saved_object:siem-detection-engine-rule-actions/update", + "saved_object:siem-detection-engine-rule-actions/bulk_update", + "saved_object:siem-detection-engine-rule-actions/delete", + "saved_object:siem-detection-engine-rule-actions/bulk_delete", + "saved_object:siem-detection-engine-rule-actions/share_to_space", + "saved_object:security-rule/bulk_get", + "saved_object:security-rule/get", + "saved_object:security-rule/find", + "saved_object:security-rule/open_point_in_time", + "saved_object:security-rule/close_point_in_time", + "saved_object:security-rule/create", + "saved_object:security-rule/bulk_create", + "saved_object:security-rule/update", + "saved_object:security-rule/bulk_update", + "saved_object:security-rule/delete", + "saved_object:security-rule/bulk_delete", + "saved_object:security-rule/share_to_space", + "saved_object:endpoint:user-artifact-manifest/bulk_get", + "saved_object:endpoint:user-artifact-manifest/get", + "saved_object:endpoint:user-artifact-manifest/find", + "saved_object:endpoint:user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:user-artifact-manifest/create", + "saved_object:endpoint:user-artifact-manifest/bulk_create", + "saved_object:endpoint:user-artifact-manifest/update", + "saved_object:endpoint:user-artifact-manifest/bulk_update", + "saved_object:endpoint:user-artifact-manifest/delete", + "saved_object:endpoint:user-artifact-manifest/bulk_delete", + "saved_object:endpoint:user-artifact-manifest/share_to_space", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_get", + "saved_object:endpoint:unified-user-artifact-manifest/get", + 
"saved_object:endpoint:unified-user-artifact-manifest/find", + "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time", + "saved_object:endpoint:unified-user-artifact-manifest/create", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_create", + "saved_object:endpoint:unified-user-artifact-manifest/update", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_update", + "saved_object:endpoint:unified-user-artifact-manifest/delete", + "saved_object:endpoint:unified-user-artifact-manifest/bulk_delete", + "saved_object:endpoint:unified-user-artifact-manifest/share_to_space", + "saved_object:security-solution-signals-migration/bulk_get", + "saved_object:security-solution-signals-migration/get", + "saved_object:security-solution-signals-migration/find", + "saved_object:security-solution-signals-migration/open_point_in_time", + "saved_object:security-solution-signals-migration/close_point_in_time", + "saved_object:security-solution-signals-migration/create", + "saved_object:security-solution-signals-migration/bulk_create", + "saved_object:security-solution-signals-migration/update", + "saved_object:security-solution-signals-migration/bulk_update", + "saved_object:security-solution-signals-migration/delete", + "saved_object:security-solution-signals-migration/bulk_delete", + "saved_object:security-solution-signals-migration/share_to_space", + "saved_object:risk-engine-configuration/bulk_get", + "saved_object:risk-engine-configuration/get", + "saved_object:risk-engine-configuration/find", + "saved_object:risk-engine-configuration/open_point_in_time", + "saved_object:risk-engine-configuration/close_point_in_time", + "saved_object:risk-engine-configuration/create", + "saved_object:risk-engine-configuration/bulk_create", + "saved_object:risk-engine-configuration/update", + "saved_object:risk-engine-configuration/bulk_update", + 
"saved_object:risk-engine-configuration/delete", + "saved_object:risk-engine-configuration/bulk_delete", + "saved_object:risk-engine-configuration/share_to_space", + "saved_object:entity-engine-status/bulk_get", + "saved_object:entity-engine-status/get", + "saved_object:entity-engine-status/find", + "saved_object:entity-engine-status/open_point_in_time", + "saved_object:entity-engine-status/close_point_in_time", + "saved_object:entity-engine-status/create", + "saved_object:entity-engine-status/bulk_create", + "saved_object:entity-engine-status/update", + "saved_object:entity-engine-status/bulk_update", + "saved_object:entity-engine-status/delete", + "saved_object:entity-engine-status/bulk_delete", + "saved_object:entity-engine-status/share_to_space", + "saved_object:privilege-monitoring-status/bulk_get", + "saved_object:privilege-monitoring-status/get", + "saved_object:privilege-monitoring-status/find", + "saved_object:privilege-monitoring-status/open_point_in_time", + "saved_object:privilege-monitoring-status/close_point_in_time", + "saved_object:privilege-monitoring-status/create", + "saved_object:privilege-monitoring-status/bulk_create", + "saved_object:privilege-monitoring-status/update", + "saved_object:privilege-monitoring-status/bulk_update", + "saved_object:privilege-monitoring-status/delete", + "saved_object:privilege-monitoring-status/bulk_delete", + "saved_object:privilege-monitoring-status/share_to_space", + "saved_object:privmon-api-key/bulk_get", + "saved_object:privmon-api-key/get", + "saved_object:privmon-api-key/find", + "saved_object:privmon-api-key/open_point_in_time", + "saved_object:privmon-api-key/close_point_in_time", + "saved_object:privmon-api-key/create", + "saved_object:privmon-api-key/bulk_create", + "saved_object:privmon-api-key/update", + "saved_object:privmon-api-key/bulk_update", + "saved_object:privmon-api-key/delete", + "saved_object:privmon-api-key/bulk_delete", + "saved_object:privmon-api-key/share_to_space", + 
"saved_object:entity-analytics-monitoring-entity-source/bulk_get", + "saved_object:entity-analytics-monitoring-entity-source/get", + "saved_object:entity-analytics-monitoring-entity-source/find", + "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time", + "saved_object:entity-analytics-monitoring-entity-source/create", + "saved_object:entity-analytics-monitoring-entity-source/bulk_create", + "saved_object:entity-analytics-monitoring-entity-source/update", + "saved_object:entity-analytics-monitoring-entity-source/bulk_update", + "saved_object:entity-analytics-monitoring-entity-source/delete", + "saved_object:entity-analytics-monitoring-entity-source/bulk_delete", + "saved_object:entity-analytics-monitoring-entity-source/share_to_space", + "saved_object:policy-settings-protection-updates-note/bulk_get", + "saved_object:policy-settings-protection-updates-note/get", + "saved_object:policy-settings-protection-updates-note/find", + "saved_object:policy-settings-protection-updates-note/open_point_in_time", + "saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:policy-settings-protection-updates-note/create", + "saved_object:policy-settings-protection-updates-note/bulk_create", + "saved_object:policy-settings-protection-updates-note/update", + "saved_object:policy-settings-protection-updates-note/bulk_update", + "saved_object:policy-settings-protection-updates-note/delete", + "saved_object:policy-settings-protection-updates-note/bulk_delete", + "saved_object:policy-settings-protection-updates-note/share_to_space", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security-ai-prompt/create", + 
"saved_object:security-ai-prompt/bulk_create", + "saved_object:security-ai-prompt/update", + "saved_object:security-ai-prompt/bulk_update", + "saved_object:security-ai-prompt/delete", + "saved_object:security-ai-prompt/bulk_delete", + "saved_object:security-ai-prompt/share_to_space", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:security:reference-data/create", + "saved_object:security:reference-data/bulk_create", + "saved_object:security:reference-data/update", + "saved_object:security:reference-data/bulk_update", + "saved_object:security:reference-data/delete", + "saved_object:security:reference-data/bulk_delete", + "saved_object:security:reference-data/share_to_space", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:csp_rule/create", + "saved_object:csp_rule/bulk_create", + "saved_object:csp_rule/update", + "saved_object:csp_rule/bulk_update", + "saved_object:csp_rule/delete", + "saved_object:csp_rule/bulk_delete", + "saved_object:csp_rule/share_to_space", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:cloud-security-posture-settings/create", + "saved_object:cloud-security-posture-settings/bulk_create", + "saved_object:cloud-security-posture-settings/update", + "saved_object:cloud-security-posture-settings/bulk_update", + "saved_object:cloud-security-posture-settings/delete", + 
"saved_object:cloud-security-posture-settings/bulk_delete", + "saved_object:cloud-security-posture-settings/share_to_space", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:csp-rule-template/create", + "saved_object:csp-rule-template/bulk_create", + "saved_object:csp-rule-template/update", + "saved_object:csp-rule-template/bulk_update", + "saved_object:csp-rule-template/delete", + "saved_object:csp-rule-template/bulk_delete", + "saved_object:csp-rule-template/share_to_space", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:telemetry/create", + "saved_object:telemetry/bulk_create", + "saved_object:telemetry/update", + "saved_object:telemetry/bulk_update", + "saved_object:telemetry/delete", + "saved_object:telemetry/bulk_delete", + "saved_object:telemetry/share_to_space", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + "saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + 
"saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/crud", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/create", + "alerting:siem.notifications/siem/rule/delete", + "alerting:siem.notifications/siem/rule/update", + "alerting:siem.notifications/siem/rule/updateApiKey", + "alerting:siem.notifications/siem/rule/enable", + "alerting:siem.notifications/siem/rule/disable", + "alerting:siem.notifications/siem/rule/muteAll", + "alerting:siem.notifications/siem/rule/unmuteAll", + "alerting:siem.notifications/siem/rule/muteAlert", + "alerting:siem.notifications/siem/rule/unmuteAlert", + "alerting:siem.notifications/siem/rule/snooze", + "alerting:siem.notifications/siem/rule/bulkEdit", + "alerting:siem.notifications/siem/rule/bulkDelete", + "alerting:siem.notifications/siem/rule/bulkEnable", + "alerting:siem.notifications/siem/rule/bulkDisable", + "alerting:siem.notifications/siem/rule/unsnooze", + "alerting:siem.notifications/siem/rule/runSoon", + "alerting:siem.notifications/siem/rule/scheduleBackfill", + "alerting:siem.notifications/siem/rule/deleteBackfill", + "alerting:siem.notifications/siem/rule/fillGaps", + 
"alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/create", + "alerting:siem.esqlRule/siem/rule/delete", + "alerting:siem.esqlRule/siem/rule/update", + "alerting:siem.esqlRule/siem/rule/updateApiKey", + "alerting:siem.esqlRule/siem/rule/enable", + "alerting:siem.esqlRule/siem/rule/disable", + "alerting:siem.esqlRule/siem/rule/muteAll", + "alerting:siem.esqlRule/siem/rule/unmuteAll", + "alerting:siem.esqlRule/siem/rule/muteAlert", + "alerting:siem.esqlRule/siem/rule/unmuteAlert", + "alerting:siem.esqlRule/siem/rule/snooze", + "alerting:siem.esqlRule/siem/rule/bulkEdit", + "alerting:siem.esqlRule/siem/rule/bulkDelete", + "alerting:siem.esqlRule/siem/rule/bulkEnable", + "alerting:siem.esqlRule/siem/rule/bulkDisable", + "alerting:siem.esqlRule/siem/rule/unsnooze", + "alerting:siem.esqlRule/siem/rule/runSoon", + "alerting:siem.esqlRule/siem/rule/scheduleBackfill", + "alerting:siem.esqlRule/siem/rule/deleteBackfill", + "alerting:siem.esqlRule/siem/rule/fillGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + "alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + 
"alerting:siem.eqlRule/siem/rule/findBackfill",
+ "alerting:siem.eqlRule/siem/rule/findGaps",
+ "alerting:siem.eqlRule/siem/rule/create",
+ "alerting:siem.eqlRule/siem/rule/delete",
+ "alerting:siem.eqlRule/siem/rule/update",
+ "alerting:siem.eqlRule/siem/rule/updateApiKey",
+ "alerting:siem.eqlRule/siem/rule/enable",
+ "alerting:siem.eqlRule/siem/rule/disable",
+ "alerting:siem.eqlRule/siem/rule/muteAll",
+ "alerting:siem.eqlRule/siem/rule/unmuteAll",
+ "alerting:siem.eqlRule/siem/rule/muteAlert",
+ "alerting:siem.eqlRule/siem/rule/unmuteAlert",
+ "alerting:siem.eqlRule/siem/rule/snooze",
+ "alerting:siem.eqlRule/siem/rule/bulkEdit",
+ "alerting:siem.eqlRule/siem/rule/bulkDelete",
+ "alerting:siem.eqlRule/siem/rule/bulkEnable",
+ "alerting:siem.eqlRule/siem/rule/bulkDisable",
+ "alerting:siem.eqlRule/siem/rule/unsnooze",
+ "alerting:siem.eqlRule/siem/rule/runSoon",
+ "alerting:siem.eqlRule/siem/rule/scheduleBackfill",
+ "alerting:siem.eqlRule/siem/rule/deleteBackfill",
+ "alerting:siem.eqlRule/siem/rule/fillGaps",
+ "alerting:siem.indicatorRule/siem/rule/get",
+ "alerting:siem.indicatorRule/siem/rule/bulkGet",
+ "alerting:siem.indicatorRule/siem/rule/getRuleState",
+ "alerting:siem.indicatorRule/siem/rule/getAlertSummary",
+ "alerting:siem.indicatorRule/siem/rule/getExecutionLog",
+ "alerting:siem.indicatorRule/siem/rule/getActionErrorLog",
+ "alerting:siem.indicatorRule/siem/rule/find",
+ "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.indicatorRule/siem/rule/getBackfill",
+ "alerting:siem.indicatorRule/siem/rule/findBackfill",
+ "alerting:siem.indicatorRule/siem/rule/findGaps",
+ "alerting:siem.indicatorRule/siem/rule/create",
+ "alerting:siem.indicatorRule/siem/rule/delete",
+ "alerting:siem.indicatorRule/siem/rule/update",
+ "alerting:siem.indicatorRule/siem/rule/updateApiKey",
+ "alerting:siem.indicatorRule/siem/rule/enable",
+ "alerting:siem.indicatorRule/siem/rule/disable",
+ "alerting:siem.indicatorRule/siem/rule/muteAll",
+ "alerting:siem.indicatorRule/siem/rule/unmuteAll",
+ "alerting:siem.indicatorRule/siem/rule/muteAlert",
+ "alerting:siem.indicatorRule/siem/rule/unmuteAlert",
+ "alerting:siem.indicatorRule/siem/rule/snooze",
+ "alerting:siem.indicatorRule/siem/rule/bulkEdit",
+ "alerting:siem.indicatorRule/siem/rule/bulkDelete",
+ "alerting:siem.indicatorRule/siem/rule/bulkEnable",
+ "alerting:siem.indicatorRule/siem/rule/bulkDisable",
+ "alerting:siem.indicatorRule/siem/rule/unsnooze",
+ "alerting:siem.indicatorRule/siem/rule/runSoon",
+ "alerting:siem.indicatorRule/siem/rule/scheduleBackfill",
+ "alerting:siem.indicatorRule/siem/rule/deleteBackfill",
+ "alerting:siem.indicatorRule/siem/rule/fillGaps",
+ "alerting:siem.mlRule/siem/rule/get",
+ "alerting:siem.mlRule/siem/rule/bulkGet",
+ "alerting:siem.mlRule/siem/rule/getRuleState",
+ "alerting:siem.mlRule/siem/rule/getAlertSummary",
+ "alerting:siem.mlRule/siem/rule/getExecutionLog",
+ "alerting:siem.mlRule/siem/rule/getActionErrorLog",
+ "alerting:siem.mlRule/siem/rule/find",
+ "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.mlRule/siem/rule/getBackfill",
+ "alerting:siem.mlRule/siem/rule/findBackfill",
+ "alerting:siem.mlRule/siem/rule/findGaps",
+ "alerting:siem.mlRule/siem/rule/create",
+ "alerting:siem.mlRule/siem/rule/delete",
+ "alerting:siem.mlRule/siem/rule/update",
+ "alerting:siem.mlRule/siem/rule/updateApiKey",
+ "alerting:siem.mlRule/siem/rule/enable",
+ "alerting:siem.mlRule/siem/rule/disable",
+ "alerting:siem.mlRule/siem/rule/muteAll",
+ "alerting:siem.mlRule/siem/rule/unmuteAll",
+ "alerting:siem.mlRule/siem/rule/muteAlert",
+ "alerting:siem.mlRule/siem/rule/unmuteAlert",
+ "alerting:siem.mlRule/siem/rule/snooze",
+ "alerting:siem.mlRule/siem/rule/bulkEdit",
+ "alerting:siem.mlRule/siem/rule/bulkDelete",
+ "alerting:siem.mlRule/siem/rule/bulkEnable",
+ "alerting:siem.mlRule/siem/rule/bulkDisable",
+ "alerting:siem.mlRule/siem/rule/unsnooze",
+ "alerting:siem.mlRule/siem/rule/runSoon",
+ "alerting:siem.mlRule/siem/rule/scheduleBackfill",
+ "alerting:siem.mlRule/siem/rule/deleteBackfill",
+ "alerting:siem.mlRule/siem/rule/fillGaps",
+ "alerting:siem.queryRule/siem/rule/get",
+ "alerting:siem.queryRule/siem/rule/bulkGet",
+ "alerting:siem.queryRule/siem/rule/getRuleState",
+ "alerting:siem.queryRule/siem/rule/getAlertSummary",
+ "alerting:siem.queryRule/siem/rule/getExecutionLog",
+ "alerting:siem.queryRule/siem/rule/getActionErrorLog",
+ "alerting:siem.queryRule/siem/rule/find",
+ "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.queryRule/siem/rule/getBackfill",
+ "alerting:siem.queryRule/siem/rule/findBackfill",
+ "alerting:siem.queryRule/siem/rule/findGaps",
+ "alerting:siem.queryRule/siem/rule/create",
+ "alerting:siem.queryRule/siem/rule/delete",
+ "alerting:siem.queryRule/siem/rule/update",
+ "alerting:siem.queryRule/siem/rule/updateApiKey",
+ "alerting:siem.queryRule/siem/rule/enable",
+ "alerting:siem.queryRule/siem/rule/disable",
+ "alerting:siem.queryRule/siem/rule/muteAll",
+ "alerting:siem.queryRule/siem/rule/unmuteAll",
+ "alerting:siem.queryRule/siem/rule/muteAlert",
+ "alerting:siem.queryRule/siem/rule/unmuteAlert",
+ "alerting:siem.queryRule/siem/rule/snooze",
+ "alerting:siem.queryRule/siem/rule/bulkEdit",
+ "alerting:siem.queryRule/siem/rule/bulkDelete",
+ "alerting:siem.queryRule/siem/rule/bulkEnable",
+ "alerting:siem.queryRule/siem/rule/bulkDisable",
+ "alerting:siem.queryRule/siem/rule/unsnooze",
+ "alerting:siem.queryRule/siem/rule/runSoon",
+ "alerting:siem.queryRule/siem/rule/scheduleBackfill",
+ "alerting:siem.queryRule/siem/rule/deleteBackfill",
+ "alerting:siem.queryRule/siem/rule/fillGaps",
+ "alerting:siem.savedQueryRule/siem/rule/get",
+ "alerting:siem.savedQueryRule/siem/rule/bulkGet",
+ "alerting:siem.savedQueryRule/siem/rule/getRuleState",
+ "alerting:siem.savedQueryRule/siem/rule/getAlertSummary",
+ "alerting:siem.savedQueryRule/siem/rule/getExecutionLog",
+ "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog",
+ "alerting:siem.savedQueryRule/siem/rule/find",
+ "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.savedQueryRule/siem/rule/getBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/findBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/findGaps",
+ "alerting:siem.savedQueryRule/siem/rule/create",
+ "alerting:siem.savedQueryRule/siem/rule/delete",
+ "alerting:siem.savedQueryRule/siem/rule/update",
+ "alerting:siem.savedQueryRule/siem/rule/updateApiKey",
+ "alerting:siem.savedQueryRule/siem/rule/enable",
+ "alerting:siem.savedQueryRule/siem/rule/disable",
+ "alerting:siem.savedQueryRule/siem/rule/muteAll",
+ "alerting:siem.savedQueryRule/siem/rule/unmuteAll",
+ "alerting:siem.savedQueryRule/siem/rule/muteAlert",
+ "alerting:siem.savedQueryRule/siem/rule/unmuteAlert",
+ "alerting:siem.savedQueryRule/siem/rule/snooze",
+ "alerting:siem.savedQueryRule/siem/rule/bulkEdit",
+ "alerting:siem.savedQueryRule/siem/rule/bulkDelete",
+ "alerting:siem.savedQueryRule/siem/rule/bulkEnable",
+ "alerting:siem.savedQueryRule/siem/rule/bulkDisable",
+ "alerting:siem.savedQueryRule/siem/rule/unsnooze",
+ "alerting:siem.savedQueryRule/siem/rule/runSoon",
+ "alerting:siem.savedQueryRule/siem/rule/scheduleBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/deleteBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/fillGaps",
+ "alerting:siem.thresholdRule/siem/rule/get",
+ "alerting:siem.thresholdRule/siem/rule/bulkGet",
+ "alerting:siem.thresholdRule/siem/rule/getRuleState",
+ "alerting:siem.thresholdRule/siem/rule/getAlertSummary",
+ "alerting:siem.thresholdRule/siem/rule/getExecutionLog",
+ "alerting:siem.thresholdRule/siem/rule/getActionErrorLog",
+ "alerting:siem.thresholdRule/siem/rule/find",
+ "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.thresholdRule/siem/rule/getBackfill",
+ "alerting:siem.thresholdRule/siem/rule/findBackfill",
+ "alerting:siem.thresholdRule/siem/rule/findGaps",
+ "alerting:siem.thresholdRule/siem/rule/create",
+ "alerting:siem.thresholdRule/siem/rule/delete",
+ "alerting:siem.thresholdRule/siem/rule/update",
+ "alerting:siem.thresholdRule/siem/rule/updateApiKey",
+ "alerting:siem.thresholdRule/siem/rule/enable",
+ "alerting:siem.thresholdRule/siem/rule/disable",
+ "alerting:siem.thresholdRule/siem/rule/muteAll",
+ "alerting:siem.thresholdRule/siem/rule/unmuteAll",
+ "alerting:siem.thresholdRule/siem/rule/muteAlert",
+ "alerting:siem.thresholdRule/siem/rule/unmuteAlert",
+ "alerting:siem.thresholdRule/siem/rule/snooze",
+ "alerting:siem.thresholdRule/siem/rule/bulkEdit",
+ "alerting:siem.thresholdRule/siem/rule/bulkDelete",
+ "alerting:siem.thresholdRule/siem/rule/bulkEnable",
+ "alerting:siem.thresholdRule/siem/rule/bulkDisable",
+ "alerting:siem.thresholdRule/siem/rule/unsnooze",
+ "alerting:siem.thresholdRule/siem/rule/runSoon",
+ "alerting:siem.thresholdRule/siem/rule/scheduleBackfill",
+ "alerting:siem.thresholdRule/siem/rule/deleteBackfill",
+ "alerting:siem.thresholdRule/siem/rule/fillGaps",
+ "alerting:siem.newTermsRule/siem/rule/get",
+ "alerting:siem.newTermsRule/siem/rule/bulkGet",
+ "alerting:siem.newTermsRule/siem/rule/getRuleState",
+ "alerting:siem.newTermsRule/siem/rule/getAlertSummary",
+ "alerting:siem.newTermsRule/siem/rule/getExecutionLog",
+ "alerting:siem.newTermsRule/siem/rule/getActionErrorLog",
+ "alerting:siem.newTermsRule/siem/rule/find",
+ "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.newTermsRule/siem/rule/getBackfill",
+ "alerting:siem.newTermsRule/siem/rule/findBackfill",
+ "alerting:siem.newTermsRule/siem/rule/findGaps",
+ "alerting:siem.newTermsRule/siem/rule/create",
+ "alerting:siem.newTermsRule/siem/rule/delete",
+ "alerting:siem.newTermsRule/siem/rule/update",
+ "alerting:siem.newTermsRule/siem/rule/updateApiKey",
+ "alerting:siem.newTermsRule/siem/rule/enable",
+ "alerting:siem.newTermsRule/siem/rule/disable",
+ "alerting:siem.newTermsRule/siem/rule/muteAll",
+ "alerting:siem.newTermsRule/siem/rule/unmuteAll",
+ "alerting:siem.newTermsRule/siem/rule/muteAlert",
+ "alerting:siem.newTermsRule/siem/rule/unmuteAlert",
+ "alerting:siem.newTermsRule/siem/rule/snooze",
+ "alerting:siem.newTermsRule/siem/rule/bulkEdit",
+ "alerting:siem.newTermsRule/siem/rule/bulkDelete",
+ "alerting:siem.newTermsRule/siem/rule/bulkEnable",
+ "alerting:siem.newTermsRule/siem/rule/bulkDisable",
+ "alerting:siem.newTermsRule/siem/rule/unsnooze",
+ "alerting:siem.newTermsRule/siem/rule/runSoon",
+ "alerting:siem.newTermsRule/siem/rule/scheduleBackfill",
+ "alerting:siem.newTermsRule/siem/rule/deleteBackfill",
+ "alerting:siem.newTermsRule/siem/rule/fillGaps",
+ "alerting:siem.notifications/siem/alert/get",
+ "alerting:siem.notifications/siem/alert/find",
+ "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.notifications/siem/alert/getAlertSummary",
+ "alerting:siem.notifications/siem/alert/update",
+ "alerting:siem.esqlRule/siem/alert/get",
+ "alerting:siem.esqlRule/siem/alert/find",
+ "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.esqlRule/siem/alert/getAlertSummary",
+ "alerting:siem.esqlRule/siem/alert/update",
+ "alerting:siem.eqlRule/siem/alert/get",
+ "alerting:siem.eqlRule/siem/alert/find",
+ "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.eqlRule/siem/alert/getAlertSummary",
+ "alerting:siem.eqlRule/siem/alert/update",
+ "alerting:siem.indicatorRule/siem/alert/get",
+ "alerting:siem.indicatorRule/siem/alert/find",
+ "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.indicatorRule/siem/alert/getAlertSummary",
+ "alerting:siem.indicatorRule/siem/alert/update",
+ "alerting:siem.mlRule/siem/alert/get",
+ "alerting:siem.mlRule/siem/alert/find",
+ "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.mlRule/siem/alert/getAlertSummary",
+ "alerting:siem.mlRule/siem/alert/update",
+ "alerting:siem.queryRule/siem/alert/get",
+ "alerting:siem.queryRule/siem/alert/find",
+ "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.queryRule/siem/alert/getAlertSummary",
+ "alerting:siem.queryRule/siem/alert/update",
+ "alerting:siem.savedQueryRule/siem/alert/get",
+ "alerting:siem.savedQueryRule/siem/alert/find",
+ "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.savedQueryRule/siem/alert/getAlertSummary",
+ "alerting:siem.savedQueryRule/siem/alert/update",
+ "alerting:siem.thresholdRule/siem/alert/get",
+ "alerting:siem.thresholdRule/siem/alert/find",
+ "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.thresholdRule/siem/alert/getAlertSummary",
+ "alerting:siem.thresholdRule/siem/alert/update",
+ "alerting:siem.newTermsRule/siem/alert/get",
+ "alerting:siem.newTermsRule/siem/alert/find",
+ "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.newTermsRule/siem/alert/getAlertSummary",
+ "alerting:siem.newTermsRule/siem/alert/update",
+ "api:fileUpload:analyzeFile",
+ "api:store_search_session",
+ "api:generateReport",
+ "app:discover",
+ "ui:catalogue/discover",
+ "ui:management/kibana/search_sessions",
+ "ui:management/insightsAndAlerting/reporting",
+ "ui:navLinks/discover",
+ "saved_object:search/bulk_get",
+ "saved_object:search/get",
+ "saved_object:search/find",
+ "saved_object:search/open_point_in_time",
+ "saved_object:search/close_point_in_time",
+ "saved_object:search/create",
+ "saved_object:search/bulk_create",
+ "saved_object:search/update",
+ "saved_object:search/bulk_update",
+ "saved_object:search/delete",
+ "saved_object:search/bulk_delete",
+ "saved_object:search/share_to_space",
+ "saved_object:url/create",
+ "saved_object:url/bulk_create",
+ "saved_object:url/update",
+ "saved_object:url/bulk_update",
+ "saved_object:url/delete",
+ "saved_object:url/bulk_delete",
+ "saved_object:url/share_to_space",
+ "saved_object:search-session/bulk_get",
+ "saved_object:search-session/get",
+ "saved_object:search-session/find",
+ "saved_object:search-session/open_point_in_time",
+ "saved_object:search-session/close_point_in_time",
+ "saved_object:search-session/create",
+ "saved_object:search-session/bulk_create",
+ "saved_object:search-session/update",
+ "saved_object:search-session/bulk_update",
+ "saved_object:search-session/delete",
+ "saved_object:search-session/bulk_delete",
+ "saved_object:search-session/share_to_space",
+ "saved_object:scheduled_report/bulk_get",
+ "saved_object:scheduled_report/get",
+ "saved_object:scheduled_report/find",
+ "saved_object:scheduled_report/open_point_in_time",
+ "saved_object:scheduled_report/close_point_in_time",
+ "saved_object:scheduled_report/create",
+ "saved_object:scheduled_report/bulk_create",
+ "saved_object:scheduled_report/update",
+ "saved_object:scheduled_report/bulk_update",
+ "saved_object:scheduled_report/delete",
+ "saved_object:scheduled_report/bulk_delete",
+ "saved_object:scheduled_report/share_to_space",
+ "ui:discover_v2/show",
+ "ui:discover_v2/save",
+ "ui:discover_v2/createShortUrl",
+ "ui:discover_v2/storeSearchSession",
+ "ui:discover_v2/generateCsv",
+ "api:dashboardUsageStats",
+ "api:downloadCsv",
+ "app:dashboards",
+ "ui:catalogue/dashboard",
+ "ui:navLinks/dashboards",
+ "saved_object:dashboard/bulk_get",
+ "saved_object:dashboard/get",
+ "saved_object:dashboard/find",
+ "saved_object:dashboard/open_point_in_time",
+ "saved_object:dashboard/close_point_in_time",
+ "saved_object:dashboard/create",
+ "saved_object:dashboard/bulk_create",
+ "saved_object:dashboard/update",
+ "saved_object:dashboard/bulk_update",
+ "saved_object:dashboard/delete",
+ "saved_object:dashboard/bulk_delete",
+ "saved_object:dashboard/share_to_space",
+ "saved_object:visualization/bulk_get",
+ "saved_object:visualization/get",
+ "saved_object:visualization/find",
+ "saved_object:visualization/open_point_in_time",
+ "saved_object:visualization/close_point_in_time",
+ "saved_object:canvas-workpad/bulk_get",
+ "saved_object:canvas-workpad/get",
+ "saved_object:canvas-workpad/find",
+ "saved_object:canvas-workpad/open_point_in_time",
+ "saved_object:canvas-workpad/close_point_in_time",
+ "saved_object:event-annotation-group/bulk_get",
+ "saved_object:event-annotation-group/get",
+ "saved_object:event-annotation-group/find",
+ "saved_object:event-annotation-group/open_point_in_time",
+ "saved_object:event-annotation-group/close_point_in_time",
+ "saved_object:lens/bulk_get",
+ "saved_object:lens/get",
+ "saved_object:lens/find",
+ "saved_object:lens/open_point_in_time",
+ "saved_object:lens/close_point_in_time",
+ "saved_object:links/bulk_get",
+ "saved_object:links/get",
+ "saved_object:links/find",
+ "saved_object:links/open_point_in_time",
+ "saved_object:links/close_point_in_time",
+ "saved_object:map/bulk_get",
+ "saved_object:map/get",
+ "saved_object:map/find",
+ "saved_object:map/open_point_in_time",
+ "saved_object:map/close_point_in_time",
+ "ui:dashboard_v2/createNew",
+ "ui:dashboard_v2/show",
+ "ui:dashboard_v2/showWriteControls",
+ "ui:dashboard_v2/createShortUrl",
+ "ui:dashboard_v2/storeSearchSession",
+ "ui:dashboard_v2/generateScreenshot",
+ "ui:dashboard_v2/downloadCsv",
+ "app:maps",
+ "ui:catalogue/maps",
+ "ui:navLinks/maps",
+ "saved_object:map/create",
+ "saved_object:map/bulk_create",
+ "saved_object:map/update",
+ "saved_object:map/bulk_update",
+ "saved_object:map/delete",
+ "saved_object:map/bulk_delete",
+ "saved_object:map/share_to_space",
+ "ui:maps_v2/save",
+ "ui:maps_v2/show",
+ "app:visualize",
+ "app:lens",
+ "ui:catalogue/visualize",
+ "ui:navLinks/visualize",
+ "ui:navLinks/lens",
+ "saved_object:visualization/create",
+ "saved_object:visualization/bulk_create",
+ "saved_object:visualization/update",
+ "saved_object:visualization/bulk_update",
+ "saved_object:visualization/delete",
+ "saved_object:visualization/bulk_delete",
+ "saved_object:visualization/share_to_space",
+ "saved_object:lens/create",
+ "saved_object:lens/bulk_create",
+ "saved_object:lens/update",
+ "saved_object:lens/bulk_update",
+ "saved_object:lens/delete",
+ "saved_object:lens/bulk_delete",
+ "saved_object:lens/share_to_space",
+ "ui:visualize_v2/show",
+ "ui:visualize_v2/delete",
+ "ui:visualize_v2/save",
+ "ui:visualize_v2/createShortUrl",
+ "ui:visualize_v2/generateScreenshot",
+ ],
+ "minimal_read": Array [
+ "login:",
+ "api:securitySolution",
+ "api:rac",
+ "api:lists-read",
+ "api:securitySolution-entity-analytics",
+ "api:cloud-security-posture-read",
+ "api:cloud-defend-read",
+ "api:bulkGetUserProfiles",
+ "api:securitySolution-threat-intelligence",
+ "app:securitySolution",
+ "app:csp",
+ "app:kibana",
+ "ui:catalogue/securitySolution",
+ "ui:management/insightsAndAlerting/triggersActions",
+ "ui:navLinks/securitySolution",
+ "ui:navLinks/csp",
+ "ui:navLinks/kibana",
+ "saved_object:exception-list/bulk_get",
+ "saved_object:exception-list/get",
+ "saved_object:exception-list/find",
+ "saved_object:exception-list/open_point_in_time",
+ "saved_object:exception-list/close_point_in_time",
+ "saved_object:exception-list-agnostic/bulk_get",
+ "saved_object:exception-list-agnostic/get",
+ "saved_object:exception-list-agnostic/find",
+ "saved_object:exception-list-agnostic/open_point_in_time",
+ "saved_object:exception-list-agnostic/close_point_in_time",
+ "saved_object:index-pattern/bulk_get",
+ "saved_object:index-pattern/get",
+ "saved_object:index-pattern/find",
+ "saved_object:index-pattern/open_point_in_time",
+ "saved_object:index-pattern/close_point_in_time",
+ "saved_object:siem-detection-engine-rule-actions/bulk_get",
+ "saved_object:siem-detection-engine-rule-actions/get",
+ "saved_object:siem-detection-engine-rule-actions/find",
+ "saved_object:siem-detection-engine-rule-actions/open_point_in_time",
+ "saved_object:siem-detection-engine-rule-actions/close_point_in_time",
+ "saved_object:security-rule/bulk_get",
+ "saved_object:security-rule/get",
+ "saved_object:security-rule/find",
+ "saved_object:security-rule/open_point_in_time",
+ "saved_object:security-rule/close_point_in_time",
+ "saved_object:endpoint:user-artifact-manifest/bulk_get",
+ "saved_object:endpoint:user-artifact-manifest/get",
+ "saved_object:endpoint:user-artifact-manifest/find",
+ "saved_object:endpoint:user-artifact-manifest/open_point_in_time",
+ "saved_object:endpoint:user-artifact-manifest/close_point_in_time",
+ "saved_object:endpoint:unified-user-artifact-manifest/bulk_get",
+ "saved_object:endpoint:unified-user-artifact-manifest/get",
+ "saved_object:endpoint:unified-user-artifact-manifest/find",
+ "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time",
+ "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time",
+ "saved_object:security-solution-signals-migration/bulk_get",
+ "saved_object:security-solution-signals-migration/get",
+ "saved_object:security-solution-signals-migration/find",
+ "saved_object:security-solution-signals-migration/open_point_in_time",
+ "saved_object:security-solution-signals-migration/close_point_in_time",
+ "saved_object:risk-engine-configuration/bulk_get",
+ "saved_object:risk-engine-configuration/get",
+ "saved_object:risk-engine-configuration/find",
+ "saved_object:risk-engine-configuration/open_point_in_time",
+ "saved_object:risk-engine-configuration/close_point_in_time",
+ "saved_object:entity-engine-status/bulk_get",
+ "saved_object:entity-engine-status/get",
+ "saved_object:entity-engine-status/find",
+ "saved_object:entity-engine-status/open_point_in_time",
+ "saved_object:entity-engine-status/close_point_in_time",
+ "saved_object:privilege-monitoring-status/bulk_get",
+ "saved_object:privilege-monitoring-status/get",
+ "saved_object:privilege-monitoring-status/find",
+ "saved_object:privilege-monitoring-status/open_point_in_time",
+ "saved_object:privilege-monitoring-status/close_point_in_time",
+ "saved_object:privmon-api-key/bulk_get",
+ "saved_object:privmon-api-key/get",
+ "saved_object:privmon-api-key/find",
+ "saved_object:privmon-api-key/open_point_in_time",
+ "saved_object:privmon-api-key/close_point_in_time",
+ "saved_object:entity-analytics-monitoring-entity-source/bulk_get",
+ "saved_object:entity-analytics-monitoring-entity-source/get",
+ "saved_object:entity-analytics-monitoring-entity-source/find",
+ "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time",
+ "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/bulk_get",
+ "saved_object:policy-settings-protection-updates-note/get",
+ "saved_object:policy-settings-protection-updates-note/find",
+ "saved_object:policy-settings-protection-updates-note/open_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/close_point_in_time",
+ "saved_object:security-ai-prompt/bulk_get",
+ "saved_object:security-ai-prompt/get",
+ "saved_object:security-ai-prompt/find",
+ "saved_object:security-ai-prompt/open_point_in_time",
+ "saved_object:security-ai-prompt/close_point_in_time",
+ "saved_object:security:reference-data/bulk_get",
+ "saved_object:security:reference-data/get",
+ "saved_object:security:reference-data/find",
+ "saved_object:security:reference-data/open_point_in_time",
+ "saved_object:security:reference-data/close_point_in_time",
+ "saved_object:csp_rule/bulk_get",
+ "saved_object:csp_rule/get",
+ "saved_object:csp_rule/find",
+ "saved_object:csp_rule/open_point_in_time",
+ "saved_object:csp_rule/close_point_in_time",
+ "saved_object:cloud-security-posture-settings/bulk_get",
+ "saved_object:cloud-security-posture-settings/get",
+ "saved_object:cloud-security-posture-settings/find",
+ "saved_object:cloud-security-posture-settings/open_point_in_time",
+ "saved_object:cloud-security-posture-settings/close_point_in_time",
+ "saved_object:csp-rule-template/bulk_get",
+ "saved_object:csp-rule-template/get",
+ "saved_object:csp-rule-template/find",
+ "saved_object:csp-rule-template/open_point_in_time",
+ "saved_object:csp-rule-template/close_point_in_time",
+ "saved_object:config/bulk_get",
+ "saved_object:config/get",
+ "saved_object:config/find",
+ "saved_object:config/open_point_in_time",
+ "saved_object:config/close_point_in_time",
+ "saved_object:config-global/bulk_get",
+ "saved_object:config-global/get",
+ "saved_object:config-global/find",
+ "saved_object:config-global/open_point_in_time",
+ "saved_object:config-global/close_point_in_time",
+ "saved_object:telemetry/bulk_get",
+ "saved_object:telemetry/get",
+ "saved_object:telemetry/find",
+ "saved_object:telemetry/open_point_in_time",
+ "saved_object:telemetry/close_point_in_time",
+ "saved_object:url/bulk_get",
+ "saved_object:url/get",
+ "saved_object:url/find",
+ "saved_object:url/open_point_in_time",
+ "saved_object:url/close_point_in_time",
+ "saved_object:tag/bulk_get",
+ "saved_object:tag/get",
+ "saved_object:tag/find",
+ "saved_object:tag/open_point_in_time",
+ "saved_object:tag/close_point_in_time",
+ "saved_object:cloud/bulk_get",
+ "saved_object:cloud/get",
+ "saved_object:cloud/find",
+ "saved_object:cloud/open_point_in_time",
+ "saved_object:cloud/close_point_in_time",
+ "ui:siemV4/show",
+ "ui:siemV4/entity-analytics",
+ "ui:siemV4/detections",
+ "ui:siemV4/investigation-guide",
+ "ui:siemV4/investigation-guide-interactions",
+ "ui:siemV4/threat-intelligence",
+ "alerting:siem.notifications/siem/rule/get",
+ "alerting:siem.notifications/siem/rule/bulkGet",
+ "alerting:siem.notifications/siem/rule/getRuleState",
+ "alerting:siem.notifications/siem/rule/getAlertSummary",
+ "alerting:siem.notifications/siem/rule/getExecutionLog",
+ "alerting:siem.notifications/siem/rule/getActionErrorLog",
+ "alerting:siem.notifications/siem/rule/find",
+ "alerting:siem.notifications/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.notifications/siem/rule/getBackfill",
+ "alerting:siem.notifications/siem/rule/findBackfill",
+ "alerting:siem.notifications/siem/rule/findGaps",
+ "alerting:siem.esqlRule/siem/rule/get",
+ "alerting:siem.esqlRule/siem/rule/bulkGet",
+ "alerting:siem.esqlRule/siem/rule/getRuleState",
+ "alerting:siem.esqlRule/siem/rule/getAlertSummary",
+ "alerting:siem.esqlRule/siem/rule/getExecutionLog",
+ "alerting:siem.esqlRule/siem/rule/getActionErrorLog",
+ "alerting:siem.esqlRule/siem/rule/find",
+ "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.esqlRule/siem/rule/getBackfill",
+ "alerting:siem.esqlRule/siem/rule/findBackfill",
+ "alerting:siem.esqlRule/siem/rule/findGaps",
+ "alerting:siem.eqlRule/siem/rule/get",
+ "alerting:siem.eqlRule/siem/rule/bulkGet",
+ "alerting:siem.eqlRule/siem/rule/getRuleState",
+ "alerting:siem.eqlRule/siem/rule/getAlertSummary",
+ "alerting:siem.eqlRule/siem/rule/getExecutionLog",
+ "alerting:siem.eqlRule/siem/rule/getActionErrorLog",
+ "alerting:siem.eqlRule/siem/rule/find",
+ "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.eqlRule/siem/rule/getBackfill",
+ "alerting:siem.eqlRule/siem/rule/findBackfill",
+ "alerting:siem.eqlRule/siem/rule/findGaps",
+ "alerting:siem.indicatorRule/siem/rule/get",
+ "alerting:siem.indicatorRule/siem/rule/bulkGet",
+ "alerting:siem.indicatorRule/siem/rule/getRuleState",
+ "alerting:siem.indicatorRule/siem/rule/getAlertSummary",
+ "alerting:siem.indicatorRule/siem/rule/getExecutionLog",
+ "alerting:siem.indicatorRule/siem/rule/getActionErrorLog",
+ "alerting:siem.indicatorRule/siem/rule/find",
+ "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.indicatorRule/siem/rule/getBackfill",
+ "alerting:siem.indicatorRule/siem/rule/findBackfill",
+ "alerting:siem.indicatorRule/siem/rule/findGaps",
+ "alerting:siem.mlRule/siem/rule/get",
+ "alerting:siem.mlRule/siem/rule/bulkGet",
+ "alerting:siem.mlRule/siem/rule/getRuleState",
+ "alerting:siem.mlRule/siem/rule/getAlertSummary",
+ "alerting:siem.mlRule/siem/rule/getExecutionLog",
+ "alerting:siem.mlRule/siem/rule/getActionErrorLog",
+ "alerting:siem.mlRule/siem/rule/find",
+ "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.mlRule/siem/rule/getBackfill",
+ "alerting:siem.mlRule/siem/rule/findBackfill",
+ "alerting:siem.mlRule/siem/rule/findGaps",
+ "alerting:siem.queryRule/siem/rule/get",
+ "alerting:siem.queryRule/siem/rule/bulkGet",
+ "alerting:siem.queryRule/siem/rule/getRuleState",
+ "alerting:siem.queryRule/siem/rule/getAlertSummary",
+ "alerting:siem.queryRule/siem/rule/getExecutionLog",
+ "alerting:siem.queryRule/siem/rule/getActionErrorLog",
+ "alerting:siem.queryRule/siem/rule/find",
+ "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.queryRule/siem/rule/getBackfill",
+ "alerting:siem.queryRule/siem/rule/findBackfill",
+ "alerting:siem.queryRule/siem/rule/findGaps",
+ "alerting:siem.savedQueryRule/siem/rule/get",
+ "alerting:siem.savedQueryRule/siem/rule/bulkGet",
+ "alerting:siem.savedQueryRule/siem/rule/getRuleState",
+ "alerting:siem.savedQueryRule/siem/rule/getAlertSummary",
+ "alerting:siem.savedQueryRule/siem/rule/getExecutionLog",
+ "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog",
+ "alerting:siem.savedQueryRule/siem/rule/find",
+ "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.savedQueryRule/siem/rule/getBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/findBackfill",
+ "alerting:siem.savedQueryRule/siem/rule/findGaps",
+ "alerting:siem.thresholdRule/siem/rule/get",
+ "alerting:siem.thresholdRule/siem/rule/bulkGet",
+ "alerting:siem.thresholdRule/siem/rule/getRuleState",
+ "alerting:siem.thresholdRule/siem/rule/getAlertSummary",
+ "alerting:siem.thresholdRule/siem/rule/getExecutionLog",
+ "alerting:siem.thresholdRule/siem/rule/getActionErrorLog",
+ "alerting:siem.thresholdRule/siem/rule/find",
+ "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.thresholdRule/siem/rule/getBackfill",
+ "alerting:siem.thresholdRule/siem/rule/findBackfill",
+ "alerting:siem.thresholdRule/siem/rule/findGaps",
+ "alerting:siem.newTermsRule/siem/rule/get",
+ "alerting:siem.newTermsRule/siem/rule/bulkGet",
+ "alerting:siem.newTermsRule/siem/rule/getRuleState",
+ "alerting:siem.newTermsRule/siem/rule/getAlertSummary",
+ "alerting:siem.newTermsRule/siem/rule/getExecutionLog",
+ "alerting:siem.newTermsRule/siem/rule/getActionErrorLog",
+ "alerting:siem.newTermsRule/siem/rule/find",
+ "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI",
+ "alerting:siem.newTermsRule/siem/rule/getBackfill",
+ "alerting:siem.newTermsRule/siem/rule/findBackfill",
+ "alerting:siem.newTermsRule/siem/rule/findGaps",
+ "alerting:siem.notifications/siem/alert/get",
+ "alerting:siem.notifications/siem/alert/find",
+ "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.notifications/siem/alert/getAlertSummary",
+ "alerting:siem.notifications/siem/alert/update",
+ "alerting:siem.esqlRule/siem/alert/get",
+ "alerting:siem.esqlRule/siem/alert/find",
+ "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.esqlRule/siem/alert/getAlertSummary",
+ "alerting:siem.esqlRule/siem/alert/update",
+ "alerting:siem.eqlRule/siem/alert/get",
+ "alerting:siem.eqlRule/siem/alert/find",
+ "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.eqlRule/siem/alert/getAlertSummary",
+ "alerting:siem.eqlRule/siem/alert/update",
+ "alerting:siem.indicatorRule/siem/alert/get",
+ "alerting:siem.indicatorRule/siem/alert/find",
+ "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.indicatorRule/siem/alert/getAlertSummary",
+ "alerting:siem.indicatorRule/siem/alert/update",
+ "alerting:siem.mlRule/siem/alert/get",
+ "alerting:siem.mlRule/siem/alert/find",
+ "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.mlRule/siem/alert/getAlertSummary",
+ "alerting:siem.mlRule/siem/alert/update",
+ "alerting:siem.queryRule/siem/alert/get",
+ "alerting:siem.queryRule/siem/alert/find",
+ "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.queryRule/siem/alert/getAlertSummary",
+ "alerting:siem.queryRule/siem/alert/update",
+ "alerting:siem.savedQueryRule/siem/alert/get",
+ "alerting:siem.savedQueryRule/siem/alert/find",
+ "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.savedQueryRule/siem/alert/getAlertSummary",
+ "alerting:siem.savedQueryRule/siem/alert/update",
+ "alerting:siem.thresholdRule/siem/alert/get",
+ "alerting:siem.thresholdRule/siem/alert/find",
+ "alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.thresholdRule/siem/alert/getAlertSummary",
+ "alerting:siem.thresholdRule/siem/alert/update",
+ "alerting:siem.newTermsRule/siem/alert/get",
+ "alerting:siem.newTermsRule/siem/alert/find",
+ "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices",
+ "alerting:siem.newTermsRule/siem/alert/getAlertSummary",
+ "alerting:siem.newTermsRule/siem/alert/update",
+ "app:discover",
+ "ui:catalogue/discover",
+ "ui:navLinks/discover",
+ "saved_object:url/create",
+ "saved_object:url/bulk_create",
+ "saved_object:url/update",
+ "saved_object:url/bulk_update",
+ "saved_object:url/delete",
+ "saved_object:url/bulk_delete",
+ "saved_object:url/share_to_space",
+ "saved_object:search/bulk_get",
+ "saved_object:search/get",
+ "saved_object:search/find",
+ "saved_object:search/open_point_in_time",
+ "saved_object:search/close_point_in_time",
+ "ui:discover_v2/show",
+ "ui:discover_v2/createShortUrl",
+ "api:dashboardUsageStats",
+ "app:dashboards",
+ "ui:catalogue/dashboard",
+ "ui:navLinks/dashboards",
+ "saved_object:visualization/bulk_get",
+ "saved_object:visualization/get",
+ "saved_object:visualization/find",
+ "saved_object:visualization/open_point_in_time",
+ "saved_object:visualization/close_point_in_time",
+ "saved_object:canvas-workpad/bulk_get",
+ "saved_object:canvas-workpad/get",
+ "saved_object:canvas-workpad/find",
+ "saved_object:canvas-workpad/open_point_in_time",
+ "saved_object:canvas-workpad/close_point_in_time",
+ "saved_object:event-annotation-group/bulk_get",
+ "saved_object:event-annotation-group/get",
+ "saved_object:event-annotation-group/find",
+ "saved_object:event-annotation-group/open_point_in_time",
+ "saved_object:event-annotation-group/close_point_in_time",
+ "saved_object:lens/bulk_get",
+ "saved_object:lens/get",
+ "saved_object:lens/find",
+ "saved_object:lens/open_point_in_time",
+ "saved_object:lens/close_point_in_time",
+ "saved_object:links/bulk_get",
+ "saved_object:links/get",
+ "saved_object:links/find",
+ "saved_object:links/open_point_in_time",
+ "saved_object:links/close_point_in_time",
+ "saved_object:map/bulk_get",
+ "saved_object:map/get",
+ "saved_object:map/find",
+ "saved_object:map/open_point_in_time",
+ "saved_object:map/close_point_in_time",
+ "saved_object:dashboard/bulk_get",
+ "saved_object:dashboard/get",
+ "saved_object:dashboard/find",
+ "saved_object:dashboard/open_point_in_time",
+ "saved_object:dashboard/close_point_in_time",
+ "ui:dashboard_v2/show",
+ "ui:dashboard_v2/createShortUrl",
+ "app:maps",
+ "ui:catalogue/maps",
+ "ui:navLinks/maps",
+ "ui:maps_v2/show",
+ "app:visualize",
+ "app:lens",
+ "ui:catalogue/visualize",
+ "ui:navLinks/visualize",
+ "ui:navLinks/lens",
+ "ui:visualize_v2/show",
+ "ui:visualize_v2/createShortUrl",
+ ],
+ "policy_management_all": Array [
+ "login:",
+ "api:securitySolution-writePolicyManagement",
+ "api:securitySolution-readPolicyManagement",
+ "saved_object:policy-settings-protection-updates-note/bulk_get",
+ "saved_object:policy-settings-protection-updates-note/get",
+ "saved_object:policy-settings-protection-updates-note/find",
+ "saved_object:policy-settings-protection-updates-note/open_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/close_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/create",
+ "saved_object:policy-settings-protection-updates-note/bulk_create",
+ "saved_object:policy-settings-protection-updates-note/update",
+ "saved_object:policy-settings-protection-updates-note/bulk_update",
+ "saved_object:policy-settings-protection-updates-note/delete",
+ "saved_object:policy-settings-protection-updates-note/bulk_delete",
+ "saved_object:policy-settings-protection-updates-note/share_to_space",
+ "ui:siemV4/writePolicyManagement",
+ "ui:siemV4/readPolicyManagement",
+ ],
+ "policy_management_read": Array [
+ "login:",
+ "api:securitySolution-readPolicyManagement",
+ "saved_object:policy-settings-protection-updates-note/bulk_get",
+ "saved_object:policy-settings-protection-updates-note/get",
+ "saved_object:policy-settings-protection-updates-note/find",
+ "saved_object:policy-settings-protection-updates-note/open_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/close_point_in_time",
+ "ui:siemV4/readPolicyManagement",
+ ],
+ "process_operations_all": Array [
+ "login:",
+ "api:securitySolution-writeProcessOperations",
+ "ui:siemV4/writeProcessOperations",
+ ],
+ "read": Array [
+ "login:",
+ "api:securitySolution",
+ "api:rac",
+ "api:lists-read",
+ "api:securitySolution-entity-analytics",
+ "api:cloud-security-posture-read",
+ "api:cloud-defend-read",
+ "api:bulkGetUserProfiles",
+ "api:securitySolution-threat-intelligence",
+ "api:securitySolution-showEndpointExceptions",
+ "app:securitySolution",
+ "app:csp",
+ "app:kibana",
+ "ui:catalogue/securitySolution",
+ "ui:management/insightsAndAlerting/triggersActions",
+ "ui:navLinks/securitySolution",
+ "ui:navLinks/csp",
+ "ui:navLinks/kibana",
+ "saved_object:exception-list/bulk_get",
+ "saved_object:exception-list/get",
+ "saved_object:exception-list/find",
+ "saved_object:exception-list/open_point_in_time",
+ "saved_object:exception-list/close_point_in_time",
+ "saved_object:exception-list-agnostic/bulk_get",
+ "saved_object:exception-list-agnostic/get",
+ "saved_object:exception-list-agnostic/find",
+ "saved_object:exception-list-agnostic/open_point_in_time",
+ "saved_object:exception-list-agnostic/close_point_in_time",
+ "saved_object:index-pattern/bulk_get",
+ "saved_object:index-pattern/get",
+ "saved_object:index-pattern/find",
+ "saved_object:index-pattern/open_point_in_time",
+ "saved_object:index-pattern/close_point_in_time",
+ "saved_object:siem-detection-engine-rule-actions/bulk_get",
+ "saved_object:siem-detection-engine-rule-actions/get",
+ "saved_object:siem-detection-engine-rule-actions/find",
+ "saved_object:siem-detection-engine-rule-actions/open_point_in_time",
+ "saved_object:siem-detection-engine-rule-actions/close_point_in_time",
+ "saved_object:security-rule/bulk_get",
+ "saved_object:security-rule/get",
+ "saved_object:security-rule/find",
+ "saved_object:security-rule/open_point_in_time",
+ "saved_object:security-rule/close_point_in_time",
+ "saved_object:endpoint:user-artifact-manifest/bulk_get",
+ "saved_object:endpoint:user-artifact-manifest/get",
+ "saved_object:endpoint:user-artifact-manifest/find",
+ "saved_object:endpoint:user-artifact-manifest/open_point_in_time",
+ "saved_object:endpoint:user-artifact-manifest/close_point_in_time",
+ "saved_object:endpoint:unified-user-artifact-manifest/bulk_get",
+ "saved_object:endpoint:unified-user-artifact-manifest/get",
+ "saved_object:endpoint:unified-user-artifact-manifest/find",
+ "saved_object:endpoint:unified-user-artifact-manifest/open_point_in_time",
+ "saved_object:endpoint:unified-user-artifact-manifest/close_point_in_time",
+ "saved_object:security-solution-signals-migration/bulk_get",
+ "saved_object:security-solution-signals-migration/get",
+ "saved_object:security-solution-signals-migration/find",
+ "saved_object:security-solution-signals-migration/open_point_in_time",
+ "saved_object:security-solution-signals-migration/close_point_in_time",
+ "saved_object:risk-engine-configuration/bulk_get",
+ "saved_object:risk-engine-configuration/get",
+ "saved_object:risk-engine-configuration/find",
+ "saved_object:risk-engine-configuration/open_point_in_time",
+ "saved_object:risk-engine-configuration/close_point_in_time",
+ "saved_object:entity-engine-status/bulk_get",
+ "saved_object:entity-engine-status/get",
+ "saved_object:entity-engine-status/find",
+ "saved_object:entity-engine-status/open_point_in_time",
+ "saved_object:entity-engine-status/close_point_in_time",
+ "saved_object:privilege-monitoring-status/bulk_get",
+ "saved_object:privilege-monitoring-status/get",
+ "saved_object:privilege-monitoring-status/find",
+ "saved_object:privilege-monitoring-status/open_point_in_time",
+ "saved_object:privilege-monitoring-status/close_point_in_time",
+ "saved_object:privmon-api-key/bulk_get",
+ "saved_object:privmon-api-key/get",
+ "saved_object:privmon-api-key/find",
+ "saved_object:privmon-api-key/open_point_in_time",
+ "saved_object:privmon-api-key/close_point_in_time",
+ "saved_object:entity-analytics-monitoring-entity-source/bulk_get",
+ "saved_object:entity-analytics-monitoring-entity-source/get",
+ "saved_object:entity-analytics-monitoring-entity-source/find",
+ "saved_object:entity-analytics-monitoring-entity-source/open_point_in_time",
+ "saved_object:entity-analytics-monitoring-entity-source/close_point_in_time",
+ "saved_object:policy-settings-protection-updates-note/bulk_get",
+ "saved_object:policy-settings-protection-updates-note/get",
+ "saved_object:policy-settings-protection-updates-note/find",
+ "saved_object:policy-settings-protection-updates-note/open_point_in_time",
+
"saved_object:policy-settings-protection-updates-note/close_point_in_time", + "saved_object:security-ai-prompt/bulk_get", + "saved_object:security-ai-prompt/get", + "saved_object:security-ai-prompt/find", + "saved_object:security-ai-prompt/open_point_in_time", + "saved_object:security-ai-prompt/close_point_in_time", + "saved_object:security:reference-data/bulk_get", + "saved_object:security:reference-data/get", + "saved_object:security:reference-data/find", + "saved_object:security:reference-data/open_point_in_time", + "saved_object:security:reference-data/close_point_in_time", + "saved_object:csp_rule/bulk_get", + "saved_object:csp_rule/get", + "saved_object:csp_rule/find", + "saved_object:csp_rule/open_point_in_time", + "saved_object:csp_rule/close_point_in_time", + "saved_object:cloud-security-posture-settings/bulk_get", + "saved_object:cloud-security-posture-settings/get", + "saved_object:cloud-security-posture-settings/find", + "saved_object:cloud-security-posture-settings/open_point_in_time", + "saved_object:cloud-security-posture-settings/close_point_in_time", + "saved_object:csp-rule-template/bulk_get", + "saved_object:csp-rule-template/get", + "saved_object:csp-rule-template/find", + "saved_object:csp-rule-template/open_point_in_time", + "saved_object:csp-rule-template/close_point_in_time", + "saved_object:config/bulk_get", + "saved_object:config/get", + "saved_object:config/find", + "saved_object:config/open_point_in_time", + "saved_object:config/close_point_in_time", + "saved_object:config-global/bulk_get", + "saved_object:config-global/get", + "saved_object:config-global/find", + "saved_object:config-global/open_point_in_time", + "saved_object:config-global/close_point_in_time", + "saved_object:telemetry/bulk_get", + "saved_object:telemetry/get", + "saved_object:telemetry/find", + "saved_object:telemetry/open_point_in_time", + "saved_object:telemetry/close_point_in_time", + "saved_object:url/bulk_get", + "saved_object:url/get", + 
"saved_object:url/find", + "saved_object:url/open_point_in_time", + "saved_object:url/close_point_in_time", + "saved_object:tag/bulk_get", + "saved_object:tag/get", + "saved_object:tag/find", + "saved_object:tag/open_point_in_time", + "saved_object:tag/close_point_in_time", + "saved_object:cloud/bulk_get", + "saved_object:cloud/get", + "saved_object:cloud/find", + "saved_object:cloud/open_point_in_time", + "saved_object:cloud/close_point_in_time", + "ui:siemV4/show", + "ui:siemV4/entity-analytics", + "ui:siemV4/detections", + "ui:siemV4/investigation-guide", + "ui:siemV4/investigation-guide-interactions", + "ui:siemV4/threat-intelligence", + "ui:siemV4/showEndpointExceptions", + "alerting:siem.notifications/siem/rule/get", + "alerting:siem.notifications/siem/rule/bulkGet", + "alerting:siem.notifications/siem/rule/getRuleState", + "alerting:siem.notifications/siem/rule/getAlertSummary", + "alerting:siem.notifications/siem/rule/getExecutionLog", + "alerting:siem.notifications/siem/rule/getActionErrorLog", + "alerting:siem.notifications/siem/rule/find", + "alerting:siem.notifications/siem/rule/getRuleExecutionKPI", + "alerting:siem.notifications/siem/rule/getBackfill", + "alerting:siem.notifications/siem/rule/findBackfill", + "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/get", + "alerting:siem.esqlRule/siem/rule/bulkGet", + "alerting:siem.esqlRule/siem/rule/getRuleState", + "alerting:siem.esqlRule/siem/rule/getAlertSummary", + "alerting:siem.esqlRule/siem/rule/getExecutionLog", + "alerting:siem.esqlRule/siem/rule/getActionErrorLog", + "alerting:siem.esqlRule/siem/rule/find", + "alerting:siem.esqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.esqlRule/siem/rule/getBackfill", + "alerting:siem.esqlRule/siem/rule/findBackfill", + "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/get", + "alerting:siem.eqlRule/siem/rule/bulkGet", + "alerting:siem.eqlRule/siem/rule/getRuleState", + 
"alerting:siem.eqlRule/siem/rule/getAlertSummary", + "alerting:siem.eqlRule/siem/rule/getExecutionLog", + "alerting:siem.eqlRule/siem/rule/getActionErrorLog", + "alerting:siem.eqlRule/siem/rule/find", + "alerting:siem.eqlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.eqlRule/siem/rule/getBackfill", + "alerting:siem.eqlRule/siem/rule/findBackfill", + "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/get", + "alerting:siem.indicatorRule/siem/rule/bulkGet", + "alerting:siem.indicatorRule/siem/rule/getRuleState", + "alerting:siem.indicatorRule/siem/rule/getAlertSummary", + "alerting:siem.indicatorRule/siem/rule/getExecutionLog", + "alerting:siem.indicatorRule/siem/rule/getActionErrorLog", + "alerting:siem.indicatorRule/siem/rule/find", + "alerting:siem.indicatorRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.indicatorRule/siem/rule/getBackfill", + "alerting:siem.indicatorRule/siem/rule/findBackfill", + "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/get", + "alerting:siem.mlRule/siem/rule/bulkGet", + "alerting:siem.mlRule/siem/rule/getRuleState", + "alerting:siem.mlRule/siem/rule/getAlertSummary", + "alerting:siem.mlRule/siem/rule/getExecutionLog", + "alerting:siem.mlRule/siem/rule/getActionErrorLog", + "alerting:siem.mlRule/siem/rule/find", + "alerting:siem.mlRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.mlRule/siem/rule/getBackfill", + "alerting:siem.mlRule/siem/rule/findBackfill", + "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/get", + "alerting:siem.queryRule/siem/rule/bulkGet", + "alerting:siem.queryRule/siem/rule/getRuleState", + "alerting:siem.queryRule/siem/rule/getAlertSummary", + "alerting:siem.queryRule/siem/rule/getExecutionLog", + "alerting:siem.queryRule/siem/rule/getActionErrorLog", + "alerting:siem.queryRule/siem/rule/find", + "alerting:siem.queryRule/siem/rule/getRuleExecutionKPI", + 
"alerting:siem.queryRule/siem/rule/getBackfill", + "alerting:siem.queryRule/siem/rule/findBackfill", + "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/get", + "alerting:siem.savedQueryRule/siem/rule/bulkGet", + "alerting:siem.savedQueryRule/siem/rule/getRuleState", + "alerting:siem.savedQueryRule/siem/rule/getAlertSummary", + "alerting:siem.savedQueryRule/siem/rule/getExecutionLog", + "alerting:siem.savedQueryRule/siem/rule/getActionErrorLog", + "alerting:siem.savedQueryRule/siem/rule/find", + "alerting:siem.savedQueryRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.savedQueryRule/siem/rule/getBackfill", + "alerting:siem.savedQueryRule/siem/rule/findBackfill", + "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/get", + "alerting:siem.thresholdRule/siem/rule/bulkGet", + "alerting:siem.thresholdRule/siem/rule/getRuleState", + "alerting:siem.thresholdRule/siem/rule/getAlertSummary", + "alerting:siem.thresholdRule/siem/rule/getExecutionLog", + "alerting:siem.thresholdRule/siem/rule/getActionErrorLog", + "alerting:siem.thresholdRule/siem/rule/find", + "alerting:siem.thresholdRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.thresholdRule/siem/rule/getBackfill", + "alerting:siem.thresholdRule/siem/rule/findBackfill", + "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/get", + "alerting:siem.newTermsRule/siem/rule/bulkGet", + "alerting:siem.newTermsRule/siem/rule/getRuleState", + "alerting:siem.newTermsRule/siem/rule/getAlertSummary", + "alerting:siem.newTermsRule/siem/rule/getExecutionLog", + "alerting:siem.newTermsRule/siem/rule/getActionErrorLog", + "alerting:siem.newTermsRule/siem/rule/find", + "alerting:siem.newTermsRule/siem/rule/getRuleExecutionKPI", + "alerting:siem.newTermsRule/siem/rule/getBackfill", + "alerting:siem.newTermsRule/siem/rule/findBackfill", + "alerting:siem.newTermsRule/siem/rule/findGaps", + 
"alerting:siem.notifications/siem/alert/get", + "alerting:siem.notifications/siem/alert/find", + "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.notifications/siem/alert/getAlertSummary", + "alerting:siem.notifications/siem/alert/update", + "alerting:siem.esqlRule/siem/alert/get", + "alerting:siem.esqlRule/siem/alert/find", + "alerting:siem.esqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.esqlRule/siem/alert/getAlertSummary", + "alerting:siem.esqlRule/siem/alert/update", + "alerting:siem.eqlRule/siem/alert/get", + "alerting:siem.eqlRule/siem/alert/find", + "alerting:siem.eqlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.eqlRule/siem/alert/getAlertSummary", + "alerting:siem.eqlRule/siem/alert/update", + "alerting:siem.indicatorRule/siem/alert/get", + "alerting:siem.indicatorRule/siem/alert/find", + "alerting:siem.indicatorRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.indicatorRule/siem/alert/getAlertSummary", + "alerting:siem.indicatorRule/siem/alert/update", + "alerting:siem.mlRule/siem/alert/get", + "alerting:siem.mlRule/siem/alert/find", + "alerting:siem.mlRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.mlRule/siem/alert/getAlertSummary", + "alerting:siem.mlRule/siem/alert/update", + "alerting:siem.queryRule/siem/alert/get", + "alerting:siem.queryRule/siem/alert/find", + "alerting:siem.queryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.queryRule/siem/alert/getAlertSummary", + "alerting:siem.queryRule/siem/alert/update", + "alerting:siem.savedQueryRule/siem/alert/get", + "alerting:siem.savedQueryRule/siem/alert/find", + "alerting:siem.savedQueryRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.savedQueryRule/siem/alert/getAlertSummary", + "alerting:siem.savedQueryRule/siem/alert/update", + "alerting:siem.thresholdRule/siem/alert/get", + "alerting:siem.thresholdRule/siem/alert/find", + 
"alerting:siem.thresholdRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.thresholdRule/siem/alert/getAlertSummary", + "alerting:siem.thresholdRule/siem/alert/update", + "alerting:siem.newTermsRule/siem/alert/get", + "alerting:siem.newTermsRule/siem/alert/find", + "alerting:siem.newTermsRule/siem/alert/getAuthorizedAlertsIndices", + "alerting:siem.newTermsRule/siem/alert/getAlertSummary", + "alerting:siem.newTermsRule/siem/alert/update", + "app:discover", + "ui:catalogue/discover", + "ui:navLinks/discover", + "saved_object:url/create", + "saved_object:url/bulk_create", + "saved_object:url/update", + "saved_object:url/bulk_update", + "saved_object:url/delete", + "saved_object:url/bulk_delete", + "saved_object:url/share_to_space", + "saved_object:search/bulk_get", + "saved_object:search/get", + "saved_object:search/find", + "saved_object:search/open_point_in_time", + "saved_object:search/close_point_in_time", + "ui:discover_v2/show", + "ui:discover_v2/createShortUrl", + "api:dashboardUsageStats", + "app:dashboards", + "ui:catalogue/dashboard", + "ui:navLinks/dashboards", + "saved_object:visualization/bulk_get", + "saved_object:visualization/get", + "saved_object:visualization/find", + "saved_object:visualization/open_point_in_time", + "saved_object:visualization/close_point_in_time", + "saved_object:canvas-workpad/bulk_get", + "saved_object:canvas-workpad/get", + "saved_object:canvas-workpad/find", + "saved_object:canvas-workpad/open_point_in_time", + "saved_object:canvas-workpad/close_point_in_time", + "saved_object:event-annotation-group/bulk_get", + "saved_object:event-annotation-group/get", + "saved_object:event-annotation-group/find", + "saved_object:event-annotation-group/open_point_in_time", + "saved_object:event-annotation-group/close_point_in_time", + "saved_object:lens/bulk_get", + "saved_object:lens/get", + "saved_object:lens/find", + "saved_object:lens/open_point_in_time", + "saved_object:lens/close_point_in_time", + 
"saved_object:links/bulk_get", + "saved_object:links/get", + "saved_object:links/find", + "saved_object:links/open_point_in_time", + "saved_object:links/close_point_in_time", + "saved_object:map/bulk_get", + "saved_object:map/get", + "saved_object:map/find", + "saved_object:map/open_point_in_time", + "saved_object:map/close_point_in_time", + "saved_object:dashboard/bulk_get", + "saved_object:dashboard/get", + "saved_object:dashboard/find", + "saved_object:dashboard/open_point_in_time", + "saved_object:dashboard/close_point_in_time", + "ui:dashboard_v2/show", + "ui:dashboard_v2/createShortUrl", + "app:maps", + "ui:catalogue/maps", + "ui:navLinks/maps", + "ui:maps_v2/show", + "app:visualize", + "app:lens", + "ui:catalogue/visualize", + "ui:navLinks/visualize", + "ui:navLinks/lens", + "ui:visualize_v2/show", + "ui:visualize_v2/createShortUrl", + ], + "scan_operations_all": Array [ + "login:", + "api:securitySolution-writeScanOperations", + "ui:siemV4/writeScanOperations", + ], + "trusted_applications_all": Array [ + "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", + "api:securitySolution-writeTrustedApplications", + "api:securitySolution-readTrustedApplications", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", + "ui:siemV4/writeTrustedApplications", + "ui:siemV4/readTrustedApplications", + ], + "trusted_applications_read": Array [ + "login:", + "api:lists-read", + 
"api:lists-summary", + "api:securitySolution-readTrustedApplications", + "ui:siemV4/readTrustedApplications", + ], + "workflow_insights_all": Array [ + "login:", + "api:securitySolution-writeWorkflowInsights", + "api:securitySolution-readWorkflowInsights", + "ui:siemV4/writeWorkflowInsights", + "ui:siemV4/readWorkflowInsights", + ], + "workflow_insights_read": Array [ + "login:", + "api:securitySolution-readWorkflowInsights", + "ui:siemV4/readWorkflowInsights", + ], + }, } `); }); From dc21aa1990a3d8c718a051a0be16e4ee185b7e1f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 1 Sep 2025 11:42:07 +0200 Subject: [PATCH 13/33] update unit tests for fix --- .../product_features_extensions.test.ts | 20 +++++++++---------- .../product_features_extensions.test.ts | 18 ++++++++--------- 2 files changed, 19 insertions(+), 19 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts index ae0a7ced79d7f..f7ef4c321b357 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts +++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts @@ -5,7 +5,7 @@ * 2.0. */ import { updateGlobalArtifactManageReplacements } from './product_features_extensions'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features'; import { cloneDeep } from 'lodash'; 
@@ -21,7 +21,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['all'], - api: [`${SECURITY_FEATURE_ID_V3}-all`], + api: [`${SECURITY_FEATURE_ID}-all`], }, read: { savedObject: { @@ -29,7 +29,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['read'], - api: [`${SECURITY_FEATURE_ID_V3}-read`], + api: [`${SECURITY_FEATURE_ID}-read`], }, }, }; @@ -49,7 +49,7 @@ describe('updateGlobalArtifactManageReplacements', () => { expect(featureConfig).toEqual(originalConfig); }); - it('should modify privileges for SECURITY_FEATURE_ID_V3 in both default and minimal', () => { + it('should modify privileges for SECURITY_FEATURE_ID in both default and minimal', () => { const testFeatureConfig = { ...featureConfig, privileges: { @@ -58,10 +58,10 @@ describe('updateGlobalArtifactManageReplacements', () => { ...featureConfig.privileges?.all, replacedBy: { default: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], + minimal: [{ feature: SECURITY_FEATURE_ID, privileges: ['all'] }], }, }, }, @@ -73,13 +73,13 @@ describe('updateGlobalArtifactManageReplacements', () => { // Default privileges modified const v3Default = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID_V3 + ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID ); expect(v3Default?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); // Minimal privileges modified const v3Minimal = replacedBy.minimal.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID_V3 + ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID ); expect(v3Minimal?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); 
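Review bot: In the `@@ -73,13` hunk the locals `v3Default` and `v3Minimal` keep their V3 suffix while the lookup they perform now uses the unversioned `SECURITY_FEATURE_ID`, so the names misstate what is being found and will be wrong again on the next feature-id bump; `const securityDefault = replacedBy.default.find(` and `const securityMinimal = replacedBy.minimal.find(` (with the matching `expect` lines) would finish the de-versioning this commit starts. The same stale `v3Default` remains in the serverless copy's `@@ -73,7` hunk. The import also moves from `@kbn/security-solution-features/constants` to `@kbn/security-solution-plugin/common`; presumably that constant resolves to the plugin's current feature id, and a one-line comment on the import stating that (`// current siem feature id; follows version bumps automatically`) would make the coupling explicit for readers. The enclosing `it` block begins and ends outside the hunk.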
@@ -90,7 +90,7 @@ describe('updateGlobalArtifactManageReplacements', () => { expect(otherFeature?.privileges).toEqual(['all']); }); - it('should only modify existing SECURITY_FEATURE_ID_V3 entries', () => { + it('should only modify existing SECURITY_FEATURE_ID entries', () => { const testFeatureConfig = { ...featureConfig, privileges: { @@ -109,7 +109,7 @@ describe('updateGlobalArtifactManageReplacements', () => { const replacedBy = testFeatureConfig.privileges.all.replacedBy; - // No SECURITY_FEATURE_ID_V3, so no changes + // No SECURITY_FEATURE_ID, so no changes expect(replacedBy.default[0].privileges).toEqual(['all']); expect(replacedBy.minimal[0].privileges).toEqual(['all']); }); diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts index d6d5318776b90..af2d09dce9832 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts @@ -5,7 +5,7 @@ * 2.0. */ import { updateGlobalArtifactManageReplacements } from './product_features_extensions'; -import { SECURITY_FEATURE_ID_V3 } from '@kbn/security-solution-features/constants'; +import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features'; import { cloneDeep } from 'lodash'; @@ -21,7 +21,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['all'], - api: [`${SECURITY_FEATURE_ID_V3}-all`], + api: [`${SECURITY_FEATURE_ID}-all`], }, read: { savedObject: { 
@@ -29,7 +29,7 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { read: ['*'], }, ui: ['read'], - api: [`${SECURITY_FEATURE_ID_V3}-read`], + api: [`${SECURITY_FEATURE_ID}-read`], }, }, }; @@ -49,7 +49,7 @@ describe('updateGlobalArtifactManageReplacements', () => { expect(featureConfig).toEqual(originalConfig); }); - it('should modify privileges for SECURITY_FEATURE_ID_V3 in both default and minimal', () => { + it('should modify privileges for SECURITY_FEATURE_ID in both default and minimal', () => { const testFeatureConfig = { ...featureConfig, privileges: { @@ -58,10 +58,10 @@ describe('updateGlobalArtifactManageReplacements', () => { ...featureConfig.privileges?.all, replacedBy: { default: [ - { feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }, + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID_V3, privileges: ['all'] }], + minimal: [{ feature: SECURITY_FEATURE_ID, privileges: ['all'] }], }, }, }, @@ -73,7 +73,7 @@ describe('updateGlobalArtifactManageReplacements', () => { // Default privileges modified const v3Default = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID_V3 + ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID ); expect(v3Default?.privileges).toEqual([ 'minimal_all', @@ -88,7 +88,7 @@ describe('updateGlobalArtifactManageReplacements', () => { expect(otherFeature?.privileges).toEqual(['all']); }); - it('should only modify existing SECURITY_FEATURE_ID_V3 entries', () => { + it('should only modify existing SECURITY_FEATURE_ID entries', () => { const testFeatureConfig = { ...featureConfig, privileges: { 
@@ -107,7 +107,7 @@ describe('updateGlobalArtifactManageReplacements', () => {
 const replacedBy = testFeatureConfig.privileges.all.replacedBy;
- // No SECURITY_FEATURE_ID_V3, so no changes
+ // No SECURITY_FEATURE_ID, so no changes
 expect(replacedBy.default[0].privileges).toEqual(['all']);
 expect(replacedBy.minimal[0].privileges).toEqual(['all']);
 });
From 7b947f92a91a3ebcfe22d5c1bc0bbe9106472f8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Mon, 1 Sep 2025 14:06:23 +0200
Subject: [PATCH 14/33] fix cy test
---
.../cypress/screens/custom_roles/assign_to_space_flyout.ts | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
index 881576bd16a77..4fefa00f9532a 100644
--- a/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
+++ b/x-pack/solutions/security/test/security_solution_cypress/cypress/screens/custom_roles/assign_to_space_flyout.ts
@@ -5,13 +5,15 @@
 * 2.0. */
+import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
+
 export const SPACE_SELECTOR_COMBO_BOX = '[data-test-subj="spaceSelectorComboBox"]';
 // Privileges
 export const SECURITY_CATEGORY = '[data-test-subj="featureCategory_securitySolution"]';
 // Sub-privileges
-export const SECURITY_FEATURE = '[data-test-subj="featureCategory_securitySolution_siemV3"]';
+export const SECURITY_FEATURE = `[data-test-subj="featureCategory_securitySolution_${SECURITY_FEATURE_ID}"]`;
 export const SECURITY_FEATURE_DESCRIPTION = '[aria-describedby="Security description text"]';
 export const CASES_FEATURE =
From 1fa4910c36dec921bc2bcf09312b011be81d8e6a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Tue, 2 Sep 2025 10:45:00 +0200
Subject: [PATCH 15/33] rename test file
---
.../role_migrations/trial_license_complete_tier/index.ts | 2 +-
...l_artifact_management.ts => siem_artifact_sub_privileges.ts} | 0
2 files changed, 1 insertion(+), 1 deletion(-)
rename x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/{siem_v3_global_artifact_management.ts => siem_artifact_sub_privileges.ts} (100%)
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
index dab519112f24b..08bf7acf23454 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts
@@ -8,6 +8,6 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_wo
 export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) {
 describe('Endpoint related user role migrations', function () {
- loadTestFile(require.resolve('./siem_v3_global_artifact_management'));
+ loadTestFile(require.resolve('./siem_artifact_sub_privileges'));
 });
 }
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts
similarity index 100%
rename from x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_v3_global_artifact_management.ts
rename to x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts
From f20636deb5e13d85ebbe9103374fd666cafedc5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Tue, 2 Sep 2025 14:14:10 +0200
Subject: [PATCH 16/33] endpoint exceptions: update role migration test to use as acceptance test
---
.../siem_artifact_sub_privileges.ts | 380 ++++++++++++++----
1 file changed, 297 insertions(+), 83 deletions(-)
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts
index aaa1f16c8077a..2e3bc342793b8 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_sub_privileges.ts
@@ -14,17 +14,14 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_wo
 export default function ({ getService }: FtrProviderContext) {
 const supertest = getService('supertest');
- const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2'];
-
- // these artifact privileges are shared between ESS and Serverless, while Endpoint Exceptions privilege exists only on Serverless
- const ARTIFACTS = [
+ const PRE_SIEM_V4_ESS_ARTIFACTS = [
 'trusted_applications', 'event_filters', 'blocklist', 'host_isolation_exceptions', ];
-
- const ROLE_NAME = 'siem_v3_test_role';
+ const ALL_ARTIFACTS = [...PRE_SIEM_V4_ESS_ARTIFACTS, 'endpoint_exceptions'];
+ const ROLE_NAME = 'siem_test_role';
 const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => supertest
@@ -64,8 +61,8 @@ export default function ({ getService }: FtrProviderContext) {
 return role.kibana[0].feature[SECURITY_FEATURE_ID];
 };
- describe('@ess @serverless @skipInServerlessMKI Role migrations towards siemV3', () => {
- afterEach(async () => {
+ describe('@ess @serverless @skipInServerlessMKI `siem` role migrations for Artifact sub-privileges', () => {
+ after(async () => {
 await supertest .delete(`/api/security/role/${ROLE_NAME}`) .set('kbn-xsrf', 'true')
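Review bot: The `@@ -14,17` hunk drops the comment explaining that the listed artifact privileges are shared between ESS and Serverless while Endpoint Exceptions existed only on Serverless, and the replacement names `PRE_SIEM_V4_ESS_ARTIFACTS` / `ALL_ARTIFACTS` carry that history only implicitly; a comment such as `// artifact sub-privileges that existed on ESS before siemV4; endpoint_exceptions joins them in siemV4` above the first constant would preserve it. In the `@@ -64,8` hunk `afterEach` becomes `after`, so the test role is now deleted once per suite rather than after every test; each test's PUT presumably replaces the whole role, but if sharing the role across tests is intentional a comment on the `after` saying so (`// every test PUTs the full role, so a single cleanup is enough`) would stop a future reader from assuming a clean slate between tests or reverting to `afterEach`. Whether `ALL_ARTIFACTS` is used is not visible in this hunk, and the `describe` body continues past it.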
@@ -73,136 +70,353 @@ export default function ({ getService }: FtrProviderContext) { .expect([204, 404]); }); - for (const deprecatedSiem of DEPRECATED_SIEM_VERSIONS) { - describe(`from ${deprecatedSiem}`, () => { - const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); + describe(`From siemV3 - adding Endpoint exceptions`, () => { + const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole('siemV3'); + + describe(`siemV3:READ`, () => { + it('should add endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + // sub-features toggle enabled to show Endpoint exceptions + 'minimal_read', + // Endpoint Exceptions were included in siem:READ, so we need to enable it explicitly + 'endpoint_exceptions_read', + ]); + }); + }); - describe(`${deprecatedSiem}:READ`, () => { - it('should keep READ privilege', async () => { - await putDeprecatedSiemPrivilegesInRole(['read']); + describe(`siemV3:MINIMAL_READ`, () => { + describe('@skipInServerless on ESS', () => { + it('should add endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read']); - expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + // Endpoint Exceptions were included in siem:MINIMAL_READ, so we need to enable it explicitly + 'endpoint_exceptions_read', + ]); }); }); - describe(`${deprecatedSiem}:MINIMAL_READ`, () => { - for (const artifact of ARTIFACTS) { - it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + describe('@skipInEss on Serverless', () => { + it('should keep endpoint_exceptions:NONE', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read']); - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 
'minimal_read', - `${artifact}_read`, - ]); - }); - } + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']); + }); - // Endpoint Exception privilege only exists on Serverless - it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `endpoint_exceptions_read`]); + it('should keep endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_read']); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ 'minimal_read', - `endpoint_exceptions_read`, + 'endpoint_exceptions_read', ]); }); - // adding Global Artifact Management to any artifact:WRITE privilege - for (const artifact of ARTIFACTS) { - it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); - - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_read', - `${artifact}_all`, - 'global_artifact_management_all', - ]); - }); - } - - // Endpoint Exception privilege only exists on Serverless - it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => { + it('should keep endpoint_exceptions:ALL', async () => { await putDeprecatedSiemPrivilegesInRole(['minimal_read', 'endpoint_exceptions_all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ 'minimal_read', 'endpoint_exceptions_all', - 'global_artifact_management_all', ]); }); }); + }); + + describe(`siemV3:ALL`, () => { + it('should add endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + // sub-features toggle enabled to show Endpoint exceptions + 'minimal_all', + // Endpoint Exceptions were included in siem:ALL, so we need to enable it explicitly + 'endpoint_exceptions_all', + ]); + }); + }); - 
describe(`${deprecatedSiem}:ALL`, () => { - // siem:ALL includes Endpoint Exceptions both on ESS and Serverless - it('@skipInServerless should add global_artifact_management:ALL on ESS', async () => { - await putDeprecatedSiemPrivilegesInRole(['all']); + describe('siemV3:MINIMAL_ALL', () => { + describe('@skipInServerless on ESS', () => { + it('should add endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - // sub-features toggle enabled to show Global Artifact Management 'minimal_all', - // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour - 'global_artifact_management_all', + // Endpoint Exceptions were included in siem:MINIMAL_ALL, so we need to enable it explicitly + 'endpoint_exceptions_all', + ]); + }); + }); + + describe('@skipInEss on Serverless', () => { + it('should keep endpoint_exceptions:NONE', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); + + it('should keep endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all', 'endpoint_exceptions_read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'endpoint_exceptions_read', ]); }); - it('@skipInEss should add global_artifact_management:ALL and endpoint_exceptions:ALL on serverless', async () => { - await putDeprecatedSiemPrivilegesInRole(['all']); + it('should keep endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all', 'endpoint_exceptions_all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - // sub-features toggle enabled to show Global Artifact Management 'minimal_all', - // Endpoint exceptions are tied to siem:ALL, hence the global_artifact_management_all to keep behaviour - 'global_artifact_management_all', - // 
Enpdoint Exceptions were included in siem:ALL, so we need to include them in siem:MINIMAL_ALL 'endpoint_exceptions_all', ]); }); }); + }); + }); + + describe('From `siem` and `siemV2` - adding Endpoint exceptions and Global artifact management', () => { + for (const deprecatedSiem of ['siemV2', 'siem'] as const) { + describe(`from ${deprecatedSiem}`, () => { + const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); - describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { - // on ESS, siem:MINIMAL_ALL includes Endpoint Exceptions ALL - describe('@skipInServerless ESS', () => { - it('should add global_artifact_management:ALL', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + describe(`Sub-feature 1: adding Endpoint Exceptions`, () => { + describe(`${deprecatedSiem}:READ`, () => { + it('should add endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['read']); - expect(await getMigratedSiemFeaturesFromRole()).to.eql([ - 'minimal_all', - 'global_artifact_management_all', - ]); + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_read', + ]); + }); }); - }); - // on Serverless, siem:MINIMAL_ALL means that Endpoint Exceptions is controlled by sub-feature privilege, it can be NONE - describe('@skipInEss on Serverless', () => { - it('@skipInEss should NOT add global_artifact_management:ALL', async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + describe(`${deprecatedSiem}:MINIMAL_READ`, () => { + describe('@skipInServerless on ESS', () => { + it('should add endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read']); - expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_read', + ]); + }); + }); + + describe('@skipInEss on Serverless', () => { + it('should keep 
endpoint_exceptions:NONE', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']); + }); + + it('should keep endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole([ + 'minimal_read', + 'endpoint_exceptions_read', + ]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_read', + ]); + }); + + it('should keep endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole([ + 'minimal_read', + 'endpoint_exceptions_all', + ]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + 'endpoint_exceptions_all', + 'global_artifact_management_all', + ]); + }); + }); }); - for (const artifact of [...ARTIFACTS, 'endpoint_exceptions']) { - it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + describe(`${deprecatedSiem}:ALL`, () => { + it('should add endpoint_exceptions:ALL and global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'global_artifact_management_all', + 'endpoint_exceptions_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { + describe('@skipInServerless on ESS', () => { + it('should add endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'global_artifact_management_all', + 'endpoint_exceptions_all', + ]); + }); + }); + + describe('@skipInEss on Serverless', () => { + it('should keep endpoint_exceptions:NONE', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); 
+ + it('should keep endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole([ + 'minimal_all', + 'endpoint_exceptions_read', + ]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'endpoint_exceptions_read', + ]); + }); + + it('should keep endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole([ + 'minimal_all', + 'endpoint_exceptions_all', + ]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'endpoint_exceptions_all', + 'global_artifact_management_all', + ]); + }); + }); + }); + }); + + describe('Sub-feature 2: adding Global Artifact Management', () => { + describe(`${deprecatedSiem}:MINIMAL_READ`, () => { + for (const artifact of PRE_SIEM_V4_ESS_ARTIFACTS) { + it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + const migratedPrivilages = await getMigratedSiemFeaturesFromRole(); + // testing existence/absence instead of strict equality as Endpoint exceptions are added on ESS, see above test cases + expect(migratedPrivilages).to.contain('minimal_read'); + expect(migratedPrivilages).to.contain(`${artifact}_read`); + expect(migratedPrivilages).not.to.contain('global_artifact_management_all'); + }); + } + + // Endpoint Exception privilege only existed on Serverless pre siemV4 + it('@skipInEss should NOT add global_artifact_management:ALL to endpoint_exceptions:READ', async () => { + await putDeprecatedSiemPrivilegesInRole([ 'minimal_read', - `${artifact}_read`, + `endpoint_exceptions_read`, + ]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `endpoint_exceptions_read`, ]); }); - it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { - await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + // adding Global Artifact Management to any artifact:WRITE 
privilege + for (const artifact of PRE_SIEM_V4_ESS_ARTIFACTS) { + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + const migratedPrivilages = await getMigratedSiemFeaturesFromRole(); + // testing existence instead of strict equality as Endpoint exceptions are added on ESS, see above test cases + expect(migratedPrivilages).to.contain('minimal_read'); + expect(migratedPrivilages).to.contain(`${artifact}_all`); + expect(migratedPrivilages).to.contain('global_artifact_management_all'); + }); + } + + // Endpoint Exception privilege only existed on Serverless pre siemV4 + it('@skipInEss should add global_artifact_management:ALL to endpoint_exceptions:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole([ + 'minimal_read', + 'endpoint_exceptions_all', + ]); expect(await getMigratedSiemFeaturesFromRole()).to.eql([ 'minimal_read', - `${artifact}_all`, + 'endpoint_exceptions_all', 'global_artifact_management_all', ]); }); - } + }); + + describe(`${deprecatedSiem}:ALL`, () => { + // siem:ALL includes Endpoint Exceptions both on ESS and Serverless + it('should add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + // sub-features toggle enabled to show new sub-features + 'minimal_all', + 'global_artifact_management_all', + 'endpoint_exceptions_all', + ]); + }); + }); + + describe(`${deprecatedSiem}:MINIMAL_ALL`, () => { + // on ESS, siem:MINIMAL_ALL included Endpoint Exceptions ALL + it('@skipInServerless should add global_artifact_management:ALL on ESS', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_all', + 'global_artifact_management_all', + 'endpoint_exceptions_all', + ]); + }); + + // on Serverless, siem:MINIMAL_ALL means that Endpoint 
Exceptions is controlled by sub-feature privilege + describe('@skipInEss on Serverless', () => { + it('@skipInEss should NOT add global_artifact_management:ALL', async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_all']); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_all']); + }); + + for (const artifact of ALL_ARTIFACTS) { + it(`should NOT add global_artifact_management:ALL to ${artifact}:READ`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_read`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_read`, + ]); + }); + + it(`should add global_artifact_management:ALL to ${artifact}:ALL`, async () => { + await putDeprecatedSiemPrivilegesInRole(['minimal_read', `${artifact}_all`]); + + expect(await getMigratedSiemFeaturesFromRole()).to.eql([ + 'minimal_read', + `${artifact}_all`, + 'global_artifact_management_all', + ]); + }); + } + }); + }); }); }); - }); - } + } + }); }); } From 8ef41b7ba73617a05ddee81098f0eb6f436e246c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 4 Sep 2025 09:22:10 +0200 Subject: [PATCH 17/33] endpoint exceptions: add privilege replacements --- .../src/security/kibana_sub_features.ts | 4 +- .../src/security/product_feature_config.ts | 4 + .../security/v1_features/kibana_features.ts | 6 +- .../security/v2_features/kibana_features.ts | 14 +- .../security/v3_features/kibana_features.ts | 4 + .../product_features_extensions.test.ts | 279 ++++++++++++++---- .../product_features_extensions.ts | 157 +++++++--- .../product_features_extensions.test.ts | 206 +++++++++---- .../product_features_extensions.ts | 116 +++++--- 9 files changed, 590 insertions(+), 200 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts index 7627297beef89..f59f4a891c402 100644 
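Review bot: Under `Sub-feature 2` → `${deprecatedSiem}:MINIMAL_ALL` → `describe('@skipInEss on Serverless', …)`, the `for (const artifact of ALL_ARTIFACTS)` tests call `putDeprecatedSiemPrivilegesInRole(['minimal_read', …])` and assert `'minimal_read'`, so they exercise MINIMAL_READ despite the describe title; either move that loop under the `${deprecatedSiem}:MINIMAL_READ` describe or switch the base privilege to `'minimal_all'` and adjust the expectations. The `it('@skipInEss should NOT add global_artifact_management:ALL', …)` inside that same describe repeats the tag the describe already carries. The local `migratedPrivilages` in the `Sub-feature 2` / `MINIMAL_READ` tests is misspelled; `migratedPrivileges` reads better. The enclosing `export default function ({ getService })` starts before this hunk.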
--- a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts
@@ -671,7 +671,7 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 privileges: [
 {
 id: 'endpoint_exceptions_all',
- includeIn: 'all',
+ includeIn: 'none',
 name: TRANSLATIONS.all,
 savedObject: {
 all: [],
@@ -682,7 +682,7 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
 },
 {
 id: 'endpoint_exceptions_read',
- includeIn: 'read',
+ includeIn: 'none',
 name: TRANSLATIONS.read,
 savedObject: {
 all: [],
diff --git a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
index 73a95b1ff4f30..e7a80965433d7 100644
--- a/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
+++ b/x-pack/solutions/security/packages/features/src/security/product_feature_config.ts
@@ -167,4 +167,8 @@ export const securityDefaultProductFeaturesConfig: SecurityProductFeaturesConfig
 SecuritySubFeatureId.globalArtifactManagement,
 ],
 },
+
+ [ProductFeatureSecurityKey.endpointExceptions]: {
+ subFeatureIds: [SecuritySubFeatureId.endpointExceptions],
+ },
 };
diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
index 36eba1f14b612..5faff2a7f86cb 100644
--- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_features.ts
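Review bot: Setting `includeIn: 'none'` on `endpoint_exceptions_all` and `endpoint_exceptions_read` (both hunks of `kibana_sub_features.ts`) makes the Endpoint Exceptions sub-feature opt-in: a role holding only the base `all`/`read` privilege of the new feature no longer receives it, and migration of existing roles rests entirely on the `replacedBy` entries patched by the `featureConfigModifiers` elsewhere in this patch. That coupling is invisible at the definition site; a comment on each privilege, e.g. `// not bundled into the base all/read privilege since siemV4; legacy roles get it through the replacedBy modifiers in the ESS/serverless productFeaturesExtensions`, would tell the next reader that `'none'` is deliberate and where the compensating logic lives. The `endpointExceptionsSubFeature` definition starts before the hunk.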
@@ -93,13 +93,13 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- // note: overriden by product feature endpointArtifactManagement when enabled
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 { feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['all'] },
 { feature: NOTES_FEATURE_ID, privileges: ['all'] },
- // note: overriden by product feature endpointArtifactManagement when enabled
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] },
 ],
 },
@@ -143,11 +143,13 @@ export const getSecurityBaseKibanaFeature = ({
 default: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 { feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] },
 ],
 minimal: [
 { feature: TIMELINE_FEATURE_ID, privileges: ['read'] },
 { feature: NOTES_FEATURE_ID, privileges: ['read'] },
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] },
 ],
 },
diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
index 5f3920b325a19..35bfb6dda7533 100644
--- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_features.ts
@@ -89,14 +89,10 @@ export const getSecurityV2BaseKibanaFeature = ({
 privileges: {
 all: {
 replacedBy: {
- default: [
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] },
- ],
- minimal: [
- // note: overriden by product feature endpointArtifactManagement when enabled
- { feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] },
- ],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
+ minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
 catalogue: [APP_ID],
@@ -116,7 +112,9 @@ export const getSecurityV2BaseKibanaFeature = ({
 },
 read: {
 replacedBy: {
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
index 7c003f656d4eb..3c3fec30385da 100644
--- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
+++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_features.ts
@@ -89,7 +89,9 @@ export const getSecurityV3BaseKibanaFeature = ({
 privileges: {
 all: {
 replacedBy: {
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['all'] }],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_all'] }],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
@@ -110,7 +112,9 @@ export const getSecurityV3BaseKibanaFeature = ({
 },
 read: {
 replacedBy: {
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 default: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['read'] }],
+ // note: ESS/serverless specific productFeaturesExtensions modify this privilege array
 minimal: [{ feature: SECURITY_FEATURE_ID_V4, privileges: ['minimal_read'] }],
 },
 app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'],
diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts
index f7ef4c321b357..d2b70d158484f 100644
--- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts
+++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.test.ts
@@ -4,7 +4,13 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import { updateGlobalArtifactManageReplacements } from './product_features_extensions';
+import {
+ addEndpointExceptionsToMinimalReadAndMinimalAll,
+ addEndpointExceptionsToReadAndAll,
+ addGlobalArtifactManagementToAll,
+ addGlobalArtifactManagementToMinimalAll,
+ enableSecuritySubfeaturesToggle,
+} from './product_features_extensions';
 import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
 import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features';
 import { cloneDeep } from 'lodash';
@@ -34,83 +40,244 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { }, }; -describe('updateGlobalArtifactManageReplacements', () => { - let featureConfig: MutableKibanaFeatureConfig; +describe('ESS product feature extensions - feature config modifiers', () => { + let configWithoutReplacedBy: MutableKibanaFeatureConfig; + let configWithReplacedBy: MutableKibanaFeatureConfig; beforeEach(() => { - featureConfig = cloneDeep(baseFeatureConfig); - }); - - it('should do nothing if replacedBy is not present', () => { - const originalConfig = JSON.parse(JSON.stringify(featureConfig)); - - updateGlobalArtifactManageReplacements(featureConfig as MutableKibanaFeatureConfig); - - expect(featureConfig).toEqual(originalConfig); - }); - - it('should modify privileges for SECURITY_FEATURE_ID in both default and minimal', () => { - const testFeatureConfig = { - ...featureConfig, + configWithoutReplacedBy = cloneDeep(baseFeatureConfig); + configWithReplacedBy = cloneDeep({ + ...configWithoutReplacedBy, privileges: { - ...featureConfig.privileges, + ...configWithoutReplacedBy.privileges, all: { - ...featureConfig.privileges?.all, + ...configWithoutReplacedBy.privileges?.all, replacedBy: { default: [ { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID, privileges: ['all'] }], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }, + }, + read: { + ...configWithoutReplacedBy.privileges?.read, + replacedBy: { + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], }, }, }, - }; + }) as MutableKibanaFeatureConfig; + }); + + describe('addGlobalArtifactManagementToMinimalAll', 
() => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + addGlobalArtifactManagementToMinimalAll(testConfig); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - // Default privileges modified - const v3Default = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID - ); - expect(v3Default?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); + it('should add global artifact management privilege to siem.minimal_all', () => { + const testConfig = cloneDeep(configWithReplacedBy); - // Minimal privileges modified - const v3Minimal = replacedBy.minimal.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID - ); - expect(v3Minimal?.privileges).toEqual(['minimal_all', 'global_artifact_management_all']); + addGlobalArtifactManagementToMinimalAll(testConfig); - // Ensure other features remain unchanged - const otherFeature = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === 'other_feature' - ); - expect(otherFeature?.privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'minimal_all', + 'global_artifact_management_all', // <- global artifact management is added + ], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + configWithReplacedBy.privileges?.read.replacedBy + ); + }); }); - it('should only modify existing SECURITY_FEATURE_ID entries', () => { - const testFeatureConfig = { - ...featureConfig, - privileges: { - 
...featureConfig.privileges, - all: { - ...featureConfig.privileges?.all, - replacedBy: { - default: [{ feature: 'other_feature', privileges: ['all'] }], - minimal: [{ feature: 'other_feature', privileges: ['all'] }], + describe('addGlobalArtifactManagementToAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add global artifact management privilege to siem.all', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'global_artifact_management_all', // <- global artifact management is added + ], }, - }, - }, - }; + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + configWithReplacedBy.privileges?.read.replacedBy + ); + }); + }); + + describe('addEndpointExceptionsToMinimalReadAndMinimalAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToMinimalReadAndMinimalAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.minimal_all and siem.minimal_read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addEndpointExceptionsToMinimalReadAndMinimalAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + 
{ + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all', 'endpoint_exceptions_all'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('addEndpointExceptionsToReadAndAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.all and siem.read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'endpoint_exceptions_all', // <- endpoint exception is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all'], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('enableSecuritySubfeaturesToggle', 
() => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + enableSecuritySubfeaturesToggle(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + it('should change `all` and `read` to `minimal_all` and `minimal_read`', () => { + const testConfig = cloneDeep(configWithReplacedBy); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + enableSecuritySubfeaturesToggle(testConfig); - // No SECURITY_FEATURE_ID, so no changes - expect(replacedBy.default[0].privileges).toEqual(['all']); - expect(replacedBy.minimal[0].privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); }); }); diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts index 1c48a1da36174..4c9ba29348ba6 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts 
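Review bot: The removed test `should only modify existing SECURITY_FEATURE_ID entries` has no replacement, so none of the five new modifiers is exercised against a `replacedBy` that has no `SECURITY_FEATURE_ID` entry or that carries only `default` without `minimal`; one case per modifier built from `replacedBy: { default: [{ feature: 'other_feature', privileges: ['all'] }] }` and asserting the config is unchanged would restore that coverage. There is also no test for the modifiers as composed in `productFeaturesExtensions` (toggle first, then the `add*` functions); a test running `enableSecuritySubfeaturesToggle` and then `addGlobalArtifactManagementToAll` on `configWithReplacedBy` and expecting `['minimal_all', 'global_artifact_management_all']` on the `default` entry would pin the combined result the integration test presumably relies on. Minor: each `it` clones `configWithReplacedBy` again although `beforeEach` already rebuilds it, and the `as MutableKibanaFeatureConfig` cast on the `cloneDeep({...})` result would be better replaced by typing the literal so the compiler checks its shape.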
+++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts
@@ -4,7 +4,7 @@
 * 2.0; you may not use this file except in compliance with the Elastic License
 * 2.0.
 */
-import { APP_ID, SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
+import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
 import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys';
 import type {
 MutableKibanaFeatureConfig,
@@ -13,29 +13,47 @@ import type { export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = { security: { - allVersions: { - [ProductFeatureSecurityKey.endpointExceptions]: { - privileges: { - all: { - ui: ['showEndpointExceptions', 'crudEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`], - }, - read: { - ui: ['showEndpointExceptions'], - api: [`${APP_ID}-showEndpointExceptions`], - }, - }, - }, - }, + allVersions: {}, version: { siem: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToMinimalAll, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], }, }, siemV2: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToMinimalAll, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], + }, + }, + siemV3: { + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToMinimalReadAndMinimalAll, + addEndpointExceptionsToReadAndAll, + ], }, }, }, 
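Review bot: The `siem` and `siemV2` entries in `version` are byte-identical and the `endpointExceptions` modifier array is repeated a third time under `siemV3`, so a future change to the migration chain has to be applied in three places; hoisting the arrays, e.g. `const endpointExceptionsModifiers = [enableSecuritySubfeaturesToggle, addEndpointExceptionsToMinimalReadAndMinimalAll, addEndpointExceptionsToReadAndAll];` and `featureConfigModifiers: endpointExceptionsModifiers`, keeps the three deprecated versions in lockstep. The removed `allVersions` block used to grant the `showEndpointExceptions`/`crudEndpointExceptions` ui and api actions for `endpointExceptions`; nothing in this hunk replaces them, presumably because the siemV4 base config now owns them, so a one-line comment on `allVersions: {}` naming where that grant moved would let a reviewer confirm no capability was dropped. The serverless `product_features_extensions.ts` hunk in this series has the same duplicated layout.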
@@ -44,36 +62,97 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = // When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. -// This needs to be done here because the replacements of serverless and ESS are different. -export function updateGlobalArtifactManageReplacements( +// This needs to be done here because some the replacements of serverless and ESS are different, other +// replacements are tied to endpointArtifactManagement PLI - hence PLI related privileges cannot be added to +// the shared base config in `kibana_features.ts`. +export function addGlobalArtifactManagementToMinimalAll( featureConfig: MutableKibanaFeatureConfig ): void { - const replacedBy = featureConfig.privileges?.all?.replacedBy; - if (!replacedBy) { - return; + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + + if (allReplacedBy && 'minimal' in allReplacedBy) { + const siemMinimalAll = allReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID + ); + + // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL, hence we're adding global artifact management to preserve behaviour + siemMinimalAll?.privileges.push('global_artifact_management_all'); } +} + +export function addGlobalArtifactManagementToAll(featureConfig: MutableKibanaFeatureConfig): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; - if ('default' in replacedBy) { - const siemDefault = replacedBy.default.find( - ({ feature }) => feature === SECURITY_FEATURE_ID // Only for SIEM feature replacements + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + // on ESS, Endpoint Exception ALL is included in siem:ALL, hence we're adding global artifact management to preserve behaviour + 
siemAll?.privileges.push('global_artifact_management_all'); + } +} + +// When Endpoint Exceptions sub-feature privilege is harmonized between ESS and Serverless (from siemV4), +// the privileges needed to be added to users with specific security privileges. +// On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL. +export function addEndpointExceptionsToMinimalReadAndMinimalAll( + featureConfig: MutableKibanaFeatureConfig +): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'minimal' in allReplacedBy) { + const siemMinimalAll = allReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID ); - if (siemDefault) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - siemDefault.privileges = [ - 'minimal_all', - 'global_artifact_management_all', // Enabling sub-features toggle to show that Global Artifact Management is now provided to the user. - ]; + + siemMinimalAll?.privileges.push('endpoint_exceptions_all'); + } + + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'minimal' in readReplacedBy) { + const siemMinimalRead = readReplacedBy.minimal.find( + ({ feature }) => feature === SECURITY_FEATURE_ID + ); + + siemMinimalRead?.privileges.push('endpoint_exceptions_read'); + } +} + +// On ESS, Endpoint exceptions were included in siem:READ and siem:ALL. 
+export function addEndpointExceptionsToReadAndAll(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemRead?.privileges.push('endpoint_exceptions_read'); + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemAll?.privileges.push('endpoint_exceptions_all'); + } +} + +export function enableSecuritySubfeaturesToggle(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemRead) { + siemRead.privileges = siemRead.privileges.map((privilege) => + privilege === 'read' ? 'minimal_read' : privilege + ); } } - if ('minimal' in replacedBy) { - const siemMinimal = replacedBy.minimal.find(({ feature }) => feature === SECURITY_FEATURE_ID); // only for SIEM feature replacements - if (siemMinimal) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - siemMinimal.privileges = [ - 'minimal_all', - 'global_artifact_management_all', // on ESS, Endpoint Exception ALL is included in siem:MINIMAL_ALL - ]; + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemAll) { + siemAll.privileges = siemAll.privileges.map((privilege) => + privilege === 'all' ? 'minimal_all' : privilege + ); } } } 
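Review bot: The `add*` helpers append with `privileges.push(...)` and never check whether the privilege is already present, so applying a modifier list twice to the same `featureConfig`, or listing one helper under two PLIs (as is already done with `enableSecuritySubfeaturesToggle`), leaves duplicate entries in `replacedBy`; only the toggle is safe to repeat because it rewrites with `map`. Since these arrays are what gets written into migrated roles, a guard such as `if (siemAll && !siemAll.privileges.includes('endpoint_exceptions_all')) siemAll.privileges.push('endpoint_exceptions_all');` in each helper makes every modifier idempotent regardless of how the configurator sequences them. The header comment reads `some the replacements`, presumably `some of the replacements`. The same points apply to the serverless `product_features_extensions.ts` hunk in this series.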
diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts index af2d09dce9832..a26e7646fb2b5 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.test.ts @@ -4,7 +4,11 @@ * 2.0; you may not use this file except in compliance with the Elastic License * 2.0. */ -import { updateGlobalArtifactManageReplacements } from './product_features_extensions'; +import { + addEndpointExceptionsToReadAndAll, + addGlobalArtifactManagementToAll, + enableSecuritySubfeaturesToggle, +} from './product_features_extensions'; import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; import type { MutableKibanaFeatureConfig } from '@kbn/security-solution-features'; import { cloneDeep } from 'lodash'; 
@@ -34,81 +38,165 @@ const baseFeatureConfig: MutableKibanaFeatureConfig = { }, }; -describe('updateGlobalArtifactManageReplacements', () => { - let featureConfig: MutableKibanaFeatureConfig; +describe('ESS product feature extensions - feature config modifiers', () => { + let configWithoutReplacedBy: MutableKibanaFeatureConfig; + let configWithReplacedBy: MutableKibanaFeatureConfig; beforeEach(() => { - featureConfig = cloneDeep(baseFeatureConfig); - }); - - it('should do nothing if replacedBy is not present', () => { - const originalConfig = JSON.parse(JSON.stringify(featureConfig)); - - updateGlobalArtifactManageReplacements(featureConfig as MutableKibanaFeatureConfig); - - expect(featureConfig).toEqual(originalConfig); - }); - - it('should modify privileges for SECURITY_FEATURE_ID in both default and minimal', () => { - const testFeatureConfig = { - ...featureConfig, + configWithoutReplacedBy = cloneDeep(baseFeatureConfig); + configWithReplacedBy = cloneDeep({ + ...configWithoutReplacedBy, privileges: { - ...featureConfig.privileges, + ...configWithoutReplacedBy.privileges, all: { - ...featureConfig.privileges?.all, + ...configWithoutReplacedBy.privileges?.all, replacedBy: { default: [ { feature: SECURITY_FEATURE_ID, privileges: ['all'] }, { feature: 'other_feature', privileges: ['all'] }, ], - minimal: [{ feature: SECURITY_FEATURE_ID, privileges: ['all'] }], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], }, }, - }, - }; - - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); - - const replacedBy = testFeatureConfig.privileges.all.replacedBy; - - // Default privileges modified - const v3Default = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === SECURITY_FEATURE_ID - ); - expect(v3Default?.privileges).toEqual([ - 'minimal_all', - 'global_artifact_management_all', - 'endpoint_exceptions_all', - ]); - - // 
Ensure other features remain unchanged - const otherFeature = replacedBy.default.find( - ({ feature }: { feature: string }) => feature === 'other_feature' - ); - expect(otherFeature?.privileges).toEqual(['all']); - }); - - it('should only modify existing SECURITY_FEATURE_ID entries', () => { - const testFeatureConfig = { - ...featureConfig, - privileges: { - ...featureConfig.privileges, - all: { - ...featureConfig.privileges?.all, + read: { + ...configWithoutReplacedBy.privileges?.read, replacedBy: { - default: [{ feature: 'other_feature', privileges: ['all'] }], - minimal: [{ feature: 'other_feature', privileges: ['all'] }], + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['read'] }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], }, }, }, - }; + }) as MutableKibanaFeatureConfig; + }); + + describe('addGlobalArtifactManagementToAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add global artifact management privilege to siem.all', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addGlobalArtifactManagementToAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'global_artifact_management_all', // <- global artifact management is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual( + configWithReplacedBy.privileges?.read.replacedBy + ); + }); + }); + + 
describe('addEndpointExceptionsToReadAndAll', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); + + it('should add endpoint exceptions privilege to siem.all and siem.read', () => { + const testConfig = cloneDeep(configWithReplacedBy); + + addEndpointExceptionsToReadAndAll(testConfig); + + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: [ + 'all', + 'endpoint_exceptions_all', // <- endpoint exception is added + ], + }, + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['minimal_all'], + }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { + feature: SECURITY_FEATURE_ID, + privileges: ['read', 'endpoint_exceptions_read'], // <- endpoint exception is added + }, + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); + }); + + describe('enableSecuritySubfeaturesToggle', () => { + it('should do nothing if replacedBy is not present', () => { + const testConfig = cloneDeep(configWithoutReplacedBy); + + enableSecuritySubfeaturesToggle(testConfig); + + expect(testConfig).toEqual(configWithoutReplacedBy); + }); - updateGlobalArtifactManageReplacements(testFeatureConfig as MutableKibanaFeatureConfig); + it('should change `all` and `read` to `minimal_all` and `minimal_read`', () => { + const testConfig = cloneDeep(configWithReplacedBy); - const replacedBy = testFeatureConfig.privileges.all.replacedBy; + enableSecuritySubfeaturesToggle(testConfig); - // No SECURITY_FEATURE_ID, so no changes - 
expect(replacedBy.default[0].privileges).toEqual(['all']); - expect(replacedBy.minimal[0].privileges).toEqual(['all']); + expect(testConfig.privileges?.all.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['all'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_all'] }, + { feature: 'other_feature', privileges: ['minimal_all'] }, + ], + }); + expect(testConfig.privileges?.read.replacedBy).toEqual({ + default: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, // <- changed to 'minimal' + { feature: 'other_feature', privileges: ['read'] }, + ], + minimal: [ + { feature: SECURITY_FEATURE_ID, privileges: ['minimal_read'] }, + { feature: 'other_feature', privileges: ['minimal_read'] }, + ], + }); + }); }); }); diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts index 099487677b22d..3d8b963920936 100644 --- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts +++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts 
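Review bot: Each modifier is tested in isolation, but no case applies them in the order configured in `featureConfigModifiers` (`enableSecuritySubfeaturesToggle` followed by `addGlobalArtifactManagementToAll` or `addEndpointExceptionsToReadAndAll`), so the end state that actually migrates roles — the SIEM `default` entry becoming `['minimal_all', 'global_artifact_management_all']` — is asserted nowhere. The isolated `addGlobalArtifactManagementToAll` case instead pins `['all', 'global_artifact_management_all']`, a state that presumably never occurs once the toggle has run. One additional `it` that runs the configured sequence on `configWithReplacedBy` and asserts the final `replacedBy` for both `all` and `read` would cover the privilege-preservation property the implementation comments describe. The case where `replacedBy.default` exists but contains no SIEM entry (the silent no-op path of each helper) is also untested.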
@@ -8,28 +8,47 @@ import type { MutableKibanaFeatureConfig, ProductFeaturesConfiguratorExtensions, } from '@kbn/security-solution-features'; -import { - ProductFeatureSecurityKey, - SecuritySubFeatureId, -} from '@kbn/security-solution-features/keys'; +import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys'; import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common'; export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = { security: { - allVersions: { - [ProductFeatureSecurityKey.endpointExceptions]: { - subFeatureIds: [SecuritySubFeatureId.endpointExceptions], - }, - }, + allVersions: {}, version: { siem: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], }, }, siemV2: { [ProductFeatureSecurityKey.endpointArtifactManagement]: { - featureConfigModifiers: [updateGlobalArtifactManageReplacements], + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addGlobalArtifactManagementToAll, + ], + }, + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], + }, + }, + siemV3: { + [ProductFeatureSecurityKey.endpointExceptions]: { + featureConfigModifiers: [ + enableSecuritySubfeaturesToggle, + addEndpointExceptionsToReadAndAll, + ], }, }, }, 
@@ -38,30 +57,59 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions = // When endpointArtifactManagement PLI is enabled, the replacedBy to the SIEM feature needs to // account for the privileges of the additional sub-features that it introduces, migrating them correctly. -// This needs to be done here because the replacements of serverless and ESS are different. -export function updateGlobalArtifactManageReplacements( - featureConfig: MutableKibanaFeatureConfig -): void { - const replacedBy = featureConfig.privileges?.all?.replacedBy; - if (!replacedBy || !('default' in replacedBy)) { - return; +// This needs to be done here because some the replacements of serverless and ESS are different, other +// replacements are tied to endpointArtifactManagement PLI - hence PLI related privileges cannot be added to +// the shared base config in `kibana_features.ts`. +export function addGlobalArtifactManagementToAll(featureConfig: MutableKibanaFeatureConfig): void { + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + // on ESS, Endpoint Exception ALL is included in siem:ALL, hence we're adding global artifact management to preserve behaviour + siemAll?.privileges.push('global_artifact_management_all'); + } +} + +// When Endpoint Exceptions sub-feature privilege is harmonized between ESS and Serverless (from siemV4), +// the privileges needed to be added to users with specific security privileges. +// On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL. 
+export function addEndpointExceptionsToReadAndAll(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemRead?.privileges.push('endpoint_exceptions_read'); + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + siemAll?.privileges.push('endpoint_exceptions_all'); } +} + +export function enableSecuritySubfeaturesToggle(featureConfig: MutableKibanaFeatureConfig): void { + const readReplacedBy = featureConfig.privileges?.read?.replacedBy; + if (readReplacedBy && 'default' in readReplacedBy) { + const siemRead = readReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); + + if (siemRead) { + siemRead.privileges = siemRead.privileges.map((privilege) => + privilege === 'read' ? 'minimal_read' : privilege + ); + } + } + + const allReplacedBy = featureConfig.privileges?.all?.replacedBy; + if (allReplacedBy && 'default' in allReplacedBy) { + const siemAll = allReplacedBy.default.find(({ feature }) => feature === SECURITY_FEATURE_ID); - // only "default" is overwritten, "minimal" is not as it does not includes Endpoint Exceptions ALL. - const siemDefault = replacedBy.default.find( - ({ feature }) => feature === SECURITY_FEATURE_ID // Only for SIEM feature replacements - ); - if (siemDefault) { - // Override replaced privileges from `all` to `minimal_all` with additional sub-features privileges - siemDefault.privileges = [ - 'minimal_all', - // Writing global (not per-policy) Artifacts is gated with Global Artifact Management:ALL starting with siemV3. 
- // Users who have been able to write ANY Artifact before are now granted with this privilege to keep existing behavior. - // This migration is for Endpoint Exceptions artifact in Serverless offering, as it included in Security:ALL privilege. - 'global_artifact_management_all', - // As we are switching from `all` to `minimal_all`, Endpoint Exceptions is needed to be added, as it was included in `all`, - // but not in `minimal_all`. - 'endpoint_exceptions_all', - ]; + if (siemAll) { + siemAll.privileges = siemAll.privileges.map((privilege) => + privilege === 'all' ? 'minimal_all' : privilege + ); + } } } From 52f3610773394be28d0781db0afc0ca5f6f7d53d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 4 Sep 2025 09:59:55 +0200 Subject: [PATCH 18/33] snapshot test: remove endpoint exceptions from siemV4.ALL/READ --- .../test_suites/platform_security/authorization.ts | 6 ------ 1 file changed, 6 deletions(-) diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts index 1973cf9f8d02f..a021e0760a61a 100644 --- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts +++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts @@ -8199,8 +8199,6 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", - "api:securitySolution-showEndpointExceptions", - "api:securitySolution-crudEndpointExceptions", "app:securitySolution", "app:csp", "app:kibana", 
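Review bot: The comment above `addEndpointExceptionsToReadAndAll` says `On ESS, Endpoint exceptions were included in siem:MINIMAL_READ and siem:MINIMAL_ALL.`, but this is the serverless module and the function pushes into the `default` entries (READ/ALL), not `minimal`; the text looks carried over from the ESS counterpart `addEndpointExceptionsToMinimalReadAndMinimalAll`. The inline comment in `addGlobalArtifactManagementToAll`, `on ESS, Endpoint Exception ALL is included in siem:ALL`, likewise describes ESS, whereas the removed lines carried the serverless rationale (Endpoint Exceptions was part of Security:ALL in the serverless offering). Suggest `// On Serverless, Endpoint Exceptions were included in siem:READ and siem:ALL; users migrated from those privileges keep them.` above the function and restating the serverless reason in the inline comment, so a reader of this file is not sent to ESS semantics for a serverless migration.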
@@ -8493,8 +8491,6 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:siemV4/investigation-guide",
 "ui:siemV4/investigation-guide-interactions",
 "ui:siemV4/threat-intelligence",
- "ui:siemV4/showEndpointExceptions",
- "ui:siemV4/crudEndpointExceptions",
 "alerting:siem.notifications/siem/rule/get",
 "alerting:siem.notifications/siem/rule/bulkGet",
 "alerting:siem.notifications/siem/rule/getRuleState",
@@ -10289,7 +10285,6 @@ export default function ({ getService }: FtrProviderContext) {
 "api:cloud-defend-read",
 "api:bulkGetUserProfiles",
 "api:securitySolution-threat-intelligence",
- "api:securitySolution-showEndpointExceptions",
 "app:securitySolution",
 "app:csp",
 "app:kibana",
@@ -10429,7 +10424,6 @@ export default function ({ getService }: FtrProviderContext) {
 "ui:siemV4/investigation-guide",
 "ui:siemV4/investigation-guide-interactions",
 "ui:siemV4/threat-intelligence",
- "ui:siemV4/showEndpointExceptions",
 "alerting:siem.notifications/siem/rule/get",
 "alerting:siem.notifications/siem/rule/bulkGet",
 "alerting:siem.notifications/siem/rule/getRuleState",
From 4fcf593a1b39832a4f8df683848f2ba60150dce8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Thu, 4 Sep 2025 10:12:35 +0200
Subject: [PATCH 19/33] update search ai lake role migration test
---
 .../role_migrations/search_ai_lake_tier/index.ts | 2 +-
 ..._artifact_management.ts => siem_base_privileges.ts} | 10 +++++-----
 2 files changed, 6 insertions(+), 6 deletions(-)
 rename x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/{siem_v3_global_artifact_management.ts => siem_base_privileges.ts} (88%)
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts index c53c20a5dd067..bb2bd792ff8ee 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/index.ts @@ -8,6 +8,6 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_wo export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { describe('Endpoint related user role migrations without Endpoint product line', function () { - loadTestFile(require.resolve('./siem_v3_global_artifact_management')); + loadTestFile(require.resolve('./siem_base_privileges')); }); } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts similarity index 88% rename from x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts rename to x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts index fa2d61793a22a..c38161f64b33f 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_v3_global_artifact_management.ts 
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/search_ai_lake_tier/siem_base_privileges.ts @@ -14,9 +14,9 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_wo export default function ({ getService }: FtrProviderContext) { const supertest = getService('supertest'); - const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2']; + const DEPRECATED_SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3']; - const ROLE_NAME = 'siem_v3_test_role'; + const ROLE_NAME = 'siem_test_role'; const putKibanaFeatureInRole = (feature: string) => (privileges: string[]) => supertest @@ -56,7 +56,7 @@ export default function ({ getService }: FtrProviderContext) { return role.kibana[0].feature[SECURITY_FEATURE_ID]; }; - describe('@serverless @skipInServerlessMKI Role migrations towards siemV3 without Endpoint product line', () => { + describe('@serverless @skipInServerlessMKI Role migrations without Endpoint product line', () => { afterEach(async () => { await supertest .delete(`/api/security/role/${ROLE_NAME}`) @@ -69,7 +69,7 @@ export default function ({ getService }: FtrProviderContext) { describe(`from ${deprecatedSiem}`, () => { const putDeprecatedSiemPrivilegesInRole = putKibanaFeatureInRole(deprecatedSiem); - it(`should keep ${deprecatedSiem}:READ privilege`, async () => { + it(`should keep ${deprecatedSiem}:READ privilege without switching to MINIMAL_READ`, async () => { await putDeprecatedSiemPrivilegesInRole(['read']); expect(await getMigratedSiemFeaturesFromRole()).to.eql(['read']); 
@@ -81,7 +81,7 @@ export default function ({ getService }: FtrProviderContext) { expect(await getMigratedSiemFeaturesFromRole()).to.eql(['minimal_read']); }); - it(`should keep ${deprecatedSiem}:ALL privilege`, async () => { + it(`should keep ${deprecatedSiem}:ALL privilege without switching to MINIMAL_ALL`, async () => { await putDeprecatedSiemPrivilegesInRole(['all']); expect(await getMigratedSiemFeaturesFromRole()).to.eql(['all']); From 237215d5f232811cec056f63e47334660fac611a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 4 Sep 2025 15:58:58 +0200 Subject: [PATCH 20/33] move api backward compatibility test --- .../role_migrations/trial_license_complete_tier/index.ts | 3 ++- .../trial_license_complete_tier/siem_artifact_api_actions.ts} | 0 .../edr_workflows/spaces/trial_license_complete_tier/index.ts | 1 - 3 files changed, 2 insertions(+), 2 deletions(-) rename x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/{spaces/trial_license_complete_tier/role_backwards_compatibility.ts => role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts} (100%) diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts index 08bf7acf23454..1b7d01f1ca009 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/index.ts 
@@ -7,7 +7,8 @@ import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; export default function endpointAPIIntegrationTests({ loadTestFile }: FtrProviderContext) { - describe('Endpoint related user role migrations', function () { + describe('Endpoint related user role migrations, feature deprecations', function () { + loadTestFile(require.resolve('./siem_artifact_api_actions')); loadTestFile(require.resolve('./siem_artifact_sub_privileges')); }); } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts similarity index 100% rename from x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/role_backwards_compatibility.ts rename to x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts index db42ca4b377fc..e838ddf9c724b 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/index.ts 
@@ -62,7 +62,6 @@ export default function endpointAPIIntegrationTests(providerContext: FtrProvider
 loadTestFile(require.resolve('./space_awareness'));
 loadTestFile(require.resolve('./artifacts'));
- loadTestFile(require.resolve('./role_backwards_compatibility'));
 loadTestFile(require.resolve('./response_actions'));
 });
 }
From 9bdae849cc8d849bec63cd593800ea107068bb6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?=
Date: Thu, 4 Sep 2025 15:59:26 +0200
Subject: [PATCH 21/33] update api backward compatibility test
---
 .../siem_artifact_api_actions.ts | 301 +++++++++++++-----
 1 file changed, 225 insertions(+), 76 deletions(-)
diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts
index df584ad2c1b1e..3a2c83a671a1e 100644
--- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts
+++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts
@@ -7,19 +7,26 @@ import type TestAgent from 'supertest/lib/agent'; import type { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-constants'; -import { ENDPOINT_ARTIFACT_LISTS, ENDPOINT_LIST_ID } from '@kbn/securitysolution-list-constants'; +import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants'; import type { Role } from '@kbn/security-plugin-types-common'; import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import type { ArtifactTestData } from '../../../../../security_solution_endpoint/services/endpoint_artifacts'; import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; +type ArtifactListsWithRequiredPrivileges = Array<{ + listId: (typeof ENDPOINT_ARTIFACT_LIST_IDS)[number]; + privileges: string[]; +}>; + export default function ({ getService }: FtrProviderContext) { const utils = getService('securitySolutionUtils'); const rolesUsersProvider = getService('rolesUsersProvider'); const endpointArtifactTestResources = getService('endpointArtifactTestResources'); - describe('@ess @skipInServerless, @skipInServerlessMKI Endpoint Artifacts space awareness user role backwards compatibility until siemV3', function () { + const formatPrivileges = (privileges: string[]) => privileges.map((p) => `'${p}'`).join(', '); + + describe('@ess @skipInServerless, @skipInServerlessMKI Endpoint Artifacts role backwards compatibility', function () { const afterEachDataCleanup: Array> = []; const SIEM_VERSIONS = ['siem', 'siemV2', 'siemV3', 'siemV4'] as const; 
@@ -64,79 +71,221 @@ export default function ({ getService }: FtrProviderContext) { await Promise.allSettled(afterEachDataCleanup.splice(0).map((data) => data.cleanup())); }); - // testing with all SIEM versions for backward compatibility - for (const siemVersion of SIEM_VERSIONS) { - describe(`with ${siemVersion} feature version`, () => { - const artifactTypes: Array<{ - listId: (typeof ENDPOINT_ARTIFACT_LIST_IDS)[number] | typeof ENDPOINT_LIST_ID; - privileges: string[]; - }> = [ - { - listId: ENDPOINT_LIST_ID, - privileges: ['all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, - privileges: ['read', 'trusted_applications_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, - privileges: ['read', 'event_filters_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, - privileges: ['read', 'blocklist_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, - privileges: ['read', 'host_isolation_exceptions_all'], - }, - - { - listId: ENDPOINT_LIST_ID, - privileges: ['minimal_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, - privileges: ['minimal_read', 'trusted_applications_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, - privileges: ['minimal_read', 'event_filters_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, - privileges: ['minimal_read', 'blocklist_all'], - }, - { - listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, - privileges: ['minimal_read', 'host_isolation_exceptions_all'], - }, - ]; - - for (const artifactType of artifactTypes) { - it(`should allow creating a global artifact on ${ - artifactType.listId - } list with original privileges ${artifactType.privileges.join(', ')}`, async () => { - const supertestGlobalArtifactManager = await createUserWithSiemPrivileges(siemVersion, [ - ...artifactType.privileges, - - // adding global access to newer than siemV2, old version should receive it during rule migration - ...(siemVersion !== 
'siem' && siemVersion !== 'siemV2' - ? ['global_artifact_management_all'] - : []), - ]); - - const createdArtifact = await endpointArtifactTestResources.createArtifact( - artifactType.listId, - { tags: [GLOBAL_ARTIFACT_TAG] }, - { supertest: supertestGlobalArtifactManager } - ); - - afterEachDataCleanup.push(createdArtifact); - }); - } - }); - } + describe('From siemV4', () => { + const siemVersion = 'siemV4'; + const siemV4ArtifactPrivileges: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['read', 'endpoint_exceptions_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all', 'global_artifact_management_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_read', 'endpoint_exceptions_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: [ + 'minimal_read', + 'trusted_applications_all', + 'global_artifact_management_all', + ], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['minimal_read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: [ + 'minimal_read', + 'host_isolation_exceptions_all', + 
'global_artifact_management_all', + ], + }, + ]; + + for (const { listId, privileges } of siemV4ArtifactPrivileges) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + + describe('From siemV3: EndpointExceptions migration', () => { + const siemVersion = 'siemV3'; + const siemV3ArtifactPrivileges: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all', 'global_artifact_management_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: [ + 'minimal_read', + 'trusted_applications_all', + 'global_artifact_management_all', + ], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + 
privileges: ['minimal_read', 'blocklist_all', 'global_artifact_management_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: [ + 'minimal_read', + 'host_isolation_exceptions_all', + 'global_artifact_management_all', + ], + }, + ]; + + for (const { listId, privileges } of siemV3ArtifactPrivileges) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + + describe('From siem/siemV2: GlobalArtifactManagement and EndpointExceptions migration ', () => { + for (const siemVersion of ['siemV2', 'siem'] as const) { + describe(`with ${siemVersion} feature version`, () => { + const artifactTypes: ArtifactListsWithRequiredPrivileges = [ + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['read', 'trusted_applications_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['read', 'event_filters_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['read', 'blocklist_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['read', 'host_isolation_exceptions_all'], + }, + + { + listId: ENDPOINT_ARTIFACT_LISTS.endpointExceptions.id, + privileges: ['minimal_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.trustedApps.id, + privileges: ['minimal_read', 'trusted_applications_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.eventFilters.id, + privileges: ['minimal_read', 'event_filters_all'], + }, + { + listId: 
ENDPOINT_ARTIFACT_LISTS.blocklists.id, + privileges: ['minimal_read', 'blocklist_all'], + }, + { + listId: ENDPOINT_ARTIFACT_LISTS.hostIsolationExceptions.id, + privileges: ['minimal_read', 'host_isolation_exceptions_all'], + }, + ]; + + for (const { listId, privileges } of artifactTypes) { + it(`should allow creating a global artifact on '${listId}' list with deprecated privileges ${formatPrivileges( + privileges + )}`, async () => { + const supertestGlobalArtifactManager = await createUserWithSiemPrivileges( + siemVersion, + privileges + ); + + const createdArtifact = await endpointArtifactTestResources.createArtifact( + listId, + { tags: [GLOBAL_ARTIFACT_TAG] }, + { supertest: supertestGlobalArtifactManager } + ); + + afterEachDataCleanup.push(createdArtifact); + }); + } + }); + } + }); }); } From 5a1c6d17f28ea0f462c803d729718a27f897ba20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 5 Sep 2025 15:38:18 +0200 Subject: [PATCH 22/33] provide needed SO and lists privileges to endpoint exception similarly to other endpoint artifacts --- .../src/security/kibana_sub_features.ts | 12 +++- .../platform_security/authorization.ts | 71 +++++++++++++++++++ 2 files changed, 80 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts index f59f4a891c402..697240384d2c2 100644 --- a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts 
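Review bot: Every case in this hunk asserts only the allow path, so the migrated privilege sets are shown to be sufficient but never shown to be bounded: nothing proves that a `siemV3`/`siemV4` user holding e.g. `trusted_applications_all` without `global_artifact_management_all`, or a `siem`/`siemV2` user with only `read`/`minimal_read`, is refused a global artifact. For a role-migration suite the denial side is the security-relevant half; one case per describe along the lines of `it('should reject a global artifact without global_artifact_management_all', ...)` expecting a 403 (through `createArtifact` if it surfaces the status, otherwise with the raw agent returned by `createUserWithSiemPrivileges`) would pin it. Separately, the `it` titles under `From siemV4` read "with deprecated privileges" although `siemV4` is the newest id in `SIEM_VERSIONS`; dropping the word for that block avoids misreading a pass as a deprecation check. `createUserWithSiemPrivileges` and the `afterEach` cleanup are defined outside this hunk.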
@@ -674,11 +674,17 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
         includeIn: 'none',
         name: TRANSLATIONS.all,
         savedObject: {
-          all: [],
+          all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC],
           read: [],
         },
         ui: ['showEndpointExceptions', 'crudEndpointExceptions'],
-        api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`],
+        api: [
+          'lists-all',
+          'lists-read',
+          'lists-summary',
+          `${APP_ID}-showEndpointExceptions`,
+          `${APP_ID}-crudEndpointExceptions`,
+        ],
       },
       {
         id: 'endpoint_exceptions_read',
@@ -689,7 +695,7 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({
           read: [],
         },
         ui: ['showEndpointExceptions'],
-        api: [`${APP_ID}-showEndpointExceptions`],
+        api: ['lists-read', 'lists-summary', `${APP_ID}-showEndpointExceptions`],
       },
     ],
   },
diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
index a021e0760a61a..35837990b43b6 100644
--- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
+++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts
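Review bot: The `endpoint_exceptions_read` privilege in the second hunk gains the `lists-read` and `lists-summary` API tags but its `savedObject` stays at `read: []`, while `endpoint_exceptions_all` now gets `all: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC]`; the serverless authorization snapshot updated in this same commit accordingly records no `saved_object:exception-list-agnostic/*` action for the read privilege. Unless the base `read` privilege (outside this hunk) already carries saved-object read on that type, a role holding only `endpoint_exceptions_read` passes the route's API-tag check and is then denied by the saved-objects client when the list is fetched. If the saved-object read is meant to come from the base privilege, say so at the definition, e.g. `// SO read on EXCEPTION_LIST_NAMESPACE_AGNOSTIC is inherited from the base security privileges`; otherwise mirror the `all` side with `read: [EXCEPTION_LIST_NAMESPACE_AGNOSTIC]`. The enclosing `endpointExceptionsSubFeature` definition starts before this hunk.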
@@ -1138,9 +1138,24 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", "api:securitySolution-writeGlobalArtifacts", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siem/showEndpointExceptions", "ui:siem/crudEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -1149,6 +1164,8 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siem/showEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -2560,6 +2577,7 @@ export default function ({ getService }: FtrProviderContext) { "api:bulkGetUserProfiles", "api:securitySolution-entity-analytics", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", 
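Review bot: The `endpoint_exceptions_all` entry in the first hunk now records `api:lists-all` plus every write action on `saved_object:exception-list-agnostic`, including `delete`, `bulk_delete` and `share_to_space`; that saved-object type holds all namespace-agnostic exception lists, not only the endpoint exceptions list, so nothing at the privilege layer confines this sub-privilege to its own list. The separation from the other artifact sub-privileges therefore rests on the route-level `securitySolution-crudEndpointExceptions` tag and on list-id validation inside the handlers, which an action snapshot like this cannot exercise. A sentence in the sub-feature definition's comment, e.g. `// SO access is type-wide; per-list isolation is enforced by the API tags and list-id checks in the routes`, would stop the next reader from assuming the grant is list-scoped. Judging by the `ui:siem/...` entries this is the legacy `siem` feature block; the same widening appears in the later snapshot hunks for `siemV2`, `siemV3` and `siemV4`.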
@@ -3833,9 +3851,24 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", "api:securitySolution-writeGlobalArtifacts", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV2/showEndpointExceptions", "ui:siemV2/crudEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -3844,6 +3877,8 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV2/showEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -5169,6 +5204,7 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", 
@@ -6427,8 +6463,23 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV3/showEndpointExceptions", "ui:siemV3/crudEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -6436,6 +6487,8 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV3/showEndpointExceptions", "ui:siemV4/showEndpointExceptions", @@ -7756,6 +7809,7 @@ export default function ({ getService }: FtrProviderContext) { "api:cloud-defend-read", "api:bulkGetUserProfiles", "api:securitySolution-threat-intelligence", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "app:securitySolution", "app:csp", 
@@ -8993,13 +9047,30 @@ export default function ({ getService }: FtrProviderContext) { ], "endpoint_exceptions_all": Array [ "login:", + "api:lists-all", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "api:securitySolution-crudEndpointExceptions", + "saved_object:exception-list-agnostic/bulk_get", + "saved_object:exception-list-agnostic/get", + "saved_object:exception-list-agnostic/find", + "saved_object:exception-list-agnostic/open_point_in_time", + "saved_object:exception-list-agnostic/close_point_in_time", + "saved_object:exception-list-agnostic/create", + "saved_object:exception-list-agnostic/bulk_create", + "saved_object:exception-list-agnostic/update", + "saved_object:exception-list-agnostic/bulk_update", + "saved_object:exception-list-agnostic/delete", + "saved_object:exception-list-agnostic/bulk_delete", + "saved_object:exception-list-agnostic/share_to_space", "ui:siemV4/showEndpointExceptions", "ui:siemV4/crudEndpointExceptions", ], "endpoint_exceptions_read": Array [ "login:", + "api:lists-read", + "api:lists-summary", "api:securitySolution-showEndpointExceptions", "ui:siemV4/showEndpointExceptions", ], From dc991dff825961bb6142f32b7ea8477d82c221a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 5 Sep 2025 15:51:20 +0200 Subject: [PATCH 23/33] provide endpoint exceptions api backward compatibility for earlier siem versions --- .../product_features_extensions.ts | 17 ++++++++++++++++- .../product_features_extensions.ts | 15 +++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts index 4c9ba29348ba6..0e79795be13ba 100644 --- a/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts 
+++ b/x-pack/solutions/security/plugins/security_solution_ess/server/product_features/product_features_extensions.ts
@@ -4,7 +4,7 @@
  * 2.0; you may not use this file except in compliance with the Elastic License
  * 2.0.
  */
-import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
+import { APP_ID, SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common';
 import { ProductFeatureSecurityKey } from '@kbn/security-solution-features/keys';
 import type {
   MutableKibanaFeatureConfig,
@@ -29,6 +29,13 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         addEndpointExceptionsToMinimalReadAndMinimalAll,
         addEndpointExceptionsToReadAndAll,
       ],
+      // On ESS, there has been no Endpoint Exceptions sub-feature privilege, but was included in security 'read' and 'all',
+      // as well as in security 'minimal_read' and 'minimal_all'.
+      // Using api privileges below provides the required backwards compatibility.
+      privileges: {
+        all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] },
+        read: { api: [`${APP_ID}-showEndpointExceptions`] },
+      },
     },
   },
   siemV2: {
@@ -45,6 +52,10 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         addEndpointExceptionsToMinimalReadAndMinimalAll,
         addEndpointExceptionsToReadAndAll,
       ],
+      privileges: {
+        all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] },
+        read: { api: [`${APP_ID}-showEndpointExceptions`] },
+      },
     },
   },
   siemV3: {
@@ -54,6 +65,10 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         addEndpointExceptionsToMinimalReadAndMinimalAll,
         addEndpointExceptionsToReadAndAll,
       ],
+      privileges: {
+        all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] },
+        read: { api: [`${APP_ID}-showEndpointExceptions`] },
+      },
     },
   },
 },
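Review bot: The same `privileges` literal is pasted three times, for `siem`, `siemV2` and `siemV3`, and only the first copy carries the comment explaining why legacy ESS `read`/`all` must keep the endpoint-exceptions API tags; the next person who widens one copy, as this very series does for the sub-feature in `kibana_sub_features.ts`, has nothing forcing the other two deprecated features to follow. Hoisting one named constant above `productFeaturesExtensions` and referencing it from all three blocks keeps the deprecated features in lockstep and gives the rationale a single home. The comment's grammar ("there has been no ... privilege, but was included") also reads better once rewritten around the api tags, as in the sketch below. The enclosing `productFeaturesExtensions` object starts outside this hunk.
```typescript
// Legacy ESS (siem..siemV3) had no Endpoint Exceptions sub-feature; its api tags were part of
// security 'read'/'all' and 'minimal_read'/'minimal_all', so they are re-granted here for backwards compatibility.
const legacyEndpointExceptionsPrivileges = {
  all: { api: [`${APP_ID}-showEndpointExceptions`, `${APP_ID}-crudEndpointExceptions`] },
  read: { api: [`${APP_ID}-showEndpointExceptions`] },
};

// … unchanged: productFeaturesExtensions up to the siem block …
      privileges: legacyEndpointExceptionsPrivileges,
// … unchanged: siemV2 and siemV3 blocks reference the same constant …
```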
diff --git a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts
index 3d8b963920936..56e8b6c34d5a7 100644
--- a/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts
+++ b/x-pack/solutions/security/plugins/security_solution_serverless/server/product_features/product_features_extensions.ts
@@ -27,6 +27,13 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         enableSecuritySubfeaturesToggle,
         addEndpointExceptionsToReadAndAll,
       ],
+      // On Serverless, endpoint exception was a sub-feature privilege, but was included in security 'read' and 'all'.
+      // Using `includeIn` here will provide backwards compatibility, without adding endpoint exceptions api privileges
+      // to security 'minimal_read' and 'minimal_all'.
+      subFeaturesPrivileges: [
+        { id: 'endpoint_exceptions_all', includeIn: 'all' },
+        { id: 'endpoint_exceptions_read', includeIn: 'read' },
+      ],
     },
   },
   siemV2: {
@@ -41,6 +48,10 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         enableSecuritySubfeaturesToggle,
         addEndpointExceptionsToReadAndAll,
       ],
+      subFeaturesPrivileges: [
+        { id: 'endpoint_exceptions_all', includeIn: 'all' },
+        { id: 'endpoint_exceptions_read', includeIn: 'read' },
+      ],
     },
   },
   siemV3: {
@@ -49,6 +60,10 @@ export const productFeaturesExtensions: ProductFeaturesConfiguratorExtensions =
         enableSecuritySubfeaturesToggle,
         addEndpointExceptionsToReadAndAll,
       ],
+      subFeaturesPrivileges: [
+        { id: 'endpoint_exceptions_all', includeIn: 'all' },
+        { id: 'endpoint_exceptions_read', includeIn: 'read' },
+      ],
     },
   },
 },
From f853ef8d6ebd62c09a4dea816d41f22bfb30d564 Mon Sep 17 00:00:00 2001
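Review bot: `includeIn: 'all'` on the deprecated `siem`/`siemV2`/`siemV3` features binds those legacy roles to whatever `endpoint_exceptions_all` grants at the time the feature is built, and in this same series that sub-privilege has just grown `lists-all` plus saved-object `all` on the namespace-agnostic exception list type; presumably every later widening of the sub-privilege will reach the deprecated features the same way. If that coupling is intended, the comment on the `siem` block should state it, e.g. `// NOTE: includeIn re-uses the *current* endpoint_exceptions_* definitions, so later changes to them also apply to these deprecated features.` The three identical arrays could also be one `const legacyEndpointExceptionsSubFeaturePrivileges = [{ id: 'endpoint_exceptions_all', includeIn: 'all' }, { id: 'endpoint_exceptions_read', includeIn: 'read' }];` referenced from each block, since only the first copy carries any explanation. The enclosing `productFeaturesExtensions` object starts outside this hunk.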
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 8 Sep 2025 17:15:31 +0200 Subject: [PATCH 24/33] revert ftr test role versions to siemV3 --- .../scripts/endpoint/common/roles_users/detections_admin.ts | 3 +-- .../common/roles_users/endpoint_operations_analyst.ts | 3 +-- .../common/roles_users/endpoint_security_policy_manager.ts | 5 ++--- .../scripts/endpoint/common/roles_users/hunter.ts | 3 +-- .../scripts/endpoint/common/roles_users/platform_engineer.ts | 3 +-- .../scripts/endpoint/common/roles_users/rule_author.ts | 3 +-- .../scripts/endpoint/common/roles_users/soc_manager.ts | 3 +-- .../scripts/endpoint/common/roles_users/t1_analyst.ts | 3 +-- .../scripts/endpoint/common/roles_users/t2_analyst.ts | 3 +-- .../scripts/endpoint/common/roles_users/t3_analyst.ts | 3 +-- .../common/roles_users/threat_intelligence_analyst.ts | 3 +-- .../common/roles_users/with_artifact_read_privileges_role.ts | 3 +-- .../common/roles_users/with_response_actions_role.ts | 5 ++--- .../common/roles_users/without_response_actions_role.ts | 3 +-- 14 files changed, 16 insertions(+), 30 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts index 61e4bc9e0d667..31b50395e3852 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getDetectionsAdmin: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -18,7 +17,7 @@ export const getDetectionsAdmin: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all', 'global_artifact_management_all'], + siemV3: ['all', 'global_artifact_management_all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts index 2b34518df8179..54096048b330b 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts @@ -6,7 +6,6 @@ */ import type { Role } from '@kbn/security-plugin/common'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointOperationsAnalyst: () => Omit = () => { // IMPORTANT @@ -60,7 +59,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => { osquery: ['all'], securitySolutionCasesV3: ['all'], builtinAlerts: ['all'], - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts index 825d20bc992db..82de13966b770 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts 
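Review bot: `getDetectionsAdmin` now hardcodes `siemV3` where it previously resolved `SECURITY_FEATURE_ID`, and with the constant import gone nothing tells a reader that the fixture is deliberately pinned to a deprecated feature id rather than having drifted behind the current one; the same literal is repeated across the fourteen files in this patch's diffstat, so the next bump is fourteen edits. A one-line comment at the assignment, e.g. `// deliberately pinned to the deprecated siemV3 feature so these FTR roles keep exercising the siemV3 -> siemV4 role migration`, records the intent (presumably the reason, given the series' focus on role migrations). A shared `const` in `without_response_actions_role.ts`, which most of these role files already import, would give the id one home. The enclosing `getDetectionsAdmin` function starts before this hunk.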
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getEndpointSecurityPolicyManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', @@ -49,7 +48,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getHunter: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts index 3c9a4205e23ff..3f181c4c1fad3 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getPlatformEngineer: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); 
@@ -18,7 +17,7 @@ export const getPlatformEngineer: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts index c4fcd7592bbb7..64f5af2cc590a 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getRuleAuthor: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getRuleAuthor: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts index 50d3dc5694a65..8fe19c71412a5 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts 
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getSocManager: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getSocManager: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'policy_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts index f2b5f2fb76d85..d4d82b1004a98 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT1Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getT1Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all'], + siemV3: ['all'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts index 4e3b74fe2ddd2..3f382f6ba1009 100644 
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT2Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getT2Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: ['all', 'actions_log_management_read'], + siemV3: ['all', 'actions_log_management_read'], securitySolutionTimeline: ['all'], securitySolutionNotes: ['all'], }, diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts index 6fdd359a99503..076a42b86fc5b 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getT3Analyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getT3Analyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'read_alerts', 'crud_alerts', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts index 193eed6484d8e..23c23f224a29a 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getThreatIntelligenceAnalyst: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'blocklist_all', 'global_artifact_management_all', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts index 16327c6a1a91d..83e19bff446df 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts 
@@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithArtifactReadPrivilegesRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,7 +17,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () => ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'blocklist_read', 'trusted_applications_read', diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts index decc743d14592..2f7aeb7aed702 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts @@ -7,7 +7,6 @@ import type { Role } from '@kbn/security-plugin/common'; import { getNoResponseActionsRole } from './without_response_actions_role'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getWithResponseActionsRole: () => Omit = () => { const noResponseActionsRole = getNoResponseActionsRole(); @@ -18,8 +17,8 @@ export const getWithResponseActionsRole: () => Omit = () => { ...noResponseActionsRole.kibana[0], feature: { ...noResponseActionsRole.kibana[0].feature, - [SECURITY_FEATURE_ID]: [ - ...noResponseActionsRole.kibana[0].feature[SECURITY_FEATURE_ID], + siemV3: [ + ...noResponseActionsRole.kibana[0].feature.siemV3, 'file_operations_all', 'execute_operations_all', 'scan_operations_all', 
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts index 96b012ccac9fa..3ce1d80e43a61 100644 --- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts +++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts @@ -6,7 +6,6 @@ */ import type { Role } from '@kbn/security-plugin/common'; -import { SECURITY_FEATURE_ID } from '../../../../common/constants'; export const getNoResponseActionsRole: () => Omit = () => ({ elasticsearch: { @@ -43,7 +42,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({ osquery: ['all'], savedObjectsManagement: ['all'], savedObjectsTagging: ['all'], - [SECURITY_FEATURE_ID]: [ + siemV3: [ 'all', 'endpoint_list_all', 'endpoint_list_read', From 5d211b9d5317163af91dc648ca93329500437087 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Mon, 8 Sep 2025 17:15:54 +0200 Subject: [PATCH 25/33] update ftrs to be able to use not the latest siem version --- ...rity_solution_edr_workflows_roles_users.ts | 7 ++++-- .../siem_artifact_api_actions.ts | 6 +++-- .../trial_license_complete_tier/artifacts.ts | 22 +++++++++---------- 3 files changed, 19 insertions(+), 16 deletions(-) diff --git a/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts b/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts index e333ccdb6cedb..e895531b181cd 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts 
+++ b/x-pack/solutions/security/test/security_solution_api_integration/config/services/security_solution_edr_workflows_roles_users.ts @@ -64,8 +64,11 @@ export function RolesUsersProvider({ getService }: FtrProviderContext) { if (predefinedRole) { const roleConfig = rolesMapping[predefinedRole]; if (extraPrivileges) { - roleConfig.kibana[0].feature[SECURITY_FEATURE_ID] = [ - ...roleConfig.kibana[0].feature[SECURITY_FEATURE_ID], + const actualSiem = Object.keys(roleConfig.kibana[0].feature).find((feature) => + feature.startsWith('siem') + ); + roleConfig.kibana[0].feature[actualSiem!] = [ + ...roleConfig.kibana[0].feature[actualSiem!], ...extraPrivileges, ]; } diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts index 3a2c83a671a1e..9117b859cc15d 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/role_migrations/trial_license_complete_tier/siem_artifact_api_actions.ts 
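Review bot: `actualSiem!` on the two new assignment lines asserts that some feature id starting with `siem` exists on the predefined role; when none does, `actualSiem` is `undefined`, the key written is the string `"undefined"`, and the spread of the missing array throws a bare TypeError far from the cause. The same pattern is repeated in `siem_artifact_api_actions.ts` in this patch (where `delete ...feature[actualSiem!]` would silently delete nothing), while `artifacts.ts` resolves the id with `?? SECURITY_FEATURE_ID` instead, so three files now have two behaviours for the same lookup. A small helper in this provider that finds the key and throws a descriptive `Error` when it is absent would give one definition and a readable failure; `startsWith('siem')` also matches any other feature id that happens to begin with `siem` and takes the first hit if a role ever carries two versions, so a stricter test such as `/^siem(V\d+)?$/` is safer. The enclosing `RolesUsersProvider` body continues outside the hunk.
```typescript
// … unchanged: imports and provider setup …
/** Returns the siem feature id present in a role's kibana feature map (e.g. `siemV3`); fails loudly if absent. */
const getSiemFeatureId = (feature: Record<string, string[]>): string => {
  const id = Object.keys(feature).find((featureId) => /^siem(V\d+)?$/.test(featureId));
  if (id === undefined) {
    throw new Error(`predefined role has no siem feature id among: ${Object.keys(feature).join(', ')}`);
  }
  return id;
};
// … unchanged: predefinedRole / rolesMapping lookup …
const siemFeatureId = getSiemFeatureId(roleConfig.kibana[0].feature);
roleConfig.kibana[0].feature[siemFeatureId] = [
  ...roleConfig.kibana[0].feature[siemFeatureId],
  ...extraPrivileges,
];
```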
@@ -10,7 +10,6 @@ import type { ENDPOINT_ARTIFACT_LIST_IDS } from '@kbn/securitysolution-list-cons import { ENDPOINT_ARTIFACT_LISTS } from '@kbn/securitysolution-list-constants'; import type { Role } from '@kbn/security-plugin-types-common'; import { GLOBAL_ARTIFACT_TAG } from '@kbn/security-solution-plugin/common/endpoint/service/artifacts'; -import { SECURITY_FEATURE_ID } from '@kbn/security-solution-plugin/common/constants'; import type { ArtifactTestData } from '../../../../../security_solution_endpoint/services/endpoint_artifacts'; import type { FtrProviderContext } from '../../../../ftr_provider_context_edr_workflows'; @@ -43,7 +42,10 @@ export default function ({ getService }: FtrProviderContext) { ); // remove actual siem - delete globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID]; + const actualSiem = Object.keys(globalArtifactManagerRole.kibana[0].feature).find((feature) => + feature.startsWith('siem') + ); + delete globalArtifactManagerRole.kibana[0].feature[actualSiem!]; // add (deprecated) siem feature globalArtifactManagerRole.kibana[0].feature[siemVersion] = siemPrivileges; diff --git a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts index 28016820c1894..7b97178f6bfb8 100644 --- a/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts +++ b/x-pack/solutions/security/test/security_solution_api_integration/test_suites/edr_workflows/spaces/trial_license_complete_tier/artifacts.ts 
@@ -63,16 +63,14 @@ export default function ({ getService }: FtrProviderContext) { { name: 'artifactManager' } ); - if ( - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( - 'global_artifact_management_all' - ) - ) { - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID] = - artifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].filter( - (privilege) => privilege !== 'global_artifact_management_all' - ); - } + const siemFeatureId = + Object.keys(artifactManagerRole.kibana[0].feature).find((featureId) => + featureId.startsWith('siem') + ) ?? SECURITY_FEATURE_ID; + + artifactManagerRole.kibana[0].feature[siemFeatureId] = artifactManagerRole.kibana[0].feature[ + siemFeatureId + ].filter((privilege) => privilege !== 'global_artifact_management_all'); globalArtifactManagerRole = Object.assign( rolesUsersProvider.loader.getPreDefinedRole('t3_analyst'), @@ -80,11 +78,11 @@ export default function ({ getService }: FtrProviderContext) { ); if ( - !globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].includes( + !globalArtifactManagerRole.kibana[0].feature[siemFeatureId].includes( 'global_artifact_management_all' ) ) { - globalArtifactManagerRole.kibana[0].feature[SECURITY_FEATURE_ID].push( + globalArtifactManagerRole.kibana[0].feature[siemFeatureId].push( 'global_artifact_management_all' ); } From 89a7ea2d4697bc0d81e881869b688c2c5fcd857d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 9 Sep 2025 10:44:41 +0200 Subject: [PATCH 26/33] add rules/bulkEditParams coming from `main` to siemV4 in snapshot test introduced in #227891 --- .../platform_security/authorization.ts | 36 +++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts index 026081b770175..ae059f76c24b7 100644 
--- a/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts +++ b/x-pack/solutions/security/test/serverless/api_integration/test_suites/platform_security/authorization.ts @@ -8664,6 +8664,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.notifications/siem/rule/getBackfill", "alerting:siem.notifications/siem/rule/findBackfill", "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", "alerting:siem.notifications/siem/rule/create", "alerting:siem.notifications/siem/rule/delete", "alerting:siem.notifications/siem/rule/update", @@ -8695,6 +8696,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.esqlRule/siem/rule/getBackfill", "alerting:siem.esqlRule/siem/rule/findBackfill", "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", "alerting:siem.esqlRule/siem/rule/create", "alerting:siem.esqlRule/siem/rule/delete", "alerting:siem.esqlRule/siem/rule/update", @@ -8726,6 +8728,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.eqlRule/siem/rule/getBackfill", "alerting:siem.eqlRule/siem/rule/findBackfill", "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", "alerting:siem.eqlRule/siem/rule/create", "alerting:siem.eqlRule/siem/rule/delete", "alerting:siem.eqlRule/siem/rule/update", @@ -8757,6 +8760,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.indicatorRule/siem/rule/getBackfill", "alerting:siem.indicatorRule/siem/rule/findBackfill", "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", "alerting:siem.indicatorRule/siem/rule/create", "alerting:siem.indicatorRule/siem/rule/delete", "alerting:siem.indicatorRule/siem/rule/update", 
@@ -8788,6 +8792,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.mlRule/siem/rule/getBackfill", "alerting:siem.mlRule/siem/rule/findBackfill", "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", "alerting:siem.mlRule/siem/rule/create", "alerting:siem.mlRule/siem/rule/delete", "alerting:siem.mlRule/siem/rule/update", @@ -8819,6 +8824,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.queryRule/siem/rule/getBackfill", "alerting:siem.queryRule/siem/rule/findBackfill", "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", "alerting:siem.queryRule/siem/rule/create", "alerting:siem.queryRule/siem/rule/delete", "alerting:siem.queryRule/siem/rule/update", @@ -8850,6 +8856,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.savedQueryRule/siem/rule/getBackfill", "alerting:siem.savedQueryRule/siem/rule/findBackfill", "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", "alerting:siem.savedQueryRule/siem/rule/create", "alerting:siem.savedQueryRule/siem/rule/delete", "alerting:siem.savedQueryRule/siem/rule/update", @@ -8881,6 +8888,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.thresholdRule/siem/rule/getBackfill", "alerting:siem.thresholdRule/siem/rule/findBackfill", "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", "alerting:siem.thresholdRule/siem/rule/create", "alerting:siem.thresholdRule/siem/rule/delete", "alerting:siem.thresholdRule/siem/rule/update", 
@@ -8912,6 +8920,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/rule/getBackfill", "alerting:siem.newTermsRule/siem/rule/findBackfill", "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", "alerting:siem.newTermsRule/siem/rule/create", "alerting:siem.newTermsRule/siem/rule/delete", "alerting:siem.newTermsRule/siem/rule/update", @@ -9597,6 +9606,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.notifications/siem/rule/getBackfill", "alerting:siem.notifications/siem/rule/findBackfill", "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", "alerting:siem.notifications/siem/rule/create", "alerting:siem.notifications/siem/rule/delete", "alerting:siem.notifications/siem/rule/update", @@ -9628,6 +9638,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.esqlRule/siem/rule/getBackfill", "alerting:siem.esqlRule/siem/rule/findBackfill", "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", "alerting:siem.esqlRule/siem/rule/create", "alerting:siem.esqlRule/siem/rule/delete", "alerting:siem.esqlRule/siem/rule/update", @@ -9659,6 +9670,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.eqlRule/siem/rule/getBackfill", "alerting:siem.eqlRule/siem/rule/findBackfill", "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", "alerting:siem.eqlRule/siem/rule/create", "alerting:siem.eqlRule/siem/rule/delete", "alerting:siem.eqlRule/siem/rule/update", 
@@ -9690,6 +9702,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.indicatorRule/siem/rule/getBackfill", "alerting:siem.indicatorRule/siem/rule/findBackfill", "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", "alerting:siem.indicatorRule/siem/rule/create", "alerting:siem.indicatorRule/siem/rule/delete", "alerting:siem.indicatorRule/siem/rule/update", @@ -9721,6 +9734,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.mlRule/siem/rule/getBackfill", "alerting:siem.mlRule/siem/rule/findBackfill", "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", "alerting:siem.mlRule/siem/rule/create", "alerting:siem.mlRule/siem/rule/delete", "alerting:siem.mlRule/siem/rule/update", @@ -9752,6 +9766,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.queryRule/siem/rule/getBackfill", "alerting:siem.queryRule/siem/rule/findBackfill", "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", "alerting:siem.queryRule/siem/rule/create", "alerting:siem.queryRule/siem/rule/delete", "alerting:siem.queryRule/siem/rule/update", @@ -9783,6 +9798,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.savedQueryRule/siem/rule/getBackfill", "alerting:siem.savedQueryRule/siem/rule/findBackfill", "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", "alerting:siem.savedQueryRule/siem/rule/create", "alerting:siem.savedQueryRule/siem/rule/delete", "alerting:siem.savedQueryRule/siem/rule/update", 
@@ -9814,6 +9830,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.thresholdRule/siem/rule/getBackfill", "alerting:siem.thresholdRule/siem/rule/findBackfill", "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", "alerting:siem.thresholdRule/siem/rule/create", "alerting:siem.thresholdRule/siem/rule/delete", "alerting:siem.thresholdRule/siem/rule/update", @@ -9845,6 +9862,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/rule/getBackfill", "alerting:siem.newTermsRule/siem/rule/findBackfill", "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", "alerting:siem.newTermsRule/siem/rule/create", "alerting:siem.newTermsRule/siem/rule/delete", "alerting:siem.newTermsRule/siem/rule/update", @@ -10217,6 +10235,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.notifications/siem/rule/getBackfill", "alerting:siem.notifications/siem/rule/findBackfill", "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", "alerting:siem.esqlRule/siem/rule/get", "alerting:siem.esqlRule/siem/rule/bulkGet", "alerting:siem.esqlRule/siem/rule/getRuleState", @@ -10228,6 +10247,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.esqlRule/siem/rule/getBackfill", "alerting:siem.esqlRule/siem/rule/findBackfill", "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", "alerting:siem.eqlRule/siem/rule/get", "alerting:siem.eqlRule/siem/rule/bulkGet", "alerting:siem.eqlRule/siem/rule/getRuleState", 
@@ -10239,6 +10259,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.eqlRule/siem/rule/getBackfill", "alerting:siem.eqlRule/siem/rule/findBackfill", "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", "alerting:siem.indicatorRule/siem/rule/get", "alerting:siem.indicatorRule/siem/rule/bulkGet", "alerting:siem.indicatorRule/siem/rule/getRuleState", @@ -10250,6 +10271,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.indicatorRule/siem/rule/getBackfill", "alerting:siem.indicatorRule/siem/rule/findBackfill", "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", "alerting:siem.mlRule/siem/rule/get", "alerting:siem.mlRule/siem/rule/bulkGet", "alerting:siem.mlRule/siem/rule/getRuleState", @@ -10261,6 +10283,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.mlRule/siem/rule/getBackfill", "alerting:siem.mlRule/siem/rule/findBackfill", "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", "alerting:siem.queryRule/siem/rule/get", "alerting:siem.queryRule/siem/rule/bulkGet", "alerting:siem.queryRule/siem/rule/getRuleState", @@ -10272,6 +10295,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.queryRule/siem/rule/getBackfill", "alerting:siem.queryRule/siem/rule/findBackfill", "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", "alerting:siem.savedQueryRule/siem/rule/get", "alerting:siem.savedQueryRule/siem/rule/bulkGet", "alerting:siem.savedQueryRule/siem/rule/getRuleState", 
@@ -10283,6 +10307,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.savedQueryRule/siem/rule/getBackfill", "alerting:siem.savedQueryRule/siem/rule/findBackfill", "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", "alerting:siem.thresholdRule/siem/rule/get", "alerting:siem.thresholdRule/siem/rule/bulkGet", "alerting:siem.thresholdRule/siem/rule/getRuleState", @@ -10294,6 +10319,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.thresholdRule/siem/rule/getBackfill", "alerting:siem.thresholdRule/siem/rule/findBackfill", "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", "alerting:siem.newTermsRule/siem/rule/get", "alerting:siem.newTermsRule/siem/rule/bulkGet", "alerting:siem.newTermsRule/siem/rule/getRuleState", @@ -10305,6 +10331,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/rule/getBackfill", "alerting:siem.newTermsRule/siem/rule/findBackfill", "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", "alerting:siem.notifications/siem/alert/get", "alerting:siem.notifications/siem/alert/find", "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", @@ -10614,6 +10641,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.notifications/siem/rule/getBackfill", "alerting:siem.notifications/siem/rule/findBackfill", "alerting:siem.notifications/siem/rule/findGaps", + "alerting:siem.notifications/siem/rule/bulkEditParams", "alerting:siem.esqlRule/siem/rule/get", "alerting:siem.esqlRule/siem/rule/bulkGet", "alerting:siem.esqlRule/siem/rule/getRuleState", 
@@ -10625,6 +10653,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.esqlRule/siem/rule/getBackfill", "alerting:siem.esqlRule/siem/rule/findBackfill", "alerting:siem.esqlRule/siem/rule/findGaps", + "alerting:siem.esqlRule/siem/rule/bulkEditParams", "alerting:siem.eqlRule/siem/rule/get", "alerting:siem.eqlRule/siem/rule/bulkGet", "alerting:siem.eqlRule/siem/rule/getRuleState", @@ -10636,6 +10665,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.eqlRule/siem/rule/getBackfill", "alerting:siem.eqlRule/siem/rule/findBackfill", "alerting:siem.eqlRule/siem/rule/findGaps", + "alerting:siem.eqlRule/siem/rule/bulkEditParams", "alerting:siem.indicatorRule/siem/rule/get", "alerting:siem.indicatorRule/siem/rule/bulkGet", "alerting:siem.indicatorRule/siem/rule/getRuleState", @@ -10647,6 +10677,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.indicatorRule/siem/rule/getBackfill", "alerting:siem.indicatorRule/siem/rule/findBackfill", "alerting:siem.indicatorRule/siem/rule/findGaps", + "alerting:siem.indicatorRule/siem/rule/bulkEditParams", "alerting:siem.mlRule/siem/rule/get", "alerting:siem.mlRule/siem/rule/bulkGet", "alerting:siem.mlRule/siem/rule/getRuleState", @@ -10658,6 +10689,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.mlRule/siem/rule/getBackfill", "alerting:siem.mlRule/siem/rule/findBackfill", "alerting:siem.mlRule/siem/rule/findGaps", + "alerting:siem.mlRule/siem/rule/bulkEditParams", "alerting:siem.queryRule/siem/rule/get", "alerting:siem.queryRule/siem/rule/bulkGet", "alerting:siem.queryRule/siem/rule/getRuleState", 
@@ -10669,6 +10701,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.queryRule/siem/rule/getBackfill", "alerting:siem.queryRule/siem/rule/findBackfill", "alerting:siem.queryRule/siem/rule/findGaps", + "alerting:siem.queryRule/siem/rule/bulkEditParams", "alerting:siem.savedQueryRule/siem/rule/get", "alerting:siem.savedQueryRule/siem/rule/bulkGet", "alerting:siem.savedQueryRule/siem/rule/getRuleState", @@ -10680,6 +10713,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.savedQueryRule/siem/rule/getBackfill", "alerting:siem.savedQueryRule/siem/rule/findBackfill", "alerting:siem.savedQueryRule/siem/rule/findGaps", + "alerting:siem.savedQueryRule/siem/rule/bulkEditParams", "alerting:siem.thresholdRule/siem/rule/get", "alerting:siem.thresholdRule/siem/rule/bulkGet", "alerting:siem.thresholdRule/siem/rule/getRuleState", @@ -10691,6 +10725,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.thresholdRule/siem/rule/getBackfill", "alerting:siem.thresholdRule/siem/rule/findBackfill", "alerting:siem.thresholdRule/siem/rule/findGaps", + "alerting:siem.thresholdRule/siem/rule/bulkEditParams", "alerting:siem.newTermsRule/siem/rule/get", "alerting:siem.newTermsRule/siem/rule/bulkGet", "alerting:siem.newTermsRule/siem/rule/getRuleState", @@ -10702,6 +10737,7 @@ export default function ({ getService }: FtrProviderContext) { "alerting:siem.newTermsRule/siem/rule/getBackfill", "alerting:siem.newTermsRule/siem/rule/findBackfill", "alerting:siem.newTermsRule/siem/rule/findGaps", + "alerting:siem.newTermsRule/siem/rule/bulkEditParams", "alerting:siem.notifications/siem/alert/get", "alerting:siem.notifications/siem/alert/find", "alerting:siem.notifications/siem/alert/getAuthorizedAlertsIndices", From 5d26d112fac510f935013544dc9235638ebbb9fa Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 9 Sep 2025 10:45:06 +0200 Subject: [PATCH 27/33] reorder sub-feature privileges --- .../security/v1_features/kibana_sub_features.ts | 14 +++++++------- .../security/v2_features/kibana_sub_features.ts | 14 +++++++------- .../security/v3_features/kibana_sub_features.ts | 4 ++-- .../security/v4_features/kibana_sub_features.ts | 2 +- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts index 8c12b3758a9f5..a0303ed1c53c0 100644 --- a/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v1_features/kibana_sub_features.ts @@ -29,12 +29,6 @@ import { const replacements: Partial> = { [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], - [SecuritySubFeatureId.endpointExceptions]: [ - { - feature: SECURITY_FEATURE_ID_V4, - additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, - }, - ], [SecuritySubFeatureId.trustedApplications]: [ { feature: SECURITY_FEATURE_ID_V4, @@ -59,6 +53,12 @@ const replacements: Partial additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], + [SecuritySubFeatureId.endpointExceptions]: [ + { + feature: SECURITY_FEATURE_ID_V4, + additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, + }, + ], [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], 
@@ -85,11 +85,11 @@ export const getSecuritySubFeaturesMap = ({ }: SecurityFeatureParams): Map => { const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.trustedApplications, trustedApplicationsSubFeature()], [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], diff --git a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts index 2d6de60c00221..16f9ac593a3ec 100644 --- a/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v2_features/kibana_sub_features.ts @@ -33,12 +33,6 @@ import { addSubFeatureReplacements } from '../../utils'; const replacements: Partial> = { [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], - [SecuritySubFeatureId.endpointExceptions]: [ - { - feature: SECURITY_FEATURE_ID_V4, - additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, - }, - ], [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedApplications]: [ { 
@@ -64,6 +58,12 @@ const replacements: Partial additionalPrivileges: { event_filters_all: ['global_artifact_management_all'] }, }, ], + [SecuritySubFeatureId.endpointExceptions]: [ + { + feature: SECURITY_FEATURE_ID_V4, + additionalPrivileges: { endpoint_exceptions_all: ['global_artifact_management_all'] }, + }, + ], [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], @@ -91,7 +91,6 @@ export const getSecurityV2SubFeaturesMap = ({ const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [ SecuritySubFeatureId.globalArtifactManagement, globalArtifactManagementSubFeature(experimentalFeatures), @@ -100,6 +99,7 @@ export const getSecurityV2SubFeaturesMap = ({ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], diff --git a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts index 448d1fc58b3bc..d2cd5f2075f23 100644 --- a/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts 
+++ b/x-pack/solutions/security/packages/features/src/security/v3_features/kibana_sub_features.ts @@ -33,13 +33,13 @@ import { addSubFeatureReplacements } from '../../utils'; const replacements: Partial> = { [SecuritySubFeatureId.endpointList]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.workflowInsights]: [{ feature: SECURITY_FEATURE_ID_V4 }], - [SecuritySubFeatureId.endpointExceptions]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.globalArtifactManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedApplications]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.trustedDevices]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.hostIsolationExceptionsBasic]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.blocklist]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.eventFilters]: [{ feature: SECURITY_FEATURE_ID_V4 }], + [SecuritySubFeatureId.endpointExceptions]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.policyManagement]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.responseActionsHistory]: [{ feature: SECURITY_FEATURE_ID_V4 }], [SecuritySubFeatureId.hostIsolation]: [{ feature: SECURITY_FEATURE_ID_V4 }], @@ -67,7 +67,6 @@ export const getSecurityV3SubFeaturesMap = ({ const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [ SecuritySubFeatureId.globalArtifactManagement, globalArtifactManagementSubFeature(experimentalFeatures), 
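Review bot: The moved `endpointExceptions` replacement in this v3 map carries no `additionalPrivileges`, whereas the v1 and v2 maps touched by the same commit pair it with `global_artifact_management_all`; the reason — presumably that siemV3 already exposes `globalArtifactManagement` as its own sub-feature, so a v3 role either holds it explicitly or was never meant to — is stated nowhere in the file. A one-line comment on this entry, `// no extra grant: siemV3 roles already hold global_artifact_management_all explicitly if they need it`, would stop a future reader from "fixing" the asymmetry and silently widening migrated v3 roles. If the asymmetry is not intentional, a v3 role holding only `endpoint_exceptions_all` may lose write access after migration to siemV4, which deserves a privilege-migration test.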
@@ -77,6 +76,7 @@ export const getSecurityV3SubFeaturesMap = ({ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts index c0890a6297c68..705804aedba83 100644 --- a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts @@ -45,7 +45,6 @@ export const getSecurityV4SubFeaturesMap = ({ const securitySubFeaturesList: Array<[SecuritySubFeatureId, SubFeatureConfig]> = [ [SecuritySubFeatureId.endpointList, endpointListSubFeature()], [SecuritySubFeatureId.workflowInsights, workflowInsightsSubFeature()], - [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [ SecuritySubFeatureId.globalArtifactManagement, globalArtifactManagementSubFeature(experimentalFeatures), 
@@ -55,6 +54,7 @@ export const getSecurityV4SubFeaturesMap = ({ [SecuritySubFeatureId.hostIsolationExceptionsBasic, hostIsolationExceptionsBasicSubFeature()], [SecuritySubFeatureId.blocklist, blocklistSubFeature()], [SecuritySubFeatureId.eventFilters, eventFiltersSubFeature()], + [SecuritySubFeatureId.endpointExceptions, endpointExceptionsSubFeature()], [SecuritySubFeatureId.policyManagement, policyManagementSubFeature()], [SecuritySubFeatureId.responseActionsHistory, responseActionsHistorySubFeature()], [SecuritySubFeatureId.hostIsolation, hostIsolationSubFeature()], From ef5a9521b6046629449708246925033fed8e659d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 9 Sep 2025 10:46:04 +0200 Subject: [PATCH 28/33] update rbac cy tests --- .../management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 1 + .../e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts | 5 ++--- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index c5b25dab080a5..114c99c893186 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
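Review bot: The position of `endpointExceptions` in `securitySubFeaturesList` is now load-bearing — later commits in this series pin the sub-feature order in the role-management Cypress tests with `deep.equal` — yet nothing in the v4 list says the order is deliberate or that it must match the v1–v3 lists this commit edits in lockstep. A short comment above the array, `// Order is user-visible in role management and asserted by the RBAC Cypress tests; keep in sync with v1–v3`, would make the constraint explicit. The enclosing getSecurityV4SubFeaturesMap function starts and ends outside this hunk.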
@@ -66,6 +66,7 @@ describe( 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', 'Event Filters Filter out endpoint events that you do not need or want stored in Elasticsearch.Event Filters sub-feature privilegeAllReadNone', + 'Endpoint Exceptions Manage Endpoint Exceptions.Endpoint Exceptions sub-feature privilegeAllReadNone', 'Elastic Defend Policy Management Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.Elastic Defend Policy Management sub-feature privilegeAllReadNone', 'Response Actions History Access the history of response actions performed on endpoints.Response Actions History sub-feature privilegeAllReadNone', 'Host Isolation Perform the "isolate" and "release" response actions.Host Isolation sub-feature privilegeAllNone', diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts index 80871ec94a4c1..fbc34c3660975 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts +++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac_with_space_awareness.cy.ts 
@@ -101,9 +101,7 @@ describe( return features; }) - // Using `include.members` here because in serverless, an additional privilege shows - // up in this list - `Endpoint exceptions`. - .should('include.members', [ + .should('deep.equal', [ 'Endpoint ListAll', 'Automatic TroubleshootingNone', 'Global Artifact ManagementNone', @@ -112,6 +110,7 @@ describe( 'Host Isolation ExceptionsNone', 'BlocklistNone', 'Event FiltersNone', + 'Endpoint ExceptionsNone', 'Elastic Defend Policy ManagementNone', 'Response Actions HistoryNone', 'Host IsolationAll', From fc8d11e6a43f712d6c913efd6c4d1b0294de22af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Tue, 9 Sep 2025 10:54:26 +0200 Subject: [PATCH 29/33] update ESS privileges tests with added endpoint exception sub-privilege --- .../test/api_integration/apis/security/privileges.ts | 8 ++++++++ .../api_integration_basic/apis/security/privileges.ts | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/x-pack/platform/test/api_integration/apis/security/privileges.ts b/x-pack/platform/test/api_integration/apis/security/privileges.ts index f158514dc3f6a..5685daf51a952 100644 --- a/x-pack/platform/test/api_integration/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration/apis/security/privileges.ts @@ -120,6 +120,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', @@ -148,6 +150,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', 
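Review bot: Tightening `include.members` to `deep.equal` makes the assertion order- and count-sensitive, so it now also depends on which flag-gated sub-features are registered: the v4 map edited later in this series deletes `trustedDevices` when `experimentalFeatures.trustedDevices` is off, and if a Trusted Devices entry sits in the expected list (the lines between the two hunks are not visible) the test will pass or fail on the environment's experimental flags rather than on RBAC. Either keep the expected list free of flag-gated entries and assert those separately, or build the expectation from the flag, e.g. `...(trustedDevicesEnabled ? ['Trusted DevicesNone'] : [])`. The `.should` chain and the enclosing `describe` start outside the hunk.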
@@ -176,6 +180,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', @@ -204,6 +210,8 @@ export default function ({ getService }: FtrProviderContext) { 'blocklist_read', 'event_filters_all', 'event_filters_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'policy_management_all', 'policy_management_read', 'actions_log_management_all', diff --git a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts index f96a1ed4f44c3..bacb3d82785aa 100644 --- a/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts +++ b/x-pack/platform/test/api_integration_basic/apis/security/privileges.ts @@ -222,6 +222,8 @@ export default function ({ getService }: FtrProviderContext) { 'all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', @@ -248,6 +250,8 @@ export default function ({ getService }: FtrProviderContext) { 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', @@ -276,6 +280,8 @@ export default function ({ getService }: FtrProviderContext) { 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', @@ -304,6 +310,8 @@ export default function ({ getService }: FtrProviderContext) { 'global_artifact_management_all', 'blocklist_all', 'blocklist_read', + 'endpoint_exceptions_all', + 'endpoint_exceptions_read', 'endpoint_list_all', 'endpoint_list_read', 'event_filters_all', 
From 594a99652e6b3e9f08922bf0ce8e6cf5c0f0fcf1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Thu, 18 Sep 2025 15:56:48 +0200 Subject: [PATCH 30/33] update Endpoint exceptions privilege text --- .../packages/features/src/security/kibana_sub_features.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts index 697240384d2c2..428d1a066d92d 100644 --- a/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/kibana_sub_features.ts @@ -663,7 +663,10 @@ export const endpointExceptionsSubFeature = (): SubFeatureConfig => ({ ), description: i18n.translate( 'securitySolutionPackages.features.featureRegistry.subFeatures.endpointExceptions.description', - { defaultMessage: 'Manage Endpoint Exceptions.' } + { + defaultMessage: + 'Reduce false positive alerts, and keep Elastic Defend from blocking standard processes.', + } ), privilegeGroups: [ { From ccb81e85b6fd1678c3e5704272fbbc1c70bb1e3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 19 Sep 2025 10:25:32 +0200 Subject: [PATCH 31/33] update privilege description in test as well --- .../public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts index 114c99c893186..2f719b8bafcb5 100644 --- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/rbac/endpoint_role_rbac.cy.ts @@ -66,7 +66,7 @@ describe( 'Host Isolation Exceptions Add specific IP addresses that isolated hosts are still allowed to communicate with, even when isolated from the rest of the network.Host Isolation Exceptions sub-feature privilegeAllReadNone', 'Blocklist Extend Elastic Defend’s protection against malicious processes and protect against potentially harmful applications.Blocklist sub-feature privilegeAllReadNone', 'Event Filters Filter out endpoint events that you do not need or want stored in Elasticsearch.Event Filters sub-feature privilegeAllReadNone', - 'Endpoint Exceptions Manage Endpoint Exceptions.Endpoint Exceptions sub-feature privilegeAllReadNone', + 'Endpoint Exceptions Reduce false positive alerts, and keep Elastic Defend from blocking standard processes.Endpoint Exceptions sub-feature privilegeAllReadNone', 'Elastic Defend Policy Management Access the Elastic Defend integration policy to configure protections, event collection, and advanced policy features.Elastic Defend Policy Management sub-feature privilegeAllReadNone', 'Response Actions History Access the history of response actions performed on endpoints.Response Actions History sub-feature privilegeAllReadNone', 'Host Isolation Perform the "isolate" and "release" response actions.Host Isolation sub-feature privilegeAllNone', From 4b235babe9d85fb1895845091bb93feba39f4325 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 19 Sep 2025 15:34:00 +0200 Subject: [PATCH 32/33] adapt incoming changes from #234853 to siemV4 --- .../features/src/security/v4_features/kibana_sub_features.ts | 3 --- 1 file changed, 3 deletions(-) 
diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts index 705804aedba83..04bb8c69afc31 100644 --- a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_sub_features.ts @@ -78,9 +78,6 @@ export const getSecurityV4SubFeaturesMap = ({ ); // Remove disabled experimental features - if (!experimentalFeatures.defendInsights) { - securitySubFeaturesMap.delete(SecuritySubFeatureId.workflowInsights); - } if (!experimentalFeatures.trustedDevices) { securitySubFeaturesMap.delete(SecuritySubFeatureId.trustedDevices); } From 20e2e9d46d0ce7f49bdc4457fd17e70d8697820f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gerg=C5=91=20=C3=81brah=C3=A1m?= Date: Fri, 19 Sep 2025 16:34:27 +0200 Subject: [PATCH 33/33] apply incoming changes from #234146 to siemV4 --- .../features/src/security/v4_features/kibana_features.ts | 2 -- 1 file changed, 2 deletions(-) diff --git a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts index daa1f42609af9..315d01066ddfe 100644 --- a/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts +++ b/x-pack/solutions/security/packages/features/src/security/v4_features/kibana_features.ts @@ -6,7 +6,6 @@ */ import { i18n } from '@kbn/i18n'; -import { KibanaFeatureScope } from '@kbn/features-plugin/common'; import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; import { 
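Review bot: Removing the `defendInsights` guard leaves no record of why `workflowInsights` is now unconditionally registered in siemV4 while `trustedDevices` stays flag-gated directly below it, and the commit message only says it mirrors #234853; a reader diffing this file against the v1–v3 variants cannot tell whether the gate was dropped on purpose. A one-line comment where the check used to be, `// workflowInsights is no longer experimental (#234853); only trustedDevices remains flag-gated`, captures that. It is also worth confirming the v1–v3 `kibana_sub_features.ts` files on this branch dropped the same gate, so the flag cannot make the sub-feature exist in v4 but not in the version a role's privileges are being migrated from.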
@@ -58,7 +57,6 @@ export const getSecurityV4BaseKibanaFeature = ({ ), order: 1100, category: DEFAULT_APP_CATEGORIES.security, - scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security], app: [APP_ID, CLOUD_POSTURE_APP_ID, 'kibana'], catalogue: [APP_ID], management: {
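Review bot: Dropping `scope: [KibanaFeatureScope.Spaces, KibanaFeatureScope.Security]` makes the siemV4 feature rely on the features plugin's default scope, and nothing here shows what that default is; if it were narrower than both Spaces and Security, the feature would silently stop contributing privileges to role management or to the space feature toggles. The commit message says this mirrors #234146, so the default presumably now covers both, but a short comment on the feature object, `// scope intentionally omitted: defaults to Spaces + Security (#234146)`, would document the dependency for the next person who compares v3 with v4. The enclosing getSecurityV4BaseKibanaFeature object literal starts and ends outside this hunk.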