From 18286b64165b48a7e2586622eae8d9f07a24f5a9 Mon Sep 17 00:00:00 2001 From: Edgar Santos Date: Wed, 5 Nov 2025 10:38:18 +0100 Subject: [PATCH 1/3] Updates roles/tests/test roles to use new Features This updates prebuilt roles and those used in tests to: * Reference siemv5 instead of the older siemv4 * Add the new `rules:read` or `rules:all` feature where appropriate Without this change, our tests are implicitly testing the `replacedBy`/"migration" path that existing users will follow. With that version of the code being green, we can have confidence in the behavior for existing users, and can then update our tests to use the latest features, here. --- .../project_roles/security/roles.yml | 260 +++++++++--------- .../security/search_ai_lake/roles.yml | 12 +- .../serverless_resources/security_roles.json | 51 ++-- .../project_controller_security_roles.yml | 258 +++++++++-------- .../common/test/ess_roles.json | 18 +- .../e2e/artifacts/endpoint_exceptions.cy.ts | 8 +- .../artifacts/endpoint_exceptions.no_ff.cy.ts | 2 + .../common/roles_users/detections_admin.ts | 3 +- .../endpoint_operations_analyst.ts | 4 +- .../endpoint_security_policy_manager.ts | 5 +- .../endpoint/common/roles_users/hunter.ts | 3 +- .../common/roles_users/platform_engineer.ts | 3 +- .../common/roles_users/rule_author.ts | 5 +- .../es_serverless_resources/roles.yml | 258 +++++++++-------- .../common/roles_users/soc_manager.ts | 3 +- .../endpoint/common/roles_users/t1_analyst.ts | 3 +- .../endpoint/common/roles_users/t2_analyst.ts | 3 +- .../endpoint/common/roles_users/t3_analyst.ts | 5 +- .../threat_intelligence_analyst.ts | 3 +- .../with_artifact_read_privileges_role.ts | 3 +- .../roles_users/with_response_actions_role.ts | 5 +- .../without_response_actions_role.ts | 3 +- .../test/session_view/basic/tests/index.ts | 3 +- 23 files changed, 469 insertions(+), 452 deletions(-) 
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
index 55af5ec6d8a1c..638b17f5626ac 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
@@ -45,10 +45,10 @@ viewer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.endpoint_exceptions_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.endpoint_exceptions_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCasesV2.read
 - feature_securitySolutionAssistant.minimal_all
 - feature_securitySolutionAttackDiscovery.minimal_all
@@ -130,22 +130,21 @@ editor:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -203,9 +202,9 @@ t1_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCasesV2.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -266,9 +265,9 @@ t2_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -334,24 +333,23 @@ t3_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -419,11 +417,12 @@ threat_intelligence_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
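Review bot: `threat_intelligence_analyst` receives `feature_securitySolutionRulesV1.all`, i.e. full detection-rule management, apparently to mirror the `feature_siemV4.all` it had before. Now that rules are their own feature this is the moment to decide whether a threat-intel role should author rules or only read them; if the intent is least privilege, `- feature_securitySolutionRulesV1.read` is the narrower choice — confirm against the role's intended duties. Note also that the V4 definition carried neither `read_alerts` nor `crud_alerts`, so if `siemV5.all` folds alert access into the base privilege this hunk widens the role a second time without saying so. A one-line comment such as `# rules are a separate feature since siemV5; .all kept to match the previous siemV4.all scope` would record the decision either way.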
@@ -492,20 +491,19 @@ rule_author:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_read
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_read
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
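Review bot: The `# Elastic Defend Policy Management` comment is carried over onto `feature_siemV5.blocklist_all`, where it is misleading: in the editor and t3_analyst hunks of this same file the identical comment annotates `policy_management_read`, and this role's policy privilege is `feature_siemV5.policy_management_all` two lines above. Since the hunk rewrites every one of these lines anyway, move the comment to the line it describes, `- feature_siemV5.policy_management_all # Elastic Defend Policy Management`, and leave `blocklist_all` bare. The same misplaced comment is repeated in the platform_engineer and endpoint_policy_manager hunks below and in the osquery copy of these roles.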
@@ -582,26 +580,25 @@ soc_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
- - feature_siemV4.soc_management_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_siemV5.soc_management_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -674,11 +671,10 @@ detections_admin:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -743,20 +739,19 @@ platform_engineer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -825,24 +820,24 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
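Review bot: This role's V4 definition granted `read_alerts` but deliberately omitted `crud_alerts` (every other `.all` role in this file had both), and that distinction disappears here: the hunk replaces it with a bare `feature_siemV5.all` and adds `feature_securitySolutionRulesV1.all`. The diff removes the alert sub-privileges everywhere without adding any `siemV5` equivalent, which suggests alert read/write now rides on `.all`; if so, endpoint_operations_analyst gains alert write access relative to the role it is migrating from, and tests that relied on the narrower scope will no longer prove anything. Either confirm the widening is intended, or use a narrower alert privilege if siemV5 still exposes one; in both cases record it on the line, e.g. `- feature_siemV5.all # siemV5 has no separate alerts sub-privilege; alert CRUD now comes with .all`.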
@@ -919,19 +914,18 @@ endpoint_policy_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml
index 0d0785c6b34ba..f37a6b32466fe 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml
@@ -45,7 +45,8 @@ _search_ai_lake_analyst:
 - application: "kibana-.kibana"
 privileges:
 - "feature_ml.read"
- - "feature_siemV4.all"
+ - "feature_siemV5.all"
+ - "feature_securitySolutionRulesV1.all"
 - "feature_securitySolutionCasesV2.all"
 - "feature_securitySolutionAssistant.all"
 - "feature_securitySolutionAttackDiscovery.minimal_all"
@@ -120,10 +121,11 @@ _search_ai_lake_soc_manager:
 applications:
 - application: "kibana-.kibana"
 privileges:
- "feature_siemV4.all"
- "feature_siemV4.global_artifact_management_all"
- "feature_siemV4.workflow_insights_all"
- "feature_siemV4.soc_management_all"
+ "feature_siemV5.all"
+ "feature_siemV5.global_artifact_management_all"
+ "feature_siemV5.workflow_insights_all"
+ "feature_siemV5.soc_management_all"
+ "feature_securitySolutionRulesV1.all"
 - "feature_securitySolutionCasesV2.all"
 - "feature_securitySolutionAssistant.all"
 - "feature_securitySolutionAttackDiscovery.all"
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
index aecec6532056e..b2a36153665c7 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/security_roles.json
@@ -44,9 +44,11 @@
 "ml": [
 "read"
 ],
- "siemV4": [
- "read",
- "read_alerts"
+ "siemV5": [
+ "read"
+ ],
+ "securitySolutionRulesV1": [
+ "read"
 ],
 "securitySolutionAssistant": [
 "all"
 ],
@@ -124,9 +126,11 @@
 "ml": [
 "read"
 ],
- "siemV4": [
- "read",
- "read_alerts"
+ "siemV5": [
+ "read"
+ ],
+ "securitySolutionRulesV1": [
+ "read"
 ],
 "securitySolutionAssistant": [
 "all"
 ],
@@ -226,10 +230,8 @@
 "ml": [
 "read"
 ],
- "siemV4": [
+ "siemV5": [
 "all",
- "read_alerts",
- "crud_alerts",
 "endpoint_list_all",
 "trusted_applications_all",
 "event_filters_all",
@@ -242,6 +244,9 @@
 "actions_log_management_all",
 "file_operations_all"
 ],
+ "securitySolutionRulesV1": [
+ "all"
+ ],
 "securitySolutionCasesV2": [
 "all"
 ],
@@ -349,12 +354,13 @@
 "ml": [
 "read"
 ],
- "siemV4": [
+ "siemV5": [
 "all",
- "read_alerts",
- "crud_alerts",
 "endpoint_exceptions_all"
 ],
+ "securitySolutionRulesV1": [
+ "all"
+ ],
 "securitySolutionAssistant": [
 "all"
 ],
@@ -443,12 +449,13 @@
 "ml": [
 "read"
 ],
- "siemV4": [
+ "siemV5": [
 "all",
- "read_alerts",
- "crud_alerts",
 "endpoint_exceptions_all"
 ],
+ "securitySolutionRulesV1": [
+ "all"
+ ],
 "securitySolutionAssistant": [
 "all"
 ],
@@ -531,12 +538,13 @@
 "ml": [
 "all"
 ],
- "siemV4": [
+ "siemV5": [
 "all",
- "read_alerts",
- "crud_alerts",
 "endpoint_exceptions_all"
 ],
+ "securitySolutionRulesV1": [
+ "all"
+ ],
 "securitySolutionAssistant": [
 "all"
 ],
@@ -634,12 +642,13 @@
 "ml": [
 "all"
 ],
- "siemV4": [
+ "siemV5": [
 "all",
- "read_alerts",
- "crud_alerts",
 "endpoint_exceptions_all"
 ],
+ "securitySolutionRulesV1": [
+ "all"
+ ],
 "securitySolutionAssistant": [
 "all"
 ],
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
index 559bbe78bb270..b5d480fa3400b 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
+++ b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
@@ -44,10 +44,10 @@ viewer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.endpoint_exceptions_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.endpoint_exceptions_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
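Review bot: This file is being moved off the deprecated `siemV4` id, yet the same role still references `feature_securitySolutionCases.read`, while the kbn-es copy of this role in the first file of the patch uses `feature_securitySolutionCasesV2.read`. If `securitySolutionCases` has likewise been superseded, the osquery roles will keep exercising the `replacedBy` migration path that the commit message says these tests should stop depending on; the fix would be `- feature_securitySolutionCasesV2.read` here and in the remaining roles of this file, which all use the unversioned id. If the older id is intentionally kept for the osquery suite, a comment on the line saying so, e.g. `# unversioned cases id kept on purpose for osquery — see kbn-es roles.yml for the V2 form`, would stop the next reviewer from asking the same question.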
@@ -121,22 +121,21 @@ editor:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -192,9 +191,9 @@ t1_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -253,9 +252,9 @@ t2_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -319,24 +318,23 @@ t3_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -397,11 +395,12 @@ threat_intelligence_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -469,20 +468,19 @@ rule_author:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_read
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_read
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -551,25 +549,24 @@ soc_manager:
 privileges:
 - feature_ml.read
 - feature_generalCases.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_observabilityCases.all
 - feature_securitySolutionAssistant.all
@@ -637,11 +634,10 @@ detections_admin:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -699,20 +695,19 @@ platform_engineer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -779,24 +774,24 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response History
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all # Execute
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response History
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all # Execute
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
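Review bot: As in the kbn-es copy of this role, the V4 definition here granted `read_alerts` without `crud_alerts`, and the V5 version collapses that into `feature_siemV5.all`, so whatever alert-write restriction the omission encoded is lost. The patch removes the alert sub-privileges in every file without adding a `siemV5` equivalent, which suggests alert CRUD is now part of `.all`; confirm that before relying on this role in osquery tests that assume an operations analyst cannot modify alerts. A comment on the line keeps the history visible for the next migration, e.g. `- feature_siemV5.all # siemV5 folds alert access into .all; this role previously lacked crud_alerts`.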
@@ -863,19 +858,18 @@ endpoint_policy_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json
index 9a68261aa965f..13742ad7baa1f 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json
+++ b/x-pack/solutions/security/plugins/security_solution/common/test/ess_roles.json
@@ -27,7 +27,8 @@
 {
 "feature": {
 "ml": ["read"],
- "siemV4": ["read", "read_alerts", "endpoint_exceptions_read"],
+ "siemV5": ["read", "endpoint_exceptions_read"],
+ "securitySolutionRulesV1": ["read"],
 "securitySolutionAssistant": ["none"],
 "securitySolutionAttackDiscovery": ["none"],
 "securitySolutionCasesV2": ["read"],
@@ -78,7 +79,8 @@
 {
 "feature": {
 "ml": ["read"],
- "siemV4": ["all", "read_alerts", "crud_alerts", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "siemV5": ["all", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "securitySolutionRulesV1": ["all"],
 "securitySolutionAssistant": ["all"],
 "securitySolutionAttackDiscovery": ["all"],
 "securitySolutionCasesV2": ["all"],
@@ -129,7 +131,8 @@
 {
 "feature": {
 "ml": ["read"],
- "siemV4": ["all", "read_alerts", "crud_alerts", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "siemV5": ["all", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "securitySolutionRulesV1": ["all"],
 "securitySolutionAssistant": ["all"],
 "securitySolutionAttackDiscovery": ["all"],
 "securitySolutionCasesV2": ["all"],
@@ -152,7 +155,8 @@
 "kibana": [
 {
 "feature": {
- "siemV4": ["read", "endpoint_exceptions_read"]
+ "siemV5": ["read", "endpoint_exceptions_read"],
+ "securitySolutionRulesV1": ["read"]
 },
 "spaces": ["*"],
 "base": []
@@ -202,7 +206,8 @@
 {
 "feature": {
 "ml": ["read"],
- "siemV4": ["all", "read_alerts", "crud_alerts", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "siemV5": ["all", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "securitySolutionRulesV1": ["all"],
 "securitySolutionAssistant": ["all"],
 "securitySolutionAttackDiscovery": ["all"],
 "securitySolutionCasesV2": ["all"],
@@ -258,7 +263,8 @@
 {
 "feature": {
 "ml": ["read"],
- "siemV4": ["all", "read_alerts", "crud_alerts", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "siemV5": ["all", "global_artifact_management_all", "endpoint_exceptions_all"],
+ "securitySolutionRulesV1": ["all"],
 "securitySolutionAssistant": ["all"],
 "securitySolutionAttackDiscovery": ["all"],
 "securitySolutionCasesV2": ["all"],
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts
index 0edc6f0dbfaad..028d796ff5d94 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.cy.ts
@@ -6,7 +6,12 @@
 */
 import * as essSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/security_header';
 import * as serverlessSecurityHeaders from '@kbn/test-suites-xpack-security/security_solution_cypress/cypress/screens/serverless_security_header';
-import { APP_MANAGE_PATH, APP_PATH, SECURITY_FEATURE_ID } from '../../../../../common/constants';
+import {
+ APP_MANAGE_PATH,
+ APP_PATH,
+ RULES_FEATURE_ID,
+ SECURITY_FEATURE_ID,
+} from '../../../../../common/constants';
 import { login, ROLE } from '../../tasks/login';
 describe(
@@ -28,6 +33,7 @@ describe(
 const loginWithReadAccess = () => {
 login.withCustomKibanaPrivileges({
 [SECURITY_FEATURE_ID]: ['read', 'endpoint_exceptions_read'],
+ [RULES_FEATURE_ID]: ['read'],
 });
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts
index 4ae0426f239a5..96020764a823d 100644
--- a/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts
+++ b/x-pack/solutions/security/plugins/security_solution/public/management/cypress/e2e/artifacts/endpoint_exceptions.no_ff.cy.ts
@@ -9,6 +9,7 @@ import * as serverlessSecurityHeaders from '@kbn/test-suites-xpack-security/secu
 import {
 APP_ENDPOINT_EXCEPTIONS_PATH,
 APP_PATH,
+ RULES_FEATURE_ID,
 SECURITY_FEATURE_ID,
 } from '../../../../../common/constants';
 import { login, ROLE } from '../../tasks/login';
@@ -18,6 +19,7 @@ describe('Endpoint exceptions - preserving behaviour without `endpointExceptions
 const loginWithReadAccess = () => {
 login.withCustomKibanaPrivileges({
 [SECURITY_FEATURE_ID]: ['read', 'endpoint_exceptions_read'],
+ [RULES_FEATURE_ID]: ['read'],
 });
 };
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts
index 152230dc6c2ae..3a3a2959eeef0 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/detections_admin.ts
@@ -17,7 +17,8 @@ export const getDetectionsAdmin: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: ['all', 'global_artifact_management_all', 'endpoint_exceptions_all'],
+ siemV5: ['all', 'global_artifact_management_all', 'endpoint_exceptions_all'],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
index c3f6106e3786b..abe75262b80af 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
@@ -59,9 +59,8 @@ export const getEndpointOperationsAnalyst: () => Omit = () => {
 osquery: ['all'],
 securitySolutionCasesV3: ['all'],
 builtinAlerts: ['all'],
- siemV4: [
+ siemV5: [
 'all',
- 'read_alerts',
 'policy_management_all',
 'endpoint_list_all',
 'global_artifact_management_all',
@@ -79,6 +78,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => {
 'scan_operations_all',
 'workflow_insights_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts
index 24b6f542a2594..b3449cd4042f1 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_security_policy_manager.ts
@@ -17,7 +17,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () =>
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'policy_management_all',
@@ -32,6 +32,7 @@ export const getEndpointSecurityPolicyManager: () => Omit = () =>
 'workflow_insights_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
@@ -49,7 +50,7 @@ export const getEndpointSecurityPolicyManagementReadRole: () => Omit Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'policy_management_read',
@@ -33,6 +33,7 @@ export const getHunter: () => Omit = () => {
 'process_operations_all',
 'actions_log_management_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts
index 1e0d5bc452380..55724169f8fdb 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/platform_engineer.ts
@@ -17,7 +17,7 @@ export const getPlatformEngineer: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'policy_management_all',
@@ -34,6 +34,7 @@ export const getPlatformEngineer: () => Omit = () => {
 'workflow_insights_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts
index cbf54b1d1ccb2..72afd1e4d7402 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/rule_author.ts
@@ -17,10 +17,8 @@ export const getRuleAuthor: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
- 'read_alerts',
- 'crud_alerts',
 'policy_management_all',
 'endpoint_list_all',
 'global_artifact_management_all',
@@ -33,6 +31,7 @@ export const getRuleAuthor: () => Omit = () => {
 'actions_log_management_read',
 'workflow_insights_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
index 61af258f26878..4cc1c9eb66293 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
@@ -65,10 +65,10 @@ viewer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.endpoint_exceptions_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.endpoint_exceptions_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -145,22 +145,21 @@ editor:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -216,9 +215,9 @@ t1_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.read
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -279,9 +278,9 @@ t2_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.read
- - feature_siemV4.read_alerts
- - feature_siemV4.endpoint_list_read
+ - feature_siemV5.read
+ - feature_siemV5.endpoint_list_read
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -346,24 +345,23 @@ t3_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.policy_management_read # Elastic Defend Policy Management
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response actions history
- - feature_siemV4.file_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.policy_management_read # Elastic Defend Policy Management
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response actions history
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -426,11 +424,12 @@ threat_intelligence_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.endpoint_list_read
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.endpoint_list_read
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -499,20 +498,19 @@ rule_author:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_read
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_read
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -581,25 +579,24 @@ soc_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -668,11 +665,10 @@ detections_admin:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.endpoint_exceptions_all
+ - feature_siemV5.all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -732,20 +728,19 @@ platform_engineer:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.actions_log_management_read
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.actions_log_management_read
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -815,24 +810,24 @@ endpoint_operations_analyst:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.read
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.host_isolation_all
- - feature_siemV4.process_operations_all
- - feature_siemV4.actions_log_management_all # Response History
- - feature_siemV4.file_operations_all
- - feature_siemV4.execute_operations_all # Execute
- - feature_siemV4.scan_operations_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.host_isolation_all
+ - feature_siemV5.process_operations_all
+ - feature_siemV5.actions_log_management_all # Response History
+ - feature_siemV5.file_operations_all
+ - feature_siemV5.execute_operations_all # Execute
+ - feature_siemV5.scan_operations_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
@@ -901,19 +896,18 @@ endpoint_policy_manager:
 - application: 'kibana-.kibana'
 privileges:
 - feature_ml.all
- - feature_siemV4.all
- - feature_siemV4.read_alerts
- - feature_siemV4.crud_alerts
- - feature_siemV4.policy_management_all
- - feature_siemV4.endpoint_list_all
- - feature_siemV4.global_artifact_management_all
- - feature_siemV4.trusted_applications_all
- - feature_siemV4.trusted_devices_all
- - feature_siemV4.event_filters_all
- - feature_siemV4.host_isolation_exceptions_all
- - feature_siemV4.blocklist_all # Elastic Defend Policy Management
- - feature_siemV4.endpoint_exceptions_all
- - feature_siemV4.workflow_insights_all
+ - feature_siemV5.all
+ - feature_siemV5.policy_management_all
+ - feature_siemV5.endpoint_list_all
+ - feature_siemV5.global_artifact_management_all
+ - feature_siemV5.trusted_applications_all
+ - feature_siemV5.trusted_devices_all
+ - feature_siemV5.event_filters_all
+ - feature_siemV5.host_isolation_exceptions_all
+ - feature_siemV5.blocklist_all # Elastic Defend Policy Management
+ - feature_siemV5.endpoint_exceptions_all
+ - feature_siemV5.workflow_insights_all
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts
index b525c4cd2bf14..2ec8d73c14969 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/soc_manager.ts
@@ -17,7 +17,7 @@ export const getSocManager: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'policy_management_all',
@@ -37,6 +37,7 @@ export const getSocManager: () => Omit = () => {
 'workflow_insights_all',
 'soc_management_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts
index e95cbf2ba69e2..986ec23f87a87 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t1_analyst.ts
@@ -17,7 +17,8 @@ export const getT1Analyst: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: ['read'],
+ siemV5: ['read'],
+ securitySolutionRulesV1: ['read'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts
index 5632dca5181ea..dd4856bae8aa7 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t2_analyst.ts
@@ -17,7 +17,8 @@ export const getT2Analyst: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: ['read', 'actions_log_management_read'],
+ siemV5: ['read', 'actions_log_management_read'],
+ securitySolutionRulesV1: ['read'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts
index 7c438213e9c29..4d56404d84f13 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/t3_analyst.ts
@@ -17,10 +17,8 @@ export const getT3Analyst: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
- 'read_alerts',
- 'crud_alerts',
 'endpoint_list_all',
 'global_artifact_management_all',
 'trusted_applications_all',
@@ -37,6 +35,7 @@ export const getT3Analyst: () => Omit = () => {
 'scan_operations_all',
 'workflow_insights_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts
index cec7588fe1d7b..172281a785c33 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/threat_intelligence_analyst.ts
@@ -17,13 +17,14 @@ export const getThreatIntelligenceAnalyst: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'blocklist_all',
 'global_artifact_management_all',
 'endpoint_exceptions_all',
 'actions_log_management_read',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts
index ebbc7016112dc..1fec4b0e6b440 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_artifact_read_privileges_role.ts
@@ -17,7 +17,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () =>
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
+ siemV5: [
 'all',
 'blocklist_read',
 'trusted_applications_read',
@@ -26,6 +26,7 @@ export const getWithArtifactReadPrivilegesRole: () => Omit = () =>
 'event_filters_read',
 'endpoint_exceptions_read',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts
index 27f99fb931cb4..a100b6d14f714 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/with_response_actions_role.ts
@@ -17,8 +17,8 @@ export const getWithResponseActionsRole: () => Omit = () => {
 ...noResponseActionsRole.kibana[0],
 feature: {
 ...noResponseActionsRole.kibana[0].feature,
- siemV4: [
- ...noResponseActionsRole.kibana[0].feature.siemV4,
+ siemV5: [
+ ...noResponseActionsRole.kibana[0].feature.siemV5,
 'file_operations_all',
 'execute_operations_all',
 'scan_operations_all',
@@ -27,6 +27,7 @@ export const getWithResponseActionsRole: () => Omit = () => {
 'actions_log_management_all',
 'actions_log_management_read',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts
index 3f62b9b015053..83ad00ecaad2f 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/without_response_actions_role.ts
@@ -42,7 +42,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({
 osquery: ['all'],
 savedObjectsManagement: ['all'],
 savedObjectsTagging: ['all'],
- siemV4: [
+ siemV5: [
 'all',
 'endpoint_list_all',
 'trusted_applications_all',
@@ -53,6 +53,7 @@ export const getNoResponseActionsRole: () => Omit = () => ({
 'endpoint_exceptions_all',
 'policy_management_all',
 ],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 stackAlerts: ['all'],
diff --git a/x-pack/solutions/security/test/session_view/basic/tests/index.ts b/x-pack/solutions/security/test/session_view/basic/tests/index.ts
index bb75968988454..b7ced36dd0573 100644
--- a/x-pack/solutions/security/test/session_view/basic/tests/index.ts
+++ b/x-pack/solutions/security/test/session_view/basic/tests/index.ts
@@ -57,7 +57,8 @@ export const securitySolutionOnlyReadSpacesAll: Role = {
 kibana: [
 {
 feature: {
- siemV4: ['read'],
+ siemV5: ['read'],
+ securitySolutionRulesV1: ['read'],
 },
 spaces: ['*'],
 },
From ac4378d94b24011655f89df3928edc8051f7acf4 Mon Sep 17 00:00:00 2001
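Review bot: Granting `securitySolutionRulesV1: ['all']` inside `getNoResponseActionsRole` turns it into the default for every role that spreads `...noResponseActionsRole.kibana[0].feature`, so the identical `['all']` lines added after the spread in detections_admin, hunter, platform_engineer, rule_author, soc_manager, t3_analyst, threat_intelligence_analyst, with_artifact_read_privileges_role and with_response_actions_role are now redundant. The more important consequence runs the other way: a role that is meant to be rules read-only silently inherits `all` unless it overrides after the spread, as t1_analyst and t2_analyst do. Either keep the base role free of the rules privilege so every role states its own grant, or mark the line here with `// inherited by every role built on this one; read-only roles must override with ['read']`. `getNoResponseActionsRole` starts before this hunk.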
From: Ryland Herrick Date: Fri, 5 Dec 2025 11:25:39 -0600 Subject: [PATCH 2/3] Endpoint Operations Analyst can only read rules. Reference: https://docs.google.com/spreadsheets/d/16aGow187AunLCBFZLlbVyS81iQNuMpNxd96LOerWj4c
--- .../src/serverless_resources/project_roles/security/roles.yml | 2 +- .../lib/kibana_roles/project_controller_security_roles.yml | 2 +- .../endpoint/common/roles_users/endpoint_operations_analyst.ts | 2 +- .../roles_users/serverless/es_serverless_resources/roles.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
index 638b17f5626ac..bde0e90a39cc8 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
@@ -837,7 +837,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.all
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
index b5d480fa3400b..640f02b0fbc63 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
+++ b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
@@ -791,7 +791,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all # Execute
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.all
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
index abe75262b80af..b675f61c329ab 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
@@ -78,7 +78,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => {
 'scan_operations_all',
 'workflow_insights_all',
 ],
- securitySolutionRulesV1: ['all'],
+ securitySolutionRulesV1: ['read'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
index 4cc1c9eb66293..a93ee933802cb 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
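Review bot: The rationale for narrowing `securitySolutionRulesV1` to `['read']` in getEndpointOperationsAnalyst lives only in the commit message (a spreadsheet link), while the role keeps the `scan_operations_all` and `workflow_insights_all` siemV5 privileges visible just above, so a reader of the file cannot tell whether the asymmetry is deliberate. A short comment at the changed line, e.g. `// rules are read-only for this role; see the role privilege matrix referenced in the commit`, would carry that intent into the code, which matters because the same role is duplicated in the two roles.yml files and in project_controller_security_roles.yml and all four must move in lockstep. Any test that authenticates as this role and creates or updates rules will start failing with this change; the follow-up revert on this page suggests that may not have been checked beforehand. The role object continues outside the hunk.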
@@ -827,7 +827,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all # Execute
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.all
+ - feature_securitySolutionRulesV1.read
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
From 2729b57584b8126a6c387da69e332714246a6578 Mon Sep 17 00:00:00 2001
From: Ryland Herrick
Date: Tue, 9 Dec 2025 14:08:17 -0600
Subject: [PATCH 3/3] Revert "Endpoint Operations Analyst can only read rules."

This reverts commit ac4378d94b24011655f89df3928edc8051f7acf4.

Testing to see whether this change is what's causing our current CI failures.

---
 .../src/serverless_resources/project_roles/security/roles.yml | 2 +-
 .../lib/kibana_roles/project_controller_security_roles.yml | 2 +-
 .../endpoint/common/roles_users/endpoint_operations_analyst.ts | 2 +-
 .../roles_users/serverless/es_serverless_resources/roles.yml | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
index bde0e90a39cc8..638b17f5626ac 100644
--- a/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
+++ b/src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml
@@ -837,7 +837,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.read
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCasesV2.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
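Review bot: Restoring `feature_securitySolutionRulesV1.all` for endpoint_operations_analyst leaves no trace in the file that `read` was the intended privilege (patch 2's subject says the role "can only read rules"), so once the series lands the broader grant reads as deliberate. If the CI failures turn out to be unrelated, the narrowing should be reapplied rather than left as a pair of cancelling commits; until that is settled, a marker at the restored line such as `# TODO: intended to be .read per the role matrix; reverted pending CI investigation` keeps the intent visible to the next person editing the role. The same point applies to the three remaining hunks of this commit (project_controller_security_roles.yml, endpoint_operations_analyst.ts and the serverless roles.yml).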
diff --git a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
index 640f02b0fbc63..b5d480fa3400b 100644
--- a/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
+++ b/x-pack/platform/plugins/shared/osquery/cypress/lib/kibana_roles/project_controller_security_roles.yml
@@ -791,7 +791,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all # Execute
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.read
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
index b675f61c329ab..abe75262b80af 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/endpoint_operations_analyst.ts
@@ -78,7 +78,7 @@ export const getEndpointOperationsAnalyst: () => Omit = () => {
 'scan_operations_all',
 'workflow_insights_all',
 ],
- securitySolutionRulesV1: ['read'],
+ securitySolutionRulesV1: ['all'],
 securitySolutionTimeline: ['all'],
 securitySolutionNotes: ['all'],
 },
diff --git a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
index a93ee933802cb..4cc1c9eb66293 100644
--- a/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
+++ b/x-pack/solutions/security/plugins/security_solution/scripts/endpoint/common/roles_users/serverless/es_serverless_resources/roles.yml
@@ -827,7 +827,7 @@ endpoint_operations_analyst:
 - feature_siemV5.execute_operations_all # Execute
 - feature_siemV5.scan_operations_all
 - feature_siemV5.workflow_insights_all
- - feature_securitySolutionRulesV1.read
+ - feature_securitySolutionRulesV1.all
 - feature_securitySolutionCases.all
 - feature_securitySolutionAssistant.all
 - feature_securitySolutionAttackDiscovery.all