[Security Solution] Error When Assigning an Alert #202051

Open
pborgonovi opened this issue Nov 27, 2024 · 3 comments
Labels
  • bug: Fixes for quality problems that affect the customer experience
  • Feature:Detection Alerts/Rules RBAC: Security Solution RBAC for rules and alerts
  • impact:medium: Addressing this issue will have a medium level of impact on the quality/strength of our product.
  • Team:Detection Engine: Security Solution Detection Engine Area
  • Team:Detections and Resp: Security Detection Response Team
  • Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@pborgonovi

Describe the bug:

When users with maintenance, write, read, and view_index_metadata privileges for the indices .alerts-security.alerts-* and .internal.alerts-security.alerts-* and Read access to Security in Kibana select an alert in the Alerts Table or the Alert Detail Flyout and try to assign the alert to a user, the system shows two messages:

  1. “Successfully updated assignees for 1 alert.”
     • This message indicates the assignment was processed successfully.
  2. “Failed to find users”
     • This message shows an error related to the API call:
       API [POST /internal/security/user_profile/_bulk_get] is unauthorized for user, this action is granted by the Kibana privileges [bulkGetUserProfiles] (403)

Despite the success message, the assignment does not seem to work properly.

Kibana/Elasticsearch Stack version:

8.17

Server OS version:

Browser and Browser OS versions:

Elastic Endpoint version:

Original install method (e.g. download page, yum, from source, etc.):

Functional Area (e.g. Endpoint management, timelines, resolver, etc.):

Pre requisites:

Create a new role in Kibana with the following settings:

  1. Index Privileges:
     • Privileges: read, write, maintenance, view_index_metadata
  2. Kibana Privileges:
     • Feature Privileges:
       Security: Read Access Only

Steps to reproduce:

  1. Create a user and assign it to the custom role
  2. Login with the new user
  3. Navigate to the Alerts Table or open the Alert Detail Flyout.
  4. Select an alert.
  5. Attempt to assign the alert to a user.
  6. Observe the messages displayed by the system.

Current behavior:

  • The system displays two conflicting messages:
  1. A success message indicating the alert was assigned.
  2. An error message indicating the user does not have the necessary privileges to retrieve user profiles.

Expected behavior:

  • The system should assign the alert without errors, provided the user has sufficient privileges.
  • If the user lacks the necessary privileges, the system should display a single, clear error message explaining the issue.

Screenshots (if relevant):

Screen.Recording.2024-11-27.at.10.09.43.AM.mov
Screen.Recording.2024-11-27.at.10.11.22.AM.mov

Image

Errors in browser console (if relevant):

{
    "statusCode": 403,
    "error": "Forbidden",
    "message": "API [POST /internal/security/user_profile/_bulk_get] is unauthorized for user, this action is granted by the Kibana privileges [bulkGetUserProfiles]"
}

Provide logs and/or server output (if relevant):

Any additional context (logs, chat logs, magical formulas, etc.):

@pborgonovi pborgonovi added bug Fixes for quality problems that affect the customer experience impact:medium Addressing this issue will have a medium level of impact on the quality/strength of our product. Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team triage_needed labels Nov 27, 2024
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

Pinging @elastic/security-detection-engine (Team:Detection Engine)

@elasticmachine

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@yctercero yctercero added Feature:Detection Alerts/Rules RBAC Security Solution RBAC for rules and alerts and removed triage_needed labels Jan 3, 2025
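Added example (not part of the issue, nor Kibana's own code): a small triage helper for the behaviour reported above. It builds the role body that reproduces the prerequisites (for the Kibana role API, PUT /api/security/role/<name>, to be sent by an admin user), parses a Kibana 403 response of the shape quoted in the issue so the missing Kibana privilege names are surfaced instead of being hidden behind the separate "Successfully updated assignees" toast, and offers a preflight call against POST /internal/security/user_profile/_bulk_get as the test user. The Security feature id "siem", the _bulk_get request body ({"uids": [...]}) and the kbn-xsrf / x-elastic-internal-origin headers are assumptions about Kibana 8.x, not facts stated in the issue; the sample 403 body is the one quoted in the issue.

```python
"""Triage helper for the alert-assignment 403 described in the issue.

Added example; it is not the issue author's code and not Kibana's.
Assumptions (not stated in the issue): the Security app's Kibana feature
id is "siem", the _bulk_get body is {"uids": [...]}, and internal routes
accept the kbn-xsrf and x-elastic-internal-origin headers used below.
"""
import json
import re
import urllib.error
import urllib.request
from base64 import b64encode
from typing import List, Optional, Tuple

# Index patterns and index privileges exactly as listed in the prerequisites.
ALERT_INDICES = [".alerts-security.alerts-*", ".internal.alerts-security.alerts-*"]
INDEX_PRIVILEGES = ["read", "write", "maintenance", "view_index_metadata"]

# Shape of the Kibana authorization error quoted in the issue:
# "API [POST /path] is unauthorized for user, this action is granted by the
#  Kibana privileges [priv1, priv2]"
_PRIV_RE = re.compile(
    r"API \[(?P<method>[A-Z]+) (?P<path>\S+)\] is unauthorized for user, "
    r"this action is granted by the Kibana privileges \[(?P<privs>[^\]]*)\]"
)

# Constructed sample: the browser-console body quoted in the issue.
SAMPLE_403 = json.dumps({
    "statusCode": 403,
    "error": "Forbidden",
    "message": "API [POST /internal/security/user_profile/_bulk_get] is "
               "unauthorized for user, this action is granted by the Kibana "
               "privileges [bulkGetUserProfiles]",
})


def build_role_body(space: str = "*") -> dict:
    """Role body matching the issue's prerequisites: the four index
    privileges on both alert index patterns and read-only Security access.
    Feature id "siem" is an assumption."""
    return {
        "elasticsearch": {
            "cluster": [],
            "indices": [{"names": ALERT_INDICES, "privileges": INDEX_PRIVILEGES}],
        },
        "kibana": [{"base": [], "feature": {"siem": ["read"]}, "spaces": [space]}],
    }


def missing_kibana_privileges(status: int, body: str) -> Optional[List[str]]:
    """Classify a Kibana API response.

    Returns None when the call was authorised (status != 403), the list of
    Kibana privilege names named in a privilege-gap 403, or [] for a 403
    whose message does not follow that pattern."""
    if status != 403:
        return None
    try:
        message = json.loads(body).get("message", "")
    except ValueError:
        message = body  # non-JSON error page; try the raw text
    match = _PRIV_RE.search(message)
    if not match:
        return []
    return [p.strip() for p in match.group("privs").split(",") if p.strip()]


def preflight_bulk_get(kibana_url: str, username: str, password: str,
                       uids: List[str]) -> Tuple[int, Optional[List[str]]]:
    """Call the endpoint from the issue as the test user and return
    (HTTP status, missing privileges). Needs a reachable Kibana, so it is
    not executed by the module itself."""
    auth = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"{kibana_url.rstrip('/')}/internal/security/user_profile/_bulk_get",
        data=json.dumps({"uids": uids}).encode(),  # body shape is an assumption
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",
            "x-elastic-internal-origin": "Kibana",  # assumed internal-route header
            "Authorization": "Basic " + auth,
        },
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, missing_kibana_privileges(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, missing_kibana_privileges(err.code, err.read().decode())


if __name__ == "__main__":
    print(json.dumps(build_role_body(), indent=2))
    print("missing privileges:", missing_kibana_privileges(403, SAMPLE_403))
```

Run it with a reachable stack by calling preflight_bulk_get("https://kibana.example:5601", "testuser", "secret", ["<profile uid>"]) as the custom-role user; a result of (403, ["bulkGetUserProfiles"]) reproduces the second message from the issue independently of the alert update, which is why the UI can show a success toast and a failure toast for the same action.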