[Security Solution] Error When Assigning an Alert #202051
Comments
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Few observations:

Why does this happen? User was configured with read only Security Feature, that covers only first API, that's why we see error.

However I propose to include
…ege to Security Feature (#211824)

## Summary

- addresses #202051

Few observations, based on ticket [description](#202051):

1. User can update assignees in alert (i.e. update any alert details, which is handled by **SecuritySolution** priv)
2. User can see suggested users in searchbox
3. User **cannot** see assignees details (name, avatar) in alerts table column and alerts flyout (that's where error toast originates from)

Why does this happen? 2 different APIs are used to show users in searchbox and user details in alerts table column:

1. API to show users in searchbox: [/internal/detection_engine/users/_find](https://github.com/elastic/kibana/blob/8.18/x-pack/solutions/security/plugins/security_solution/server/lib/detection_engine/routes/users/suggest_user_profiles_route.ts#L24). It requires `securitySolution` privilege.
2. API for alerts table cell: [/internal/security/user_profile/_bulk_get](https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/security/server/routes/user_profile/bulk_get.ts#L20). It requires `bulkGetUserProfiles` privilege.

User was configured with read only Security Feature, that covers only first API, that's why we see error:

> API [POST /internal/security/user_profile/_bulk_get] is unauthorized for user, this action is granted by the Kibana privileges [bulkGetUserProfiles] (403)

However `bulkGetUserProfiles` is covered by `Cases` feature already. If Cases access is set to read, user would be able to see assignees details through `/internal/security/user_profile/_bulk_get` API. It happens because cases API tags include `bulkGetUserProfiles` privilege: https://github.com/elastic/kibana/blob/8.18/x-pack/platform/plugins/shared/cases/common/utils/api_tags.ts#L32, https://github.com/elastic/kibana/blob/8.18/x-pack/solutions/security/packages/features/src/cases/types.ts#L7

This PR includes `bulkGetUserProfiles` privilege in Security Feature: #211824, since it's already present in Cases feature, and user profiles are available through Security Solution `/internal/detection_engine/users/_find` API.
Backport commit messages (same text as above, with `elastic#` issue references), each ending:

(cherry picked from commit 847be91)

One backport additionally notes conflicts in `x-pack/test_serverless/api_integration/test_suites/security/platform_security/authorization.ts`.
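The commit message above describes one UI action (assigning an alert) that fans out to two endpoints gated by two different API tags, so a role holding only the Security read privilege can start the action but not finish it. The following is an added example, not Kibana's code: a small model of feature privileges that grant API tags, a check that flags such "split" flows for a given role, and the registry change that mirrors the fix. Feature ids, privilege levels and the `securitySolution` / `bulkGetUserProfiles` tags echo the issue; the registry shape and the `casesRead` / `casesAll` tags are assumptions made for the example. It generalizes the issue slightly by checking any flow, not just alert assignment.

```typescript
// Added example (not Kibana's own code): a model of feature privileges that
// grant API tags, and a check for UI flows whose endpoints are gated by tags a
// role holds only in part. Feature ids and the `securitySolution` /
// `bulkGetUserProfiles` tags echo the issue; the registry shape and the
// `casesRead` / `casesAll` tags are assumptions for this example.

type ApiTag = string;
type Level = "read" | "all";
type FeatureRegistry = Record<string, Record<Level, ApiTag[]>>;
type Role = Record<string, Level>; // feature id -> granted level

interface FlowEndpoint {
  path: string;
  requiredTag: ApiTag;
}

// Registry as the issue describes it: the Security feature grants only the
// `securitySolution` tag, while Cases also grants `bulkGetUserProfiles`.
const REGISTRY_BEFORE: FeatureRegistry = {
  securitySolution: { read: ["securitySolution"], all: ["securitySolution"] },
  cases: {
    read: ["casesRead", "bulkGetUserProfiles"],
    all: ["casesRead", "casesAll", "bulkGetUserProfiles"],
  },
};

// The two calls the alert-assignment UI makes, and the tag each requires.
const ASSIGN_ALERT_FLOW: FlowEndpoint[] = [
  { path: "POST /internal/detection_engine/users/_find", requiredTag: "securitySolution" },
  { path: "POST /internal/security/user_profile/_bulk_get", requiredTag: "bulkGetUserProfiles" },
];

// Union of the API tags a role is granted across all of its feature privileges.
function grantedTags(registry: FeatureRegistry, role: Role): ApiTag[] {
  const tags: ApiTag[] = [];
  for (const feature of Object.keys(role)) {
    const levels = registry[feature];
    if (!levels) continue; // a feature the registry does not know grants nothing
    for (const tag of levels[role[feature]]) {
      if (tags.indexOf(tag) === -1) tags.push(tag);
    }
  }
  return tags;
}

// Paths in a flow that the role cannot call; each of these would answer 403.
function unauthorizedEndpoints(registry: FeatureRegistry, role: Role, flow: FlowEndpoint[]): string[] {
  const tags = grantedTags(registry, role);
  return flow.filter((e) => tags.indexOf(e.requiredTag) === -1).map((e) => e.path);
}

// Split authorization: the role can start the flow (some calls allowed) but
// cannot finish it (others denied). That is the shape of the bug in the issue.
function isSplitAuthorization(registry: FeatureRegistry, role: Role, flow: FlowEndpoint[]): boolean {
  const denied = unauthorizedEndpoints(registry, role, flow).length;
  return denied > 0 && denied < flow.length;
}

// Copy of the registry with `tag` added to every level of `feature`, mirroring
// the fix of including `bulkGetUserProfiles` in the Security feature. The input
// registry is left untouched.
function grantTagToFeature(registry: FeatureRegistry, feature: string, tag: ApiTag): FeatureRegistry {
  const out: FeatureRegistry = {};
  for (const featureName of Object.keys(registry)) {
    const levels = registry[featureName];
    const add = (list: ApiTag[]): ApiTag[] =>
      featureName === feature && list.indexOf(tag) === -1 ? [...list, tag] : [...list];
    out[featureName] = { read: add(levels.read), all: add(levels.all) };
  }
  return out;
}

// Stand-alone demonstration of the before/after states for a read-only Security role.
const readOnlySecurity: Role = { securitySolution: "read" };
console.log("before:", unauthorizedEndpoints(REGISTRY_BEFORE, readOnlySecurity, ASSIGN_ALERT_FLOW));
const REGISTRY_AFTER = grantTagToFeature(REGISTRY_BEFORE, "securitySolution", "bulkGetUserProfiles");
console.log("after:", unauthorizedEndpoints(REGISTRY_AFTER, readOnlySecurity, ASSIGN_ALERT_FLOW));
```

Running it prints the `_bulk_get` path as denied before the change and an empty list after it; a role that also holds Cases read passes even against the original registry, which is the observation the commit message makes. The same check can be pointed at any multi-endpoint UI flow to catch a privilege set that authorizes it only halfway.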
addressed in #211824
Describe the bug:

When users with `maintenance`, `write`, `read`, and `view_index_metadata` privileges for the indices `.alerts-security.alerts-*` and `.internal.alerts-security.alerts-*` and Read access to Security in Kibana select an alert in the Alerts Table or the Alert Detail Flyout and try to assign the alert to a user, the system shows two messages:

> API [POST /internal/security/user_profile/_bulk_get] is unauthorized for user, this action is granted by the Kibana privileges [bulkGetUserProfiles] (403)

Despite the success message, the assignment does not seem to work properly.
Kibana/Elasticsearch Stack version:
8.17
Server OS version:
Browser and Browser OS versions:
Elastic Endpoint version:
Original install method (e.g. download page, yum, from source, etc.):
Functional Area (e.g. Endpoint management, timelines, resolver, etc.):
Prerequisites:
Create a new role in Kibana with the following settings:
Security: Read Access Only
Steps to reproduce:
Current behavior:
Expected behavior:
Screenshots (if relevant):
Screen.Recording.2024-11-27.at.10.09.43.AM.mov
Screen.Recording.2024-11-27.at.10.11.22.AM.mov
Errors in browser console (if relevant):
Provide logs and/or server output (if relevant):
Any additional context (logs, chat logs, magical formulas, etc.):