
[Detection Engine] Improve index access warning message #213457

Open
yctercero opened this issue Mar 6, 2025 · 3 comments
Labels: Feature:Detection Rules (Security Solution rules and Detection Engine), Team:Detection Engine (Security Solution Detection Engine Area), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)

Comments

yctercero (Contributor) commented Mar 6, 2025

Summary

In response to feedback, we are looking to improve the warning message we show users when they do not have access to all the indices specified by a rule index pattern.

As an example, if a rule has an index pattern of filebeat-* and the user has a role which excludes some indices from filebeat-*, we show the following error:

[screenshot of the current warning message]

The feedback from users was that this gives the impression that there is something wrong, like maybe no indices were queried within filebeat-*. We discussed doing 2 things:

  • Modifying the language to specify that indices were queried, but a subset of the pattern may not have been if the user was not assigned access
  • Add a command that the user can run in dev tools, if they would like to understand what indices they have privileges to
yctercero added the labels Feature:Detection Rules, Team: SecuritySolution and Team:Detection Engine on Mar 6, 2025

elasticmachine (Contributor) commented

Pinging @elastic/security-detection-engine (Team:Detection Engine)

elasticmachine (Contributor) commented

Pinging @elastic/security-solution (Team: SecuritySolution)

yctercero (Contributor, Author) commented

@nastasha-solomon @approksiu @ARWNightingale could we get help with figuring out the wording here? What we want to communicate is that we searched all indices to which the user had permissions, but that there may be some indices within the indicated pattern that the user does not have access to and were not searched.
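The subset check this thread is talking about, as an added example that is not part of the issue, the Kibana code base or Elasticsearch itself: given a rule's index pattern and the calling user's role grants, work out which concrete indices the rule could actually read, build the Dev Tools request that verifies this against a live cluster, and produce a warning worded the way the issue proposes. The role grants are assumed to be in the shape returned by GET _security/user/_privileges, the verification body targets POST _security/user/_has_privileges, and the list of indices in the cluster is constructed inline, so the script runs offline.

```python
"""Added example, not Kibana or Elasticsearch code: which concrete indices
behind a rule's index pattern does the current user's role let the rule
read, and how should the warning be worded?

Assumptions (not from the issue): the role grants below are in the shape
of the `indices` section returned by `GET _security/user/_privileges`;
CLUSTER_INDICES is a constructed stand-in for what exists in the cluster;
`has_privileges_body` targets `POST _security/user/_has_privileges`.
"""
import re

# Constructed: the caller's own grants. The role was written to grant only
# the 8.12 filebeat indices, so a rule on filebeat-* silently misses the
# legacy 7.17 index.
USER_PRIVILEGES = {
    "indices": [
        {"names": ["filebeat-8.12*"], "privileges": ["read", "view_index_metadata"]},
        {"names": ["logs-endpoint.*"], "privileges": ["read"]},
    ]
}

# Constructed: concrete indices present in the cluster.
CLUSTER_INDICES = [
    "filebeat-8.12.0-2025.03.01",
    "filebeat-8.12.0-2025.03.02",
    "filebeat-7.17.0-2025.03.03",
    "logs-endpoint.events.process-default",
]


def pattern_to_regex(pattern):
    """Elasticsearch index patterns use only `*` as a wildcard; every other
    character is literal, so escape it instead of using fnmatch (which would
    also interpret `?` and `[`)."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def matching_indices(pattern, indices):
    """Concrete indices that an index pattern expands to (order preserved)."""
    rx = pattern_to_regex(pattern)
    return [name for name in indices if rx.match(name)]


def granted_indices(privileges, indices, privilege="read"):
    """Indices on which at least one grant carries `privilege`."""
    out = set()
    for grant in privileges["indices"]:
        if privilege not in grant["privileges"]:
            continue
        for name in grant["names"]:
            out.update(matching_indices(name, indices))
    return out


def rule_index_access(rule_pattern, privileges, indices, privilege="read"):
    """Split the rule pattern's concrete indices into (searched, skipped)."""
    in_pattern = matching_indices(rule_pattern, indices)
    readable = granted_indices(privileges, in_pattern, privilege)
    searched = sorted(n for n in in_pattern if n in readable)
    skipped = sorted(n for n in in_pattern if n not in readable)
    return searched, skipped


def has_privileges_body(indices, privilege="read"):
    """Body for POST _security/user/_has_privileges. Listing concrete names
    rather than the pattern makes the response report each index on its
    own instead of a single yes/no for the whole pattern."""
    return {"index": [{"names": sorted(indices), "privileges": [privilege]}]}


def access_warning(rule_pattern, searched, skipped):
    """Wording in the spirit of the issue: state that the accessible indices
    were searched, that others in the pattern may not have been, and how to
    check. The skipped indices are deliberately not named: naming them would
    tell a user who was denied access that they exist."""
    if not skipped:
        return None
    return (
        f"This rule searched the {len(searched)} indices matching {rule_pattern} "
        f"that your role grants read access to. Other indices matching this "
        f"pattern may not have been searched because your role does not grant "
        f"access to them. Run GET _security/user/_privileges in Dev Tools to see "
        f"which index patterns you can read."
    )


if __name__ == "__main__":
    searched, skipped = rule_index_access("filebeat-*", USER_PRIVILEGES, CLUSTER_INDICES)
    print("searched:", searched)
    print("skipped: ", skipped)
    print("verify with:", has_privileges_body(skipped))
    print(access_warning("filebeat-*", searched, skipped))
```

The skipped list can only be computed by someone who can see every index in the cluster; Kibana querying Elasticsearch as the signed-in user only ever gets the wildcard expanded to the indices that user is authorized for, which is why the user-facing message has to say "may not have been searched" rather than give a count or a list. An analyst who wants the concrete answer for their own account can paste the body from `has_privileges_body` into POST _security/user/_has_privileges in Dev Tools and read the per-index `read` flags in the response.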
