Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Alerting][Enhancement] Allow configuration of the user/role that alerts are written on behalf of #166566

Open
spong opened this issue Sep 15, 2023 · 1 comment
Open

[Alerting][Enhancement] Allow configuration of the user/role that alerts are written on behalf of #166566

spong opened this issue Sep 15, 2023 · 1 comment
Labels
enhancement New value added to drive a business result Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting sdh-linked Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@spong
Copy link
Member

spong commented Sep 15, 2023
edited
Loading

This enhancement request is the result of a recent support ticket (https://github.com/elastic/sdh-security-team/issues/720#issuecomment-1721665672) where the user wants to leverage ingest pipelines on the alerts index to re-route alerts to a custom index. This worked in 7.x in the previous Security Solution implementation as it would write alerts on behalf of the current user, however now in 8.x we're writing alerts on behalf of the kibana_system user, which is immutable, and so cannot be updated to write to custom indices.

With the ingest pipeline below configured on the alerts index, rules will fail when writing alerts as the kibana_system user will not have the adequate write privileges:

  "re-route-alerts-pipeline" : {
    "description" : "Pipeline that re-routes alerts to a custom index",
    "processors" : [
      {
        "set" : {
          "field" : "_index",
          "value" : "custom-alerts-index"
        }
      }
    ],
    "version" : 100
  },

In this instance a logstash solution was not feasible, and there were performance concerns with regards to leveraging an index action on all rules. Adding some sort configuration like this to ensure the functionality of ingest pipelines like the above would work with the user's current workflow, but additional options for achieving this result can be considered.

Note: the current workaround here is to create a custom index that the kibana_system user can write to, which ends up being a Kibana System Index e.g. .alerts-alternate-alias. Users should not be creating and managing their own Kibana System Indices, but this is the only workaround at the moment.
@spong spong added enhancement New value added to drive a business result Feature:Alerting Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework sdh-linked labels Sep 15, 2023
@elasticmachine
Copy link
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@ersin-erdal ersin-erdal moved this from Awaiting Triage to Todo in AppEx: ResponseOps - Execution & Connectors Sep 21, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New value added to drive a business result Feature:Alerting/RulesFramework Issues related to the Alerting Rules Framework Feature:Alerting sdh-linked Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)
Projects
No open projects
AppEx: ResponseOps - Execution & Connectors
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
3 participants
@spong @mikecote @elasticmachine