Detections privileges

Learn about the access requirements for detection features, including:

  • Privilege requirements: Cluster, index, and Kibana privileges that your role needs to enable detections, manage rules, and more
  • Predefined roles: Elastic Cloud Serverless roles with detection privileges
  • Authorization model: How detection rules use API keys to run background tasks

For instructions on turning on the detections feature, refer to Turn on detections.

When you create custom roles for detection features, you need to grant access to system indices whose names include your space ID (<space-id>). For example, the default space uses .alerts-security.alerts-default. Detection features use the .alerts-security.alerts-<space-id> index; if you upgraded from version 8.0 or earlier, you might also need privileges on the legacy .siem-signals-<space-id> index. Refer to the following details to understand which system indices your role requires access to.

Required to initialize the detection engine in a Kibana space.

Cluster privileges: manage
Index privileges: manage, write, read, view_index_metadata on:
  • .alerts-security.alerts-<space-id>
  • .siem-signals-<space-id> (only if you upgraded from version 8.0 or earlier)
  • .lists-<space-id>
  • .items-<space-id>
Kibana privileges:
  • All for the Rules, Alerts, and Exceptions feature
  • All for the Security feature

Cluster privileges: None
Index privileges: read on:
  • .preview.alerts-security.alerts-<space-id>
  • .internal.preview.alerts-security.alerts-<space-id>-*
Kibana privileges:
  • All for the Rules, Alerts, and Exceptions feature
  • All for the Security feature

Cluster privileges: None
Index privileges: manage, write, read, view_index_metadata on:
  • .alerts-security.alerts-<space-id>
  • .siem-signals-<space-id> (only if you upgraded from version 8.0 or earlier)
  • .lists-<space-id>
  • .items-<space-id>
Kibana privileges:
  • All for the Rules, Alerts, and Exceptions feature
  • All for the Security feature
Note

To manage rules with actions and connectors, you need additional privileges for the Actions and Connectors feature (Management > Actions and Connectors):

  • All: Provides full access to rule actions and connectors.
  • Read: Allows you to edit rule actions and use existing connectors, but you cannot create new connectors.

To import rules with actions, you need at least Read privileges. To overwrite or add new connectors during import, you need All privileges.

Allows you to manage alerts without modifying rules.

Cluster privileges: None
Index privileges: maintenance, write, read, view_index_metadata on:
  • .alerts-security.alerts-<space-id>
  • .internal.alerts-security.alerts-<space-id>-*
  • .siem-signals-<space-id> (only if you upgraded from version 8.0 or earlier)
  • .lists-<space-id>
  • .items-<space-id>
Kibana privileges:
  • All for the Rules, Alerts, and Exceptions feature
  • All for the Security feature
Note

Alerts are managed through Elasticsearch index privileges. To view alert management flows, you need at least Read for the Rules, Alerts, and Exceptions feature.
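The following is an added example, not Elastic's own code: it builds Kibana role bodies (the PUT /api/security/role body format) for the manage-rules and manage-alerts privilege sets listed above, and audits a role against a required set so you can see that the alert-management set cannot satisfy rule management (maintenance instead of manage). The Kibana feature IDs are placeholders; confirm them on your deployment.

```python
"""Added example (not Elastic's code): build Kibana role bodies for the manage-rules
and manage-alerts privilege sets above, and audit a role against a required set."""

MANAGE_RULES_PRIVS = ["manage", "write", "read", "view_index_metadata"]
MANAGE_ALERTS_PRIVS = ["maintenance", "write", "read", "view_index_metadata"]
# Kibana feature IDs vary by version; placeholders (assumption). Check GET /api/features.
SECURITY_FEATURE = "<security-feature-id>"
RULES_ALERTS_EXCEPTIONS_FEATURE = "<rules-alerts-exceptions-feature-id>"

def detection_indices(space_id, legacy_siem_signals=False, internal_alerts=False):
    """System indices for one space; legacy/internal names only when needed."""
    names = [f".alerts-security.alerts-{space_id}"]
    if internal_alerts:  # needed by the manage-alerts set only
        names.append(f".internal.alerts-security.alerts-{space_id}-*")
    if legacy_siem_signals:  # only if upgraded from version 8.0 or earlier
        names.append(f".siem-signals-{space_id}")
    return names + [f".lists-{space_id}", f".items-{space_id}"]

def role_body(space_id, names, index_privileges, cluster=()):
    """Body for PUT /api/security/role/<name>; Kibana privileges scoped to the space."""
    return {
        "elasticsearch": {"cluster": list(cluster),
                          "indices": [{"names": names, "privileges": index_privileges}]},
        "kibana": [{"spaces": [space_id],
                    "feature": {SECURITY_FEATURE: ["all"],
                                RULES_ALERTS_EXCEPTIONS_FEATURE: ["all"]}}],
    }

def manage_rules_role(space_id, legacy_siem_signals=False):
    names = detection_indices(space_id, legacy_siem_signals)
    return role_body(space_id, names, MANAGE_RULES_PRIVS)

def manage_alerts_role(space_id, legacy_siem_signals=False):
    names = detection_indices(space_id, legacy_siem_signals, internal_alerts=True)
    return role_body(space_id, names, MANAGE_ALERTS_PRIVS)

def missing_index_privileges(role, required_names, required_privs):
    """Map each required index to the privileges the role lacks on it.
    Index names are matched literally; wildcard patterns are not expanded."""
    missing = {}
    for name in required_names:
        granted = set()
        for entry in role["elasticsearch"]["indices"]:
            if name in entry["names"]:
                granted.update(entry["privileges"])
        lacking = [p for p in required_privs if p not in granted]
        if lacking:
            missing[name] = lacking
    return missing
```

Because the audit matches names literally, a role that grants privileges through a wildcard pattern such as .alerts-security.alerts-* will be reported as missing; expand or list the concrete index names before auditing.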

Before a user can be assigned to a case, they must log into Kibana at least once to create a user profile.

Cluster privileges: None
Index privileges: None
Kibana privileges:
  • All for the Rules, Alerts, and Exceptions feature
  • All for the Security feature

Cluster privileges: manage
Index privileges: manage, write, read, view_index_metadata on:
  • .lists-<space-id>
  • .items-<space-id>
Kibana privileges:
  • All for the Rules and Saved Objects Management features
  • All for the Security feature
Important

To create the .lists and .items data streams in your space, visit the Rules page for each appropriate space.

Elastic Cloud Serverless includes predefined roles with detection privileges:

Action                                      | Roles with access
--------------------------------------------|------------------
Manage rules                                | Threat Intelligence Analyst, Tier 3 Analyst, Detections Eng, SOC Manager, Endpoint Policy Manager, Platform Engineer, Editor
View rules (read only)                      | Tier 1 Analyst, Tier 2 Analyst, Viewer, Endpoint Operations Analyst
Manage alerts                               | All roles except Viewer
Manage exceptions and value lists           | Threat Intelligence Analyst, Tier 3 Analyst, Detections Eng, SOC Manager, Endpoint Policy Manager, Platform Engineer, Editor
View exceptions and value lists (read only) | Tier 1 Analyst, Tier 2 Analyst, Viewer, Endpoint Operations Analyst

Detection rules, including all background detection checks and the actions they generate, are authorized using an API key associated with the last user to edit the rule. When a rule is created or modified, an API key is generated that captures a snapshot of that user's privileges. This API key is used to run all background tasks associated with the rule, including detection checks and executing actions.

Important

If a rule requires certain privileges to run (such as index privileges), and a user without those privileges updates the rule, the rule will no longer function.
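An added toy model of the authorization behaviour described above (not Kibana code): each save snapshots the editing user's index privileges into an API key, background runs are authorized by that key alone, and a save by a user who lacks read on the rule's source index leaves the rule unable to run. The privilege sets and index names in scenario() are constructed for illustration.

```python
"""Added toy model of the rule authorization described above (not Kibana code):
each save snapshots the editing user's index privileges into an API key, and
background runs are authorized by that key alone."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class ApiKey:
    owner: str
    index_privileges: Dict[str, Set[str]]  # copy frozen at creation time

@dataclass
class DetectionRule:
    source_index: str  # index pattern the rule queries (used as a literal key here)
    api_key: Optional[ApiKey] = None

    def save(self, editor: str, editor_privileges: Dict[str, Set[str]]) -> None:
        """Create or update: the key is regenerated from the current editor."""
        self.api_key = ApiKey(editor, {k: set(v) for k, v in editor_privileges.items()})

    def can_run(self) -> bool:
        """A detection check needs read on its source index through the stored key."""
        if self.api_key is None:
            return False
        return "read" in self.api_key.index_privileges.get(self.source_index, set())

def scenario():
    """Constructed privilege sets: an engineer who can read the source data, and a
    user whose role covers only alert management on the alerts index."""
    rule = DetectionRule(source_index="logs-endpoint.events.*")
    engineer = {"logs-endpoint.events.*": {"read", "view_index_metadata"},
                ".alerts-security.alerts-default": {"manage", "write", "read", "view_index_metadata"}}
    alert_manager = {".alerts-security.alerts-default": {"maintenance", "write", "read", "view_index_metadata"}}
    rule.save("detections_eng", engineer)
    runs_after_engineer_edit = rule.can_run()
    engineer.clear()  # in this model the stored snapshot is independent of later changes to the editor
    runs_after_engineer_change = rule.can_run()
    rule.save("alert_manager", alert_manager)  # this editor lacks read on the source index
    runs_after_alert_manager_edit = rule.can_run()
    return runs_after_engineer_edit, runs_after_engineer_change, runs_after_alert_manager_edit
```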