Detections requirements
editDetections requirements
editTo use the Detections feature, you first need to configure a few settings. You also need the appropriate role to send notifications when detection alerts are generated.
Additionally, there are some advanced settings used to configure value list upload limits.
Enable and access detections
editTo use the Detections feature, it must be enabled and you must have either the appropriate predefined Security user role or a custom role with privileges to access rules and alerts. If your role doesn’t have the privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you.
For instructions about using machine learning jobs and rules, refer to Machine learning job and rule requirements.
Custom role privileges
editThe following table describes the required custom role privileges to access the Detections feature, including rules and alerts. For more information on Kibana privileges, refer to Custom roles.
Action | Cluster Privilege | Index Privileges | Kibana Privileges |
---|---|---|---|
Enable detections in your space |
|
|
|
Enable detections in all spaces NOTE: To turn on detections, visit the Rules and Alerts pages for each space. |
|
|
|
Preview rules |
N/A |
|
|
Manage rules |
N/A |
|
NOTE: You need additional
|
Manage alerts NOTE: Allows you to manage alerts, but not modify rules. |
N/A |
|
|
Create the NOTE: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space. |
|
|
|
Authorization
editRules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.
If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.