Detections requirements

edit

To use the Detections feature, you first need to configure a few settings. You also need the appropriate role to send notifications when detection alerts are generated.

Additionally, there are some advanced settings used to configure value list upload limits.

Enable and access detections
edit

To use the Detections feature, it must be enabled and you must have either the appropriate predefined Security user role or a custom role with privileges to access rules and alerts. If your role doesn’t have the privileges needed to enable this feature, you can request someone who has these privileges to visit your Kibana space, which will turn it on for you.

For instructions about using machine learning jobs and rules, refer to Machine learning job and rule requirements.

Custom role privileges
edit

The following table describes the required custom role privileges to access the Detections feature, including rules and alerts. For more information on Kibana privileges, refer to Custom roles.

Action Cluster Privilege Index Privileges Kibana Privileges

Enable detections in your space

manage

manage, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

  • .alerts-security.alerts-<space-id>
  • .lists-<space-id>
  • .items-<space-id>

All for the Security feature

Enable detections in all spaces

NOTE: To turn on detections, visit the Rules and Alerts pages for each space.

manage

manage, write, read, and view_index_metadata for these system indices and data streams:

  • .alerts-security.alerts-<space-id>
  • .lists-<space-id>
  • .items-<space-id>

All for the Security feature

Preview rules

N/A

read for these indices:

  • .preview.alerts-security.alerts-<space-id>
  • .internal.preview.alerts-security.alerts-<space-id>-*

All for the Security feature

Manage rules

N/A

manage, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

  • .alerts-security.alerts-<space-id
  • .lists-<space-id>
  • .items-<space-id>

All for the Security feature

NOTE: You need additional Action and Connectors feature privileges (Management → Action and Connectors) to manage rules with actions and connectors:

  • To provide full access to rule actions and connectors, give your role All privileges. With Read privileges, you can edit rule actions, but will have limited capabilities to manage connectors. For example, Read privileges allow you to add or remove an existing connector from a rule, but does not allow you to create a new connector.
  • To import rules with actions, you need at least Read privileges for the Action and Connectors feature. To overwrite or add new connectors, you need All privileges for the Actions and Connectors feature. To import rules without actions, you don’t need Actions and Connectors privileges.

Manage alerts

NOTE: Allows you to manage alerts, but not modify rules.

N/A

maintenance, write, read, and view_index_metadata for these system indices and data streams, where <space-id> is the space name:

  • .alerts-security.alerts-<space-id>
  • .internal.alerts-security.alerts-<space-id>-*
  • .lists-<space-id>
  • .items-<space-id>

Read for the Security feature

Create the .lists and .items data streams in your space

NOTE: To initiate the process that creates the data streams, you must visit the Rules page for each appropriate space.

manage

manage, write, read, and view_index_metadata for these data streams, where <space-id> is the space name:

  • .lists-<space-id>
  • .items-<space-id>

All for the Security and Saved Objects Management features

Authorization
edit

Rules, including all background detection and the actions they generate, are authorized using an API key associated with the last user to edit the rule. Upon creating or modifying a rule, an API key is generated for that user, capturing a snapshot of their privileges. The API key is then used to run all background tasks associated with the rule including detection checks and executing actions.

If a rule requires certain privileges to run, such as index privileges, keep in mind that if a user without those privileges updates the rule, the rule will no longer function.