[Detection Engine] Extracts Rules/Alerts/Exceptions permission to new Rules feature privileges

[rylnd]

Note: this is a rewritten copy of the changes in #232113. Initial feedback and conversation can be found there.

Epic: https://github.com/elastic/security-team/issues/8799

Added a new Rules feature that controls access to:

1. Detection rules
2. Alerts
3. Rule exceptions

In the first iteration, Rules feature doesn't allow more granular customization of a user's role as described in https://github.com/elastic/security-team/issues/8799. Granular controls will be extracted from the Rules feature as sub-features in future iterations.

Note also that this PR does not update existing prebuilt/test roles, as per this suggestion. That work is contained in a followup PR, which will be merged subsequent to this one.

How to test this PR

The extraction of the Rules feature from SIEM opens several new possibilities to configure roles.

Rule: none

This role configuration allows access to the rest of Security Solution without access to Detection Rules and Alerts.

• Rules menu item is visible to the users, no Detection rules (SIEM), no Shared exceptions lists items in the menu. Benchmark rules and Migrations should still be accessible.
• Users should not be able to access any rule page directly
• Users cannot access the Alerts page, Alerts menu is hidden
• No coverage page
• Detection rule monitoring dashboard - depends on access to the .kibana-event-log-* - should not be visible to user
• No security rules shown in Stack management -> Rules
• For the security setup guide (Getting started) - no rule setup will be possible

Rule: read

This role configuration should allow users to read rules and visit any rule pages but without the ability to edit rules, alerts, or exceptions.

The minimal Kibana feature configuration:

Required index privileges:

• Rule details page:
  • No action snoozing option,
  • No edit rule settings button or actions menu
  • “Enable” control is not editable
  • Export should be possible
• In the rules table (Installed rules and Rules Monitoring tables):
  • Bulk actions: only Export option is present
  • “Enable” control is not editable
  • No action snoozing option
  • No edit rule settings button or actions menu
  • No “Create new rule” button
  • No “Import rule” button
• “Add elastic rules” page:
  • No “Install rule” link
  • No “Install all” button
  • No install rule buttons/or greyed out on the rule flyout.
• Rule Updates tab
  • No Update all, individual rule updates
  • On the update flyout - only option to Close, not Update button
• Stack management Rules
  • Should not be possible to modify the security rules from there

Rule: all

This role configurration should have access to rules, alerts, and exceptions without limitations.

• Ability to create, import, edit, update and delete rules.
• Rules write access, the user will be able to see rules and details and edit all rule details.

Testing Utils

Testing configs and scripts

This bash script will add/update the kibana roles defined in the config.yml file into your local instance. Usernames will be the same as the role titles and all passwords are set to a default `changeme`

• config.yaml
• rbac-ess-testing-roles.sh

Additional areas to test

• Old role configuration (siemV3) should work correctly. Roles created prior to this PR with siemV3:all should map to siemV4:all + rules:all. Roles with siemV3:read to siemV4:read and rules:read.
• Serverless with predefined roles
• Check the AI4SOC tier for regressions

PR Handoff TODOs

• Rebase PR on main
  • Fixing merge conflicts
  • Switching v3 -> v4 and v4 -> v5
  • Carry over detection_engine.tsx changes into newly abstracted files implemented here
  • Update test mocks
  • Fix broken tests
• Align AI4SOC privileges (related slack thread)
  • Switch out all link capabilities
• SIEM migrations update to RULES WRITE (related issue)
  • Align with threat hunting
  • Update warning messages and related behavior
• Figure out how read or crud alerts in src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml is used
  • Delete if not used
• Write new tests
  • Keeping in mind new version pitfalls (related comment)
  • Determine testing coverage approach (cypress? FTR? etc.)
  • ...
• Manual testing
  • Potentially reverting migration changes to smoke test "current" behavior (comment)
  • ...
• Update Elasticsearch controller (predefined serverless roles) code to match this PR
  • Must be done when this PR gets deployed to serverless
  • https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.yaml
  • https://github.com/elastic/elasticsearch-controller/blob/main/internal/config/roles/security.ai_soc_engine.yaml

Release Note

Rules feature privileges are added to ESS. Access to Rules may now be explicitly set on both ESS and Serverless for user roles.

Docs Issue

• https://github.com/elastic/docs-content-internal/issues/597

[kibanamachine]

Project deployed, see credentials at: https://buildkite.com/elastic/kibana-deploy-project-from-pr/builds/680

[e40pud]

Mentioned this in the slack, we want to keep current behaviour that allows alerts modifying when "Security" set to "Read", meaning user should be able to modify alerts with the new "Rules" kibana privilege set to "Read".

Right now I'm getting this error:

[kibanamachine]

Cloud deployment initiated, see credentials at: https://buildkite.com/elastic/kibana-deploy-cloud-from-pr/builds/506

[denar50]

@logeekal thanks for the testing!
I have pushed a commit that fixes the permissions for the onboardings. So you should be able to see them now when only having rules read.

[e40pud]

@sdesalas

This is moving inside /public/detections/components (instead of /public/common/components) .

The MissingPrivilegesCallOut is not moving anywhere it is still inside the /public/common/components (here is the code).

There is a new component for detections missing privileges that added inside the /public/detections/components (here is the code).

[rylnd]

@sdesalas @e40pud thanks for the heads up! I merged those changes in here and tested a few permutations of missing privileges. Things still look/behave as expected on our end 👍 :

[MichelLosier]

LGTM for fleet

[pborgonovi]

@denar50 @rylnd @dplumlee
I've been doing extensive tests since draft PR thus I'm approving it from Sec Eng Prod end.

[logeekal]

Thank for incorporating all the changes from Automatic Migrations. I tested in ECH with all combinations of Dashboards and Rules Privileges and Automatic Migrations is working as expected.

[jeramysoucy]

LGTM! I appreciate the e2e privilege testing strategy 👍

[dhurley14]

LGTM! Thanks for carrying this through @rylnd @denar50 @dplumlee.

[dhurley14]

For a future investigation:

In every siem feature we include 'alert' in the savedObject: all but skip it in the read privilege. I'm wondering if the addition of the 'alert' SO is redundant because that SO access is controlled via the alerting: { rule: ... feature? cc: @ymao1

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: 21ae269
• Storybooks Preview
• Cloud Deployment

Metrics [docs]

Module Count

Fewer modules leads to a faster build time

id	before	after	diff
securitySolution	8476	8477	+1

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id	before	after	diff
@kbn/security-solution-features	30	31	+1

Async chunks

Total size of all lazy-loaded chunks that will be downloaded as the user navigates the app

id	before	after	diff
securitySolution	11.1MB	11.1MB	-1.0KB

Public APIs missing exports

Total count of every type that is part of your API that should be exported but is not. This will cause broken links in the API documentation system. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats exports for more detailed information.

id	before	after	diff
@kbn/security-solution-features	10	11	+1

Page load bundle

Size of the bundles that are downloaded on every page load. Target size is below 100kb

id	before	after	diff
securitySolution	169.6KB	170.1KB	+526.0B
securitySolutionEss	34.4KB	34.5KB	+59.0B
securitySolutionServerless	46.1KB	46.2KB	+55.0B
total			+640.0B

Unknown metric groups

API count

id	before	after	diff
@kbn/security-solution-features	36	37	+1

History

• 💚 Build #369722 succeeded ce7bffc
• 💛 Build #369068 was flaky b45cdce
• 💚 Build #368759 succeeded 5f6fbd5
• 💚 Build #368720 succeeded 56d7cae
• 💔 Build #368652 failed d04dd7f

cc @rylnd @denar50 @dplumlee