Skip to content

Rules exceptions subfeatures #243095

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 122 commits into
base: main
Choose a base branch
from
Draft

Rules exceptions subfeatures #243095

wants to merge 122 commits into from
+6,293 −2,117

Conversation

@dhurley14
Copy link
Contributor

@dhurley14 dhurley14 commented Nov 14, 2025

Summary

Summarize your PR. If it involves visual changes include a screenshot or gif.

Checklist

Check the PR satisfies following conditions.

Reviewers should verify this PR satisfies this list as well.

  • Any text added follows EUI's writing guidelines, uses sentence case text and includes i18n support
  • Documentation was added for features that require explanation or tutorials
  • Unit or functional tests were updated or added to match the most common scenarios
  • If a plugin configuration key changed, check if it needs to be allowlisted in the cloud and added to the docker list
  • This was checked for breaking HTTP API changes, and any breaking changes have been approved by the breaking-change committee. The release_note:breaking label should be applied in these situations.
  • Flaky Test Runner was used on any tests changed
  • The PR description includes the appropriate Release Notes section, and the correct release_note:* label is applied per the guidelines
  • Review the backport guidelines and apply applicable backport:* labels.

Identify risks

Does this PR introduce any risks? For example, consider risks like hard to test bugs, performance regression, potential of data loss.

Describe the risk, its severity, and mitigation for each identified risk. Invite stakeholders and evaluate how to proceed before merging.

rylnd and others added 30 commits October 29, 2025 16:12
@rylnd @denar50
Introduces Rules feature and subsequent app changes
958deed 
This does not include changes to existing roles, nor the role migration
machinery.
@rylnd @denar50
style: revert linting changes to large yaml/JSON files
4e60d94 
These changes were made automatically in an initial commit that added
our new features to roles; those changes have since been reverted
(320c34f), and thus there should not currently be any behavioral
changes in these files, which makes these stylistic changes even more
unnecessary.

Note: I also noticed that a few old references had (accidentally?)
remained in `security_roles.json` after `320c34f485`; this cleans those
up as well.
@denar50
update the siem migrations required permissions
02765d8 
Instead of requiring siemVX read/all, it now requires securitySolutionRulesV1 read/all
@denar50
update attack discovery required permissions
b35f598
@denar50
update timeline required permissions
686745e
@denar50
fix onboarding sections
2f7cff4 
It is unclear on wether "dashboards" and "integrations" should be exclusive to `siemV5` or `securitySolutionRulesV1`. So for now we are showing it when the user has either of those.
@kibanamachine @denar50
[CI] Auto-commit changed files from 'node scripts/eslint_all_files --…
4cb8ba0 
…no-cache --fix'
@denar50
allow alert management operations for roles with read only access
65d000a 
This is the current behaviour accoring do the documentation https://www.elastic.co/docs/solutions/security/detect-and-alert/detections-requirements.
@denar50
fix create shared exception list endpoint
d70db6e 
Now it requires the `securitySolutionRulesV1.all` privilege
@denar50
fix unit test
3cc5064
@dplumlee
fixes bulk_action route to allow export on rules-read
4738084
@kibanamachine
Changes from node scripts/eslint_all_files --no-cache --fix
191d62c
@denar50
fix cypress test: endpoint_role_rbac_with_space_awareness.cy.ts
5ed674e 
No security subfeature is required in all spaces anymore. The test was failing because the `siemV5` feature file never got updated and it was still referencing a feature flag that has been enabled and removed in `main`.
The feature flag in question is `endpointManagementSpaceAwarenessEnabled` which was being used to override the subfeature configuration by setting `requireAllSpaces=false` and `privilegesTooltip=undefined`. Now that the feature flag doesn't exist, it makes sense to remove these properties directly in the subfeature configuration instead of overriding them outside of it.
@denar50
Merge branch 'main' into rules-rbac-new
0ceb610
@kibanamachine
Changes from node scripts/eslint_all_files --no-cache --fix
f2b15ee
@denar50
fix manage value lists button disabled for rules-all
f47b16e 
The logic to show it was relying on the old siemPrivileges, however value lists is now under rules.
@dplumlee
fix showing rule update callouts when users don't have rules-all
51c9819
@denar50
fix authorization tests
603be1f 
Reshuffling privileges and removal of alerting privileges from siemV5. These alerting privileges exist exclusively in securitySolutionRulesV1
@denar50
Merge branch 'main' into rules-rbac-new
9089355
@rylnd
Merge branch 'main' into rules-rbac-new
33896fa 
This notably includes the fix to the infinite loop on the alerts page
when a role lacks sufficient lists privileges.
@denar50
Merge remote-tracking branch 'upstream/main' into rules-rbac-1
319a17b
@denar50
add missing socManagement sub feature config to siemV4 and siemV5
80ce6a5
@denar50
fix ai4soc cypress test
17018e6 
The test broke after merging main into the branch
@denar50
add missing siemV5 case to trusted devices rbac cypress test
11b9349
@denar50
fix authorization tests after new ai4soc changes
63635af
@denar50
fix api privileges tests after ai4soc changes
daa8579
@dplumlee
fixes respectLicenseLevel test that broke merging upstream
dd43f8b
@denar50
Merge branch 'main' into rules-rbac-new
fc6baad
@denar50
add cypress tests for the rules management page
5b544bc
@dplumlee
removes unused code and resolves PR TODOs
698722a
rylnd and others added 28 commits December 1, 2025 14:04
@rylnd
Merge pull request #15 from logeekal/fix/automatic_migration_rbac_fix…
3ac5a56 
…_server

[Automatic Migrations] Fixed Privileges for Dashboard endpoints.
@rylnd
Grant 'alerting.alert.all' privileges to rules:read users
49b139c 
In order to maintain backwards compatibility with alert privileges for
existing SIEM users, we need more than `alert.read` for `siem:read`
users`. Since our only other option is `alert.all`, we instead grant
them this privilege (although arguably this is more access than they
previously had). However, once the `securityAlerts` privilege work is
complete, `securityAlerts.all` will be pared down to precisely what is
needed for security users.

Discussion around this change can be found
[here](https://github.com/elastic/kibana/pull/239634/files/632bbc0e8c2597ae9f676123d6ecd09b644bbf73#r2510764307).
@rylnd
Add missing Defend privileges to siemV5
110938b 
These were deleted before siemv5 was defined, then added back since.
Luckily we have tests verifying the fact that these privileges are
"replaced."
@dplumlee
hides exceptions tab in rule details based on permissions
8bcc70d
@gergoabraham
handle siem version dynamically in artifact details tab cypress test
83e004a
@dplumlee
fixes search bar jest tests
ac0a95e
@rylnd
Merge pull request #16 from gergoabraham/fix-artifact-details-cypress…
0ffcabd 
…-for-siem-upgrade

[Defend Workflows cypress fix] Handle siem version dynamically in  artifact details tab cypress test
@dplumlee
updates api integration configs
6649a32
@dplumlee
updates serverless test authorization snapshot
8759e3a
@dplumlee
Merge remote-tracking branch 'rylnd/rules-rbac-new' into rules-except…
3798511 
…ions-subfeatures
@dplumlee
Merge branch 'main' into rules-rbac-new
f8615ae
@dplumlee
Merge remote-tracking branch 'rylnd/rules-rbac-new' into rules-except…
d5bcf47 
…ions-subfeatures
@dplumlee
fix types
2849d90
@dplumlee
Merge remote-tracking branch 'rylnd/rules-rbac-new' into rules-except…
dcc9d74 
…ions-subfeatures
@dplumlee
fix security role object types
bf24ee0
@dplumlee
REMOVES exceptions serverless security_roles for now
7a74953
@dplumlee
reverts security roles changes
915fa66
@dplumlee
fix types
a304a99
@dplumlee
update deprecated feature ID FTR tests
dd16915
@dplumlee
updates roles for rule cypress tests
33f8eae
@rylnd
Merge branch 'main' into rules-rbac-new
339b8ee
@dplumlee
allows users with read privileges to view uninstalled prebuilt rules …
d04dd7f 
…and updateable rules
@dplumlee
adds mocks to rule upgrade tests
b66434e
@dplumlee
updates rule upgrade cypress tests
56d7cae
@dplumlee
Merge remote-tracking branch 'rylnd/rules-rbac-new' into rules-except…
c22fa97 
…ions-subfeatures
@rylnd
Add SIEM V4 user to AI4DSOC capabilities tests
5f6fbd5 
This will ensure behaviors are correct for all intermediate SIEM
features.
@dplumlee
fix rules management cypress tests
d86686c
@dplumlee
Merge remote-tracking branch 'rylnd/rules-rbac-new' into rules-except…
9c2a813 
…ions-subfeatures
@elasticmachine
Copy link
Contributor

elasticmachine commented Dec 4, 2025

⏳ Build in-progress, with failures

Failed CI Steps

History

cc @dhurley14 @dplumlee

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@dhurley14 dhurley14

@dplumlee dplumlee

Labels

ci:cloud-deploy Create or update a Cloud deployment

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@dhurley14 @elasticmachine @rylnd @logeekal @dplumlee @denar50 @kibanamachine @gergoabraham