From 9a8f49f6db9dcdf30f70c3e0f394f8f323301a84 Mon Sep 17 00:00:00 2001 From: Joe Peeples Date: Tue, 12 Nov 2024 12:38:12 -0500 Subject: [PATCH 1/2] [BUG] All Kibana privileges don't grant Security / Elastic Defend features by default (#6134) * Align with ESS on nav steps * Add admonition for emphasis (cherry picked from commit 122bea236bbad741fbf513ef32234e7f444b1990) # Conflicts: # docs/serverless/edr-install-config/defend-feature-privs.asciidoc --- .../defend-feature-privs.asciidoc | 6 +- .../defend-feature-privs.asciidoc | 71 +++++++++++++++++++ 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 docs/serverless/edr-install-config/defend-feature-privs.asciidoc diff --git a/docs/getting-started/defend-feature-privs.asciidoc b/docs/getting-started/defend-feature-privs.asciidoc index 555ba4ff5b..128fcd59ac 100644 --- a/docs/getting-started/defend-feature-privs.asciidoc +++ b/docs/getting-started/defend-feature-privs.asciidoc @@ -15,7 +15,11 @@ NOTE: {elastic-defend}'s feature privileges must be assigned to *All Spaces*. Yo [role="screenshot"] image::images/endpoint-privileges.png[Configuring privileges in Kibana,75%] -To grant access, select *All* for the *Security* feature in the *{kib} privileges* configuration UI, then turn on the *Customize sub-feature privileges* switch. For each of the following sub-feature privileges, select the type of access you want to allow: +To grant access, select *All* for the *Security* feature in the *Assign role to space* configuration UI, then turn on the *Customize sub-feature privileges* switch. + +IMPORTANT: Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually. + +For each of the following sub-feature privileges, select the type of access you want to allow: * *All*: Users have full access to the feature, which includes performing all available actions and managing configuration. * *Read*: Users can view the feature, but can't perform any actions or manage configuration. (Some features don't have this privilege.) diff --git a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc new file mode 100644 index 0000000000..353ca6997f --- /dev/null +++ b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc @@ -0,0 +1,71 @@ +[[security-endpoint-management-req]] += {elastic-defend} feature privileges + +// :description: Manage user roles and privileges to grant access to {elastic-defend} features. +// :keywords: security, defend, reference, manage + +preview:[] + +You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features. + +To configure roles and privileges, find **Roles** in the navigation menu or by using the global search field. For more details on using this UI, refer to <>. + +[NOTE] +==== +{elastic-defend}'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space. +==== + +To grant access, select **All** for the **Security** feature in the **Assign role to space** configuration UI, then turn on the **Customize sub-feature privileges** switch. + +IMPORTANT: Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually. + +For each of the following sub-feature privileges, select the type of access you want to allow: + +* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration. +* **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege). +* **None**: Users can't access or view the feature. + +|=== +| | + +| **Endpoint List** +| Access the <> page, which lists all hosts running {elastic-defend}, and associated integration details. + +| **Trusted Applications** +| Access the <> page to remediate conflicts with other software, such as antivirus or endpoint security applications + +| **Host Isolation Exceptions** +| Access the <> page to add specific IP addresses that isolated hosts can still communicate with. + +| **Blocklist** +| Access the <> page to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. + +| **Event Filters** +| Access the <> page to filter out endpoint events that you don't want stored in {es}. + +| **{elastic-defend} Policy Management** +| Access the <> page and {elastic-defend} integration policies to configure protections, event collection, and advanced policy features. + +| **Response Actions History** +| Access the <> for endpoints. + +| **Host Isolation** +| Allow users to <>. + +| **Process Operations** +| Perform host process-related <>, including `processes`, `kill-process`, and `suspend-process`. + +| **File Operations** +| Perform file-related <> in the response console. + +| **Execute Operations** +a| Perform shell commands and script-related <> in the response console. + +[WARNING] +==== +The commands are run on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Only grant this feature privilege to {elastic-sec} users who require this level of access. +==== + +| **Scan Operations** +| Perform folder scan <> in the response console. +|=== From e59b271a6d544333aa26c6644a39607839d6bdcb Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 12 Nov 2024 17:41:16 +0000 Subject: [PATCH 2/2] Delete docs/serverless directory and its contents --- .../defend-feature-privs.asciidoc | 71 ------------------- 1 file changed, 71 deletions(-) delete mode 100644 docs/serverless/edr-install-config/defend-feature-privs.asciidoc diff --git a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc b/docs/serverless/edr-install-config/defend-feature-privs.asciidoc deleted file mode 100644 index 353ca6997f..0000000000 --- a/docs/serverless/edr-install-config/defend-feature-privs.asciidoc +++ /dev/null @@ -1,71 +0,0 @@ -[[security-endpoint-management-req]] -= {elastic-defend} feature privileges - -// :description: Manage user roles and privileges to grant access to {elastic-defend} features. -// :keywords: security, defend, reference, manage - -preview:[] - -You can create user roles and define privileges to manage feature access in {elastic-sec}. This allows you to use the principle of least privilege while managing access to {elastic-defend}'s features. - -To configure roles and privileges, find **Roles** in the navigation menu or by using the global search field. For more details on using this UI, refer to <>. - -[NOTE] -==== -{elastic-defend}'s feature privileges must be assigned to **All Spaces**. You can't assign them to an individual space. -==== - -To grant access, select **All** for the **Security** feature in the **Assign role to space** configuration UI, then turn on the **Customize sub-feature privileges** switch. - -IMPORTANT: Selecting **All** for the overall **Security** feature does NOT enable any sub-features. You must also enable the **Customize sub-feature privileges** switch, and then enable each sub-feature privilege individually. - -For each of the following sub-feature privileges, select the type of access you want to allow: - -* **All**: Users have full access to the feature, which includes performing all available actions and managing configuration. -* **Read**: Users can view the feature, but can't perform any actions or manage configuration (some features don't have this privilege). -* **None**: Users can't access or view the feature. - -|=== -| | - -| **Endpoint List** -| Access the <> page, which lists all hosts running {elastic-defend}, and associated integration details. - -| **Trusted Applications** -| Access the <> page to remediate conflicts with other software, such as antivirus or endpoint security applications - -| **Host Isolation Exceptions** -| Access the <> page to add specific IP addresses that isolated hosts can still communicate with. - -| **Blocklist** -| Access the <> page to prevent specified applications from running on hosts, extending the list of processes that {elastic-defend} considers malicious. - -| **Event Filters** -| Access the <> page to filter out endpoint events that you don't want stored in {es}. - -| **{elastic-defend} Policy Management** -| Access the <> page and {elastic-defend} integration policies to configure protections, event collection, and advanced policy features. - -| **Response Actions History** -| Access the <> for endpoints. - -| **Host Isolation** -| Allow users to <>. - -| **Process Operations** -| Perform host process-related <>, including `processes`, `kill-process`, and `suspend-process`. - -| **File Operations** -| Perform file-related <> in the response console. - -| **Execute Operations** -a| Perform shell commands and script-related <> in the response console. - -[WARNING] -==== -The commands are run on the host using the same user account running the {elastic-defend} integration, which normally has full control over the system. Only grant this feature privilege to {elastic-sec} users who require this level of access. -==== - -| **Scan Operations** -| Perform folder scan <> in the response console. -|===