General rule access
doc If you want to use the alerting features in a Kibana app, you must have the appropriate feature privileges. For example, to create rules in Stack Management > Rules and Connectors, you must have
allprivileges for the Management > Stack Rules feature. To attach actions to the rule, you must also havereadprivileges for the Actions and Connectors feature. For more information on configuring roles that provide access to features, go to Feature privileges.
Specific rule type (via feature)
doc You must have
allprivileges for the appropriate Kibana features, depending on theconsumerandrule_type_idof the rules you’re creating. For example, the Management > Stack Rules feature, Analytics > Discover and Machine Learning features, Observability, and Security features. If the rule hasactions, you must also havereadprivileges for the Management > Actions and Connectors feature. For more details, refer to Feature privileges.
Users can pull Kibana Rule Types via the Kibana API. They can compare these output id's to the following code table for v8.5.0 (see below for how to pull/simplify). Column producer may also be helpful to line up to general parent features.
| feature | allows rule/create for related sub-privilege |
|---|---|
| feature_apm | apm.anomaly/apm |
| feature_apm | apm.error_rate/apm |
| feature_apm | apm.transaction_duration/apm |
| feature_apm | apm.transaction_error_rate/apm |
| feature_discover | .es-query/discover |
| feature_discover.read | .es-query/discover |
| feature_infrastructure | metrics.alert.inventory.threshold/infrastructure |
| feature_infrastructure | metrics.alert.threshold/infrastructure |
| feature_logs | logs.alert.document.count/logs |
| feature_ml | xpack.ml.anomaly_detection_alert/ml |
| feature_ml | xpack.ml.anomaly_detection_jobs_health/ml |
| feature_siem | siem.eqlRule/siem |
| feature_siem | siem.indicatorRule/siem |
| feature_siem | siem.mlRule/siem |
| feature_siem | siem.newTermsRule/siem |
| feature_siem | siem.notifications/siem |
| feature_siem | siem.queryRule/siem |
| feature_siem | siem.savedQueryRule/siem |
| feature_siem | siem.thresholdRule/siem |
| feature_stackAlerts | .es-query/stackAlerts |
| feature_stackAlerts | .geo-containment/stackAlerts |
| feature_stackAlerts | .index-threshold/stackAlerts |
| feature_stackAlerts | transform_health/stackAlerts |
| feature_uptime | xpack.uptime.alerts.durationAnomaly/uptime |
| feature_uptime | xpack.uptime.alerts.monitorStatus/uptime |
| feature_uptime | xpack.uptime.alerts.tls/uptime |
| feature_uptime | xpack.uptime.alerts.tlsCertificate/uptime |
| read | .es-query/discover |
| reserved_ml_admin | xpack.ml.anomaly_detection_alert/ml |
| reserved_ml_admin | xpack.ml.anomaly_detection_jobs_health/ml |
| reserved_monitoring | monitoring_alert_cluster_health/monitoring |
| reserved_monitoring | monitoring_alert_cpu_usage/monitoring |
| reserved_monitoring | monitoring_alert_disk_usage/monitoring |
| reserved_monitoring | monitoring_alert_elasticsearch_version_mismatch/monitoring |
| reserved_monitoring | monitoring_alert_jvm_memory_usage/monitoring |
| reserved_monitoring | monitoring_alert_kibana_version_mismatch/monitoring |
| reserved_monitoring | monitoring_alert_license_expiration/monitoring |
| reserved_monitoring | monitoring_alert_logstash_version_mismatch/monitoring |
| reserved_monitoring | monitoring_alert_missing_monitoring_data/monitoring |
| reserved_monitoring | monitoring_alert_nodes_changed/monitoring |
| reserved_monitoring | monitoring_alert_thread_pool_search_rejections/monitoring |
| reserved_monitoring | monitoring_alert_thread_pool_write_rejections/monitoring |
| reserved_monitoring | monitoring_ccr_read_exceptions/monitoring |
| reserved_monitoring | monitoring_shard_size/monitoring |
| space_all | .es-query/discover |
| space_all | .es-query/stackAlerts |
| space_all | .geo-containment/stackAlerts |
| space_all | .index-threshold/stackAlerts |
| space_all | apm.anomaly/apm |
| space_all | apm.error_rate/apm |
| space_all | apm.transaction_duration/apm |
| space_all | apm.transaction_error_rate/apm |
| space_all | logs.alert.document.count/logs |
| space_all | metrics.alert.inventory.threshold/infrastructure |
| space_all | metrics.alert.threshold/infrastructure |
| space_all | siem.eqlRule/siem |
| space_all | siem.indicatorRule/siem |
| space_all | siem.mlRule/siem |
| space_all | siem.newTermsRule/siem |
| space_all | siem.notifications/siem |
| space_all | siem.queryRule/siem |
| space_all | siem.savedQueryRule/siem |
| space_all | siem.thresholdRule/siem |
| space_all | transform_health/stackAlerts |
| space_all | xpack.ml.anomaly_detection_alert/ml |
| space_all | xpack.ml.anomaly_detection_jobs_health/ml |
| space_all | xpack.uptime.alerts.durationAnomaly/uptime |
| space_all | xpack.uptime.alerts.monitorStatus/uptime |
| space_all | xpack.uptime.alerts.tls/uptime |
| space_all | xpack.uptime.alerts.tlsCertificate/uptime |
| space_read | .es-query/discover |
from
GET _security/privilege > priv.json
import json,re
with open("priv2.json") as f:
d=json.loads(f.read())
d = d["kibana-.kibana"]
for k in d.keys():
for i in d[k]["actions"]:
if "rule/create" in i:
r.append(f"{k}//{i}")
rr = [x for x in r if not x.startswith('all//')]
for rrr in rr:
we = re.search("(.+?):8.5.0",rrr)[1]
qw= re.search('8.5.0:(.+?)rule/create',rrr)[1]
print(f"{we}//{qw}")