update readmes for each role and remove create_index from lists privilege for the soc manager role
dhurley14 committed Nov 10, 2020
1 parent b73e3af commit 75b148f
Showing 8 changed files with 30 additions and 33 deletions.
Expand Up @@ -2,13 +2,12 @@
2. The T1 and T2 Analyst roles do not seem to have much of a functional difference but I created them as is.
3. I gave the Hunter role "all" privileges for saved objects management and builtInAlerts so that they can create rules.
4. Rule Author has the ability to create rules and create value lists
5. SOC Manager and Platform Engineer roles do not have much of a distinctive difference. However, when going through these roles and testing them out I noticed we require "manage" privileges. I'm not sure we need "manage" and could possibly remove it as a requirement but does anyone remember why we needed manage as a privilege for these indices?

| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :------------------------------------------: | :----------: | :------------------: | :-------------------------------: | :--------------: | :-------------------------------: |
| T1 Analyst | read | read | read | read | read |
| T2 Analyst | read | read | read | read | read, create_doc |
| Hunter / T3 Analyst | read, write | read | read | read, write | read, create_doc |
| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read, write |
| SOC Manager | read, write | read | read, write, create_index, manage | read, write | read, write, create_index, manage |
| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Acction Connectors | Signals/Alerts |
| :------------------------------------------: | :----------: | :------------------: | :---------: | :--------------: | :----------------: | :------------------------------: |
| T1 Analyst | read | read | none | read | read | read, write |
| T2 Analyst | read | read | read | read | read | read, write |
| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write |
| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata |
| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage |
| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all | all |
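Review bot: the new header cell "Acction Connectors" is misspelled; the per-role READMEs in this same commit use "Action Connectors", so the summary table should match. Two changes in this hunk also go beyond what the commit message states: T1 Analyst Signals/Alerts moves from "read" to "read, write" (T2 from "read, create_doc" to "read, write") and T1 Lists moves from "read" to "none". Since note 5 above the table already questions whether "manage" is required and the SOC Manager Signals/Alerts cell still carries it, the numbered notes should record why analysts now get write on signals and why T1 loses list access.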
Expand Up @@ -7,6 +7,6 @@ This user can CRUD rules and signals. The main difference here is the user has

privileges whereas the T1 and T2 have "read" privileges which prevents them from creating rules

| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :--------------: |
| Hunter / T3 Analyst | read, write | read | read | read, write | read, create_doc |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
| :-----------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
| Hunter / T3 Analyst | read, write | read | read | read, write | read | read, write |
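Review bot: the context sentence kept at the top of this file still says the T1 and T2 roles have "read" privileges that prevent them from creating rules, but the Hunter row now grants "read, write" on Signals/Alerts, the same value the top-level README gives T1 and T2 in this commit. The prose should state what actually distinguishes Hunter, which from the tables is write on Data Sources and Rules/Exceptions, not on signals.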
@@ -1,4 +1,5 @@
essentially a superuser for security solution
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :------------------------------------------: | :----------: | :------------------: | :---: | :--------------: | :------------: |
| Platform Engineer (data ingest, cluster ops) | read, write | all | all | read, write | all |

| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
| :------------------------------------------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
| Platform Engineer (data ingest, cluster ops) | all | all | all | read, write | all | all |
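Review bot: Data Sources for Platform Engineer changes from "read, write" to "all" here, but the corresponding row of the top-level README table in this commit still reads "read, write"; one of the two should be corrected so the summary table and the per-role file agree on this role's data-source privileges.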
@@ -1,5 +1,5 @@
rule author has the same privileges as hunter with the additional privileges of uploading value lists

| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :-----------------------------------------: | :----------: | :------------------: | :---------: | :--------------: | :------------: |
| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read, write |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
| :-----------------------------------------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :------------------------------: |
| Rule Author / Manager / Detections Engineer | read, write | read | read, write | read, write | read | read, write, view_index_metadata |
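Review bot: the description line still says the Rule Author has the same privileges as Hunter plus uploading value lists, but the new Signals/Alerts cell adds "view_index_metadata", which the Hunter table in this commit does not have; either mention it in the sentence or drop the privilege if the role does not need it.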
@@ -1,5 +1,5 @@
SOC Manager has all of the privileges of a rule author role with the additional privilege of creating the signals index and lists indices upon initial visit

| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :---------: | :----------: | :------------------: | :-------------------------------: | :--------------: | :-------------------------------: |
| SOC Manager | read, write | read | read, write, create_index, manage | read, write | read, write, create_index, manage |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
| :---------: | :----------: | :------------------: | :---------: | :--------------: | :---------------: | :-----------------: |
| SOC Manager | read, write | read | read, write | read, write | all | read, write, manage |
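Review bot: the description line still says the SOC Manager creates the signals index and lists indices on first visit, yet "create_index" is removed from both the Lists and the Signals/Alerts cells in the new row, while the role JSON in this commit keeps "create_index" and "manage" on ".siem-signals-*". The prose, the table and the JSON should agree on which indices, if any, this role may create.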
Expand Up @@ -10,14 +10,12 @@
"filebeat-*",
"logs-*",
"packetbeat-*",
"winlogbeat-*"
"winlogbeat-*",
".lists*",
".items*"
],
"privileges": ["read", "write"]
},
{
"names": [".lists*", ".items*"],
"privileges": ["read", "write", "create_index", "manage"]
},
{
"names": [".siem-signals-*"],
"privileges": ["read", "write", "create_index", "manage"]
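Review bot: ".lists*" and ".items*" are folded into the data-source index pattern list, so they now get exactly "read" and "write", which matches the commit message; the block that follows, however, still grants "read", "write", "create_index", "manage" on ".siem-signals-*", while the SOC Manager README table in this commit lists Signals/Alerts as "read, write, manage" with no "create_index". Either drop "create_index" here or restore it in the table, and decide whether "manage" is needed at all given the open question in note 5 of the top-level README.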
@@ -1,3 +1,3 @@
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :--------: | :----------: | :------------------: | :---: | :--------------: | :------------: |
| T1 Analyst | read | read | read | read | read |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Actions Connectors | Signals/Alerts |
| :--------: | :----------: | :------------------: | :---: | :--------------: | :----------------: | :------------: |
| T1 Analyst | read | read | none | read | read | read, write |
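Review bot: the header cell reads "Actions Connectors" while the other role READMEs in this commit use "Action Connectors". The T1 row also drops Lists from "read" to "none" and raises Signals/Alerts from "read" to "read, write"; neither change is in the commit message, and the T2 README in this commit keeps Lists at "read", so this file should say why T1 is the only role without list access.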
@@ -1,6 +1,5 @@
This role can view rules. Essentially there is no difference between a T1 and T2 analyst.


| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Signals/Alerts |
| :--------: | :----------: | :------------------: | :---: | :--------------: | :--------------: |
| T2 Analyst | read | read | read | read | read, create_doc |
| Role | Data Sources | SIEM ML Jobs/Results | Lists | Rules/Exceptions | Action Connectors | Signals/Alerts |
| :--------: | :----------: | :------------------: | :---: | :--------------: | :---------------: | :------------: |
| T2 Analyst | read | read | read | read | read | read, write |
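Review bot: the context sentence "Essentially there is no difference between a T1 and T2 analyst" is no longer accurate after this commit, since the T1 README now sets Lists to "none" while T2 keeps "read"; update the sentence to name that difference.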
