[Sentinel One] - Fix Cannot execute ILM policy delete step for threat event #137222
+9
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
elasticsearchmachine
added
needs:triage
5 tasks
mohitjha-elastic
force-pushed
the
sentinel_one_threat_event_ilm_policy
branch
from
571bbc6 to
929baa0
Compare
elasticsearchmachine
added
Team:Security
|
Pinging @elastic/es-security (Team:Security) |
ShourieG
added
>non-issue
:Security/Authorization
azasypkin
approved these changes
Oct 30, 2025
mohitjha-elastic
added a commit
to mohitjha-elastic/elasticsearch
that referenced
this pull request
Oct 31, 2025
… event (elastic#137222) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502)
mohitjha-elastic
added a commit
to mohitjha-elastic/elasticsearch
that referenced
this pull request
Oct 31, 2025
… event (elastic#137222) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
💚 All backports created successfully
Questions ?Please refer to the Backport tool documentation |
mohitjha-elastic
added a commit
to mohitjha-elastic/elasticsearch
that referenced
this pull request
Oct 31, 2025
… event (elastic#137222) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502) # Conflicts: # x-pack/plugin/core/src/main/java/org/elasticsearch/xpack/core/security/authz/store/KibanaOwnedReservedRoleDescriptors.java
mohitjha-elastic
added a commit
that referenced
this pull request
Nov 3, 2025
… event (#137222) (#137424) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502)
mohitjha-elastic
added a commit
to mohitjha-elastic/elasticsearch
that referenced
this pull request
Nov 3, 2025
… event (elastic#137222) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502)
mohitjha-elastic
added a commit
that referenced
this pull request
Nov 3, 2025
… event (#137222) (#137426) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502)
mohitjha-elastic
added a commit
that referenced
this pull request
Nov 4, 2025
… event (#137222) (#137425) This PR introduces a short-term solution by adding the logs-sentinel_one.threat_event-* indices to the kibana_system role with delete privileges. This prevents deletion failures when the index enters the ILM deletion phase. Since the transform pipeline is also shipped as part of this change, the role requires additional read and write permissions. (cherry picked from commit ddb1502)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR Description:
This PR focuses on the short term solution which add the
logs-sentinel_one.threat_event-*indices under thekibana_systemrole with deletion privileges to prevent a failed deletion error when the index enters the deletion phase for the ILM lifecycle, in upcoming PR. As it ships transform pipeline too hence read, write permissions are also required.Current behavior:
It shows permission issue while deleting the index.
Similar Issues : elastic/kibana#197390, #131825
Closing elastic/kibana#240901
NOTE: We would need this to be backported to at least 8.18.0 and above.