elastic · paul-tavares · Apr 15, 2025 · Apr 14, 2025 · Apr 14, 2025 · Apr 15, 2025
diff --git a/docs/changelog/126803.yaml b/docs/changelog/126803.yaml
@@ -0,0 +1,6 @@
+pr: 126803
+summary: "[Security Solution] Add `read` index privileges to `kibana_system` role\
+ \ for Microsoft Defender integration indexes"
+area: Authorization
+type: enhancement
+issues: []
@@ -345,7 +345,10 @@ static RoleDescriptor kibanaSystem(String name) {
  // ingested by Fleet integrations
  // in order to provide support for response actions related to malicious events
  // for such agents.
- RoleDescriptor.IndicesPrivileges.builder().indices("logs-sentinel_one.*", "logs-crowdstrike.*").privileges("read").build(),
+ RoleDescriptor.IndicesPrivileges.builder()
+ .indices("logs-sentinel_one.*", "logs-crowdstrike.*", "logs-microsoft_defender_endpoint.*", "logs-m365_defender.*")
+ .privileges("read")
+ .build(),
  // For ILM policy for APM, Endpoint, & Synthetics packages that have delete
  // action
  RoleDescriptor.IndicesPrivileges.builder()

diff --git a/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java b/.../test/java/org/elasticsearch/xpack/core/security/authz/store/ReservedRolesStoreTests.java
@@ -1031,7 +1031,9 @@ public void testKibanaSystemRole() {
  // Tests for third-party agent indices that `kibana_system` has only `read` access
  Arrays.asList(
  "logs-sentinel_one." + randomAlphaOfLength(randomIntBetween(0, 13)),
- "logs-crowdstrike." + randomAlphaOfLength(randomIntBetween(0, 13))
+ "logs-crowdstrike." + randomAlphaOfLength(randomIntBetween(0, 13)),
+ "logs-microsoft_defender_endpoint." + randomAlphaOfLength(randomIntBetween(0, 13)),
+ "logs-m365_defender." + randomAlphaOfLength(randomIntBetween(0, 13))
  ).forEach((index) -> {
  final IndexAbstraction indexAbstraction = mockIndexAbstraction(index);
  assertThat(kibanaRole.indices().allowedIndicesMatcher("indices:foo").test(indexAbstraction), is(false));