[SIEM] Detection engine when security is disabled

[cwurm]

When security is disabled (as is the default), the Detection engine will show Detection engine permissions required. It's somewhat misleading, since without the security plugin the concept of privileges doesn't even exist.

A more helpful message might be The Security plugin has to be enabled to use the detection engine. See the documentation on how to do that. (documentation could link to this).

In the background there is a 500 Internal Server Error:

[elasticmachine]

Pinging @elastic/siem (Team:SIEM)

[tsg]

Related to this, in BC2, one gets an additional toaster error saying "Failed to query signals". That's unnecessary since the page is blocked anyway.

[rylnd]

Resurrecting this issue as it's resurfaced during our testing of 7.7. (Thanks @XavierM)

With #59438, the default behavior for errors coming from SIEM endpoints is to display them in a toaster. When security is disabled, SIEM endpoints that attempt to communicate with elasticsearch will return a 401. As a result, the original issue persists, and we're now seeing more toaster errors than in 7.6; typically one for each failed request. This is incorrect: this behavior can occur, but only if security is disabled in kibana and enabled in elasticsearch, which is not a situation we need to support.

[rylnd]

A bit more context: we've been testing the behavior of SIEM when security is disabled mainly to verify that SIEM continues to function for something like demo.elastic.co. However, after speaking with the owners of that instance, it appears that they do not disable security and instead just have a read-only user that's always logged in.

Regardless, security being disabled is still a situation that SIEM needs to support (or at least address).

[rylnd]

After some more thorough testing I wanted to update this issue with the current behavior as of 7.7.0 BC2.

If security is disabled on both the elasticsearch instance and kibana, when visiting the detections page you see the "permissions required" message on the page, and there's additionally a toaster error with a clear CTA:

Other notes

• The "signals index exists" endpoint correctly returns a 404, which is ignored by the frontend (i.e. it is not presented to the user as a toaster)
• Detections is the only tab that displays an error toaster; the other tabs e.g. hosts continue to display data as expected.

[kdk2933]

After some more thorough testing I wanted to update this issue with the current behavior as of 7.7.0 BC2.

If security is disabled on both the elasticsearch instance and kibana, when visiting the detections page you see the "permissions required" message on the page, and there's additionally a toaster error with a clear CTA:

Other notes

* The "signals index exists" endpoint correctly returns a 404, which is ignored by the frontend (i.e. it is not presented to the user as a toaster)

* Detections is the only tab that displays an error toaster; the other tabs e.g. hosts continue to display data as expected.

After some more thorough testing I wanted to update this issue with the current behavior as of 7.7.0 BC2.

If security is disabled on both the elasticsearch instance and kibana, when visiting the detections page you see the "permissions required" message on the page, and there's additionally a toaster error with a clear CTA:

Other notes

* The "signals index exists" endpoint correctly returns a 404, which is ignored by the frontend (i.e. it is not presented to the user as a toaster)

* Detections is the only tab that displays an error toaster; the other tabs e.g. hosts continue to display data as expected.

Did you get the fix for the issue?