I am receiving a Health Check warning regarding the roles and responsibilities for our "investigative_canvas" in Enterprise Security. I have referred to the URL below initially. I do not see any problems with the below stanza. Am I missing something?
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
version = 6.6.2
modtime = 1508440201.516152100
@mtupper After looking at the link you are talking about, I realized the problem lies in the fact that the ess_analyst has access to this collection. It is recommended that only admins have access to these collections.
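The check described in the answer above, as an added example that is not part of the original thread or Splunk's own tooling: it parses `access` lines from metadata text and reports every role other than `admin` with read or write access to a collection. The `[collections/investigative_canvas]` stanza header, the sample text, and the function names are assumptions made for illustration.

```python
import re

# Assumption taken from the answer: only admins should have access.
ALLOWED_ROLES = {"admin"}

# Constructed sample. The stanza header is an assumption; the post shows only the keys.
SAMPLE_META = """\
[collections/investigative_canvas]
access = read : [ ess_analyst ], write : [ admin ]
export = system
owner = nobody
"""

ACCESS_RE = re.compile(r"(read|write)\s*:\s*\[([^\]]*)\]")


def parse_access(value):
    """Split an access value into {'read': [roles], 'write': [roles]}."""
    perms = {"read": [], "write": []}
    for perm, roles in ACCESS_RE.findall(value):
        perms[perm] = [r.strip() for r in roles.split(",") if r.strip()]
    return perms


def find_excess_access(meta_text, allowed=ALLOWED_ROLES):
    """Return (stanza, permission, role) for each role outside `allowed`."""
    findings = []
    stanza = None
    for raw in meta_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip() != "access":
            continue
        # Only collection stanzas are relevant to this health check.
        if stanza is None or not stanza.startswith("collections/"):
            continue
        for perm, roles in parse_access(value).items():
            # A wildcard role ("*") is reported too, since it is not in `allowed`.
            findings.extend((stanza, perm, r) for r in roles if r not in allowed)
    return sorted(findings)


if __name__ == "__main__":
    for stanza, perm, role in find_excess_access(SAMPLE_META):
        print(f"{stanza}: role '{role}' has {perm} access")
```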
My mistake, I should have added that.
"Health Check: Review roles for unnecessary read or write access to the "investigation_event" collection and remove access if possible."
We only recently began receiving these errors after moving our environment from an on-prem solution to the cloud. We did a fresh install of ES; a clone did not work at the time.