Elasticsearch Security Privileges
ElastAlert 2 works out of the box against an unsecured Elasticsearch cluster. Against a secured cluster it needs a user with a specific set of permissions that allow it to read documents, check the cluster status, and so on.
SearchGuard Permissions
The permissions in Elasticsearch are specific to the plugin used for RBAC. However, the permissions listed here map easily to plugins other than SearchGuard.
Details about SearchGuard Action Groups: https://docs.search-guard.com/latest/action-groups
Writeback Permissions
For the global config (which writes to the writeback index), you would need to give all permissions on the writeback indices. In addition, some permissions related to Cluster Monitor Access are required.
Cluster Permissions: CLUSTER_MONITOR, indices:data/read/scroll*
Index Permissions (over the writeback indices): INDICES_ALL
Per Rule Permissions
For the per-rule Elasticsearch config, you need at least read permissions on the index the rule queries. Detailed SearchGuard permissions:
Cluster Permissions: CLUSTER_COMPOSITE_OPS_RO
Index Permissions (over the index the rule is querying): READ, indices:data/read/scroll*
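The two permission sets above, written as SearchGuard role definitions (SearchGuard 7.x sg_roles.yml format). This is an added example, not from the ElastAlert 2 or SearchGuard documentation; the role names, the user name and the log index pattern are assumptions, and the writeback pattern assumes ElastAlert 2's default writeback index name, elastalert_status.

```yaml
# Added example (not ElastAlert 2 or SearchGuard project code).
# sg_roles.yml: one role for the global/writeback config, one for rule queries.
# Keeping them separate lets the rule-query role stay read-only.

sg_elastalert_writeback:          # assumed role name
  cluster_permissions:
    - CLUSTER_MONITOR               # cluster status checks
    - "indices:data/read/scroll*"   # scrolling through query results
  index_permissions:
    - index_patterns:
        - "elastalert_status*"      # assumes default writeback index name
      allowed_actions:
        - INDICES_ALL               # full access only on the writeback indices

sg_elastalert_rule_reader:        # assumed role name
  cluster_permissions:
    - CLUSTER_COMPOSITE_OPS_RO      # read-only composite operations (msearch etc.)
  index_permissions:
    - index_patterns:
        - "logs-*"                  # assumed: the index pattern your rules query
      allowed_actions:
        - READ                      # no write access to the queried data
        - "indices:data/read/scroll*"

# sg_roles_mapping.yml: bind both roles to the ElastAlert service user.
# (Shown here in the same file for brevity; in practice it is a separate file.)
sg_elastalert_writeback:
  users:
    - elastalert                    # assumed user name
sg_elastalert_rule_reader:
  users:
    - elastalert
```

After loading the configuration with sgadmin, confirm the user cannot write to the log indices but can write to elastalert_status* before pointing ElastAlert 2 at the cluster.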