Hello Morgan,
yes, we completed that step. This is mandatory to make the App visible to users in non-Admin user roles.
However, the API key assigned to the App requires admin permission and admin user role.
This results in a situation where any user with access to the App can install rules, regardless of the permissions of his own user role.
------------------------------
SIEM-2020
------------------------------
Original Message:
Sent: Wed December 11, 2024 06:03 AM
From: Comghall Morgan
Subject: YARA & Sigma Rule Manager, Permissions for Adding/Enabling Rules
Hello,
After install, have you completed the following steps:
https://www.ibm.com/docs/en/qradar-common?topic=checklist-assigning-user-capabilities-manager-yara-sigma-rules
------------------------------
Comghall Morgan
QRadar Support Architect
IBM
Original Message:
Sent: Mon November 25, 2024 10:06 AM
From: SIEM-2020
Subject: YARA & Sigma Rule Manager, Permissions for Adding/Enabling Rules
The Yara & Sigma Rule Manager seems to be a valuable app for Threat Hunting and we would like to use it. However, the permissions cause some headache in our environment, where we have 4 users with Admin role and 20 users with Analyst role. Maybe we are just missing the right knobs or settings and someone can point us to a solution.
Installation requires an API key with Admin user role. When we try a less privileged role, the app configuration of the API key fails. However, we do not want to give permission to all of our SIEM users to add and enable rules on the fly. The normal role model does not allow this either.
Is there a way to allow AQL-based hunting with this App, but inhibit creation of rules? Often the rules are payload-based searches and can have a performance impact. Or can we at least make sure that new rules are added in "Disabled" state?
------------------------------
SIEM-2020
------------------------------