Skip to content

[sentinel_one] Cannot execute ILM policy delete step #235996

New issue
New issue
Closed as duplicate of#235512
Closed as duplicate of#235512
[sentinel_one] Cannot execute ILM policy delete step#235996
Labels
Team:FleetTeam label for Observability Data Collection Fleet team
@mohitjha-elastic

Description

@mohitjha-elastic
mohitjha-elastic
opened on Aug 28, 2025

Kibana/Elasticsearch Stack version: 8.18.0

Description:

The kibana_system role lacks the necessary permissions to delete system indices related to logs-sentinel_one.application-* and logs-sentinel_one.application_risk-*, as defined in the ILM policy located inside the package.

It shows permission issue in deleting the index

Error:

{
  "failed_step": "delete",
  "step_info": {
    "type": "security_exception",
    "reason": "action [indices:admin/delete] is unauthorized for user [found-internal-kibana4-server] with effective roles [found-internal-kibana4-server,kibana_system] on indices [.ds-logs-sentinel_one.application_risk-default-2025.08.28-000001], this action is granted by the index privileges [delete_index,manage,all]"
  }
}

Metadata

Metadata

Assignees

No one assigned

    Labels

    Team:FleetTeam label for Observability Data Collection Fleet team

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions