[EDR Workflows] Update predefined roles with siemV4 (#238635)

## Summary

Update `security` roles used in local serverless instance and in tests:
- switch from `siemV3` to `siemV4`
- apply the migration from the following Kibana PR:
  - #233433
  - rules:
    - security ALL -> endpoint exceptions ALL
    - security READ -> endpoint exceptions READ
- **BUGFIX**: t1/t2 analyst roles lose their endpoint exceptions READ
access, as intended

PR in `elasticsearch-controller`:
- elastic/elasticsearch-controller#1223

Author: gergoabraham

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/roles.yml

@@ -1,5 +1,5 @@
 # ----- Copy from internal roles config in elasticsearch-controller
-# modeled after the t1_analyst minus osquery run saved queries privilege
+# modeled after the t1_analyst minus osquery run saved queries privilege, plus endpoint exceptions read
 viewer:
   cluster: []
   indices:
@@ -45,9 +45,10 @@ viewer:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.read
-        - feature_siemV3.read_alerts
-        - feature_siemV3.endpoint_list_read
+        - feature_siemV4.read
+        - feature_siemV4.read_alerts
+        - feature_siemV4.endpoint_list_read
+        - feature_siemV4.endpoint_exceptions_read
         - feature_securitySolutionCasesV2.read
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -128,21 +129,22 @@ editor:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all
-        - feature_siemV3.policy_management_read # Elastic Defend Policy Management
-        - feature_siemV3.host_isolation_all
-        - feature_siemV3.process_operations_all
-        - feature_siemV3.actions_log_management_all # Response actions history
-        - feature_siemV3.file_operations_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.policy_management_read # Elastic Defend Policy Management
+        - feature_siemV4.host_isolation_all
+        - feature_siemV4.process_operations_all
+        - feature_siemV4.actions_log_management_all # Response actions history
+        - feature_siemV4.file_operations_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -199,9 +201,9 @@ t1_analyst:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.read
-        - feature_siemV3.read_alerts
-        - feature_siemV3.endpoint_list_read
+        - feature_siemV4.read
+        - feature_siemV4.read_alerts
+        - feature_siemV4.endpoint_list_read
         - feature_securitySolutionCasesV2.read
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -261,9 +263,9 @@ t2_analyst:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.read
-        - feature_siemV3.read_alerts
-        - feature_siemV3.endpoint_list_read
+        - feature_siemV4.read
+        - feature_siemV4.read_alerts
+        - feature_siemV4.endpoint_list_read
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -328,23 +330,24 @@ t3_analyst:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all
-        - feature_siemV3.policy_management_read # Elastic Defend Policy Management
-        - feature_siemV3.host_isolation_all
-        - feature_siemV3.process_operations_all
-        - feature_siemV3.actions_log_management_all # Response actions history
-        - feature_siemV3.file_operations_all
-        - feature_siemV3.scan_operations_all
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.policy_management_read # Elastic Defend Policy Management
+        - feature_siemV4.host_isolation_all
+        - feature_siemV4.process_operations_all
+        - feature_siemV4.actions_log_management_all # Response actions history
+        - feature_siemV4.file_operations_all
+        - feature_siemV4.scan_operations_all
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -411,10 +414,11 @@ threat_intelligence_analyst:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.endpoint_list_read
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.blocklist_all
+        - feature_siemV4.all
+        - feature_siemV4.endpoint_list_read
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.blocklist_all
+        - feature_siemV4.endpoint_exceptions_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -482,19 +486,20 @@ rule_author:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.policy_management_all
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_read
-        - feature_siemV3.blocklist_all # Elastic Defend Policy Management
-        - feature_siemV3.actions_log_management_read
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.policy_management_all
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_read
+        - feature_siemV4.blocklist_all # Elastic Defend Policy Management
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.actions_log_management_read
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -562,24 +567,25 @@ soc_manager:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.policy_management_all
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all
-        - feature_siemV3.host_isolation_all
-        - feature_siemV3.process_operations_all
-        - feature_siemV3.actions_log_management_all
-        - feature_siemV3.file_operations_all
-        - feature_siemV3.execute_operations_all
-        - feature_siemV3.scan_operations_all
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.policy_management_all
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.host_isolation_all
+        - feature_siemV4.process_operations_all
+        - feature_siemV4.actions_log_management_all
+        - feature_siemV4.file_operations_all
+        - feature_siemV4.execute_operations_all
+        - feature_siemV4.scan_operations_all
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -651,10 +657,11 @@ detections_admin:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.all
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.global_artifact_management_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.endpoint_exceptions_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -718,19 +725,20 @@ platform_engineer:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.all
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.policy_management_all
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all # Elastic Defend Policy Management
-        - feature_siemV3.actions_log_management_read
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.policy_management_all
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all # Elastic Defend Policy Management
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.actions_log_management_read
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -798,23 +806,24 @@ endpoint_operations_analyst:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.read
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.policy_management_all
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all
-        - feature_siemV3.host_isolation_all
-        - feature_siemV3.process_operations_all
-        - feature_siemV3.actions_log_management_all
-        - feature_siemV3.file_operations_all
-        - feature_siemV3.execute_operations_all
-        - feature_siemV3.scan_operations_all
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.policy_management_all
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.host_isolation_all
+        - feature_siemV4.process_operations_all
+        - feature_siemV4.actions_log_management_all
+        - feature_siemV4.file_operations_all
+        - feature_siemV4.execute_operations_all
+        - feature_siemV4.scan_operations_all
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all
@@ -890,18 +899,19 @@ endpoint_policy_manager:
     - application: 'kibana-.kibana'
       privileges:
         - feature_ml.all
-        - feature_siemV3.all
-        - feature_siemV3.read_alerts
-        - feature_siemV3.crud_alerts
-        - feature_siemV3.policy_management_all
-        - feature_siemV3.endpoint_list_all
-        - feature_siemV3.global_artifact_management_all
-        - feature_siemV3.trusted_applications_all
-        - feature_siemV3.trusted_devices_all
-        - feature_siemV3.event_filters_all
-        - feature_siemV3.host_isolation_exceptions_all
-        - feature_siemV3.blocklist_all # Elastic Defend Policy Management
-        - feature_siemV3.workflow_insights_all
+        - feature_siemV4.all
+        - feature_siemV4.read_alerts
+        - feature_siemV4.crud_alerts
+        - feature_siemV4.policy_management_all
+        - feature_siemV4.endpoint_list_all
+        - feature_siemV4.global_artifact_management_all
+        - feature_siemV4.trusted_applications_all
+        - feature_siemV4.trusted_devices_all
+        - feature_siemV4.event_filters_all
+        - feature_siemV4.host_isolation_exceptions_all
+        - feature_siemV4.blocklist_all # Elastic Defend Policy Management
+        - feature_siemV4.endpoint_exceptions_all
+        - feature_siemV4.workflow_insights_all
         - feature_securitySolutionCasesV2.all
         - feature_securitySolutionAssistant.all
         - feature_securitySolutionAttackDiscovery.all

src/platform/packages/shared/kbn-es/src/serverless_resources/project_roles/security/search_ai_lake/roles.yml

@@ -45,7 +45,7 @@ _search_ai_lake_analyst:
     - application: "kibana-.kibana"
       privileges:
         - "feature_ml.read"
-        - "feature_siemV3.all"
+        - "feature_siemV4.all"
         - "feature_securitySolutionCasesV2.all"
         - "feature_securitySolutionAssistant.all"
         - "feature_securitySolutionAttackDiscovery.minimal_all"
@@ -119,9 +119,9 @@ _search_ai_lake_soc_manager:
   applications:
     - application: "kibana-.kibana"
       privileges:
-        - "feature_siemV3.all"
-        - "feature_siemV3.global_artifact_management_all"
-        - "feature_siemV3.workflow_insights_all"
+        - "feature_siemV4.all"
+        - "feature_siemV4.global_artifact_management_all"
+        - "feature_siemV4.workflow_insights_all"
         - "feature_securitySolutionCasesV2.all"
         - "feature_securitySolutionAssistant.all"
         - "feature_securitySolutionAttackDiscovery.all"