
ECS audit events for alerts plugin #80288

Closed
thomheymann opened this issue Oct 13, 2020 · 3 comments · Fixed by #84113

Comments

@thomheymann (Contributor) commented Oct 13, 2020

In order to support better auditing capabilities across the stack, we would like to add ECS audit events to the alerts plugin:

  • Remove legacy audit events in alerts plugin:

    • alerts_authorization_failure
    • alerts_authorization_success
    • actions_authorization_failure
    • actions_authorization_success
  • Following auditing guidelines, create ECS audit events using the new audit service API:

    ```ts
    // securitySetup: the security plugin's setup contract; request: the KibanaRequest being audited
    const auditLogger = securitySetup.audit.withRequest(request);
    auditLogger.log({
      message: 'User is updating dashboard [id=123]',
      event: {
        action: 'saved_object_update',
        outcome: 'unknown', // logged before the write completes, so the result is not yet known
      },
      kibana: {
        saved_object: { type: 'dashboard', id: '123' },
      },
    });
    ```

Event types: https://docs.google.com/document/d/1J4iv3WhkfJqH241KmBPW6eOZGe4MbBz6XE_KlBL2-_s/edit#

@thomheymann thomheymann added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) Feature:Security/Audit Platform Security - Audit Logging feature labels Oct 13, 2020
@thomheymann thomheymann self-assigned this Oct 13, 2020
@elasticmachine (Contributor): Pinging @elastic/kibana-alerting-services (Team:Alerting Services)

@elasticmachine (Contributor): Pinging @elastic/kibana-security (Team:Security)

@thomheymann mentioned this issue Oct 13, 2020 (4 tasks)
@thomheymann (Contributor, Author) commented:

Requires #42762 so that we can generate the correct id when logging a create event before actually creating an alert / action.
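The audit pattern described in the issue body (log an ECS event with outcome `unknown` before a write, replace the legacy authorization events) together with the point in the comment above (the id must exist before the create so the event can carry it), as an added example. This is not Kibana's code and not the alerts plugin's API: the action names `alert_create`/`alert_update`/`alert_delete`, the `AlertsWriter` type, `createAlertWithAudit` and the in-memory logger are assumptions made for this example; the real event catalogue is the linked design document.

```typescript
// Added example, not Kibana's code: the ECS audit-event pattern the issue asks for, applied to an
// alert "create". The saved-object id is generated before the write so the outcome 'unknown' event
// can be logged first, and an authorization denial is logged as an ECS event with outcome 'failure'.
// The action names, AlertsWriter and createAlertWithAudit are assumptions, not the plugin's API.

type Outcome = 'unknown' | 'success' | 'failure';
type AlertAuditAction = 'alert_create' | 'alert_update' | 'alert_delete';

// Shape of the object passed to auditLogger.log() in the issue, narrowed to the fields set here.
interface AuditEvent {
  message: string;
  event: { action: AlertAuditAction; category: string[]; type: string[]; outcome: Outcome };
  kibana: { saved_object: { type: 'alert'; id: string } };
  error?: { message: string };
}

interface AuditLogger { log(event: AuditEvent): void; }

// In-memory stand-in for securitySetup.audit.withRequest(request); keeps events for inspection.
class MemoryAuditLogger implements AuditLogger {
  readonly events: AuditEvent[] = [];
  log(event: AuditEvent): void { this.events.push(event); }
}

// ECS event.type per action ('creation', 'change', 'deletion' and event.category 'database' are
// ECS allowed values) plus the verbs used in the human-readable message.
const ACTION_META: Record<AlertAuditAction, { type: string; ing: string; base: string }> = {
  alert_create: { type: 'creation', ing: 'creating', base: 'create' },
  alert_update: { type: 'change', ing: 'updating', base: 'update' },
  alert_delete: { type: 'deletion', ing: 'deleting', base: 'delete' },
};

function alertAuditEvent(action: AlertAuditAction, id: string, outcome: Outcome, error?: unknown): AuditEvent {
  const { type, ing, base } = ACTION_META[action];
  const event: AuditEvent = {
    message: outcome === 'failure' ? `Failed attempt to ${base} alert [id=${id}]` : `User is ${ing} alert [id=${id}]`,
    event: { action, category: ['database'], type: [type], outcome },
    kibana: { saved_object: { type: 'alert', id } },
  };
  if (error !== undefined) {
    // ECS error.message carries the reason (e.g. the authorization error) alongside the failure event
    event.error = { message: error instanceof Error ? error.message : String(error) };
  }
  return event;
}

// One audited alert operation. A thrown authorization error is logged with outcome 'failure' and
// rethrown (the ECS replacement for the legacy alerts_authorization_failure event); an authorized
// write is logged with outcome 'unknown' before it runs, as in the issue's snippet.
function auditedAlertOperation<T>(
  logger: AuditLogger, action: AlertAuditAction, id: string, authorize: () => void, operate: () => T
): T {
  try {
    authorize();
  } catch (error) {
    logger.log(alertAuditEvent(action, id, 'failure', error));
    throw error;
  }
  logger.log(alertAuditEvent(action, id, 'unknown'));
  return operate();
}

// Hypothetical writer that persists an alert under a caller-chosen id (what #42762 is needed for).
type AlertsWriter = (id: string, attributes: Record<string, unknown>) => { id: string };

function createAlertWithAudit(
  logger: AuditLogger, attributes: Record<string, unknown>, authorize: () => void,
  write: AlertsWriter, generateId: () => string = defaultIdGenerator
): { id: string } {
  const id = generateId(); // fixed before the write so the audit event carries the alert's real id
  return auditedAlertOperation(logger, 'alert_create', id, authorize, () => write(id, attributes));
}

function defaultIdGenerator(): string {
  const webCrypto = (globalThis as any).crypto; // Web Crypto randomUUID (Node 19+, browsers)
  if (webCrypto && typeof webCrypto.randomUUID === 'function') return webCrypto.randomUUID();
  throw new Error('no randomUUID available; inject a UUID generator');
}

// Constructed walk-through: an authorized create followed by a denied one.
function demo(): AuditEvent[] {
  const logger = new MemoryAuditLogger();
  let counter = 0;
  const nextId = (): string => `alert-${++counter}`;
  const write: AlertsWriter = (id) => ({ id });
  createAlertWithAudit(logger, { name: 'cpu-high' }, () => {}, write, nextId);
  const deny = (): void => { throw new Error('Unauthorized to create a "disk-full" alert'); };
  try {
    createAlertWithAudit(logger, { name: 'disk-full' }, deny, write, nextId);
  } catch {
    // denied: the failure event is already logged and the write never ran
  }
  return logger.events;
}
```

`demo()` returns two events: the authorized create is recorded with `outcome: 'unknown'` and the pre-generated id `alert-1`; the denied create is recorded with `outcome: 'failure'` and the authorization error under `error.message`, and no write happens. The real alerts client is asynchronous; the same wrapper applies with `await` around `operate()`, but keeping this example synchronous keeps the ordering of the events easy to follow.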

@kobelb kobelb added the needs-team Issues missing a team label label Jan 31, 2022
@botelastic botelastic bot removed the needs-team Issues missing a team label label Jan 31, 2022