Add correlation section to audit logging docs #123757

jportner · 2022-01-25T18:59:03Z

Related to: #123737

This PR updates the audit logging docs to include more details about how audit events can be correlated.

Docs preview link: https://kibana_123757.docs-preview.app.elstc.co/diff

Note: the backports to 7.17 and earlier will need to have the "Correlating audit events" section header changed to "Correlating ECS audit events"

kibana-ci · 2022-01-25T19:15:53Z

💚 Build Succeeded

Buildkite Build
Commit: ad6ef48

History

💚 Build #19507 succeeded 31a5dbf274ceb28fd28b7f64bb943fa9be1f5322
💚 Build #19506 succeeded f3d7b803513bcfb59b4b67bba6fe935c7a062175

To update your PR or re-run it, just comment with:
@elasticmachine merge upstream

elasticmachine · 2022-01-26T13:21:41Z

Pinging @elastic/kibana-security (Team:Security)

legrego

LGTM, thanks!

legrego · 2022-01-26T13:48:28Z

docs/user/security/audit-logging.asciidoc

+{"event":{"action":"http_request","category":["web"],"outcome":"unknown"},"http":{"request":{"method":"post"}},"url":{"domain":"localhost","path":"/api/alerting/rule","port":5601,"scheme":"https"},"user":{"name":"thom","roles":["superuser"]},"kibana":{"space_id":"default","session_id":"3dHCZRB..."},"@timestamp":"2022-01-25T13:05:34.449-05:00","message":"User is requesting [/api/alerting/rule] endpoint","trace":{"id":"e300e06..."}}
+{"event":{"action":"space_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"space","id":"default"}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.454-05:00","message":"User has accessed space [id=default]","trace":{"id":"e300e06..."}}
+{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.948-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}
+{"event":{"action":"connector_get","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"3dHCZRB...","saved_object":{"type":"action","id":"5e3b1ae..."}},"user":{"name":"thom","roles":["superuser"]},"@timestamp":"2022-01-25T13:05:34.956-05:00","message":"User has accessed connector [id=5e3b1ae...]","trace":{"id":"e300e06..."}}


Out of scope for this PR, but do you know why we are accessing the same connector twice? That feels like a bug, or at the very least unnecessary overhead.

Great minds think alike! I opened a GH issue for this yesterday: #123753

It's not a bug but it is unnecessary overhead IMO.

(cherry picked from commit 6e4c311)

* Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events"

…elastic#123830) * Add correlation section to audit logging docs (elastic#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279)

…) (#123831) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279)

…) (#123832) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279)

…) (#123833) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279)

…) (#123836) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

…) (#123835) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

…) (#123834) * Add correlation section to audit logging docs (#123757) (cherry picked from commit 6e4c311) * "Correlating audit events" -> "Correlating ECS audit events" (cherry picked from commit 8241279) Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>

jportner added Team:Security Team focused on: Auth, Users, Roles, Spaces, Audit Logging, and more! release_note:skip Skip the PR/issue when compiling release notes docs v7.11.3 v7.12.2 v7.13.5 v8.1.0 v7.14.3 v7.15.3 v7.17.0 v7.16.4 v8.0.1 labels Jan 25, 2022

jportner force-pushed the update-audit-logging-docs branch from f3d7b80 to 31a5dbf Compare January 25, 2022 19:00

Add correlation section to audit logging docs

ad6ef48

jportner force-pushed the update-audit-logging-docs branch from 31a5dbf to ad6ef48 Compare January 25, 2022 19:15

jportner requested a review from legrego January 25, 2022 19:46

jportner marked this pull request as ready for review January 26, 2022 13:21

legrego approved these changes Jan 26, 2022

View reviewed changes

jportner merged commit 6e4c311 into elastic:main Jan 26, 2022

jportner deleted the update-audit-logging-docs branch January 26, 2022 13:54

jportner mentioned this pull request Jan 26, 2022

[8.0] Add correlation section to audit logging docs (#123757) #123829

Merged

jportner added a commit to jportner/kibana that referenced this pull request Jan 26, 2022

Add correlation section to audit logging docs (elastic#123757)

61a05bd

(cherry picked from commit 6e4c311)

jportner mentioned this pull request Jan 26, 2022

[7.17] Add correlation section to audit logging docs (#123757) #123830

Merged

jportner added a commit to jportner/kibana that referenced this pull request Jan 26, 2022

Add correlation section to audit logging docs (elastic#123757)

4bb11da

(cherry picked from commit 6e4c311)

jportner added a commit that referenced this pull request Jan 26, 2022

Add correlation section to audit logging docs (#123757) (#123829)

b17d377

(cherry picked from commit 6e4c311)

pgayvallet mentioned this pull request May 9, 2022

Stop Kibana from generating unique X-Opaque-ID values when not received from the client. #123737

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add correlation section to audit logging docs #123757

Add correlation section to audit logging docs #123757

jportner commented Jan 25, 2022 •

edited

Loading

kibana-ci commented Jan 25, 2022

elasticmachine commented Jan 26, 2022

legrego left a comment

legrego Jan 26, 2022

jportner Jan 26, 2022

Add correlation section to audit logging docs #123757

Add correlation section to audit logging docs #123757

Conversation

jportner commented Jan 25, 2022 • edited Loading

kibana-ci commented Jan 25, 2022

💚 Build Succeeded

History

elasticmachine commented Jan 26, 2022

legrego left a comment

Choose a reason for hiding this comment

legrego Jan 26, 2022

Choose a reason for hiding this comment

jportner Jan 26, 2022

Choose a reason for hiding this comment

jportner commented Jan 25, 2022 •

edited

Loading