From 68f4a7c76934900c6154fe87f6791dea72966505 Mon Sep 17 00:00:00 2001
From: Robert Sese <734194+rsese@users.noreply.github.com>
Date: Fri, 29 Mar 2024 12:05:19 -0500
Subject: [PATCH] audit log: special case api.request description (#49934)

---
 src/audit-logs/data/ghec/enterprise.json | 2 +-
 src/audit-logs/data/ghes-3.10/enterprise.json | 2 +-
 src/audit-logs/data/ghes-3.11/enterprise.json | 2 +-
 src/audit-logs/data/ghes-3.12/enterprise.json | 2 +-
 src/audit-logs/data/ghes-3.13/enterprise.json | 2 +-
 src/audit-logs/data/ghes-3.9/enterprise.json | 2 +-
 src/audit-logs/lib/config.json | 5 +-
 src/audit-logs/lib/index.js | 47 +++++++++++--------
 8 files changed, 37 insertions(+), 27 deletions(-)

diff --git a/src/audit-logs/data/ghec/enterprise.json b/src/audit-logs/data/ghec/enterprise.json
index 558b6edca300..a23ad0812ced 100644
--- a/src/audit-logs/data/ghec/enterprise.json
+++ b/src/audit-logs/data/ghec/enterprise.json
@@ -146,7 +146,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "user_agent",
diff --git a/src/audit-logs/data/ghes-3.10/enterprise.json b/src/audit-logs/data/ghes-3.10/enterprise.json
index f0458b8620e0..4a207b9cf7b3 100644
--- a/src/audit-logs/data/ghes-3.10/enterprise.json
+++ b/src/audit-logs/data/ghes-3.10/enterprise.json
@@ -1093,7 +1093,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "@timestamp",
diff --git a/src/audit-logs/data/ghes-3.11/enterprise.json b/src/audit-logs/data/ghes-3.11/enterprise.json
index 3df982a32b91..c6a5d2a51d82 100644
--- a/src/audit-logs/data/ghes-3.11/enterprise.json
+++ b/src/audit-logs/data/ghes-3.11/enterprise.json
@@ -1099,7 +1099,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "@timestamp",
diff --git a/src/audit-logs/data/ghes-3.12/enterprise.json b/src/audit-logs/data/ghes-3.12/enterprise.json
index 26ce8e3f6135..c10cdd97b86e 100644
--- a/src/audit-logs/data/ghes-3.12/enterprise.json
+++ b/src/audit-logs/data/ghes-3.12/enterprise.json
@@ -1099,7 +1099,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "@timestamp",
diff --git a/src/audit-logs/data/ghes-3.13/enterprise.json b/src/audit-logs/data/ghes-3.13/enterprise.json
index 732c9ddef4d0..10bad204ec20 100644
--- a/src/audit-logs/data/ghes-3.13/enterprise.json
+++ b/src/audit-logs/data/ghes-3.13/enterprise.json
@@ -1105,7 +1105,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "@timestamp",
diff --git a/src/audit-logs/data/ghes-3.9/enterprise.json b/src/audit-logs/data/ghes-3.9/enterprise.json
index 57a3811231ce..179c4b8bfa2a 100644
--- a/src/audit-logs/data/ghes-3.9/enterprise.json
+++ b/src/audit-logs/data/ghes-3.9/enterprise.json
@@ -1027,7 +1027,7 @@
 },
 {
 "action": "api.request",
- "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "description": "An API request was made to a security-significant endpoint for the enterprise. This event is only included if API Request Events is enabled in the enterprise's audit log settings. This event is only available via audit log streaming.",
 "docs_reference_links": "/admin/monitoring-activity-in-your-enterprise/reviewing-audit-logs-for-your-enterprise/streaming-the-audit-log-for-your-enterprise#enabling-audit-log-streaming-of-api-requests",
 "fields": [
 "@timestamp",
diff --git a/src/audit-logs/lib/config.json b/src/audit-logs/lib/config.json
index d4b5ded2dd77..4d52982f7e0c 100644
--- a/src/audit-logs/lib/config.json
+++ b/src/audit-logs/lib/config.json
@@ -1,4 +1,7 @@
 {
- "apiOnlyEventsAdditionalDescription": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "appendedDescriptions": {
+ "apiOnlyEvents": "This event is not available in the web interface, only via the REST API, audit log streaming, or JSON/CSV exports.",
+ "apiRequestEvent": "This event is only available via audit log streaming."
+ },
 "sha": "86e8c1638b4820a64a1e66501abd9e824b449b3e"
 }
\ No newline at end of file
diff --git a/src/audit-logs/lib/index.js b/src/audit-logs/lib/index.js
index e74a2984832c..55df3f3ad997 100644
--- a/src/audit-logs/lib/index.js
+++ b/src/audit-logs/lib/index.js
@@ -101,18 +101,11 @@ export function filterByAllowlistValues(
 const minimal = {
 action: event.action,
- description: event.description,
+ description: processAndGetEventDescription(event, eventAllowlists, pipelineConfig),
 docs_reference_links: event.docs_reference_links,
 fields: event.fields,
 }
- if (
- eventAllowlists.includes('org_api_only') ||
- eventAllowlists.includes('business_api_only')
- ) {
- minimal.description += ` ${pipelineConfig.apiOnlyEventsAdditionalDescription}`
- }
-
 minimalEvents.push(minimal)
 }
 }
@@ -167,19 +160,12 @@ export function filterAndUpdateGhesDataByAllowlistValues(
 if (ghesVersionAllowlists === null) continue
 if (seenByGhesVersion.get(fullGhesVersion)?.has(event.action)) continue

- const minimal = {
- action: event.action,
- description: event.description,
- docs_reference_links: event.docs_reference_links,
- fields: event.ghes[ghesVersion].fields,
- }
 if (ghesVersionAllowlists.includes(allowListValue)) {
- if (
- ghesVersionAllowlists.includes('org_api_only') ||
- ghesVersionAllowlists.includes('business_api_only')
- ) {
- minimal.description += ` ${pipelineConfig.apiOnlyEventsAdditionalDescription}`
+ const minimal = {
+ action: event.action,
+ description: processAndGetEventDescription(event, ghesVersionAllowlists, pipelineConfig),
+ docs_reference_links: event.docs_reference_links,
+ fields: event.ghes[ghesVersion].fields,
 }

 // we need to initialize as we go to build up the `minimalEvents`
@@ -208,3 +194,24 @@ export function filterAndUpdateGhesDataByAllowlistValues(
 }
 }
 }
+
+function processAndGetEventDescription(event, allowlists, pipelineConfig) {
+ let description = event.description
+
+ // api.request is a unique event because it's an api_only event but is the only
+ // one of these events where the description we append isn't correct so we
+ // have to account for it separately. There's not yet anything in the schema
+ // we can hook onto to treat it differently.
+ if (
+ (allowlists.includes('org_api_only') || allowlists.includes('business_api_only')) &&
+ event.action !== 'api.request'
+ ) {
+ description += ` ${pipelineConfig.appendedDescriptions.apiOnlyEvents}`
+ }
+
+ if (event.action === 'api.request') {
+ description += ` ${pipelineConfig.appendedDescriptions.apiRequestEvent}`
+ }
+
+ return description
+}
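Review bot: processAndGetEventDescription compares `event.action` with the literal `'api.request'` twice, once negated inside the api_only condition and once on its own, so the two branches read as independent checks although they are mutually exclusive; an `if`/`else if` with the special case first, and the action name hoisted to a named constant, states that in one place and leaves a single spot to update when the schema gains a field to key on. The function is also undocumented: a JSDoc block should say that it returns `event.description` with the configured suffix appended when `allowlists` contains `org_api_only` or `business_api_only`, that `api.request` instead gets the streaming-only suffix, and that `pipelineConfig.appendedDescriptions` is read without a guard, so a config in the older single-key shape would throw a TypeError here rather than fall back. The rewritten body follows.
```javascript
// api.request is an api_only event whose generic suffix is wrong; the schema has
// no field to key on yet, so it is matched by name in one place.
const API_REQUEST_ACTION = 'api.request'

function processAndGetEventDescription(event, allowlists, pipelineConfig) {
  let description = event.description

  if (event.action === API_REQUEST_ACTION) {
    description += ` ${pipelineConfig.appendedDescriptions.apiRequestEvent}`
  } else if (allowlists.includes('org_api_only') || allowlists.includes('business_api_only')) {
    description += ` ${pipelineConfig.appendedDescriptions.apiOnlyEvents}`
  }

  return description
}
```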