
[Security Assistant] Adds audit logging to knowledge base entry changes #203349

Merged
merged 9 commits into from
Dec 11, 2024

Conversation

@stephmilovic stephmilovic commented Dec 7, 2024

Summary

Resolves https://github.com/elastic/security-team/issues/11367

Adds audit logging events for: knowledge_base_entry_create, knowledge_base_entry_update, and knowledge_base_entry_delete

knowledge_base_entry_create

{
  "@timestamp":"2024-12-06T16:43:45.958-07:00",
  "message":"User has created knowledge base entry [id=93730ccc-2e8e-4bbb-bb79-72a4b722d190, name=\"My document\"]",
  "event":{
    "action":"knowledge_base_entry_create",
    "category":[
      "database"
    ],
    "type":[
      "creation"
    ],
    "outcome":"success"
  },
  "user":{
    "id":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
    "name":"elastic",
    "roles":[
      "superuser"
    ]
  },
  "kibana":{
    "space_id":"default",
    "session_id":"pklKJi6Kkks4tjI39pDGe288z3ou//lh0FHu+Ey57kE="
  },
  "trace":{
    "id":"bb33e39e-98b0-4362-95f5-34b3aa3bdd35"
  },
  "client":{
    "ip":"127.0.0.1"
  },
  "http":{
    "request":{
      "headers":{
        "x-forwarded-for":"127.0.0.1"
      }
    }
  },
  "service":{
    "node":{
      "roles":[
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs":{
    "version":"8.11.0"
  },
  "log":{
    "level":"INFO",
    "logger":"plugins.security.audit.ecs"
  },
  "process":{
    "pid":42480,
    "uptime":29.778092292
  },
  "transaction":{
    "id":"fe1039f3c161756c"
  }
}

knowledge_base_entry_update

{
  "@timestamp":"2024-12-10T14:35:11.354-07:00",
  "message":"User has updated knowledge base entry [id=93730ccc-2e8e-4bbb-bb79-72a4b722d190, name=\"My document\"]",
  "event":{
    "action":"knowledge_base_entry_update",
    "category":[
      "database"
    ],
    "type":[
      "change"
    ],
    "outcome":"success"
  },
  "user":{
    "id":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
    "name":"elastic",
    "roles":[
      "superuser"
    ]
  },
  "kibana":{
    "space_id":"default",
    "session_id":"raBw0MluNHMgGNz1YxXHFP/Qj7ctWDPuENNWfS4n3/A="
  },
  "trace":{
    "id":"791c7a7f-a8bb-4983-9818-3ee66886181b"
  },
  "client":{
    "ip":"127.0.0.1"
  },
  "http":{
    "request":{
      "headers":{
        "x-forwarded-for":"127.0.0.1"
      }
    }
  },
  "service":{
    "node":{
      "roles":[
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs":{
    "version":"8.11.0"
  },
  "log":{
    "level":"INFO",
    "logger":"plugins.security.audit.ecs"
  },
  "process":{
    "pid":49499,
    "uptime":820.908983584
  },
  "transaction":{
    "id":"5c8741ee1b3a248a"
  }
}

knowledge_base_entry_delete

{
  "@timestamp":"2024-12-06T16:43:50.028-07:00",
  "message":"User has deleted knowledge base entry [id=52fc47fb-c0d9-418f-af50-2e4fa6610746]",
  "event":{
    "action":"knowledge_base_entry_delete",
    "category":[
      "database"
    ],
    "type":[
      "deletion"
    ],
    "outcome":"success"
  },
  "user":{
    "id":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
    "name":"elastic",
    "roles":[
      "superuser"
    ]
  },
  "kibana":{
    "space_id":"default",
    "session_id":"pklKJi6Kkks4tjI39pDGe288z3ou//lh0FHu+Ey57kE="
  },
  "trace":{
    "id":"70088508-080f-4cf6-838c-1dd9676b592f"
  },
  "client":{
    "ip":"127.0.0.1"
  },
  "http":{
    "request":{
      "headers":{
        "x-forwarded-for":"127.0.0.1"
      }
    }
  },
  "service":{
    "node":{
      "roles":[
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs":{
    "version":"8.11.0"
  },
  "log":{
    "level":"INFO",
    "logger":"plugins.security.audit.ecs"
  },
  "process":{
    "pid":42480,
    "uptime":33.848645
  },
  "transaction":{
    "id":"315d60aa8e32df91"
  }
}

To test

  1. add this line to your kibana.dev.yml: xpack.security.audit.enabled: true
  2. start es from snapshot and include this argument: -E xpack.security.audit.enabled=true
  3. start kibana
  4. Set up KB
  5. Create an entry
  6. Update an entry
  7. Delete an entry
  8. Open the file logs/audit.log
  9. Search for knowledge_base_entry_create, knowledge_base_entry_update, and knowledge_base_entry_delete to ensure audit logs were added for each action you took
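The test plan above ends with a manual search of logs/audit.log for the three actions. The block below is an added example, not code from this PR or from Kibana, that performs that check programmatically over the NDJSON audit log: it keeps only knowledge base entry events, reports which of the three actions never appeared, lists events whose outcome is not "success", and reconstructs the per-entry lifecycle from the entry id embedded in the message. The sample lines are constructed for the example in the shape of the events shown in the description, plus one unrelated audit event and one hypothetical failed delete that the PR itself does not show; all function names are the example's own.

```typescript
// Added example (not Kibana's code): check the knowledge base entry events in
// a Kibana audit.log (NDJSON, one ECS document per line). Field names follow
// the events shown in the PR description; sample lines below are constructed.

const KB_ACTIONS = [
  'knowledge_base_entry_create',
  'knowledge_base_entry_update',
  'knowledge_base_entry_delete',
] as const;
type KbAction = (typeof KB_ACTIONS)[number];

interface KbAuditEvent {
  timestamp: string;
  action: KbAction;
  outcome: string;
  user: string;
  space: string;
  entryId: string | null; // parsed from "[id=...]" in the message text
}

// Loose shape of one audit document; only the fields this check reads.
interface AuditDoc {
  '@timestamp'?: string;
  message?: string;
  event?: { action?: string; outcome?: string };
  user?: { name?: string };
  kibana?: { space_id?: string };
}

function isKbAction(action: unknown): action is KbAction {
  return typeof action === 'string' && KB_ACTIONS.some((a) => a === action);
}

// Parse an audit log into its knowledge base events, skipping unrelated
// actions and any line that is not valid JSON (e.g. a truncated last line).
function parseKbAuditLog(ndjson: string): KbAuditEvent[] {
  const events: KbAuditEvent[] = [];
  for (const raw of ndjson.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    let doc: AuditDoc;
    try {
      doc = JSON.parse(line) as AuditDoc;
    } catch {
      continue;
    }
    const action = doc.event?.action;
    if (!isKbAction(action)) continue;
    const idMatch = /\[id=([^,\]]+)/.exec(doc.message ?? '');
    events.push({
      timestamp: doc['@timestamp'] ?? '',
      action,
      outcome: doc.event?.outcome ?? 'unknown',
      user: doc.user?.name ?? 'unknown',
      space: doc.kibana?.space_id ?? 'unknown',
      entryId: idMatch ? idMatch[1] : null,
    });
  }
  return events;
}

// Step 9 of the test plan: which of the three actions never showed up?
function missingActions(events: KbAuditEvent[]): KbAction[] {
  const seen = new Set(events.map((e) => e.action));
  return KB_ACTIONS.filter((a) => !seen.has(a));
}

// Anything that is not a success outcome deserves a look; the PR description
// only shows success events.
function nonSuccessEvents(events: KbAuditEvent[]): KbAuditEvent[] {
  return events.filter((e) => e.outcome !== 'success');
}

// Successful actions per entry id in log order: the lifecycle of each entry.
function actionsByEntry(events: KbAuditEvent[]): Map<string, KbAction[]> {
  const byEntry = new Map<string, KbAction[]>();
  for (const e of events) {
    if (e.outcome !== 'success' || e.entryId === null) continue;
    const list = byEntry.get(e.entryId) ?? [];
    list.push(e.action);
    byEntry.set(e.entryId, list);
  }
  return byEntry;
}

// Entry ids updated or deleted with no create event in this log: created
// before the log window, or changed through some path that is not audited.
function changedWithoutCreate(events: KbAuditEvent[]): string[] {
  return Array.from(actionsByEntry(events).entries())
    .filter(([, actions]) => actions[0] !== 'knowledge_base_entry_create')
    .map(([id]) => id);
}

function auditCheck(ndjson: string) {
  const events = parseKbAuditLog(ndjson);
  return {
    total: events.length,
    missing: missingActions(events),
    nonSuccess: nonSuccessEvents(events).map((e) => `${e.action} by ${e.user}: ${e.outcome}`),
    withoutCreate: changedWithoutCreate(events),
  };
}

// Constructed sample (not real log output): the three success events from the
// description, one unrelated audit event, and one hypothetical failed delete.
const SAMPLE_AUDIT_LOG = [
  { '@timestamp': '2024-12-06T16:43:45.958-07:00', message: 'User has created knowledge base entry [id=93730ccc-2e8e-4bbb-bb79-72a4b722d190, name="My document"]',
    event: { action: 'knowledge_base_entry_create', category: ['database'], type: ['creation'], outcome: 'success' }, user: { name: 'elastic', roles: ['superuser'] }, kibana: { space_id: 'default' } },
  { '@timestamp': '2024-12-06T16:43:46.010-07:00', message: 'User is finding saved objects',
    event: { action: 'saved_object_find', outcome: 'success' }, user: { name: 'elastic' }, kibana: { space_id: 'default' } },
  { '@timestamp': '2024-12-10T14:35:11.354-07:00', message: 'User has updated knowledge base entry [id=93730ccc-2e8e-4bbb-bb79-72a4b722d190, name="My document"]',
    event: { action: 'knowledge_base_entry_update', category: ['database'], type: ['change'], outcome: 'success' }, user: { name: 'elastic', roles: ['superuser'] }, kibana: { space_id: 'default' } },
  { '@timestamp': '2024-12-06T16:43:50.028-07:00', message: 'User has deleted knowledge base entry [id=52fc47fb-c0d9-418f-af50-2e4fa6610746]',
    event: { action: 'knowledge_base_entry_delete', category: ['database'], type: ['deletion'], outcome: 'success' }, user: { name: 'elastic', roles: ['superuser'] }, kibana: { space_id: 'default' } },
  { '@timestamp': '2024-12-10T14:40:00.000-07:00', message: 'User has deleted knowledge base entry [id=93730ccc-2e8e-4bbb-bb79-72a4b722d190]',
    event: { action: 'knowledge_base_entry_delete', outcome: 'failure' }, user: { name: 'analyst' }, kibana: { space_id: 'default' } }, // hypothetical
]
  .map((doc) => JSON.stringify(doc))
  .join('\n');

console.log(JSON.stringify(auditCheck(SAMPLE_AUDIT_LOG), null, 2));
```

To run it against a real file, pass the contents of logs/audit.log (for example via fs.readFileSync) to auditCheck instead of the constructed sample. The entry id is taken from the message text because, in the events shown in the description, it appears nowhere else in the document.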

@stephmilovic stephmilovic added labels release_note:enhancement, Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), backport:prev-minor (Backport to 8.x, the previous minor version, i.e. one version back from main), Team:Security Generative AI (Security Generative AI) Dec 7, 2024
@stephmilovic stephmilovic marked this pull request as ready for review December 10, 2024 21:41
@stephmilovic stephmilovic requested a review from a team as a code owner December 10, 2024 21:41
@elasticmachine

Pinging @elastic/security-solution (Team: SecuritySolution)

@elasticmachine

💚 Build Succeeded

Metrics [docs]

Public APIs missing comments

Total count of every public API that lacks a comment. Target amount is 0. Run node scripts/build_api_docs --plugin [yourplugin] --stats comments for more detailed information.

id before after diff
elasticAssistant 41 40 -1
Unknown metric groups

API count

id before after diff
elasticAssistant 56 55 -1

id: deletedId,
outcome: AUDIT_OUTCOME.SUCCESS,
})
);
});
}
if (numFailed > 0) {
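Review bot: only the success path is audited here (`outcome: AUDIT_OUTCOME.SUCCESS` for each `deletedId`); the `if (numFailed > 0)` branch that follows should emit the corresponding event with a failure outcome so that deletes that were rejected or errored are recorded too, otherwise the audit trail for this action can only ever show successes.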

do we also want to report failed actions?

@stephmilovic stephmilovic merged commit 84a2d40 into elastic:main Dec 11, 2024
12 checks passed
@kibanamachine

Starting backport for target branches: 8.x

https://github.com/elastic/kibana/actions/runs/12283023020

@kibanamachine

💚 All backports created successfully

Status Branch Result
8.x

Note: Successful backport PRs will be merged automatically after passing CI.

Questions ?

Please refer to the Backport tool documentation

CAWilson94 pushed a commit to CAWilson94/kibana that referenced this pull request Dec 12, 2024
kibanamachine added a commit that referenced this pull request Dec 12, 2024
… changes (#203349) (#203886)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[Security Assistant] Adds audit logging to knowledge base entry
changes (#203349)](#203349)

<!--- Backport version: 9.4.3 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sqren/backport)

<!--BACKPORT [{"author":{"name":"Steph
Milovic","email":"[email protected]"},"sourceCommit":{"committedDate":"2024-12-11T18:55:08Z","message":"[Security
Assistant] Adds audit logging to knowledge base entry changes
(#203349)","sha":"84a2d409537737fb66ddfca63bb3f772deb265e8","branchLabelMapping":{"^v9.0.0$":"main","^v8.18.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:enhancement","v9.0.0","Team:
SecuritySolution","backport:prev-minor","Team:Security Generative
AI"],"title":"[Security Assistant] Adds audit logging to knowledge base
entry
changes","number":203349,"url":"https://github.com/elastic/kibana/pull/203349","mergeCommit":{"message":"[Security
Assistant] Adds audit logging to knowledge base entry changes
(#203349)","sha":"84a2d409537737fb66ddfca63bb3f772deb265e8"}},"sourceBranch":"main","suggestedTargetBranches":[],"targetPullRequestStates":[{"branch":"main","label":"v9.0.0","branchLabelMappingKey":"^v9.0.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/203349","number":203349,"mergeCommit":{"message":"[Security
Assistant] Adds audit logging to knowledge base entry changes
(#203349)","sha":"84a2d409537737fb66ddfca63bb3f772deb265e8"}}]}]
BACKPORT-->

Co-authored-by: Steph Milovic <[email protected]>
Co-authored-by: Elastic Machine <[email protected]>
Labels
backport:prev-minor (Backport to 8.x, the previous minor version, i.e. one version back from main), release_note:enhancement, Team:Security Generative AI (Security Generative AI), Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.), v8.18.0, v9.0.0