Hi,
I have a question regarding Kibana's audit logging and the deletion of alerting rules.
Below are the audit log events I captured when deleting an alerting rule through the Kibana UI. The three events (the `http_request`, the `space_get` and the `rule_delete`) share the same `trace.id`, `transaction.id` and `kibana.session_id`, which is how I correlated them to a single user action:
{
"event": {
"action": "http_request",
"category": [
"web"
],
"outcome": "unknown"
},
"http": {
"request": {
"method": "delete"
}
},
"url": {
"domain": "10.0.41.111",
"path": "/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b",
"port": 5601,
"scheme": "https"
},
"user": {
"name": "elastic",
"roles": [
"superuser"
]
},
"kibana": {
"space_id": "default",
"session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ="
},
"trace": {
"id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
},
"service": {
"node": {
"roles": [
"background_tasks",
"ui"
]
}
},
"ecs": {
"version": "8.4.0"
},
"@timestamp": "2023-03-14T05:00:10.427-04:00",
"message": "User is requesting [/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b] endpoint",
"log": {
"level": "INFO",
"logger": "plugins.security.audit.ecs"
},
"process": {
"pid": 1600759
},
"transaction": {
"id": "c478044baa4c0347"
}
}
{
"event": {
"action": "space_get",
"category": [
"database"
],
"type": [
"access"
],
"outcome": "success"
},
"kibana": {
"space_id": "default",
"session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
"saved_object": {
"type": "space",
"id": "default"
}
},
"user": {
"name": "elastic",
"roles": [
"superuser"
]
},
"trace": {
"id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
},
"service": {
"node": {
"roles": [
"background_tasks",
"ui"
]
}
},
"ecs": {
"version": "8.4.0"
},
"@timestamp": "2023-03-14T05:00:10.437-04:00",
"message": "User has accessed space [id=default]",
"log": {
"level": "INFO",
"logger": "plugins.security.audit.ecs"
},
"process": {
"pid": 1600759
},
"transaction": {
"id": "c478044baa4c0347"
}
}
{
"event": {
"action": "rule_delete",
"category": [
"database"
],
"type": [
"deletion"
],
"outcome": "unknown"
},
"kibana": {
"space_id": "default",
"session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
"saved_object": {
"type": "alert",
"id": "95f95c80-c246-11ed-ba1f-9d1770043f8b"
}
},
"user": {
"name": "elastic",
"roles": [
"superuser"
]
},
"trace": {
"id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
},
"service": {
"node": {
"roles": [
"background_tasks",
"ui"
]
}
},
"ecs": {
"version": "8.4.0"
},
"@timestamp": "2023-03-14T05:00:10.465-04:00",
"message": "User is deleting rule [id=95f95c80-c246-11ed-ba1f-9d1770043f8b]",
"log": {
"level": "INFO",
"logger": "plugins.security.audit.ecs"
},
"process": {
"pid": 1600759
},
"transaction": {
"id": "c478044baa4c0347"
}
}
From the audit log, it shows that the user `elastic` (role `superuser`) requested deletion of the rule with id `95f95c80-c246-11ed-ba1f-9d1770043f8b` — the `rule_delete` event only carries the saved object type (`alert`) and id, and its `event.outcome` is `"unknown"`, so on its own it records that the deletion was attempted, not that it succeeded. However, is there a way to map this rule id back to the human-readable rule name, e.g. "Check CPU Load", so that an auditor can confirm that the rule "Check CPU Load" was deleted by the user `elastic`? Once the rule is deleted the id can no longer be looked up via the alerting API, so the mapping would have to come from the audit trail itself or from a record captured before the deletion.
Thanks.