Kibana Audit Log - Alerting Rule Deletion

wanch · March 14, 2023, 9:59am

Hi,

I have a question regarding Kibana's audit logging and the deletion of alerting rules.

Below is the audit logs I got for deleting an alerting rule in Kibana UI:

{
  "event": {
    "action": "http_request",
    "category": [
      "web"
    ],
    "outcome": "unknown"
  },
  "http": {
    "request": {
      "method": "delete"
    }
  },
  "url": {
    "domain": "10.0.41.111",
    "path": "/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b",
    "port": 5601,
    "scheme": "https"
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ="
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.427-04:00",
  "message": "User is requesting [/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b] endpoint",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}
{
  "event": {
    "action": "space_get",
    "category": [
      "database"
    ],
    "type": [
      "access"
    ],
    "outcome": "success"
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
    "saved_object": {
      "type": "space",
      "id": "default"
    }
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.437-04:00",
  "message": "User has accessed space [id=default]",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}
{
  "event": {
    "action": "rule_delete",
    "category": [
      "database"
    ],
    "type": [
      "deletion"
    ],
    "outcome": "unknown"
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
    "saved_object": {
      "type": "alert",
      "id": "95f95c80-c246-11ed-ba1f-9d1770043f8b"
    }
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.465-04:00",
  "message": "User is deleting rule [id=95f95c80-c246-11ed-ba1f-9d1770043f8b]",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}

From the audit log, it shows that the user elastic has deleted the rule with id 95f95c80-c246-11ed-ba1f-9d1770043f8b. However, is there a way to map back this rule id to the human-readable name, eg. "Check CPU Load" so that the auditor can confirm that the rule "Check CPU Load" is deleted by the user elastic?

Thanks.

system · April 11, 2023, 10:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Active alert from deleted rule Elasticsearch elastic-stack-alerting	2	890	March 13, 2023
Auditing Kibana's user events Kibana	2	156	August 14, 2023
New to Kibana: How to Remove Lingering Active Alerts? (Rules Deleted) Kibana elastic-stack-alerting	2	458	March 11, 2024
Bug Report: Alert behaviour after deleting its rule Kibana elastic-stack-alerting	3	339	March 24, 2023
Alerting API. Where can I find alert_id? Kibana elastic-stack-alerting	4	1066	August 25, 2022

Kibana Audit Log - Alerting Rule Deletion

Related topics