Kibana Audit Log - Alerting Rule Deletion

Hi,

I have a question regarding Kibana's audit logging and the deletion of alerting rules.

Below are the audit log events I got when deleting an alerting rule in the Kibana UI:

{
  "event": {
    "action": "http_request",
    "category": [
      "web"
    ],
    "outcome": "unknown"
  },
  "http": {
    "request": {
      "method": "delete"
    }
  },
  "url": {
    "domain": "10.0.41.111",
    "path": "/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b",
    "port": 5601,
    "scheme": "https"
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ="
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.427-04:00",
  "message": "User is requesting [/api/alerting/rule/95f95c80-c246-11ed-ba1f-9d1770043f8b] endpoint",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}
{
  "event": {
    "action": "space_get",
    "category": [
      "database"
    ],
    "type": [
      "access"
    ],
    "outcome": "success"
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
    "saved_object": {
      "type": "space",
      "id": "default"
    }
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.437-04:00",
  "message": "User has accessed space [id=default]",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}
{
  "event": {
    "action": "rule_delete",
    "category": [
      "database"
    ],
    "type": [
      "deletion"
    ],
    "outcome": "unknown"
  },
  "kibana": {
    "space_id": "default",
    "session_id": "0UIiCmiKybqcmf5iQ//4H9LLwItzejuaq871azMEwkQ=",
    "saved_object": {
      "type": "alert",
      "id": "95f95c80-c246-11ed-ba1f-9d1770043f8b"
    }
  },
  "user": {
    "name": "elastic",
    "roles": [
      "superuser"
    ]
  },
  "trace": {
    "id": "b638a8c1-9afd-4e7d-bf2e-7681f3d5e9ed"
  },
  "service": {
    "node": {
      "roles": [
        "background_tasks",
        "ui"
      ]
    }
  },
  "ecs": {
    "version": "8.4.0"
  },
  "@timestamp": "2023-03-14T05:00:10.465-04:00",
  "message": "User is deleting rule [id=95f95c80-c246-11ed-ba1f-9d1770043f8b]",
  "log": {
    "level": "INFO",
    "logger": "plugins.security.audit.ecs"
  },
  "process": {
    "pid": 1600759
  },
  "transaction": {
    "id": "c478044baa4c0347"
  }
}

From the audit log, it shows that the user elastic deleted the rule with id 95f95c80-c246-11ed-ba1f-9d1770043f8b. However, is there a way to map this rule id back to its human-readable name, e.g. "Check CPU Load", so that the auditor can confirm that the rule "Check CPU Load" was deleted by the user elastic?

Thanks.
