github-mirrors/kibana
1
0
Fork 0
mirror of https://github.com/elastic/kibana.git synced 2025-04-24 01:38:56 -04:00
Code Issues Projects Releases Packages Wiki Activity

[Alerting] Updating audit event terminology (#102263)

Browse source 
* Updating audit terminology

* Fixing unit tests

* Updating audit docs

Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
This commit is contained in:
ymao1 2021-06-21 14:17:44 -04:00 committed by GitHub
parent f448f1f1bf
commit 6c699a562c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
16 changed files with 193 additions and 193 deletions
Download patch file Download diff file Expand all files Collapse all files

68
docs/user/security/audit-logging.asciidoc
View file

@ -93,9 +93,9 @@ Refer to the corresponding {es} logs for potential write errors.
| `unknown` | User is creating a connector.
| `failure` | User is not authorized to create a connector.
.2+| `alert_create`
| `unknown` | User is creating an alert.
| `failure` | User is not authorized to create an alert.
.2+| `rule_create`
| `unknown` | User is creating a rule.
| `failure` | User is not authorized to create a rule.
.2+| `space_create`
| `unknown` | User is creating a space.
@ -128,38 +128,38 @@ Refer to the corresponding {es} logs for potential write errors.
| `unknown` | User is updating a connector.
| `failure` | User is not authorized to update a connector.
.2+| `alert_update`
| `unknown` | User is updating an alert.
| `failure` | User is not authorized to update an alert.
.2+| `rule_update`
| `unknown` | User is updating a rule.
| `failure` | User is not authorized to update a rule.
.2+| `alert_update_api_key`
| `unknown` | User is updating the API key of an alert.
| `failure` | User is not authorized to update the API key of an alert.
.2+| `rule_update_api_key`
| `unknown` | User is updating the API key of a rule.
| `failure` | User is not authorized to update the API key of a rule.
.2+| `alert_enable`
| `unknown` | User is enabling an alert.
| `failure` | User is not authorized to enable an alert.
.2+| `rule_enable`
| `unknown` | User is enabling a rule.
| `failure` | User is not authorized to enable a rule.
.2+| `alert_disable`
| `unknown` | User is disabling an alert.
| `failure` | User is not authorized to disable an alert.
.2+| `rule_disable`
| `unknown` | User is disabling a rule.
| `failure` | User is not authorized to disable a rule.
.2+| `alert_mute`
.2+| `rule_mute`
| `unknown` | User is muting a rule.
| `failure` | User is not authorized to mute a rule.
.2+| `rule_unmute`
| `unknown` | User is unmuting a rule.
| `failure` | User is not authorized to unmute a rule.
.2+| `rule_alert_mute`
| `unknown` | User is muting an alert.
| `failure` | User is not authorized to mute an alert.
.2+| `alert_unmute`
.2+| `rule_alert_unmute`
| `unknown` | User is unmuting an alert.
| `failure` | User is not authorized to unmute an alert.
.2+| `alert_instance_mute`
| `unknown` | User is muting an alert instance.
| `failure` | User is not authorized to mute an alert instance.
.2+| `alert_instance_unmute`
| `unknown` | User is unmuting an alert instance.
| `failure` | User is not authorized to unmute an alert instance.
.2+| `space_update`
| `unknown` | User is updating a space.
| `failure` | User is not authorized to update a space.
@ -183,9 +183,9 @@ Refer to the corresponding {es} logs for potential write errors.
| `unknown` | User is deleting a connector.
| `failure` | User is not authorized to delete a connector.
.2+| `alert_delete`
| `unknown` | User is deleting an alert.
| `failure` | User is not authorized to delete an alert.
.2+| `rule_delete`
| `unknown` | User is deleting a rule.
| `failure` | User is not authorized to delete a rule.
.2+| `space_delete`
| `unknown` | User is deleting a space.
@ -218,13 +218,13 @@ Refer to the corresponding {es} logs for potential write errors.
| `success` | User has accessed a connector as part of a search operation.
| `failure` | User is not authorized to search for connectors.
.2+| `alert_get`
| `success` | User has accessed an alert.
| `failure` | User is not authorized to access an alert.
.2+| `rule_get`
| `success` | User has accessed a rule.
| `failure` | User is not authorized to access a rule.
.2+| `alert_find`
| `success` | User has accessed an alert as part of a search operation.
| `failure` | User is not authorized to search for alerts.
.2+| `rule_find`
| `success` | User has accessed a rule as part of a search operation.
| `failure` | User is not authorized to search for rules.
.2+| `space_get`
| `success` | User has accessed a space.

102
x-pack/plugins/alerting/server/alerts_client/alerts_client.ts
View file

@ -63,7 +63,7 @@ import { parseDuration } from '../../common/parse_duration';
import { retryIfConflicts } from '../lib/retry_if_conflicts';
import { partiallyUpdateAlert } from '../saved_objects';
import { markApiKeyForInvalidation } from '../invalidate_pending_api_keys/mark_api_key_for_invalidation';
import { alertAuditEvent, AlertAuditAction } from './audit_events';
import { ruleAuditEvent, RuleAuditAction } from './audit_events';
import { KueryNode, nodeBuilder } from '../../../../../src/plugins/data/common';
import { mapSortField } from './lib';
import { getAlertExecutionStatusPending } from '../lib/alert_execution_status';
@ -253,8 +253,8 @@ export class AlertsClient {
});
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.CREATE,
ruleAuditEvent({
action: RuleAuditAction.CREATE,
savedObject: { type: 'alert', id },
error,
})
@ -305,8 +305,8 @@ export class AlertsClient {
};
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.CREATE,
ruleAuditEvent({
action: RuleAuditAction.CREATE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -375,8 +375,8 @@ export class AlertsClient {
});
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.GET,
ruleAuditEvent({
action: RuleAuditAction.GET,
savedObject: { type: 'alert', id },
error,
})
@ -384,8 +384,8 @@ export class AlertsClient {
throw error;
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.GET,
ruleAuditEvent({
action: RuleAuditAction.GET,
savedObject: { type: 'alert', id },
})
);
@ -467,8 +467,8 @@ export class AlertsClient {
);
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.FIND,
ruleAuditEvent({
action: RuleAuditAction.FIND,
error,
})
);
@ -508,8 +508,8 @@ export class AlertsClient {
);
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.FIND,
ruleAuditEvent({
action: RuleAuditAction.FIND,
savedObject: { type: 'alert', id },
error,
})
@ -525,8 +525,8 @@ export class AlertsClient {
authorizedData.forEach(({ id }) =>
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.FIND,
ruleAuditEvent({
action: RuleAuditAction.FIND,
savedObject: { type: 'alert', id },
})
)
@ -620,8 +620,8 @@ export class AlertsClient {
});
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.DELETE,
ruleAuditEvent({
action: RuleAuditAction.DELETE,
savedObject: { type: 'alert', id },
error,
})
@ -630,8 +630,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.DELETE,
ruleAuditEvent({
action: RuleAuditAction.DELETE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -694,8 +694,8 @@ export class AlertsClient {
});
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UPDATE,
ruleAuditEvent({
action: RuleAuditAction.UPDATE,
savedObject: { type: 'alert', id },
error,
})
@ -704,8 +704,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UPDATE,
ruleAuditEvent({
action: RuleAuditAction.UPDATE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -870,8 +870,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UPDATE_API_KEY,
ruleAuditEvent({
action: RuleAuditAction.UPDATE_API_KEY,
savedObject: { type: 'alert', id },
error,
})
@ -900,8 +900,8 @@ export class AlertsClient {
});
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UPDATE_API_KEY,
ruleAuditEvent({
action: RuleAuditAction.UPDATE_API_KEY,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -976,8 +976,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.ENABLE,
ruleAuditEvent({
action: RuleAuditAction.ENABLE,
savedObject: { type: 'alert', id },
error,
})
@ -986,8 +986,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.ENABLE,
ruleAuditEvent({
action: RuleAuditAction.ENABLE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -1090,8 +1090,8 @@ export class AlertsClient {
});
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.DISABLE,
ruleAuditEvent({
action: RuleAuditAction.DISABLE,
savedObject: { type: 'alert', id },
error,
})
@ -1100,8 +1100,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.DISABLE,
ruleAuditEvent({
action: RuleAuditAction.DISABLE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -1167,8 +1167,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.MUTE,
ruleAuditEvent({
action: RuleAuditAction.MUTE,
savedObject: { type: 'alert', id },
error,
})
@ -1177,8 +1177,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.MUTE,
ruleAuditEvent({
action: RuleAuditAction.MUTE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -1229,8 +1229,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UNMUTE,
ruleAuditEvent({
action: RuleAuditAction.UNMUTE,
savedObject: { type: 'alert', id },
error,
})
@ -1239,8 +1239,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UNMUTE,
ruleAuditEvent({
action: RuleAuditAction.UNMUTE,
outcome: 'unknown',
savedObject: { type: 'alert', id },
})
@ -1291,8 +1291,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.MUTE_INSTANCE,
ruleAuditEvent({
action: RuleAuditAction.MUTE_ALERT,
savedObject: { type: 'alert', id: alertId },
error,
})
@ -1301,8 +1301,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.MUTE_INSTANCE,
ruleAuditEvent({
action: RuleAuditAction.MUTE_ALERT,
outcome: 'unknown',
savedObject: { type: 'alert', id: alertId },
})
@ -1358,8 +1358,8 @@ export class AlertsClient {
}
} catch (error) {
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UNMUTE_INSTANCE,
ruleAuditEvent({
action: RuleAuditAction.UNMUTE_ALERT,
savedObject: { type: 'alert', id: alertId },
error,
})
@ -1368,8 +1368,8 @@ export class AlertsClient {
}
this.auditLogger?.log(
alertAuditEvent({
action: AlertAuditAction.UNMUTE_INSTANCE,
ruleAuditEvent({
action: RuleAuditAction.UNMUTE_ALERT,
outcome: 'unknown',
savedObject: { type: 'alert', id: alertId },
})

28
x-pack/plugins/alerting/server/alerts_client/audit_events.test.ts
View file

@ -5,13 +5,13 @@
* 2.0.
*/
import { AlertAuditAction, alertAuditEvent } from './audit_events';
import { RuleAuditAction, ruleAuditEvent } from './audit_events';
describe('#alertAuditEvent', () => {
describe('#ruleAuditEvent', () => {
test('creates event with `unknown` outcome', () => {
expect(
alertAuditEvent({
action: AlertAuditAction.CREATE,
ruleAuditEvent({
action: RuleAuditAction.CREATE,
outcome: 'unknown',
savedObject: { type: 'alert', id: 'ALERT_ID' },
})
@ -19,7 +19,7 @@ describe('#alertAuditEvent', () => {
Object {
"error": undefined,
"event": Object {
"action": "alert_create",
"action": "rule_create",
"category": Array [
"database",
],
@ -34,22 +34,22 @@ describe('#alertAuditEvent', () => {
"type": "alert",
},
},
"message": "User is creating alert [id=ALERT_ID]",
"message": "User is creating rule [id=ALERT_ID]",
}
`);
});
test('creates event with `success` outcome', () => {
expect(
alertAuditEvent({
action: AlertAuditAction.CREATE,
ruleAuditEvent({
action: RuleAuditAction.CREATE,
savedObject: { type: 'alert', id: 'ALERT_ID' },
})
).toMatchInlineSnapshot(`
Object {
"error": undefined,
"event": Object {
"action": "alert_create",
"action": "rule_create",
"category": Array [
"database",
],
@ -64,15 +64,15 @@ describe('#alertAuditEvent', () => {
"type": "alert",
},
},
"message": "User has created alert [id=ALERT_ID]",
"message": "User has created rule [id=ALERT_ID]",
}
`);
});
test('creates event with `failure` outcome', () => {
expect(
alertAuditEvent({
action: AlertAuditAction.CREATE,
ruleAuditEvent({
action: RuleAuditAction.CREATE,
savedObject: { type: 'alert', id: 'ALERT_ID' },
error: new Error('ERROR_MESSAGE'),
})
@ -83,7 +83,7 @@ describe('#alertAuditEvent', () => {
"message": "ERROR_MESSAGE",
},
"event": Object {
"action": "alert_create",
"action": "rule_create",
"category": Array [
"database",
],
@ -98,7 +98,7 @@ describe('#alertAuditEvent', () => {
"type": "alert",
},
},
"message": "Failed attempt to create alert [id=ALERT_ID]",
"message": "Failed attempt to create rule [id=ALERT_ID]",
}
`);
});

88
x-pack/plugins/alerting/server/alerts_client/audit_events.ts
View file

@ -8,67 +8,67 @@
import { EcsEventOutcome, EcsEventType } from 'src/core/server';
import { AuditEvent } from '../../../security/server';
export enum AlertAuditAction {
CREATE = 'alert_create',
GET = 'alert_get',
UPDATE = 'alert_update',
UPDATE_API_KEY = 'alert_update_api_key',
ENABLE = 'alert_enable',
DISABLE = 'alert_disable',
DELETE = 'alert_delete',
FIND = 'alert_find',
MUTE = 'alert_mute',
UNMUTE = 'alert_unmute',
MUTE_INSTANCE = 'alert_instance_mute',
UNMUTE_INSTANCE = 'alert_instance_unmute',
export enum RuleAuditAction {
CREATE = 'rule_create',
GET = 'rule_get',
UPDATE = 'rule_update',
UPDATE_API_KEY = 'rule_update_api_key',
ENABLE = 'rule_enable',
DISABLE = 'rule_disable',
DELETE = 'rule_delete',
FIND = 'rule_find',
MUTE = 'rule_mute',
UNMUTE = 'rule_unmute',
MUTE_ALERT = 'rule_alert_mute',
UNMUTE_ALERT = 'rule_alert_unmute',
}
type VerbsTuple = [string, string, string];
const eventVerbs: Record<AlertAuditAction, VerbsTuple> = {
alert_create: ['create', 'creating', 'created'],
alert_get: ['access', 'accessing', 'accessed'],
alert_update: ['update', 'updating', 'updated'],
alert_update_api_key: ['update API key of', 'updating API key of', 'updated API key of'],
alert_enable: ['enable', 'enabling', 'enabled'],
alert_disable: ['disable', 'disabling', 'disabled'],
alert_delete: ['delete', 'deleting', 'deleted'],
alert_find: ['access', 'accessing', 'accessed'],
alert_mute: ['mute', 'muting', 'muted'],
alert_unmute: ['unmute', 'unmuting', 'unmuted'],
alert_instance_mute: ['mute instance of', 'muting instance of', 'muted instance of'],
alert_instance_unmute: ['unmute instance of', 'unmuting instance of', 'unmuted instance of'],
const eventVerbs: Record<RuleAuditAction, VerbsTuple> = {
rule_create: ['create', 'creating', 'created'],
rule_get: ['access', 'accessing', 'accessed'],
rule_update: ['update', 'updating', 'updated'],
rule_update_api_key: ['update API key of', 'updating API key of', 'updated API key of'],
rule_enable: ['enable', 'enabling', 'enabled'],
rule_disable: ['disable', 'disabling', 'disabled'],
rule_delete: ['delete', 'deleting', 'deleted'],
rule_find: ['access', 'accessing', 'accessed'],
rule_mute: ['mute', 'muting', 'muted'],
rule_unmute: ['unmute', 'unmuting', 'unmuted'],
rule_alert_mute: ['mute alert of', 'muting alert of', 'muted alert of'],
rule_alert_unmute: ['unmute alert of', 'unmuting alert of', 'unmuted alert of'],
};
const eventTypes: Record<AlertAuditAction, EcsEventType> = {
alert_create: 'creation',
alert_get: 'access',
alert_update: 'change',
alert_update_api_key: 'change',
alert_enable: 'change',
alert_disable: 'change',
alert_delete: 'deletion',
alert_find: 'access',
alert_mute: 'change',
alert_unmute: 'change',
alert_instance_mute: 'change',
alert_instance_unmute: 'change',
const eventTypes: Record<RuleAuditAction, EcsEventType> = {
rule_create: 'creation',
rule_get: 'access',
rule_update: 'change',
rule_update_api_key: 'change',
rule_enable: 'change',
rule_disable: 'change',
rule_delete: 'deletion',
rule_find: 'access',
rule_mute: 'change',
rule_unmute: 'change',
rule_alert_mute: 'change',
rule_alert_unmute: 'change',
};
export interface AlertAuditEventParams {
action: AlertAuditAction;
export interface RuleAuditEventParams {
action: RuleAuditAction;
outcome?: EcsEventOutcome;
savedObject?: NonNullable<AuditEvent['kibana']>['saved_object'];
error?: Error;
}
export function alertAuditEvent({
export function ruleAuditEvent({
action,
savedObject,
outcome,
error,
}: AlertAuditEventParams): AuditEvent {
const doc = savedObject ? `alert [id=${savedObject.id}]` : 'an alert';
}: RuleAuditEventParams): AuditEvent {
const doc = savedObject ? `rule [id=${savedObject.id}]` : 'a rule';
const [present, progressive, past] = eventVerbs[action];
const message = error
? `Failed attempt to ${present} ${doc}`

8
x-pack/plugins/alerting/server/alerts_client/tests/create.test.ts
View file

@ -226,7 +226,7 @@ describe('create()', () => {
});
describe('auditLogger', () => {
test('logs audit event when creating an alert', async () => {
test('logs audit event when creating a rule', async () => {
const data = getMockData({
enabled: false,
actions: [],
@ -241,7 +241,7 @@ describe('create()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_create',
action: 'rule_create',
outcome: 'unknown',
}),
kibana: { saved_object: { id: 'mock-saved-object-id', type: 'alert' } },
@ -249,7 +249,7 @@ describe('create()', () => {
);
});
test('logs audit event when not authorised to create an alert', async () => {
test('logs audit event when not authorised to create a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(
@ -263,7 +263,7 @@ describe('create()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_create',
action: 'rule_create',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/delete.test.ts
View file

@ -258,12 +258,12 @@ describe('delete()', () => {
});
describe('auditLogger', () => {
test('logs audit event when deleting an alert', async () => {
test('logs audit event when deleting a rule', async () => {
await alertsClient.delete({ id: '1' });
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_delete',
action: 'rule_delete',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -271,14 +271,14 @@ describe('delete()', () => {
);
});
test('logs audit event when not authorised to delete an alert', async () => {
test('logs audit event when not authorised to delete a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(alertsClient.delete({ id: '1' })).rejects.toThrow();
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_delete',
action: 'rule_delete',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/disable.test.ts
View file

@ -126,12 +126,12 @@ describe('disable()', () => {
});
describe('auditLogger', () => {
test('logs audit event when disabling an alert', async () => {
test('logs audit event when disabling a rule', async () => {
await alertsClient.disable({ id: '1' });
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_disable',
action: 'rule_disable',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -139,14 +139,14 @@ describe('disable()', () => {
);
});
test('logs audit event when not authorised to disable an alert', async () => {
test('logs audit event when not authorised to disable a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(alertsClient.disable({ id: '1' })).rejects.toThrow();
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_disable',
action: 'rule_disable',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/enable.test.ts
View file

@ -165,12 +165,12 @@ describe('enable()', () => {
});
describe('auditLogger', () => {
test('logs audit event when enabling an alert', async () => {
test('logs audit event when enabling a rule', async () => {
await alertsClient.enable({ id: '1' });
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_enable',
action: 'rule_enable',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -178,14 +178,14 @@ describe('enable()', () => {
);
});
test('logs audit event when not authorised to enable an alert', async () => {
test('logs audit event when not authorised to enable a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(alertsClient.enable({ id: '1' })).rejects.toThrow();
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_enable',
action: 'rule_enable',
outcome: 'failure',
}),
kibana: {

12
x-pack/plugins/alerting/server/alerts_client/tests/find.test.ts
View file

@ -277,13 +277,13 @@ describe('find()', () => {
});
describe('auditLogger', () => {
test('logs audit event when searching alerts', async () => {
test('logs audit event when searching rules', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
await alertsClient.find();
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_find',
action: 'rule_find',
outcome: 'success',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -291,7 +291,7 @@ describe('find()', () => {
);
});
test('logs audit event when not authorised to search alerts', async () => {
test('logs audit event when not authorised to search rules', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
authorization.getFindAuthorizationFilter.mockRejectedValue(new Error('Unauthorized'));
@ -299,7 +299,7 @@ describe('find()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_find',
action: 'rule_find',
outcome: 'failure',
}),
error: {
@ -310,7 +310,7 @@ describe('find()', () => {
);
});
test('logs audit event when not authorised to search alert type', async () => {
test('logs audit event when not authorised to search rule type', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
authorization.getFindAuthorizationFilter.mockResolvedValue({
ensureRuleTypeIsAuthorized: jest.fn(() => {
@ -323,7 +323,7 @@ describe('find()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_find',
action: 'rule_find',
outcome: 'failure',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },

8
x-pack/plugins/alerting/server/alerts_client/tests/get.test.ts
View file

@ -226,13 +226,13 @@ describe('get()', () => {
});
});
test('logs audit event when getting an alert', async () => {
test('logs audit event when getting a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
await alertsClient.get({ id: '1' });
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_get',
action: 'rule_get',
outcome: 'success',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -240,7 +240,7 @@ describe('get()', () => {
);
});
test('logs audit event when not authorised to get an alert', async () => {
test('logs audit event when not authorised to get a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
@ -248,7 +248,7 @@ describe('get()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_get',
action: 'rule_get',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/mute_all.test.ts
View file

@ -155,7 +155,7 @@ describe('muteAll()', () => {
});
describe('auditLogger', () => {
test('logs audit event when muting an alert', async () => {
test('logs audit event when muting a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -181,7 +181,7 @@ describe('muteAll()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_mute',
action: 'rule_mute',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -189,7 +189,7 @@ describe('muteAll()', () => {
);
});
test('logs audit event when not authorised to mute an alert', async () => {
test('logs audit event when not authorised to mute a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -217,7 +217,7 @@ describe('muteAll()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_mute',
action: 'rule_mute',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/mute_instance.test.ts
View file

@ -189,7 +189,7 @@ describe('muteInstance()', () => {
});
describe('auditLogger', () => {
test('logs audit event when muting an alert instance', async () => {
test('logs audit event when muting an alert', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -209,7 +209,7 @@ describe('muteInstance()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_instance_mute',
action: 'rule_alert_mute',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -217,7 +217,7 @@ describe('muteInstance()', () => {
);
});
test('logs audit event when not authorised to mute an alert instance', async () => {
test('logs audit event when not authorised to mute an alert', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -241,7 +241,7 @@ describe('muteInstance()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_instance_mute',
action: 'rule_alert_mute',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/unmute_all.test.ts
View file

@ -155,7 +155,7 @@ describe('unmuteAll()', () => {
});
describe('auditLogger', () => {
test('logs audit event when unmuting an alert', async () => {
test('logs audit event when unmuting a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -181,7 +181,7 @@ describe('unmuteAll()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_unmute',
action: 'rule_unmute',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -189,7 +189,7 @@ describe('unmuteAll()', () => {
);
});
test('logs audit event when not authorised to unmute an alert', async () => {
test('logs audit event when not authorised to unmute a rule', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -217,7 +217,7 @@ describe('unmuteAll()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_unmute',
action: 'rule_unmute',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/unmute_instance.test.ts
View file

@ -187,7 +187,7 @@ describe('unmuteInstance()', () => {
});
describe('auditLogger', () => {
test('logs audit event when unmuting an alert instance', async () => {
test('logs audit event when unmuting an alert', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -207,7 +207,7 @@ describe('unmuteInstance()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_instance_unmute',
action: 'rule_alert_unmute',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -215,7 +215,7 @@ describe('unmuteInstance()', () => {
);
});
test('logs audit event when not authorised to unmute an alert instance', async () => {
test('logs audit event when not authorised to unmute an alert', async () => {
const alertsClient = new AlertsClient({ ...alertsClientParams, auditLogger });
unsecuredSavedObjectsClient.get.mockResolvedValueOnce({
id: '1',
@ -239,7 +239,7 @@ describe('unmuteInstance()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_instance_unmute',
action: 'rule_alert_unmute',
outcome: 'failure',
}),
kibana: {

8
x-pack/plugins/alerting/server/alerts_client/tests/update.test.ts
View file

@ -1476,7 +1476,7 @@ describe('update()', () => {
});
});
test('logs audit event when updating an alert', async () => {
test('logs audit event when updating a rule', async () => {
await alertsClient.update({
id: '1',
data: {
@ -1495,7 +1495,7 @@ describe('update()', () => {
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_update',
action: 'rule_update',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -1503,7 +1503,7 @@ describe('update()', () => {
);
});
test('logs audit event when not authorised to update an alert', async () => {
test('logs audit event when not authorised to update a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(
@ -1526,7 +1526,7 @@ describe('update()', () => {
expect.objectContaining({
event: expect.objectContaining({
outcome: 'failure',
action: 'alert_update',
action: 'rule_update',
}),
kibana: {
saved_object: {

8
x-pack/plugins/alerting/server/alerts_client/tests/update_api_key.test.ts
View file

@ -295,13 +295,13 @@ describe('updateApiKey()', () => {
});
describe('auditLogger', () => {
test('logs audit event when updating the API key of an alert', async () => {
test('logs audit event when updating the API key of a rule', async () => {
await alertsClient.updateApiKey({ id: '1' });
expect(auditLogger.log).toHaveBeenCalledWith(
expect.objectContaining({
event: expect.objectContaining({
action: 'alert_update_api_key',
action: 'rule_update_api_key',
outcome: 'unknown',
}),
kibana: { saved_object: { id: '1', type: 'alert' } },
@ -309,7 +309,7 @@ describe('updateApiKey()', () => {
);
});
test('logs audit event when not authorised to update the API key of an alert', async () => {
test('logs audit event when not authorised to update the API key of a rule', async () => {
authorization.ensureAuthorized.mockRejectedValue(new Error('Unauthorized'));
await expect(alertsClient.updateApiKey({ id: '1' })).rejects.toThrow();
@ -317,7 +317,7 @@ describe('updateApiKey()', () => {
expect.objectContaining({
event: expect.objectContaining({
outcome: 'failure',
action: 'alert_update_api_key',
action: 'rule_update_api_key',
}),
kibana: {
saved_object: {