[Cases] Adding new bulk create attachments operation for auditing (#149744)

This PR adds a new authorization log operation for the bulk create attachments API. Co-authored-by: Kibana Machine <42973632+kibanamachine@users.noreply.github.com>
2025-04-23 09:19:04 -04:00 · 2023-01-30 13:35:08 -05:00 · 2023-01-30 13:35:08 -05:00 · aba0b3037c
commit aba0b3037c
parent ec293bfc28
5 changed files with 98 additions and 1 deletions
--- a/docs/user/security/audit-logging.asciidoc
+++ b/docs/user/security/audit-logging.asciidoc
@ -102,6 +102,10 @@ Refer to the corresponding {es} logs for potential write errors.
 | `unknown` | User is creating a case comment.
 | `failure` | User is not authorized to create a case comment.

+.2+| `case_comment_bulk_create`
+| `unknown` | User is creating multiple case comments.
+| `failure` | User is not authorized to create multiple case comments.
+
 .1+| `case_user_action_create_comment`
 | `success` | User has created a case comment.

--- a/x-pack/plugins/cases/server/authorization/snapshots/audit_logger.test.ts.snap
+++ b/x-pack/plugins/cases/server/authorization/snapshots/audit_logger.test.ts.snap
@ -1,5 +1,89 @@
 // Jest Snapshot v1, https://goo.gl/fbAQLP

+exports[`audit_logger log function event structure creates the correct audit event for operation: "bulkCreateAttachments" with an error and entity 1`] = `
+Object {
+  "error": Object {
+    "code": "Error",
+    "message": "an error",
+  },
+  "event": Object {
+    "action": "case_comment_bulk_create",
+    "category": Array [
+      "database",
+    ],
+    "outcome": "failure",
+    "type": Array [
+      "creation",
+    ],
+  },
+  "kibana": Object {
+    "saved_object": Object {
+      "id": "1",
+      "type": "cases-comments",
+    },
+  },
+  "message": "Failed attempt to create cases-comments [id=1] as owner \\"awesome\\"",
+}
+`;
+
+exports[`audit_logger log function event structure creates the correct audit event for operation: "bulkCreateAttachments" with an error but no entity 1`] = `
+Object {
+  "error": Object {
+    "code": "Error",
+    "message": "an error",
+  },
+  "event": Object {
+    "action": "case_comment_bulk_create",
+    "category": Array [
+      "database",
+    ],
+    "outcome": "failure",
+    "type": Array [
+      "creation",
+    ],
+  },
+  "message": "Failed attempt to create a comments as any owners",
+}
+`;
+
+exports[`audit_logger log function event structure creates the correct audit event for operation: "bulkCreateAttachments" without an error but with an entity 1`] = `
+Object {
+  "event": Object {
+    "action": "case_comment_bulk_create",
+    "category": Array [
+      "database",
+    ],
+    "outcome": "unknown",
+    "type": Array [
+      "creation",
+    ],
+  },
+  "kibana": Object {
+    "saved_object": Object {
+      "id": "5",
+      "type": "cases-comments",
+    },
+  },
+  "message": "User is creating cases-comments [id=5] as owner \\"super\\"",
+}
+`;
+
+exports[`audit_logger log function event structure creates the correct audit event for operation: "bulkCreateAttachments" without an error or entity 1`] = `
+Object {
+  "event": Object {
+    "action": "case_comment_bulk_create",
+    "category": Array [
+      "database",
+    ],
+    "outcome": "unknown",
+    "type": Array [
+      "creation",
+    ],
+  },
+  "message": "User is creating a comments as any owners",
+}
+`;
+
 exports[`audit_logger log function event structure creates the correct audit event for operation: "bulkGetCases" with an error and entity 1`] = `
 Object {
  "error": Object {
--- a/x-pack/plugins/cases/server/authorization/index.ts
+++ b/x-pack/plugins/cases/server/authorization/index.ts
@ -254,6 +254,14 @@ const AttachmentOperations = {
    docType: 'comments',
    savedObjectType: CASE_COMMENT_SAVED_OBJECT,
  },
+  [WriteOperations.BulkCreateAttachments]: {
+    ecsType: EVENT_TYPES.creation,
+    name: WriteOperations.CreateComment as const,
+    action: 'case_comment_bulk_create',
+    verbs: createVerbs,
+    docType: 'comments',
+    savedObjectType: CASE_COMMENT_SAVED_OBJECT,
+  },
  [WriteOperations.DeleteAllComments]: {
    ecsType: EVENT_TYPES.deletion,
    name: DELETE_COMMENT_OPERATION,
--- a/x-pack/plugins/cases/server/authorization/types.ts
+++ b/x-pack/plugins/cases/server/authorization/types.ts
@ -60,6 +60,7 @@ export enum WriteOperations {
  UpdateCase = 'updateCase',
  PushCase = 'pushCase',
  CreateComment = 'createComment',
+  BulkCreateAttachments = 'bulkCreateAttachments',
  DeleteAllComments = 'deleteAllComments',
  DeleteComment = 'deleteComment',
  UpdateComment = 'updateComment',
--- a/x-pack/plugins/cases/server/client/attachments/bulk_create.ts
+++ b/x-pack/plugins/cases/server/client/attachments/bulk_create.ts
@ -64,7 +64,7 @@ export const bulkCreate = async (
      );

    await authorization.ensureAuthorized({
-      operation: Operations.createComment,
+      operation: Operations.bulkCreateAttachments,
      entities,
    });