[RAC][Timeline] - Add audit log to RBAC wrapped search strategy

docs/user/security/audit-logging.asciidoc

@@ -172,6 +172,10 @@ Refer to the corresponding {es} logs for potential write errors.
 | `unknown` | User is updating a space.
 | `failure` | User is not authorized to update a space.
 
+.2+| `alert_update`
+| `unknown` | User is updating an alert.
+| `failure` | User is not authorized to update an alert.
+
 3+a|
 ====== Type: deletion
 
@@ -242,6 +246,14 @@ Refer to the corresponding {es} logs for potential write errors.
 | `success` | User has accessed a space as part of a search operation.
 | `failure` | User is not authorized to search for spaces.
 
+.2+| `alert_get`
+| `success` | User has accessed an alert.
+| `failure` | User is not authorized to access an alert.
+
+.2+| `alert_find`
+| `success` | User has accessed alerts.
+| `failure` | User is not authorized to access alerts.
+
 3+a|
 ===== Category: web
 

x-pack/plugins/rule_registry/server/index.ts

@@ -24,6 +24,7 @@ export type {
 export * from './config';
 export * from './rule_data_plugin_service';
 export * from './rule_data_client';
+export * from './alert_data_client/audit_events';
 
 export { createLifecycleRuleTypeFactory } from './utils/create_lifecycle_rule_type_factory';
 export {

x-pack/plugins/timelines/common/search_strategy/timeline/events/all/index.ts

@@ -6,6 +6,7 @@
  */
 
 import { JsonObject } from '@kbn/utility-types';
+import { AlertConsumers } from '@kbn/rule-data-utils';
 
 import type { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
 import type { Ecs } from '../../../../ecs';
@@ -43,4 +44,5 @@ export interface TimelineEventsAllRequestOptions extends TimelineRequestOptionsP
   language: 'eql' | 'kuery' | 'lucene';
   excludeEcsData?: boolean;
   authFilter?: JsonObject;
+  alertsConsumers?: AlertConsumers[];
 }

x-pack/plugins/timelines/common/search_strategy/timeline/events/details/index.ts

@@ -6,6 +6,7 @@
  */
 
 import { JsonObject } from '@kbn/utility-types';
+import { AlertConsumers } from '@kbn/rule-data-utils';
 
 import { IEsSearchResponse } from '../../../../../../../../src/plugins/data/common';
 import { Inspect, Maybe } from '../../../common';
@@ -32,4 +33,5 @@ export interface TimelineEventsDetailsRequestOptions
   indexName: string;
   eventId: string;
   authFilter?: JsonObject;
+  alertConsumers?: AlertConsumers[];
 }

x-pack/plugins/timelines/common/search_strategy/timeline/index.ts

@@ -5,6 +5,7 @@
  * 2.0.
  */
 
+import { AlertConsumers } from '@kbn/rule-data-utils';
 import { IEsSearchRequest } from '../../../../../../src/plugins/data/common';
 import { ESQuery } from '../../typed_json';
 import {
@@ -43,6 +44,7 @@ export interface TimelineRequestBasicOptions extends IEsSearchRequest {
   docValueFields?: DocValueFields[];
   factoryQueryType?: TimelineFactoryQueryTypes;
   entityType?: EntityType;
+  alertConsumers?: AlertConsumers[];
 }
 
 export interface TimelineRequestSortField<Field = string> extends SortField<Field> {

x-pack/plugins/timelines/kibana.json

@@ -11,5 +11,5 @@
   "server": true,
   "ui": true,
   "requiredPlugins": ["alerting", "cases", "data", "dataEnhanced", "kibanaReact", "kibanaUtils"],
-  "optionalPlugins": []
+  "optionalPlugins": ["security"]
 }

x-pack/plugins/timelines/server/plugin.ts

@@ -18,18 +18,22 @@ import { defineRoutes } from './routes';
 import { timelineSearchStrategyProvider } from './search_strategy/timeline';
 import { timelineEqlSearchStrategyProvider } from './search_strategy/timeline/eql';
 import { indexFieldsProvider } from './search_strategy/index_fields';
+import { SecurityPluginSetup } from '../../security/server';
 
 export class TimelinesPlugin
   implements Plugin<TimelinesPluginUI, TimelinesPluginStart, SetupPlugins, StartPlugins>
 {
   private readonly logger: Logger;
+  private security?: SecurityPluginSetup;
 
   constructor(initializerContext: PluginInitializerContext) {
     this.logger = initializerContext.logger.get();
   }
 
   public setup(core: CoreSetup<StartPlugins, TimelinesPluginStart>, plugins: SetupPlugins) {
     this.logger.debug('timelines: Setup');
+    this.security = plugins.security;
+
     const router = core.http.createRouter();
 
     // Register server side APIs
@@ -39,7 +43,8 @@ export class TimelinesPlugin
     core.getStartServices().then(([_, depsStart]) => {
       const TimelineSearchStrategy = timelineSearchStrategyProvider(
         depsStart.data,
-        depsStart.alerting
+        depsStart.alerting,
+        this.security
       );
       const TimelineEqlSearchStrategy = timelineEqlSearchStrategyProvider(depsStart.data);
       const IndexFields = indexFieldsProvider();

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/all/query.events_all.dsl.ts

@@ -15,6 +15,7 @@ import {
   TimelineRequestSortField,
 } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../../server/utils/build_query';
+import { getAlertConsumersFilter } from '../utils';
 
 export const buildTimelineEventsAllQuery = ({
   defaultIndex,
@@ -25,9 +26,9 @@ export const buildTimelineEventsAllQuery = ({
   sort,
   timerange,
   authFilter,
+  alertConsumers,
 }: Omit<TimelineEventsAllRequestOptions, 'fieldRequested'>) => {
   const filterClause = [...createQueryFilterClauses(filterQuery)];
-
   const getTimerangeFilter = (timerangeOption: TimerangeInput | undefined): TimerangeFilter[] => {
     if (timerangeOption) {
       const { to, from } = timerangeOption;
@@ -48,7 +49,12 @@ export const buildTimelineEventsAllQuery = ({
     return [];
   };
 
-  const filters = [...filterClause, ...getTimerangeFilter(timerange), { match_all: {} }];
+  const filters = [
+    ...filterClause,
+    ...getTimerangeFilter(timerange),
+    ...getAlertConsumersFilter(alertConsumers),
+    { match_all: {} },
+  ];
   const filter = authFilter != null ? [...filters, authFilter] : filters;
 
   const getSortField = (sortFields: TimelineRequestSortField[]) =>

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/index.ts

@@ -26,9 +26,15 @@ import {
 } from '../../../../../../common/utils/field_formatters';
 
 export const timelineEventsDetails: TimelineFactory<TimelineEventsQueries.details> = {
-  buildDsl: ({ authFilter, ...options }: TimelineEventsDetailsRequestOptions) => {
+  buildDsl: ({ authFilter, alertConsumers, ...options }: TimelineEventsDetailsRequestOptions) => {
     const { indexName, eventId, docValueFields = [] } = options;
-    return buildTimelineDetailsQuery(indexName, eventId, docValueFields, authFilter);
+    return buildTimelineDetailsQuery(
+      indexName,
+      eventId,
+      docValueFields,
+      authFilter,
+      alertConsumers
+    );
   },
   parse: async (
     options: TimelineEventsDetailsRequestOptions,

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/details/query.events_details.dsl.ts

@@ -6,13 +6,17 @@
  */
 
 import { JsonObject } from '@kbn/utility-types';
+import { AlertConsumers } from '@kbn/rule-data-utils';
+
 import { DocValueFields } from '../../../../../../common/search_strategy';
+import { getAlertConsumersFilter } from '../utils';
 
 export const buildTimelineDetailsQuery = (
   indexName: string,
   id: string,
   docValueFields: DocValueFields[],
-  authFilter?: JsonObject
+  authFilter?: JsonObject,
+  alertConsumers?: AlertConsumers[]
 ) => {
   const basicFilter = {
     terms: {
@@ -23,7 +27,7 @@ export const buildTimelineDetailsQuery = (
     authFilter != null
       ? {
           bool: {
-            filter: [basicFilter, authFilter],
+            filter: [basicFilter, authFilter, ...getAlertConsumersFilter(alertConsumers)],
           },
         }
       : {

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/kpi/query.kpi.dsl.ts

@@ -13,11 +13,13 @@ import {
   TimelineRequestBasicOptions,
 } from '../../../../../../common/search_strategy';
 import { createQueryFilterClauses } from '../../../../../utils/filters';
+import { getAlertConsumersFilter } from '../utils';
 
 export const buildTimelineKpiQuery = ({
   defaultIndex,
   filterQuery,
   timerange,
+  alertConsumers,
 }: TimelineRequestBasicOptions) => {
   const filterClause = [...createQueryFilterClauses(filterQuery)];
 
@@ -41,7 +43,12 @@ export const buildTimelineKpiQuery = ({
     return [];
   };
 
-  const filter = [...filterClause, ...getTimerangeFilter(timerange), { match_all: {} }];
+  const filter = [
+    ...filterClause,
+    ...getTimerangeFilter(timerange),
+    ...getAlertConsumersFilter(alertConsumers),
+    { match_all: {} },
+  ];
 
   const dslQuery = {
     allow_no_indices: true,

x-pack/plugins/timelines/server/search_strategy/timeline/factory/events/utils.ts

@@ -0,0 +1,37 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0; you may not use this file except in compliance with the Elastic License
+ * 2.0.
+ */
+import { AlertConsumers, ALERT_RULE_CONSUMER } from '@kbn/rule-data-utils';
+
+export const getAlertConsumersFilter = (alertConsumersToInclude: AlertConsumers[] | undefined) => {
+  if (alertConsumersToInclude == null || !alertConsumersToInclude.length) {
+    return [];
+  }
+
+  const consumerFilter = alertConsumersToInclude.map((consumer) => {
+    return {
+      bool: {
+        should: [{ match: { [ALERT_RULE_CONSUMER]: consumer } }],
+        minimum_should_match: 1,
+      },
+    };
+  });
+
+  return [
+    {
+      bool: {
+        filter: [
+          {
+            bool: {
+              should: consumerFilter,
+              minimum_should_match: 1,
+            },
+          },
+        ],
+      },
+    },
+  ];
+};

x-pack/plugins/timelines/server/search_strategy/timeline/index.ts

@@ -5,7 +5,12 @@
  * 2.0.
  */
 
-import { ALERT_RULE_CONSUMER, ALERT_RULE_TYPE_ID, SPACE_IDS } from '@kbn/rule-data-utils';
+import {
+  AlertConsumers,
+  ALERT_RULE_CONSUMER,
+  ALERT_RULE_TYPE_ID,
+  SPACE_IDS,
+} from '@kbn/rule-data-utils';
 import { map, mergeMap, catchError } from 'rxjs/operators';
 import { from } from 'rxjs';
 
@@ -32,18 +37,23 @@ import {
   ENHANCED_ES_SEARCH_STRATEGY,
   ISearchOptions,
 } from '../../../../../../src/plugins/data/common';
+import { AuditLogger, SecurityPluginSetup } from '../../../../security/server';
+import { AlertAuditAction, alertAuditEvent } from '../../../../rule_registry/server';
 
 export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTypes>(
   data: PluginStart,
-  alerting: AlertingPluginStartContract
+  alerting: AlertingPluginStartContract,
+  security?: SecurityPluginSetup
 ): ISearchStrategy<TimelineStrategyRequestType<T>, TimelineStrategyResponseType<T>> => {
   const esAsInternal = data.search.searchAsInternalUser;
   const es = data.search.getSearchStrategy(ENHANCED_ES_SEARCH_STRATEGY);
 
   return {
     search: (request, options, deps) => {
+      const securityAuditLogger = security?.audit.asScoped(deps.request);
       const factoryQueryType = request.factoryQueryType;
       const entityType = request.entityType;
+      const alertConsumers = request.alertConsumers;
 
       if (factoryQueryType == null) {
         throw new Error('factoryQueryType is required');
@@ -59,6 +69,8 @@ export const timelineSearchStrategyProvider = <T extends TimelineFactoryQueryTyp
           deps,
           queryFactory,
           alerting,
+          auditLogger: securityAuditLogger,
+          alertConsumers,
         });
       } else {
         return timelineSearchStrategy({ es, request, options, deps, queryFactory });
@@ -104,13 +116,17 @@ const timelineAlertsSearchStrategy = <T extends TimelineFactoryQueryTypes>({
   deps,
   queryFactory,
   alerting,
+  alertConsumers = [],
+  auditLogger,
 }: {
   es: ISearchStrategy;
   request: TimelineStrategyRequestType<T>;
   options: ISearchOptions;
   deps: SearchStrategyDependencies;
   alerting: AlertingPluginStartContract;
   queryFactory: TimelineFactory<T>;
+  alertConsumers?: AlertConsumers[];
+  auditLogger: AuditLogger | undefined;
 }) => {
   // Based on what solution alerts you want to see, figures out what corresponding
   // index to query (ex: siem --> .alerts-security.alerts)
@@ -133,17 +149,48 @@ const timelineAlertsSearchStrategy = <T extends TimelineFactoryQueryTypes>({
 
   return from(getAuthFilter()).pipe(
     mergeMap(({ filter }) => {
-      const dsl = queryFactory.buildDsl({ ...requestWithAlertsIndices, authFilter: filter });
+      const dsl = queryFactory.buildDsl({
+        ...requestWithAlertsIndices,
+        authFilter: filter,
+        alertConsumers,
+      });
       return es.search({ ...requestWithAlertsIndices, params: dsl }, options, deps);
     }),
     map((response) => {
+      const rawResponse = shimHitsTotal(response.rawResponse, options);
+
+      // Do we have to loop over each hit? Yes.
+      // ecs auditLogger requires that we log each alert independently
+      if (auditLogger != null) {
+        rawResponse.hits?.hits?.forEach((hit) => {
+          auditLogger.log(
+            alertAuditEvent({
+              action: AlertAuditAction.FIND,
+              id: hit._id,
+              outcome: 'success',
+            })
+          );
+        });
+      }
+
       return {
         ...response,
-        rawResponse: shimHitsTotal(response.rawResponse, options),
+        rawResponse,
       };
     }),
     mergeMap((esSearchRes) => queryFactory.parse(requestWithAlertsIndices, esSearchRes)),
     catchError((err) => {
+      // check if auth error, if yes, write to ecs logger
+      if (auditLogger != null && err?.output?.statusCode === 403) {
+        auditLogger.log(
+          alertAuditEvent({
+            action: AlertAuditAction.FIND,
+            outcome: 'failure',
+            error: err,
+          })
+        );
+      }
+
       throw err;
     })
   );

x-pack/plugins/timelines/server/types.ts

@@ -8,6 +8,7 @@
 // eslint-disable-next-line @kbn/eslint/no-restricted-paths
 import { DataPluginSetup, DataPluginStart } from '../../../../src/plugins/data/server/plugin';
 import { PluginStartContract as AlertingPluginStartContract } from '../../alerting/server';
+import { SecurityPluginSetup } from '../../security/server';
 
 // eslint-disable-next-line @typescript-eslint/no-empty-interface
 export interface TimelinesPluginUI {}
@@ -16,6 +17,7 @@ export interface TimelinesPluginStart {}
 
 export interface SetupPlugins {
   data: DataPluginSetup;
+  security?: SecurityPluginSetup;
 }
 
 export interface StartPlugins {