Following on from our work on SAML and Enterprise authentication, we've been extending the security and observability of our platform. Many of our regulated and enterprise customers need to have access to an immutable event trail for auditing purposes. Today, we are announcing the release of our Audit API.
Getting started
The API is available at /audit and provides a full audit trail of the system and user events for your Pactflow account, including (but not limited to) authentication, API and UI access, and contract creation, updates and deletions.
Calling the endpoint returns something like the following:
{
  "events": [
    {
      "uuid": "16WlpdLpDMzfMYxLTZYXYw",
      "timestamp": "2019-12-10T09:15:24.864+11:00",
      "type": "SaasBroker::Api::Resources::RegenerateApiToken",
      "db_user_id": 2,
      "user_email": "someuser@somecompany.com",
      "payload": {
        "path": "/settings/tokens/_UjhYvyyEjM9L2SgWd0qsw/regenerate",
        "queryString": "",
        "method": "POST",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
        "referer": "http://somebroker.pact.dius.com.au/settings/api-tokens",
        "params": {
          "resource_name": "regenerate_token",
          "token_uuid": "_UjhYvyyEjM9L2SgWd0qsw"
        }
      }
    },
    ...
  ],
  "_links": {
    "self": {
      "href": "http://somebroker.pact.dius.com.au/audit?from=zHO0xNcjUseyU6DsisadXw"
    },
    "next": {
      "href": "http://somebroker.pact.dius.com.au/audit?from=IlECUSbMLJLOy8gFbLLuIg"
    }
  }
}
All events are sorted in chronological order, and the API is paged. To fetch all events, iterate through each page using the next link, which uses the uuid of the next audit event as the page starting point.
Once you get to the end of the stream, the uuid of the last event you captured can be passed to the from parameter of the API to continue where you left off, e.g. curl -H "Authorization: Bearer " http://<some broker>/audit?from=lastuuid.
NOTE: Calls to the audit API will also create a new audit record. So be wary of infinite loops!
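A collector for this paged stream, added here as a worked example rather than Pactflow's own client: it follows the next links, de-duplicates on uuid, resumes from a saved checkpoint, and drops events stamped after the run started so that the audit records created by its own reads cannot keep it looping. FakeAuditApi, the event names and the timestamps are constructed stand-ins for the real endpoint.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlparse

BASE = datetime(2019, 12, 10, 9, 0, 0, tzinfo=timezone(timedelta(hours=11)))

def at(seconds):
    """Constructed timestamp helper: BASE plus `seconds`."""
    return BASE + timedelta(seconds=seconds)

def _event(i, kind):
    return {"uuid": f"evt-{i}", "timestamp": at(i).isoformat(), "type": kind}

# Constructed in-memory stand-in for GET /audit so the collector runs offline.
# It mimics two behaviours from the post: `from` is the uuid of the page's first
# event, and every read of the audit API itself appends a new audit event.
class FakeAuditApi:
    def __init__(self, n_events=5, page_size=2):
        self.events = [_event(i, "UserLogin") for i in range(n_events)]
        self.page_size = page_size

    def get(self, from_uuid=None):
        self.events.append(_event(len(self.events), "AuditRead"))  # the read is audited
        start = 0 if from_uuid is None else next(
            i for i, e in enumerate(self.events) if e["uuid"] == from_uuid)
        end = start + self.page_size
        links = {"self": {"href": f"/audit?from={self.events[start]['uuid']}"}}
        if end < len(self.events):
            links["next"] = {"href": f"/audit?from={self.events[end]['uuid']}"}
        return {"events": self.events[start:end], "_links": links}

def collect_audit_events(get_page, checkpoint=None, cutoff=None, max_pages=1000):
    """Follow `next` links starting at `checkpoint` (uuid of the last event already
    stored). Events are de-duplicated on uuid, and anything stamped after `cutoff`
    (the moment this run started) is dropped: that bucket holds the audit records
    generated by these very reads, which is why "loop until no next link" never ends
    when a page holds no more events than one read creates."""
    cutoff = cutoff or datetime.now(timezone.utc)
    seen, collected, from_uuid = set(), [], checkpoint
    for _ in range(max_pages):                       # hard cap as a last line of defence
        page = get_page(from_uuid)
        fresh = [e for e in page["events"]
                 if e["uuid"] not in seen and e["uuid"] != checkpoint
                 and datetime.fromisoformat(e["timestamp"]) <= cutoff]
        if not fresh:                                # only our own read records remain
            break
        seen.update(e["uuid"] for e in fresh)
        collected.extend(fresh)
        nxt = page["_links"].get("next")
        if nxt is None:
            break
        from_uuid = parse_qs(urlparse(nxt["href"]).query)["from"][0]
    last = collected[-1]["uuid"] if collected else checkpoint
    return collected, last   # persist `last` as the checkpoint for the next run
```

On the next run the previous run's own reads show up as ordinary audit events, which is exactly what the NOTE above describes.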
Use Cases
The classic case we have observed is to collect the events and forward them to a SOC (Security Operations Centre) tool such as Sumo Logic, Splunk or an ELK stack. From there, you can observe all activity on the platform, trace an issue or monitor usage.
Availability
The auditing feature is available now for all of our Business and Enterprise plans. Events are automatically expired after 90 days.