Audit API

Following on from our work on SAML and Enterprise authentication, we've been extending the security and observability of our platform. Many of our regulated and enterprise customers need to have access to an immutable event trail for auditing purposes. Today, we are announcing the release of our Audit API.

Getting started

The API is available at /audit and provides a full audit trail of the system and user events for your Pactflow account, including (but not limited to) authentication, API + UI access and contract creation, updates and deletions.

curl -H "Authorization: Bearer <token>" http://<your broker>/audit | jq .
cURL command to get all audit events

Running the above command will respond with something like the following:

{
  "events": [
    {
      "uuid": "16WlpdLpDMzfMYxLTZYXYw",
      "timestamp": "2019-12-10T09:15:24.864+11:00",
      "type": "SaasBroker::Api::Resources::RegenerateApiToken",
      "db_user_id": 2,
      "user_email": "someuser@somecompany.com",
      "payload": {
        "path": "/settings/tokens/_UjhYvyyEjM9L2SgWd0qsw/regenerate",
        "queryString": "",
        "method": "POST",
        "userAgent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36",
        "referer": "http://somebroker.pact.dius.com.au/settings/api-tokens",
        "params": {
          "resource_name": "regenerate_token",
          "token_uuid": "_UjhYvyyEjM9L2SgWd0qsw"
        }
      }
    },
    ...
  ],
  "_links": {
    "self": {
      "href": "http://somebroker.pact.dius.com.au/audit?from=zHO0xNcjUseyU6DsisadXw"
    },
    "next": {
      "href": "http://somebroker.pact.dius.com.au/audit?from=IlECUSbMLJLOy8gFbLLuIg"
    }
  }
}

All events are sorted in chronological order, and the API is paged. To fetch all events, you can simply iterate through each page using the next link, which uses the uuid of the next audit event as the page starting point.

Once you get to the end of the stream, the uuid of the last event you captured can be passed to the from parameter of the API to continue where you left off e.g. curl -H "Authorization: Bearer " http://<some broker>/audit?from=lastuuid.

NOTE: Calls to the audit API will also create a new audit record. So be wary of infinite loops!

Use Cases

The classic case we have observed is to collect and forward to a SOC (Security Operations Centre), such as Sumo Logic, Splunk or an ELK stack. From here, you can observe all activity on the platform, trace an issue or monitor usage.

Availability

The auditing feature is available now for all of our Business and Enterprise plans. Events are automatically expired after 90 days.