[Response Ops][Reporting] Scheduled Reports - Audit Logging (merging into feature branch)

[ymao1]

Towards #216313

Note

This PR will be merged into a feature branch

Summary

Logs audit events when users use the schedule/list/disable scheduled reports APIs

To Verify

1. Set xpack.security.audit.enabled: true in Kibana config and start ES and Kibana
2. Use the API to schedule some reports and then list and disable using the API

For example:

POST kbn:/internal/reporting/schedule/printablePdfV2
{
    "schedule": {
        "rrule": {
            "freq": 3,
            "interval": 1,
            "byhour": [0,1,2],
            "byminute": [50,55]
        }
    },
    "jobParams":"(browserTimezone:America/New_York,layout:(dimensions:(height:2220,width:1409),id:preserve_layout),locatorParams:!((id:DASHBOARD_APP_LOCATOR,params:(dashboardId:edf84fe0-e1a0-11e7-b6d5-4dc382ef7f5b,preserveSavedFilters:!t,timeRange:(from:now-7d/d,to:now),useHash:!f,viewMode:view))),objectType:dashboard,title:'[Logs] Web Traffic',version:'9.1.0')"
}

GET kbn:/internal/reporting/scheduled/list

PATCH kbn:/internal/reporting/scheduled/bulk_disable
{
    "ids": ["<reportId>"]
}

3. In your kibana folder, go to logs/audit.log. You should be able to see some audit events logged, for example

{"event":{"action":"scheduled_report_schedule","category":["database"],"type":["creation"],"outcome":"unknown"},"kibana":{"space_id":"default","session_id":"m82PsJ/ryDwhpCtaoQQkFSjEthWTlMshadIeMY5l+Ww=","saved_object":{"type":"scheduled_report","id":"c871e247-5dd4-4f0a-8419-e70eb184645a","name":"PDF"}},"user":{"id":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","name":"elastic","roles":["superuser"]},"trace":{"id":"e255102c-6ef9-4264-9cbd-9333a0910577"},"client":{"ip":"127.0.0.1"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-06-10T15:06:55.369-04:00","message":"User is creating scheduled report [id=c871e247-5dd4-4f0a-8419-e70eb184645a] [name=PDF]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":95125,"uptime":359.058969666},"transaction":{"id":"1fd4a03b23a4ad0d"}}
{"event":{"action":"scheduled_report_list","category":["database"],"type":["access"],"outcome":"success"},"kibana":{"space_id":"default","session_id":"m82PsJ/ryDwhpCtaoQQkFSjEthWTlMshadIeMY5l+Ww=","saved_object":{"type":"scheduled_report","id":"5f878787-1ea3-4704-b43c-b25e27376e5a"}},"user":{"id":"u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0","name":"elastic","roles":["superuser"]},"trace":{"id":"7fc9d281-ea86-4d1b-b9f2-8f2143d058e0"},"client":{"ip":"127.0.0.1"},"service":{"node":{"roles":["background_tasks","ui"]}},"ecs":{"version":"8.11.0"},"@timestamp":"2025-06-10T15:13:03.960-04:00","message":"User has accessed scheduled report [id=5f878787-1ea3-4704-b43c-b25e27376e5a]","log":{"level":"INFO","logger":"plugins.security.audit.ecs"},"process":{"pid":95125,"uptime":727.648898875},"transaction":{"id":"bb9eabc53740c18c"}}

[elasticmachine]

💛 Build succeeded, but was flaky

• Buildkite Build
• Commit: d06a49e

Failed CI Steps

• FTR Configs #18

Test Failures

• [job] [logs] FTR Configs #18 / Entity Analytics - Entity Store @ess Host transform logic Install Entity Store and test Host transform "before each" hook for "Should return 200 and status 'running' for all engines"

Metrics [docs]

✅ unchanged

History

• 💚 Build #307202 succeeded 1705d76
• 💔 Build #303209 failed 93c806d

cc @ymao1

[js-jankisalvi]

Verified locally, works as expected 👍

[doakalexi]

LGTM! tested locally and works as expected