From 039c8e189441f650d143d7ea92c4122b143b8429 Mon Sep 17 00:00:00 2001
From: Thom Heymann <190132+thomheymann@users.noreply.github.com>
Date: Wed, 9 Dec 2020 16:07:50 +0000
Subject: [PATCH] Add required version number to audit log (#85390)
* Add required version number to audit log
* Added suggestion from code review
---
 x-pack/plugins/security/server/audit/audit_events.ts | 2 +-
 .../plugins/security/server/audit/audit_service.test.ts | 1 +
 x-pack/plugins/security/server/audit/audit_service.ts | 8 +++++++-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/x-pack/plugins/security/server/audit/audit_events.ts b/x-pack/plugins/security/server/audit/audit_events.ts
index 2e003b1d55ea..0bb2f8ba1a24 100644
--- a/x-pack/plugins/security/server/audit/audit_events.ts
+++ b/x-pack/plugins/security/server/audit/audit_events.ts
@@ -9,7 +9,7 @@ import { AuthenticationResult } from '../authentication/authentication_result';
 /**
 * Audit event schema using ECS format.
- * https://www.elastic.co/guide/en/ecs/1.5/index.html
+ * https://www.elastic.co/guide/en/ecs/1.6/index.html
 * @public
 */
 export interface AuditEvent {
diff --git a/x-pack/plugins/security/server/audit/audit_service.test.ts b/x-pack/plugins/security/server/audit/audit_service.test.ts
index 9b30d4dbba45..2b5208368b03 100644
--- a/x-pack/plugins/security/server/audit/audit_service.test.ts
+++ b/x-pack/plugins/security/server/audit/audit_service.test.ts
@@ -103,6 +103,7 @@ describe('#asScoped', () => {
 audit.asScoped(request).log({ message: 'MESSAGE', event: { action: 'ACTION' } });
 expect(logger.info).toHaveBeenCalledWith('MESSAGE', {
+ ecs: { version: '1.6.0' },
 event: { action: 'ACTION' },
 kibana: { space_id: 'default' },
 message: 'MESSAGE',
diff --git a/x-pack/plugins/security/server/audit/audit_service.ts b/x-pack/plugins/security/server/audit/audit_service.ts
index 744e4af56c86..1a55f769d22b 100644
--- a/x-pack/plugins/security/server/audit/audit_service.ts
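Review bot: The added expectation in the `#asScoped` test in audit_service.test.ts only pins that `ecs.version` appears when the caller's event has no `ecs` key of its own. In the audit_service.ts part of this patch the object is built as `ecs: { version: ECS_VERSION }, ...event`, so an event object that carries its own `ecs` value would presumably replace the stamped version, whereas `user` is assigned after the spread. A second case that logs an event containing an `ecs` key and asserts the record still reports `'1.6.0'` would settle which side is meant to win; if the service value is meant to be authoritative, the ordering in the service would be `...event, ecs: { version: ECS_VERSION },`. The enclosing test case starts and ends outside this hunk.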
+++ b/x-pack/plugins/security/server/audit/audit_service.ts
@@ -19,6 +19,8 @@ import { SpacesPluginSetup } from '../../../spaces/server';
 import { AuditEvent, httpRequestEvent } from './audit_events';
 import { SecurityPluginSetup } from '..';
+export const ECS_VERSION = '1.6.0';
+
 /**
 * @deprecated
 */
@@ -31,6 +33,9 @@ export interface AuditLogger {
 }
 interface AuditLogMeta extends AuditEvent {
+ ecs: {
+ version: string;
+ };
 session?: {
 id: string;
 };
@@ -119,7 +124,7 @@ export class AuditService {
 * message: 'User is updating dashboard [id=123]',
 * event: {
 * action: 'saved_object_update',
- * outcome: 'unknown'
+ * outcome: EventOutcome.UNKNOWN
 * },
 * kibana: {
 * saved_object: { type: 'dashboard', id: '123' }
@@ -134,6 +139,7 @@ export class AuditService {
 const user = getCurrentUser(request);
 const spaceId = getSpaceId(request);
 const meta: AuditLogMeta = {
+ ecs: { version: ECS_VERSION },
 ...event,
 user: (user && {
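Review bot: `ECS_VERSION` in the first audit_service.ts hunk is exported without a comment, and nothing records that it has to agree with the ECS release linked from the `AuditEvent` doc comment in audit_events.ts (moved to 1.6 in this same patch) and with the `'1.6.0'` literal in audit_service.test.ts. A one-line TSDoc would make that coupling visible to whoever bumps the schema next: `/** ECS schema version written to every audit record as ecs.version; keep in step with the ECS docs link on AuditEvent. */`. Anything downstream that interprets audit records by `ecs.version` presumably depends on this value describing the fields actually emitted, so a silent drift between the three places is worth guarding against.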