Audit Log

The Arthur platform has the ability to produce an audit log of all calls to sensitive endpoints that include models, organizations, RBAC, and uploading / modifying data.

Event Format

Each event in the audit log has the following fields:

Field	Type	Notes
event_category	string	A description of the overarching category for this event. See the table below for a breakdown of the various categories.
event_type	string	An explanation of what kind of event occurred within the event_category. See the table below for a breakdown of the various types.
event_id	string	A unique ID for this event, currently in UUID format but this may change in the future.
timestamp	[string, int]	A timestamp in either Unix Epoch millisecond integer format or RFC 3339 string format, depending on the point of integration.
organization_id	[string, null]	A string UUID of the organization if there is one associated with the event.
model_id	[string, null]	A string UUID of the model if there is one associated with the event.
user_id	[string, null]	A string ID of the user if there is one associated with the event.
user_type	[string, null]	A string description of the kind of user if there is one associated with the event. This can be one of: service-account, arthur-managed, or idp-managed.
http_path	[string, null]	A string HTTP path of the request that triggered the event if one exists.
http_method	[string, null]	A string HTTP method of the request that triggered the event if one exists.
http_status_code	[int, null]	An integer HTTP status code of the request that triggered the event if one exists.

Logged Endpoints

When enabled, Audit Logging will track all requests made to the following endpoints and set the Event Category and Event Type respectively in the audit log events.

Endpoint	Method	Event Category	Event Type
/organizations	POST	events.arthur.ai/organization	created
/organizations/{organization_id}	DELETE	events.arthur.ai/organization	deleted
/models	POST	events.arthur.ai/model	created
/models/{model_id}	PUT	events.arthur.ai/model	updated
/models/{model_id}	DELETE	events.arthur.ai/model	deleted
/alerts/{alert_id}/notifications	POST	events.arthur.ai/alert	created
/models/{model_id}/inferences	POST	events.arthur.ai/ingestion	inference_data_received
/models/{model_id}/inferences	PATCH	events.arthur.ai/ingestion	ground_truth_data_received
/models/{model_id}/inferences/file	POST	events.arthur.ai/ingestion	inference_data_received
/models/{model_id}/reference_data	POST	events.arthur.ai/ingestion	reference_data_received
/models/{model_id}/batches/{batch_id}	PATCH	events.arthur.ai/ingestion	inference_data_batch_completed
/models/{model_id}/reference_data	PATCH	events.arthur.ai/ingestion	reference_data_upload_completed
/authorization/custom_roles	POST	events.arthur.ai/rbac	updated
/authorization/custom_roles	DELETE	events.arthur.ai/rbac	updated

A more thorough description of these endpoints is available at our API documentation.

Integration with EventBridge

The on-prem installation provides support for shipping the Audit Log to AWS EventBridge. In order to configure this, you will need the following:

• Bus Name: Required. The name of the EventBridge bus. This should not be the full ARN of the bus.

• Region: Required. This is the AWS region where your EventBridge bus is located.

• Source: Optional. This value will be added to the EventBridge events “source” for all events. This defaults to “arthur-audit-log”.

• Detail Type: Optional. This value will be added to the EventBridge events “detail-type” for all events. This defaults to “events.arthur.ai”.

An example of the events that are written to EventBridge look like the following (this was captured via an EventBridge to CloudWatch Log Group rule and target):

{
    "version": "0",
    "id": "b87f2a3a-6be1-e1d9-bc94-720d60e0a9d8",
    "detail-type": "events.arthur.ai",
    "source": "arthur-audit-log",
    "account": "1234567890",
    "time": "2022-07-21T22:07:00Z",
    "region": "us-east-2",
    "resources": [],
    "detail": {
        "event_type": "created",
        "event_category": "events.arthur.ai/model",
        "event_id": "da2ec82d-f581-4e72-bb66-fc82504f2a7e",
        "timestamp": "2022-07-21T22:06:59.683+0000",
        "organization_id": "d579359a-7259-4397-a08b-3e36c212350f",
        "model_id": "a950c9ad-6a1e-4042-8e47-461d13072da5",
        "user_id": "df3fe374-26d7-4bd8-bf62-e04a6e078e2b",
        "user_type": "arthur-managed",
        "http_path": "/api/v3/models",
        "http_method": "POST",
        "http_status_code": 200
    }
}

Configuration

The EventBridge integration can be enabled on the Admin Console Config Page by:

1. Checking “Show Other Advanced Options” under the Other Advanced Options section

2. After that is checked, a new section will appear called “Audit Logging”

3. Check “Enable Audit Log”

4. Next a choice of persistence methods appears. Choose “AWS EventBridge”

5. Fill out the “Bus Name”, “Region”, “Event Source”, and “Detail Type” fields that appear.

6. Click “Save config” and deploy the updated version

Required IAM Permissions

In order to send events to AWS EventBridge, the Arthur IAM credentials or role will require the events:PutEvents permission. Here is an example policy that grants that permission on a EventBridge bus called arthur-events in the us-east-2 region, in the 0123456789 AWS account.

{
    "Statement": [
        {
            "Action": "events:PutEvents",
            "Effect": "Allow",
            "Resource": "arn:aws:events:us-east-2:0123456789:event-bus/arthur-events",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}