Schedule a Demo

Audit Log

The Arthur platform has the ability to produce an audit log of all calls to sensitive endpoints that include models, organizations, RBAC, and uploading / modifying data.

Event Format

Each event in the audit log has the following fields:

FieldTypeNotes
event_categorystringA description of the overarching category for this event. See the table below for a breakdown of the various categories.
event_typestringAn explanation of what kind of event occurred within the event_category. See the table below for a breakdown of the various types.
event_idstringA unique ID for this event, currently in UUID format but this may change in the future.
timestamp[string, int]A timestamp in either Unix Epoch millisecond integer format or RFC 3339 string format, depending on the point of integration.
organization_id[string, null]A string UUID of the organization if there is one associated with the event.
model_id[string, null]A string UUID of the model if there is one associated with the event.
user_id[string, null]A string ID of the user if there is one associated with the event.
user_type[string, null]A string description of the kind of user if there is one associated with the event. This can be one of: service-account, arthur-managed, or idp-managed.
http_path[string, null]A string HTTP path of the request that triggered the event if one exists.
http_method[string, null]A string HTTP method of the request that triggered the event if one exists.
http_status_code[int, null]An integer HTTP status code of the request that triggered the event if one exists.

Logged Endpoints

When enabled, Audit Logging will track all requests made to the following endpoints and set the Event Category and Event Type respectively in the audit log events.

EndpointMethodEvent CategoryEvent Type
/organizationsPOSTevents.arthur.ai/organizationcreated
/organizations/{organization_id}DELETEevents.arthur.ai/organizationdeleted
/modelsPOSTevents.arthur.ai/modelcreated
/models/{model_id}PUTevents.arthur.ai/modelupdated
/models/{model_id}DELETEevents.arthur.ai/modeldeleted
/alerts/{alert_id}/notificationsPOSTevents.arthur.ai/alertcreated
/models/{model_id}/inferencesPOSTevents.arthur.ai/ingestioninference_data_received
/models/{model_id}/inferencesPATCHevents.arthur.ai/ingestionground_truth_data_received
/models/{model_id}/inferences/filePOSTevents.arthur.ai/ingestioninference_data_received
/models/{model_id}/reference_dataPOSTevents.arthur.ai/ingestionreference_data_received
/models/{model_id}/batches/{batch_id}PATCHevents.arthur.ai/ingestioninference_data_batch_completed
/models/{model_id}/reference_dataPATCHevents.arthur.ai/ingestionreference_data_upload_completed
/models/{model_id}/metricsPOSTevents.arthur.ai/metricscreated
/models/{model_id}/metrics/{metric_id}PUTevents.arthur.ai/metricsupdated
/models/{model_id}/metrics/{metric_id}DELETEevents.arthur.ai/metricsdeleted
/authorization/custom_rolesPOSTevents.arthur.ai/rbacupdated
/authorization/custom_rolesDELETEevents.arthur.ai/rbacupdated

A more thorough description of these endpoints is available at our API Documentation.

Integration with EventBridge

The on-prem installation provides support for shipping the Audit Log to AWS EventBridge. To configure this, you will need the following:

  • Bus Name: Required. The name of the EventBridge bus. This should not be the full ARN of the bus.
  • Region: Required. This is the AWS region where your EventBridge bus is located.
  • Source: Optional. This value will be added to the EventBridge events "source" for all events. This defaults to "arthur-audit-log".
  • Detail Type: Optional. This value will be added to the EventBridge events "detail-type" for all events. This defaults to "events.arthur.ai."

An example of the events that are written to EventBridge looks like the following (this was captured via an EventBridge to CloudWatch Log Group rule and target):

{
    "version": "0",
    "id": "b87f2a3a-6be1-e1d9-bc94-720d60e0a9d8",
    "detail-type": "events.arthur.ai",
    "source": "arthur-audit-log",
    "account": "1234567890",
    "time": "2022-07-21T22:07:00Z",
    "region": "us-east-2",
    "resources": [],
    "detail": {
        "event_type": "created",
        "event_category": "events.arthur.ai/model",
        "event_id": "da2ec82d-f581-4e72-bb66-fc82504f2a7e",
        "timestamp": "2022-07-21T22:06:59.683+0000",
        "organization_id": "d579359a-7259-4397-a08b-3e36c212350f",
        "model_id": "a950c9ad-6a1e-4042-8e47-461d13072da5",
        "user_id": "df3fe374-26d7-4bd8-bf62-e04a6e078e2b",
        "user_type": "arthur-managed",
        "http_path": "/api/v3/models",
        "http_method": "POST",
        "http_status_code": 200
    }
}

Configuration

The EventBridge integration can be enabled on the Admin Console Config Page by:

  1. Checking "Show Other Advanced Options" under the Other Advanced Options section
  2. After that is checked, a new section will appear called "Audit Logging"
  3. Check "Enable Audit Log"
  4. Next, a choice of persistence methods appears. Choose "AWS EventBridge"
  5. Fill out the "Bus Name," "Region," "Event Source," and "Detail Type" fields that appear.
  6. Click "Save config" and deploy the updated version

Required IAM Permissions

To send events to AWS EventBridge, the Arthur IAM credentials or role will require the events:PutEvents permission. Here is an example policy that grants that permission on an EventBridge bus called arthur-events in the us-east-2 region, in the 0123456789 AWS account.

{
    "Statement": [
        {
            "Action": "events:PutEvents",
            "Effect": "Allow",
            "Resource": "arn:aws:events:us-east-2:0123456789:event-bus/arthur-events",
            "Sid": ""
        }
    ],
    "Version": "2012-10-17"
}