Working with Audits
  • 18 Apr 2024


The Greymatter Audits feature supports the ingestion of audit events into an index. These events are triggered for requests made through the Greymatter platform. For an edge proxy that handles authentication into the Greymatter platform, the audit event contains additional data, such as the identity of the user making the request. This data helps enterprises achieve security compliance by capturing which users are accessing the resources in their system.

User Identity Fields

There are a few fields associated with user identities that warrant clarification. The three fields are:

  • from

  • user_dn

  • originatorToken

Greymatter automatically captures user identities through North/South traffic via a Greymatter edge proxy (core or tenant). For East/West requests (or service-to-service), which originate from the upstream service, it becomes the upstream service's responsibility to properly set HTTP headers that ultimately correlate to user identity fields in the ElasticSearch index. This ensures automatic capture and propagation of identities throughout the network. Should these headers not be set, Greymatter defaults to automatically capturing the mTLS certificate Distinguished Name (DN) used for East/West traffic. For instance, DN information from a Spire certificate will be captured and reflected in the originatorToken field.

from

The from field is only used during OIDC authenticated requests. Greymatter provides two avenues for OIDC authentication: the core Greymatter edge proxy and any tenant edge proxy. Once a user is authenticated, a corresponding FROM header will be set containing the user’s email address from a JWT claim.

user_dn

The user_dn field is only used during PKI authenticated requests. Once again, Greymatter provides two avenues for PKI authentication: the Greymatter edge proxy and any tenant edge proxy. Once a user is authenticated, a corresponding USER_DN header will be set containing the Distinguished Name (DN) from the PKI certificate. The value of this header cannot be changed because it is managed solely by Greymatter proxy.

originatorToken

The originatorToken field is the authoritative field containing the user identity set from either the FROM or USER_DN headers in the request. This array can hold one or more values depending on the authentication mechanisms used throughout the platform and the origin of the request. In the case of OIDC, the value will only be the user’s identity set from the FROM header. For PKI authentication, the value is the user’s identity set from the USER_DN header containing the DN of the user’s PKI certificate.

If impersonation is enabled on proxies, this array can also contain the unique identifiers of system certificate DNs, either through manually managed mTLS or Spire. This particular aspect of the originatorToken field can make querying for users a bit challenging because the array contains more than a single identity. However, there are ways to parse out the necessary data an enterprise needs. The next section will explore this in more detail.
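The following is an added example, not Greymatter's own code, of the kind of parsing the paragraph above alludes to: it takes audit events carrying the documented `from`, `user_dn` and `originatorToken` fields and separates the human identity from the system certificate DNs that impersonation adds to the array. The event layout, the sample values, the email pattern and the rule that system workload certificates carry `OU=Services` are constructed assumptions for this example; adjust the classification rule to whatever naming your mTLS or Spire certificates actually use.

```python
"""Separate user identities from system certificate DNs in audit events.

Added example, not part of the Greymatter documentation or product. The field
names `from`, `user_dn` and `originatorToken` come from the documentation; the
event layout, sample values and classification rule are assumptions.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample events (not real audit data). One OIDC request, one PKI
# request forwarded by a service certificate (impersonation), and one pure
# service-to-service request with no human identity at all.
SAMPLE_EVENTS = [
    json.dumps({"from": "jim.gaspari@greymatter.io", "user_dn": None,
                "originatorToken": ["jim.gaspari@greymatter.io"]}),
    json.dumps({"from": None, "user_dn": "CN=Jane Doe,OU=Users,O=Example,C=US",
                "originatorToken": ["CN=Jane Doe,OU=Users,O=Example,C=US",
                                    "CN=service-a.mesh.local,OU=Services,O=Example,C=US"]}),
    json.dumps({"from": None, "user_dn": None,
                "originatorToken": ["CN=service-b.mesh.local,OU=Services,O=Example,C=US"]}),
]

# An OIDC identity (FROM header) is an email address.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Assumption for this example: system workload certificates carry OU=Services.
SYSTEM_DN_RE = re.compile(r"(^|,)\s*OU=Services(,|$)", re.IGNORECASE)


@dataclass
class Identity:
    user: Optional[str]                  # human identity, or None for service-only traffic
    auth: str                            # "oidc", "pki" or "service"
    system_dns: List[str] = field(default_factory=list)  # DNs added by impersonation


def classify_token(token: str) -> str:
    """Label one originatorToken entry as oidc, pki or system."""
    if EMAIL_RE.match(token):
        return "oidc"
    if SYSTEM_DN_RE.search(token):
        return "system"
    return "pki"


def load_event(line: str) -> dict:
    """Parse one JSON-encoded audit event."""
    return json.loads(line)


def extract_identity(event: dict) -> Identity:
    """Resolve the human identity behind an event.

    `from` (OIDC) and `user_dn` (PKI) are taken as authoritative when present;
    otherwise the first non-system entry of originatorToken is used. System
    certificate DNs are kept separately so they can be reported but never
    mistaken for a user.
    """
    tokens = event.get("originatorToken") or []
    system = [t for t in tokens if classify_token(t) == "system"]
    users = [t for t in tokens if classify_token(t) != "system"]
    if event.get("from"):
        return Identity(event["from"], "oidc", system)
    if event.get("user_dn"):
        return Identity(event["user_dn"], "pki", system)
    if users:
        return Identity(users[0], classify_token(users[0]), system)
    return Identity(None, "service", system)


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count events per human identity; service-only traffic is bucketed apart."""
    counts: Dict[str, int] = {}
    for line in lines:
        ident = extract_identity(load_event(line))
        key = ident.user or "<service-only>"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(extract_identity(load_event(line)))
    print(summarize(SAMPLE_EVENTS))
```

Running the block over the constructed events yields one event each for `jim.gaspari@greymatter.io` and `CN=Jane Doe,OU=Users,O=Example,C=US`, with the service DNs reported in `system_dns` rather than counted as users, and the third event bucketed as service-only.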

Create a Kibana Dashboard of User Activity

Using any of the above user identity fields, an administrator can create a Kibana dashboard that visualizes user activity throughout the system.

The User Identity (top-left) chart indicates the top 100 users by the from field, which is set following OIDC authenticated requests. The Meshes (top-right) chart shows the percentage of data from each individual mesh across all indexes used to power this dashboard. Clicking on a slice of the User Identity chart filters the other visualizations. This allows a security specialist to understand when and what that user is accessing. For example, by clicking on the slice for jim.gaspari@greymatter.io, the surrounding visualizations are filtered to show the activity for that user only.

This Kibana dashboard is just a small example of what can be done with the audit fields in the index. The dashboard is available to import into Kibana using the attached file.

Attachment: user-audits-dashboard (9.99 KB)

For a full reference guide on the fields captured via Greymatter, please see the Audits Index table under references.

The Greymatter audits feature relies on ElasticSearch 7.11 or greater.
