Update audit events

docs/user/security/audit-logging.asciidoc

@@ -155,6 +155,15 @@ Refer to the corresponding {es} logs for potential write errors.
 | `unknown` | User is updating an alert.
 | `failure` | User is not authorized to update an alert.
 
+.2+| `rule_snooze`
+| `unknown` | User is snoozing a rule.
+| `failure` | User is not authorized to snooze a rule.
+
+.2+| `rule_unsnooze`
+| `unknown` | User is unsnoozing a rule.
+| `failure` | User is not authorized to unsnooze a rule.
+
+
 3+a|
 ====== Type: deletion
 

x-pack/plugins/alerting/server/rules_client/audit_events.ts

@@ -25,6 +25,7 @@ export enum RuleAuditAction {
   AGGREGATE = 'rule_aggregate',
   GET_EXECUTION_LOG = 'rule_get_execution_log',
   SNOOZE = 'rule_snooze',
+  UNSNOOZE = 'rule_unsnooze',
 }
 
 type VerbsTuple = [string, string, string];
@@ -50,6 +51,7 @@ const eventVerbs: Record<RuleAuditAction, VerbsTuple> = {
     'accessed execution log for',
   ],
   rule_snooze: ['snooze', 'snoozing', 'snoozed'],
+  rule_unsnooze: ['unsnooze', 'unsnoozing', 'unsnoozed'],
 };
 
 const eventTypes: Record<RuleAuditAction, EcsEventType> = {
@@ -69,6 +71,7 @@ const eventTypes: Record<RuleAuditAction, EcsEventType> = {
   rule_aggregate: 'access',
   rule_get_execution_log: 'access',
   rule_snooze: 'change',
+  rule_unsnooze: 'change',
 };
 
 export interface RuleAuditEventParams {

x-pack/plugins/alerting/server/rules_client/rules_client.ts

@@ -1687,7 +1687,7 @@ export class RulesClient {
     } catch (error) {
       this.auditLogger?.log(
         ruleAuditEvent({
-          action: RuleAuditAction.SNOOZE,
+          action: RuleAuditAction.UNSNOOZE,
           savedObject: { type: 'alert', id },
           error,
         })
@@ -1697,7 +1697,7 @@ export class RulesClient {
 
     this.auditLogger?.log(
       ruleAuditEvent({
-        action: RuleAuditAction.SNOOZE,
+        action: RuleAuditAction.UNSNOOZE,
         outcome: 'unknown',
         savedObject: { type: 'alert', id },
       })