diff --git a/x-pack/plugins/security/server/audit/audit_events.test.ts b/x-pack/plugins/security/server/audit/audit_events.test.ts index ae40429eea1b6..1978795f82a24 100644 --- a/x-pack/plugins/security/server/audit/audit_events.test.ts +++ b/x-pack/plugins/security/server/audit/audit_events.test.ts @@ -201,4 +201,46 @@ describe('#httpRequestEvent', () => { } `); }); + + test('uses original URL if rewritten', () => { + expect( + httpRequestEvent({ + request: httpServerMock.createKibanaRequest({ + path: '/path', + query: { query: 'param' }, + kibanaRequestState: { + requestId: '123', + requestUuid: '123e4567-e89b-12d3-a456-426614174000', + rewrittenUrl: { + path: '/original/path', + pathname: '/original/path', + query: 'query=param', + search: '?query=param', + }, + }, + }), + }) + ).toMatchInlineSnapshot(` + Object { + "event": Object { + "action": "http_request", + "category": "web", + "outcome": "unknown", + }, + "http": Object { + "request": Object { + "method": "get", + }, + }, + "message": "User is requesting [/original/path] endpoint", + "url": Object { + "domain": undefined, + "path": "/original/path", + "port": undefined, + "query": "query=param", + "scheme": undefined, + }, + } + `); + }); }); diff --git a/x-pack/plugins/security/server/audit/audit_events.ts b/x-pack/plugins/security/server/audit/audit_events.ts index 48a3b1e7e85b0..1ff9da3a95ff4 100644 --- a/x-pack/plugins/security/server/audit/audit_events.ts +++ b/x-pack/plugins/security/server/audit/audit_events.ts @@ -105,7 +105,7 @@ export interface HttpRequestParams { } export function httpRequestEvent({ request }: HttpRequestParams): AuditEvent { - const { pathname, search } = request.url; + const { pathname, search } = request.rewrittenUrl ?? request.url; return { message: `User is requesting [${pathname}] endpoint`,