Audit logging functionality #81493

Open
arisonl opened this issue Oct 22, 2020 · 1 comment
Labels
Feature:elasticsearch Feature:Security/Audit Platform Security - Audit Logging feature Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more

Comments

Contributor

arisonl commented Oct 22, 2020

The new Kibana audit logging we are releasing is ECS compliant and hence natively consumable through existing UIs (e.g. Observability logs). It also includes an X-Opaque ID which will allow Kibana audit logs to be correlated with the corresponding Elasticsearch audit logs.

The vision is for an audit logging experience which is unified across Kibana and Elasticsearch, which on a high level breaks down to two parts: a consistent way to set up and a corresponding way to consume and use for the purposes of each use case. There are a number of requests with regard to such functionality, mostly to a UI, for example:

  • The ability to correlate Kibana and ES logs in order to put together an end-to-end timeline of events (this is technically possible now on the Kibana side, as discussed previously).
  • The ability for users to provide a justification as to why they are accessing certain assets, a justification that will be recorded and become available when investigating (a requirement mainly coming from government users).
  • The ability to select records and open a case which can then be assigned and investigated (this is possibly related to the case management initiative).

In addition, other features might include:

  • The ability to set up the unified audit logging from a UI (this is possibly of interest to the Security Centre idea).
  • Cloud specific requirements.

This is a meta issue to keep track of corresponding requests now that we are closing the main Kibana audit logging issue #17939 and potentially requires cross-team effort (Kibana, ES and Cloud).

Similarly, an issue to track all usage and usage analytics requests can be found here: #81130
cc @legrego @thomheymann
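
The correlation described in this issue, sketched as an added example that is not part of the original issue or of Kibana or Elasticsearch code: events from both audit logs are joined on the X-Opaque ID and sorted into one timeline per request. The field names (`trace.id` on the Kibana side, `opaque_id` on the Elasticsearch side), the timestamp format and all log lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real output. Assumed field names: Kibana keeps
# the ID in nested ECS "trace.id", Elasticsearch in a flat "opaque_id" key.
KIBANA_LINES = [
    '{"@timestamp":"2020-10-22T10:15:02.100Z","event":{"action":"saved_object_find"},"user":{"name":"alice"},"trace":{"id":"req-0001"}}',
    '{"@timestamp":"2020-10-22T10:16:00.000Z","event":{"action":"user_login"},"user":{"name":"bob"},"trace":{"id":"req-0002"}}',
    'truncated line {"@timestamp":',
]
ES_LINES = [
    '{"@timestamp":"2020-10-22T10:15:02.180Z","event.action":"access_granted","user.name":"alice","opaque_id":"req-0001"}',
    '{"@timestamp":"2020-10-22T10:15:02.140Z","event.action":"authentication_success","user.name":"alice","opaque_id":"req-0001"}',
    '{"@timestamp":"2020-10-22T10:15:05.000Z","event.action":"access_granted","user.name":"_system"}',
]

def get_path(doc, dotted):
    """Read a field stored as a flat dotted key or as nested objects."""
    if dotted in doc:
        return doc[dotted]
    for part in dotted.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc

def build_timelines(kibana_lines, es_lines):
    """Group events from both logs by correlation ID, oldest first."""
    timelines, uncorrelated = defaultdict(list), []
    sources = (("kibana", kibana_lines, "trace.id"),
               ("elasticsearch", es_lines, "opaque_id"))
    for source, lines, id_field in sources:
        for line in lines:
            try:
                doc = json.loads(line)
            except json.JSONDecodeError:
                continue  # skip damaged lines instead of aborting the review
            event = {
                "ts": datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00")),
                "source": source,
                "action": get_path(doc, "event.action"),
                "user": get_path(doc, "user.name"),
            }
            corr_id = get_path(doc, id_field)
            # Events with no ID (e.g. internal requests) cannot be joined
            (timelines[corr_id] if corr_id else uncorrelated).append(event)
    for events in timelines.values():
        events.sort(key=lambda e: e["ts"])
    return dict(timelines), uncorrelated
```

Events that carry no ID are returned separately so an investigator can see what could not be placed on any request timeline.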

@arisonl arisonl added Feature:elasticsearch Team:Kibana Management Dev Tools, Index Management, Upgrade Assistant, ILM, Ingest Node Pipelines, and more Feature:Security/Audit Platform Security - Audit Logging feature labels Oct 22, 2020
@elasticmachine
Contributor

Pinging @elastic/es-ui (Team:Elasticsearch UI)
