MISP
new: [internal] Add option to log last API request
What does it do?
This PR adds in functionality to allow users to optionally turn on storing of the last time an API request was made against an account, similar to the last_login field.
This adds a new field under DB version 87 for `last_api_access`, updating each time a successful API authentication request occurs, and can be configured from within the MISP settings.
This is a useful change for us (and I assume others), as it allows you to get a better understanding of the activity of all user accounts, not just those that log in on the web.
Questions
- [X] Does it require a DB change?
- [X] Are you using it in production? (Not yet - plan to!)
- [ ] Does it require a change in the API (PyMISP for example)?
+1
Not sure why the tests are failing, complaining that the new field in the DB is missing (maybe the DB upgrade hasn't happened in the tests?) New functionality confirmed to work locally.
Any idea @iglocska?
I've had a quick look:
- new db changes
```php
case 86:
    $sqlArray[] = sprintf("ALTER table users MODIFY description text;");
    break;
case 87:
    $sqlArray[] = "ALTER TABLE users ADD `last_login` INT(11) DEFAULT 0;";
```
Field that the code relies on: last_api_access
https://github.com/MISP/MISP/pull/8519/files#diff-34468d89c8edd011225c0d3577502650bf96ed235857dff317c97cc203f64d97R1382
Make sure you fix the update script ;)
Hello, a similar thing can be done by setting `MISP.log_user_ips` and `MISP.log_user_ips_authkeys` to `true`. Then when you have enabled advanced authkeys, every key access will be logged to Redis and available from the web interface.
@iglocska Doh! I must've replaced the upgrade, copying across the field from a previous example and not replaced the column! Thank you! All sorted :crossed_fingers:
@JakubOnderka thanks for the tip, wasn't aware of that! I think this still has merit, as this provides a quick way to get the last activity through querying the MISP users, instead of having to look through the UI or logs.
Thanks a lot, merged into develop!
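
An added example, not part of the PR or of MISP's code: once both timestamps exist, an access review can combine them so that API-only accounts are not mistaken for dormant ones. It assumes `last_api_access` is stored like `last_login`, as epoch seconds with 0 meaning never; the `email` and `disabled` keys and all sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like a users-table export. Only the names
# last_login and last_api_access come from the PR; the other keys and every
# value are assumptions made for this example.
NOW = datetime(2022, 8, 1, tzinfo=timezone.utc)

def ts(days_ago):
    """Epoch seconds for a moment `days_ago` days before NOW."""
    return int((NOW - timedelta(days=days_ago)).timestamp())

USERS = [
    {"email": "analyst@example.org", "last_login": ts(2), "last_api_access": 0, "disabled": False},
    {"email": "feed-sync@example.org", "last_login": ts(400), "last_api_access": ts(1), "disabled": False},
    {"email": "old-script@example.org", "last_login": ts(500), "last_api_access": ts(200), "disabled": False},
    {"email": "never-used@example.org", "last_login": 0, "last_api_access": 0, "disabled": False},
    {"email": "leaver@example.org", "last_login": ts(300), "last_api_access": ts(300), "disabled": True},
]

def last_activity(user):
    """Most recent of web login and API access; 0 (assumed default) means never."""
    return max(int(user.get("last_login") or 0), int(user.get("last_api_access") or 0))

def classify(user, now, max_idle_days=90):
    """Return 'disabled', 'never_used', 'dormant', 'api_only' or 'active'."""
    if user.get("disabled"):
        return "disabled"
    seen = last_activity(user)
    if seen == 0:
        return "never_used"
    cutoff = int((now - timedelta(days=max_idle_days)).timestamp())
    if seen < cutoff:
        return "dormant"
    # Recently active, but only through the API: reviewing last_login alone
    # would wrongly list this account as idle.
    if int(user.get("last_login") or 0) < cutoff:
        return "api_only"
    return "active"

def review(users, now, max_idle_days=90):
    """Map each account to its classification for a periodic access review."""
    return {u["email"]: classify(u, now, max_idle_days) for u in users}

if __name__ == "__main__":
    for email, status in review(USERS, NOW).items():
        print(f"{status:<11} {email}")
```

If the logging option is left off, `last_api_access` stays at 0 under these assumptions, so API-only accounts will be reported as dormant or never used.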