Reporting on Case Access
Background
There are a number of high profile Donors with LPA’s on Sirius that the majority of users shouldn’t, and don’t need to look at.
However curiosity killed the cat, and so we have to provide a report to SMT of Sirius users who have accessed those Donors and Cases.
Report from SMT
We receive a questionably formatted spreadsheet from SMT with a list of Case References. We have to extract the internal Sirius IDs of the Cases, and the internal Sirius ID’s of the Donors realted to the cases.
You will get a long list of 7XXX-XXXX-XXXX style Case references, you need to extract these, remove all the hyphens, and then drop them into two SQL queries and run these against the database to extract the Donor ID’s and the Case ID’s for use in the LogInsights Query.
Extract the internal ID’s for LogInsights Query
You need to run SQL Queries against the production database, you only need operator access to do this, so you can use the Operator SSM Instance.
Using the two SQL Queries below you will get a long list of Donor ID’s and Case ID’s.
Donor ID SQL Query
SELECT
donor_id
FROM
cases
WHERE
uid IN (
'7123-4567-8901',
'7234-5678-9012',
etc
);
Case ID SQL Query
SELECT
id
FROM
cases
WHERE
uid IN (
'7123-4567-8901',
'7234-5678-9012',
etc
);
LogInsights Query
You need to format the ID’s correctly for the LogInsights query to wrap each of the ID’s in escaped forward slashes. This is important as the LogInsights RegEx will match any partial ID if you don’t and you will get a lot of false positives.
The Log insights query checks for API usage on the two endpoints that we care about (‘persons’ and ‘cases’) and then narrows that down to an internal ID of one of the cases or donors we care about. This LogInsights query will return a list of internal Sirius User ID’s and a count of how many times they have made a request to an endpoint for a case or donor we care about.
Make sure you set the date range correctly for the period you’ve been asked to report on.
LogInsights Query
fields context.category as Category, context.actorId as UserID
| filter context.category = 'Security'
|
filter ((request.path like '/api/v1/persons/' and request.path like /(i?)(\/12345\/|\/23456\/|\/etc\/)/) # donors
OR
(request.path like '/api/v1/cases/' and request.path like /(i?)(\/12345\/|\/23456\/|\/etc\/)/) # cases
| stats count(*) as Requests by context.category, context.actorId
| order by Requests DESC
Extracting the user emails
You need to extract all the user ID’s from the LogInsights query and drop them into the User query to get the emails.
User Email SQL Query
SELECT
id,
email
FROM
assignees
WHERE id IN
(
123,
456,
789,
etc
);
Put the report together.
Format the LogInsights Query results into individual columns in a spreadsheet, in a different tab format the User Email Query results into individual columns. Create a lookup for the user email, using the two id columns, so you end up with the user id, user email, and their request count in the same sheet. Then you can send that over to Product to review and pass onto the business.
You can see the first interation of this and all related fully populated queries, and the final report on the original Jira Ticket.