New package - 1Password Events Reporting (elastic#1722)

* New package - 1Password Events Reporting

Create a new package to collect logs from 1Password Events Reporting.
There are two log data streams:

- Item Usages - Uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used.
- Sign-in Attempts - Uses the 1Password Events API to retrieve information about sign-in attempts.

Closes elastic#1232

* Add Proxy config

* Address feedback

packages/1password/_dev/build/build.yml

@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@1.12

packages/1password/_dev/deploy/docker/config.yml

@@ -0,0 +1,91 @@
+rules:
+ - path: /api/v1/itemusages
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"limit":1000}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_0","has_more":true,"items":[{"uuid":"MCQODBBWJD5HISKYNP3HJPV2DV","timestamp":"2021-08-30T18:57:42.484Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]}
+ - path: /api/v1/itemusages
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"cursor":"cursor_0"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_1","has_more":false,"items":[{"uuid":"5HBWJDWCQADISKY2DVBNP3HJPV","timestamp":"2021-08-30T19:10:00.123Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]}
+ - path: /api/v1/itemusages
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"cursor":"cursor_1"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_1","has_more":false,"items":[]}
+ - path: /api/v1/signinattempts
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"limit":1000}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_0","has_more":true,"items":[{"uuid":"HGIF4OEWXDTVWKEQDIWTKV26HU","session_uuid":"UED4KFZ5BH37IQWTJ7LG4VPWK7","timestamp":"2021-08-11T14:28:03Z","country":"AR","category":"success","type":"credentials_ok","details":null,"target_user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]}
+ - path: /api/v1/signinattempts
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"cursor":"cursor_0"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_1","has_more":true,"items":[{"uuid":"QVWKEOEWXU2DIDHWTK6HGIF4TV","session_uuid":"UED4KFZ5BH37IQWTJ7LG4VPWK7","timestamp":"2021-08-11T15:04:22Z","country":"AR","category":"success","type":"credentials_ok","details":null,"target_user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]}
+ - path: /api/v1/signinattempts
+ methods: ["POST"]
+ request_headers:
+ Content-Type:
+ - "application/json"
+ Authorization:
+ - "Bearer --token--"
+ request_body: '{"cursor":"cursor_1"}'
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - "application/json; charset=utf-8"
+ body: |-
+ {"cursor":"cursor_1","has_more":false,"items":[]}

packages/1password/_dev/deploy/docker/docker-compose.yml

@@ -0,0 +1,15 @@
+version: '3.0'
+services:
+ 1password_eventsapi_mock:
+ image: docker.elastic.co/observability/stream:v0.6.1
+ hostname: 1password_eventsapi_mock
+ ports:
+ - 8080
+ volumes:
+ - ./config.yml:/config.yml
+ environment:
+ PORT: "8080"
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/config.yml

packages/1password/changelog.yml

@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1722

packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json

@@ -0,0 +1,12 @@
+{
+ "events": [
+ {
+ "@timestamp": "2021-08-30T22:57:42.484Z",
+ "message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+ },
+ {
+ "@timestamp": "2021-08-30T22:57:42.484Z",
+ "message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}"
+ }
+ ]
+}

packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-config.yml

@@ -0,0 +1,6 @@
+fields:
+ "@timestamp": "2021-08-30T22:57:42.484Z"
+ tags:
+ - preserve_original_event
+dynamic_fields:
+ event.ingested: "^.*$"

packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json

@@ -0,0 +1,142 @@
+{
+ "expected": [
+ {
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "onepassword": {
+ "used_version": 1,
+ "client": {
+ "platform_name": "Chrome",
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_version": "93.0.4577.62"
+ },
+ "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "@timestamp": "2021-08-30T18:57:42.484Z",
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Oceania",
+ "country_name": "Australia",
+ "location": {
+ "lon": 143.2104,
+ "lat": -33.494
+ },
+ "country_iso_code": "AU"
+ },
+ "as": {
+ "number": 13335,
+ "organization": {
+ "name": "Cloudflare, Inc."
+ }
+ },
+ "ip": "1.1.1.1"
+ },
+ "event": {
+ "category": [
+ "file"
+ ],
+ "created": "2021-08-30T22:57:42.484Z",
+ "kind": "event",
+ "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}",
+ "type": [
+ "access"
+ ]
+ },
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ },
+ {
+ "ecs": {
+ "version": "1.12.0"
+ },
+ "related": {
+ "ip": [
+ "1.1.1.1"
+ ],
+ "user": [
+ "OJQGU46KAPROEJLCK674RHSAY5",
+ "email@1password.com",
+ "Name"
+ ]
+ },
+ "onepassword": {
+ "used_version": 1,
+ "client": {
+ "platform_name": "Chrome",
+ "app_name": "1Password Browser Extension",
+ "app_version": "1109",
+ "platform_version": "93.0.4577.62"
+ },
+ "uuid": "5HBWJDWCQADISKY2DVBNP3HJPV",
+ "item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
+ "vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
+ },
+ "@timestamp": "2021-08-30T19:10:00.123Z",
+ "os": {
+ "name": "Android",
+ "version": "10"
+ },
+ "source": {
+ "geo": {
+ "continent_name": "Oceania",
+ "country_name": "Australia",
+ "location": {
+ "lon": 143.2104,
+ "lat": -33.494
+ },
+ "country_iso_code": "AU"
+ },
+ "as": {
+ "number": 13335,
+ "organization": {
+ "name": "Cloudflare, Inc."
+ }
+ },
+ "ip": "1.1.1.1"
+ },
+ "event": {
+ "category": [
+ "file"
+ ],
+ "created": "2021-08-30T22:57:42.484Z",
+ "kind": "event",
+ "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}",
+ "type": [
+ "access"
+ ]
+ },
+ "user": {
+ "email": "email@1password.com",
+ "full_name": "Name",
+ "id": "OJQGU46KAPROEJLCK674RHSAY5"
+ },
+ "tags": [
+ "preserve_original_event"
+ ]
+ }
+ ]
+}

packages/1password/data_stream/item_usages/_dev/test/system/test-default-config.yml

@@ -0,0 +1,8 @@
+input: httpjson
+service: 1password_eventsapi_mock
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ token: --token--
+ preserve_original_event: true
+data_stream:
+ vars: ~

packages/1password/data_stream/item_usages/agent/stream/httpjson.yml.hbs

@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/itemusages
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+ - set:
+ target: "header.Content-Type"
+ value: "application/json"
+ - set:
+ target: "header.User-Agent"
+ value: "1Password-Elastic-Filebeat/0.1.0"
+ - set:
+ target: "header.Authorization"
+ value: 'Bearer {{token}}'
+ - set:
+ target: body.cursor
+ value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+ - set:
+ target: body.limit
+ value_type: int
+ value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+ last_cursor:
+ value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+ target: body.items
+response.pagination:
+ - set:
+ target: body.cursor
+ value: '[[.last_response.body.cursor]]'
+ fail_on_template_error: true
+ - delete:
+ target: body.limit
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+ - {{tag}}
+{{/each}}
+{{#contains tags "forwarded"}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}