forked from elastic/integrations
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
New package - 1Password Events Reporting (elastic#1722)
* New package - 1Password Events Reporting Create a new package to collect logs from 1Password Events Reporting. There are two log data streams: - Item Usages - Uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used. - Sign-in Attempts - Uses the 1Password Events API to retrieve information about sign-in attempts. Closes elastic#1232 * Add Proxy config * Address feedback
- Loading branch information
Showing
46 changed files
with
3,269 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
dependencies: | ||
ecs: | ||
reference: git@1.12 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,91 @@ | ||
rules: | ||
- path: /api/v1/itemusages | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"limit":1000}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_0","has_more":true,"items":[{"uuid":"MCQODBBWJD5HISKYNP3HJPV2DV","timestamp":"2021-08-30T18:57:42.484Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]} | ||
- path: /api/v1/itemusages | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"cursor":"cursor_0"}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_1","has_more":false,"items":[{"uuid":"5HBWJDWCQADISKY2DVBNP3HJPV","timestamp":"2021-08-30T19:10:00.123Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]} | ||
- path: /api/v1/itemusages | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"cursor":"cursor_1"}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_1","has_more":false,"items":[]} | ||
- path: /api/v1/signinattempts | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"limit":1000}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_0","has_more":true,"items":[{"uuid":"HGIF4OEWXDTVWKEQDIWTKV26HU","session_uuid":"UED4KFZ5BH37IQWTJ7LG4VPWK7","timestamp":"2021-08-11T14:28:03Z","country":"AR","category":"success","type":"credentials_ok","details":null,"target_user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]} | ||
- path: /api/v1/signinattempts | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"cursor":"cursor_0"}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_1","has_more":true,"items":[{"uuid":"QVWKEOEWXU2DIDHWTK6HGIF4TV","session_uuid":"UED4KFZ5BH37IQWTJ7LG4VPWK7","timestamp":"2021-08-11T15:04:22Z","country":"AR","category":"success","type":"credentials_ok","details":null,"target_user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]} | ||
- path: /api/v1/signinattempts | ||
methods: ["POST"] | ||
request_headers: | ||
Content-Type: | ||
- "application/json" | ||
Authorization: | ||
- "Bearer --token--" | ||
request_body: '{"cursor":"cursor_1"}' | ||
responses: | ||
- status_code: 200 | ||
headers: | ||
Content-Type: | ||
- "application/json; charset=utf-8" | ||
body: |- | ||
{"cursor":"cursor_1","has_more":false,"items":[]} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
version: '3.0' | ||
services: | ||
1password_eventsapi_mock: | ||
image: docker.elastic.co/observability/stream:v0.6.1 | ||
hostname: 1password_eventsapi_mock | ||
ports: | ||
- 8080 | ||
volumes: | ||
- ./config.yml:/config.yml | ||
environment: | ||
PORT: "8080" | ||
command: | ||
- http-server | ||
- --addr=:8080 | ||
- --config=/config.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
# newer versions go on top | ||
- version: "0.1.0" | ||
changes: | ||
- description: Initial draft of the package | ||
type: enhancement | ||
link: https://github.com/elastic/integrations/pull/1722 |
12 changes: 12 additions & 0 deletions
12
packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
{ | ||
"events": [ | ||
{ | ||
"@timestamp": "2021-08-30T22:57:42.484Z", | ||
"message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}" | ||
}, | ||
{ | ||
"@timestamp": "2021-08-30T22:57:42.484Z", | ||
"message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}" | ||
} | ||
] | ||
} |
6 changes: 6 additions & 0 deletions
6
...ages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-config.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
fields: | ||
"@timestamp": "2021-08-30T22:57:42.484Z" | ||
tags: | ||
- preserve_original_event | ||
dynamic_fields: | ||
event.ingested: "^.*$" |
142 changes: 142 additions & 0 deletions
142
...s/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,142 @@ | ||
{ | ||
"expected": [ | ||
{ | ||
"ecs": { | ||
"version": "1.12.0" | ||
}, | ||
"related": { | ||
"ip": [ | ||
"1.1.1.1" | ||
], | ||
"user": [ | ||
"OJQGU46KAPROEJLCK674RHSAY5", | ||
"email@1password.com", | ||
"Name" | ||
] | ||
}, | ||
"onepassword": { | ||
"used_version": 1, | ||
"client": { | ||
"platform_name": "Chrome", | ||
"app_name": "1Password Browser Extension", | ||
"app_version": "1109", | ||
"platform_version": "93.0.4577.62" | ||
}, | ||
"uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", | ||
"item_uuid": "bvwmmwxisuca7wbehrbyqhag54", | ||
"vault_uuid": "jaqxqf5qylslqiitnduawrndc5" | ||
}, | ||
"@timestamp": "2021-08-30T18:57:42.484Z", | ||
"os": { | ||
"name": "Android", | ||
"version": "10" | ||
}, | ||
"source": { | ||
"geo": { | ||
"continent_name": "Oceania", | ||
"country_name": "Australia", | ||
"location": { | ||
"lon": 143.2104, | ||
"lat": -33.494 | ||
}, | ||
"country_iso_code": "AU" | ||
}, | ||
"as": { | ||
"number": 13335, | ||
"organization": { | ||
"name": "Cloudflare, Inc." | ||
} | ||
}, | ||
"ip": "1.1.1.1" | ||
}, | ||
"event": { | ||
"category": [ | ||
"file" | ||
], | ||
"created": "2021-08-30T22:57:42.484Z", | ||
"kind": "event", | ||
"original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", | ||
"type": [ | ||
"access" | ||
] | ||
}, | ||
"user": { | ||
"email": "email@1password.com", | ||
"full_name": "Name", | ||
"id": "OJQGU46KAPROEJLCK674RHSAY5" | ||
}, | ||
"tags": [ | ||
"preserve_original_event" | ||
] | ||
}, | ||
{ | ||
"ecs": { | ||
"version": "1.12.0" | ||
}, | ||
"related": { | ||
"ip": [ | ||
"1.1.1.1" | ||
], | ||
"user": [ | ||
"OJQGU46KAPROEJLCK674RHSAY5", | ||
"email@1password.com", | ||
"Name" | ||
] | ||
}, | ||
"onepassword": { | ||
"used_version": 1, | ||
"client": { | ||
"platform_name": "Chrome", | ||
"app_name": "1Password Browser Extension", | ||
"app_version": "1109", | ||
"platform_version": "93.0.4577.62" | ||
}, | ||
"uuid": "5HBWJDWCQADISKY2DVBNP3HJPV", | ||
"item_uuid": "bvwmmwxisuca7wbehrbyqhag54", | ||
"vault_uuid": "jaqxqf5qylslqiitnduawrndc5" | ||
}, | ||
"@timestamp": "2021-08-30T19:10:00.123Z", | ||
"os": { | ||
"name": "Android", | ||
"version": "10" | ||
}, | ||
"source": { | ||
"geo": { | ||
"continent_name": "Oceania", | ||
"country_name": "Australia", | ||
"location": { | ||
"lon": 143.2104, | ||
"lat": -33.494 | ||
}, | ||
"country_iso_code": "AU" | ||
}, | ||
"as": { | ||
"number": 13335, | ||
"organization": { | ||
"name": "Cloudflare, Inc." | ||
} | ||
}, | ||
"ip": "1.1.1.1" | ||
}, | ||
"event": { | ||
"category": [ | ||
"file" | ||
], | ||
"created": "2021-08-30T22:57:42.484Z", | ||
"kind": "event", | ||
"original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"1.1.1.1\"}}", | ||
"type": [ | ||
"access" | ||
] | ||
}, | ||
"user": { | ||
"email": "email@1password.com", | ||
"full_name": "Name", | ||
"id": "OJQGU46KAPROEJLCK674RHSAY5" | ||
}, | ||
"tags": [ | ||
"preserve_original_event" | ||
] | ||
} | ||
] | ||
} |
8 changes: 8 additions & 0 deletions
8
packages/1password/data_stream/item_usages/_dev/test/system/test-default-config.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
input: httpjson | ||
service: 1password_eventsapi_mock | ||
vars: | ||
url: http://{{Hostname}}:{{Port}} | ||
token: --token-- | ||
preserve_original_event: true | ||
data_stream: | ||
vars: ~ |
57 changes: 57 additions & 0 deletions
57
packages/1password/data_stream/item_usages/agent/stream/httpjson.yml.hbs
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
config_version: 2 | ||
interval: {{interval}} | ||
request.url: {{url}}/api/v1/itemusages | ||
request.method: POST | ||
{{#if proxy_url }} | ||
request.proxy_url: {{proxy_url}} | ||
{{/if}} | ||
{{#if ssl}} | ||
request.ssl: {{ssl}} | ||
{{/if}} | ||
{{#if http_client_timeout}} | ||
request.timeout: {{http_client_timeout}} | ||
{{/if}} | ||
request.transforms: | ||
- set: | ||
target: "header.Content-Type" | ||
value: "application/json" | ||
- set: | ||
target: "header.User-Agent" | ||
value: "1Password-Elastic-Filebeat/0.1.0" | ||
- set: | ||
target: "header.Authorization" | ||
value: 'Bearer {{token}}' | ||
- set: | ||
target: body.cursor | ||
value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]' | ||
- set: | ||
target: body.limit | ||
value_type: int | ||
value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]' | ||
cursor: | ||
last_cursor: | ||
value: '[[.last_response.body.cursor]]' | ||
response.decode_as: application/json | ||
response.split: | ||
target: body.items | ||
response.pagination: | ||
- set: | ||
target: body.cursor | ||
value: '[[.last_response.body.cursor]]' | ||
fail_on_template_error: true | ||
- delete: | ||
target: body.limit | ||
tags: | ||
{{#if preserve_original_event}} | ||
- preserve_original_event | ||
{{/if}} | ||
{{#each tags as |tag i|}} | ||
- {{tag}} | ||
{{/each}} | ||
{{#contains tags "forwarded"}} | ||
publisher_pipeline.disable_host: true | ||
{{/contains}} | ||
{{#if processors}} | ||
processors: | ||
{{processors}} | ||
{{/if}} |
Oops, something went wrong.