diff --git a/packages/1password/_dev/build/docs/README.md b/packages/1password/_dev/build/docs/README.md index d3dd33e7805..b9ffa663e75 100644 --- a/packages/1password/_dev/build/docs/README.md +++ b/packages/1password/_dev/build/docs/README.md @@ -22,9 +22,9 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev *Exported fields* -{{fields "item_usages"}} +{{fields "signin_attempts"}} -{{event "item_usages"}} +{{event "signin_attempts"}} ### Item Usages @@ -32,6 +32,6 @@ Uses the 1Password Events API to retrieve information about items in shared vaul *Exported fields* -{{fields "signin_attempts"}} +{{fields "item_usages"}} -{{event "signin_attempts"}} +{{event "item_usages"}} diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml index c349670238e..113d99c5bce 100644 --- a/packages/1password/changelog.yml +++ b/packages/1password/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Add new "event.action" to item usage events + type: enhancement + link: https://github.com/elastic/integrations/pull/2367 - version: "1.1.0" changes: - description: Update to ECS 8.0 diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json index 2815f0b47ac..ef004d92a5d 100644 --- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json +++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json 
@@ -6,7 +6,7 @@ }, { "@timestamp": "2021-08-30T22:57:42.484Z", - "message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}" + "message": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"action\":\"reveal\",\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}" } ] } \ No newline at end of file diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json index d52078352d7..6c9a9790bbc 100644 --- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json +++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json 
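Review bot: Only the second fixture gains an `action`, and `reveal` is the only value exercised, so the test covers one populated value and the missing-field path but nothing in between. A third event with an empty value, `\"action\":\"\"`, would show whether the pipeline writes an empty `event.action` into a field that analysts will filter and alert on. The fixture array starts outside this hunk, so the first event is judged from the expected-output file, which shows no `action` for it.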
@@ -1,150 +1,151 @@ { "expected": [ { + "@timestamp": "2021-08-30T18:57:42.484Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "category": [ + "file" + ], + "created": "2021-08-30T22:57:42.484Z", + "ingested": "2022-02-16T21:38:40.438009400Z", + "kind": "event", + "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "type": [ + "access" + ] + }, "onepassword": { - "used_version": 1, "client": { - "platform_name": "Chrome", "app_name": "1Password Browser Extension", "app_version": "1109", + "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", + "used_version": 1, + "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, - "@timestamp": "2021-08-30T18:57:42.484Z", - "ecs": { - "version": "8.0.0" + "os": { + "name": "Android", + "version": "10" }, "related": { + "ip": [ + "89.160.20.156" + ], "user": [ "OJQGU46KAPROEJLCK674RHSAY5", "email@1password.com", "Name" - ], - "ip": [ - "89.160.20.156" ] }, - "os": { - "name": "Android", - "version": "10" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + 
"country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "email@1password.com", + "full_name": "Name", + "id": "OJQGU46KAPROEJLCK674RHSAY5" + } + }, + { + "@timestamp": "2021-08-30T19:10:00.123Z", + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2021-12-23T23:23:00.336841554Z", - "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "action": "reveal", "category": [ "file" ], + "created": "2021-08-30T22:57:42.484Z", + "ingested": "2022-02-16T21:38:40.438020200Z", + "kind": "event", + "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"action\":\"reveal\",\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", "type": [ "access" - ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event" - }, - "user": { - "email": "email@1password.com", - "full_name": "Name", - "id": "OJQGU46KAPROEJLCK674RHSAY5" + ] }, - "tags": [ - 
"preserve_original_event" - ] - }, - { "onepassword": { - "used_version": 1, "client": { - "platform_name": "Chrome", "app_name": "1Password Browser Extension", "app_version": "1109", + "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "uuid": "5HBWJDWCQADISKY2DVBNP3HJPV", "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", + "used_version": 1, + "uuid": "5HBWJDWCQADISKY2DVBNP3HJPV", "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, - "@timestamp": "2021-08-30T19:10:00.123Z", - "ecs": { - "version": "8.0.0" + "os": { + "name": "Android", + "version": "10" }, "related": { + "ip": [ + "89.160.20.156" + ], "user": [ "OJQGU46KAPROEJLCK674RHSAY5", "email@1password.com", "Name" - ], - "ip": [ - "89.160.20.156" ] }, - "os": { - "name": "Android", - "version": "10" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156" }, - "event": { - "ingested": "2021-12-23T23:23:00.337283501Z", - "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", - 
"category": [ - "file" - ], - "type": [ - "access" - ], - "created": "2021-08-30T22:57:42.484Z", - "kind": "event" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "email@1password.com", "full_name": "Name", "id": "OJQGU46KAPROEJLCK674RHSAY5" - }, - "tags": [ - "preserve_original_event" - ] + } } ] } \ No newline at end of file diff --git a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml index f0a9cb95a06..8629ce39ff7 100644 --- a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml +++ b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml @@ -33,6 +33,10 @@ processors: - append: field: event.type value: [access] + - rename: + field: onepassword.action + target_field: event.action + ignore_missing: true ######################### ## ECS Related Mapping ## diff --git a/packages/1password/data_stream/item_usages/fields/ecs.yml b/packages/1password/data_stream/item_usages/fields/ecs.yml index efb05d507b3..47fc05e976e 100644 --- a/packages/1password/data_stream/item_usages/fields/ecs.yml +++ b/packages/1password/data_stream/item_usages/fields/ecs.yml @@ -10,6 +10,8 @@ name: event.category - external: ecs name: event.type +- external: ecs + name: event.action - external: ecs name: user.id - external: ecs diff --git a/packages/1password/data_stream/item_usages/sample_event.json b/packages/1password/data_stream/item_usages/sample_event.json index cb199f45f59..f99a2d22da6 100644 --- a/packages/1password/data_stream/item_usages/sample_event.json +++ b/packages/1password/data_stream/item_usages/sample_event.json 
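Review bot: The added `rename` in `default.yml` moves `onepassword.action` into `event.action` verbatim while `event.type` stays `[access]` for every item usage, so the raw vendor string is the only thing that separates a `reveal` from any other use of a vault item. With `ignore_missing: true`, events that carry no `action` (the first fixture) get no `event.action` at all, and rule authors should not read that absence as "not revealed". I would state this on the processor itself with `description: Map the 1Password item-usage action (for example reveal) to event.action; absent when the API event has no action.` The item_usages `sample_event.json` in this commit still shows an `event` block without `action`, so the documented example does not demonstrate the new field. The processors list starts and ends outside this hunk; if an earlier step already sets `event.action`, the rename would presumably fail on the existing target, which is worth confirming.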
@@ -1,11 +1,11 @@ { "@timestamp": "2021-08-30T18:57:42.484Z", "agent": { - "ephemeral_id": "d02e8bec-48d2-46c8-bd33-5982bd82059f", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "b3687a99-8907-497b-ba06-204e9664db73", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { "dataset": "1password.item_usages", @@ -16,18 +16,18 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { "agent_id_status": "verified", "category": [ "file" ], - "created": "2021-12-24T00:23:21.039Z", + "created": "2022-02-16T21:39:23.372Z", "dataset": "1password.item_usages", - "ingested": "2021-12-24T00:23:22Z", + "ingested": "2022-02-16T21:39:24Z", "kind": "event", "type": [ "access" diff --git a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json index 799822df79c..e91f58702cd 100644 --- a/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json +++ b/packages/1password/data_stream/signin_attempts/_dev/test/pipeline/test-signinattempts.json-expected.json 
@@ -1,156 +1,156 @@ { "expected": [ { + "@timestamp": "2021-08-11T14:28:03.000Z", + "ecs": { + "version": "8.0.0" + }, + "event": { + "action": "success", + "category": [ + "authentication" + ], + "created": "2021-08-30T22:57:42.484Z", + "ingested": "2022-02-16T21:38:40.881604Z", + "kind": "event", + "original": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "outcome": "success", + "type": [ + "info" + ] + }, "onepassword": { - "country": "AR", "client": { - "platform_name": "Chrome", "app_name": "1Password Browser Extension", "app_version": "1109", + "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, + "country": "AR", "details": null, + "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", "type": "credentials_ok", - "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU", - "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7" + "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU" }, - "@timestamp": "2021-08-11T14:28:03.000Z", - "ecs": { - "version": "8.0.0" + "os": { + "name": "Android", + "version": "10" }, "related": { + "ip": [ + "89.160.20.156" + ], "user": [ "OJQGU46KAPROEJLCK674RHSAY5", "email@1password.com", "Name" - ], - "ip": [ - "89.160.20.156" ] }, - "os": { - "name": "Android", - "version": "10" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 
29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156" }, + "tags": [ + "preserve_original_event" + ], + "user": { + "email": "email@1password.com", + "full_name": "Name", + "id": "OJQGU46KAPROEJLCK674RHSAY5" + } + }, + { + "@timestamp": "2021-08-11T15:04:22.000Z", + "ecs": { + "version": "8.0.0" + }, "event": { - "ingested": "2021-12-23T23:23:01.194824993Z", - "original": "{\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T14:28:03Z\",\"country\":\"AR\",\"category\":\"success\",\"type\":\"credentials_ok\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "action": "success", + "action": "credentials_failed", "category": [ "authentication" ], + "created": "2021-08-30T22:57:42.484Z", + "ingested": "2022-02-16T21:38:40.881614500Z", + "kind": "event", + "original": "{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser 
Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "outcome": "failure", "type": [ "info" - ], - "outcome": "success" - }, - "user": { - "email": "email@1password.com", - "full_name": "Name", - "id": "OJQGU46KAPROEJLCK674RHSAY5" + ] }, - "tags": [ - "preserve_original_event" - ] - }, - { "onepassword": { - "country": "AR", "client": { - "platform_name": "Chrome", "app_name": "1Password Browser Extension", "app_version": "1109", + "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, + "country": "AR", "details": null, + "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", "type": "password_secret_bad", - "uuid": "QVWKEOEWXU2DIDHWTK6HGIF4TV", - "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7" + "uuid": "QVWKEOEWXU2DIDHWTK6HGIF4TV" }, - "@timestamp": "2021-08-11T15:04:22.000Z", - "ecs": { - "version": "8.0.0" + "os": { + "name": "Android", + "version": "10" }, "related": { + "ip": [ + "89.160.20.156" + ], "user": [ "OJQGU46KAPROEJLCK674RHSAY5", "email@1password.com", "Name" - ], - "ip": [ - "89.160.20.156" ] }, - "os": { - "name": "Android", - "version": "10" - }, "source": { - "geo": { - "continent_name": "Europe", - "region_iso_code": "SE-E", - "city_name": "Linköping", - "country_iso_code": "SE", - "country_name": "Sweden", - "region_name": "Östergötland County", - "location": { - "lon": 15.6167, - "lat": 58.4167 - } - }, "as": { "number": 29518, "organization": { "name": "Bredband2 AB" } }, + "geo": { + "city_name": "Linköping", + "continent_name": "Europe", + "country_iso_code": "SE", + "country_name": "Sweden", + "location": { + "lat": 58.4167, + "lon": 15.6167 + }, + "region_iso_code": "SE-E", + "region_name": "Östergötland County" + }, "ip": "89.160.20.156" }, - "event": { - "ingested": "2021-12-23T23:23:01.194828033Z", - "original": 
"{\"uuid\":\"QVWKEOEWXU2DIDHWTK6HGIF4TV\",\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"timestamp\":\"2021-08-11T15:04:22Z\",\"country\":\"AR\",\"category\":\"credentials_failed\",\"type\":\"password_secret_bad\",\"details\":null,\"target_user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", - "created": "2021-08-30T22:57:42.484Z", - "kind": "event", - "action": "credentials_failed", - "category": [ - "authentication" - ], - "type": [ - "info" - ], - "outcome": "failure" - }, + "tags": [ + "preserve_original_event" + ], "user": { "email": "email@1password.com", "full_name": "Name", "id": "OJQGU46KAPROEJLCK674RHSAY5" - }, - "tags": [ - "preserve_original_event" - ] + } } ] } \ No newline at end of file diff --git a/packages/1password/data_stream/signin_attempts/sample_event.json b/packages/1password/data_stream/signin_attempts/sample_event.json index 43821c1e5bb..2d3d5373249 100644 --- a/packages/1password/data_stream/signin_attempts/sample_event.json +++ b/packages/1password/data_stream/signin_attempts/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-08-11T14:28:03.000Z", "agent": { - "ephemeral_id": "62178cbe-1897-48de-b439-417b38bac0cb", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "b72c7227-b270-431c-88d6-1a42d962ab97", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { "dataset": "1password.signin_attempts", 
@@ -16,9 +16,9 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { "action": "success", @@ -26,9 +26,9 @@ "category": [ "authentication" ], - "created": "2021-12-24T00:23:56.674Z", + "created": "2022-02-16T21:40:06.467Z", "dataset": "1password.signin_attempts", - "ingested": "2021-12-24T00:23:57Z", + "ingested": "2022-02-16T21:40:09Z", "kind": "event", "outcome": "success", "type": [ diff --git a/packages/1password/docs/README.md b/packages/1password/docs/README.md index cbad91e004b..dc5b02a6ec5 100644 --- a/packages/1password/docs/README.md +++ b/packages/1password/docs/README.md 
@@ -31,20 +31,23 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.dataset | Event dataset | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. 
| keyword | | event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | | input.type | Input type | keyword | -| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword | +| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | -| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword | +| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword | | onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword | -| onepassword.item_uuid | The UUID of the item that was accessed | keyword | -| onepassword.used_version | The version of the item that was accessed | integer | +| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword | +| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object | +| onepassword.session_uuid | The UUID of the session that created the event | keyword | +| onepassword.type | Details about the sign-in attempt | keyword | | onepassword.uuid | The UUID of the event | keyword | -| onepassword.vault_uuid | The UUID of the vault the item is in | keyword | | os.name | Operating system name, without the version. | keyword | | os.version | Operating system version as a raw string. | keyword | | related.ip | All of the IPs seen on your event. | ip | 
@@ -65,20 +68,20 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev | user.id | Unique identifier of the user. | keyword | -An example event for `item_usages` looks as following: +An example event for `signin_attempts` looks as following: ```json { - "@timestamp": "2021-08-30T18:57:42.484Z", + "@timestamp": "2021-08-11T14:28:03.000Z", "agent": { - "ephemeral_id": "d02e8bec-48d2-46c8-bd33-5982bd82059f", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "b72c7227-b270-431c-88d6-1a42d962ab97", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { - "dataset": "1password.item_usages", + "dataset": "1password.signin_attempts", "namespace": "ep", "type": "logs" }, @@ -86,21 +89,23 @@ An example event for `item_usages` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { + "action": "success", "agent_id_status": "verified", "category": [ - "file" + "authentication" ], - "created": "2021-12-24T00:23:21.039Z", - "dataset": "1password.item_usages", - "ingested": "2021-12-24T00:23:22Z", + "created": "2022-02-16T21:40:06.467Z", + "dataset": "1password.signin_attempts", + "ingested": "2022-02-16T21:40:09Z", "kind": "event", + "outcome": "success", "type": [ - "access" + "info" ] }, "host": { 
@@ -116,10 +121,11 @@ An example event for `item_usages` looks as following: "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", - "used_version": 1, - "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", - "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" + "country": "AR", + "details": null, + "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", + "type": "credentials_ok", + "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU" }, "os": { "name": "Android", @@ -140,7 +146,7 @@ An example event for `item_usages` looks as following: }, "tags": [ "forwarded", - "1password-item_usages" + "1password-signin_attempts" ], "user": { "email": "email@1password.com", 
@@ -170,18 +176,16 @@ Uses the 1Password Events API to retrieve information about items in shared vaul | event.dataset | Event dataset | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Input type | keyword | -| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword | +| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | -| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword | +| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword | | onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword | -| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword | -| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object | -| onepassword.session_uuid | The UUID of the session that created the event | keyword | -| onepassword.type | Details about the sign-in attempt | keyword | +| onepassword.item_uuid | The UUID of the item that was accessed | keyword | +| onepassword.used_version | The version of the item that was accessed | integer | | onepassword.uuid | The UUID of the event | keyword | +| onepassword.vault_uuid | The UUID of the vault the item is in | keyword | | os.name | Operating system name, without the version. | keyword | | os.version | Operating system version as a raw string. | keyword | | related.ip | All of the IPs seen on your event. | ip | 
@@ -202,20 +206,20 @@ Uses the 1Password Events API to retrieve information about items in shared vaul | user.id | Unique identifier of the user. | keyword | -An example event for `signin_attempts` looks as following: +An example event for `item_usages` looks as following: ```json { - "@timestamp": "2021-08-11T14:28:03.000Z", + "@timestamp": "2021-08-30T18:57:42.484Z", "agent": { - "ephemeral_id": "62178cbe-1897-48de-b439-417b38bac0cb", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "b3687a99-8907-497b-ba06-204e9664db73", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { - "dataset": "1password.signin_attempts", + "dataset": "1password.item_usages", "namespace": "ep", "type": "logs" }, @@ -223,23 +227,21 @@ An example event for `signin_attempts` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8a0c0293-badb-46e8-bcaf-4d82e41e65d0", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { - "action": "success", "agent_id_status": "verified", "category": [ - "authentication" + "file" ], - "created": "2021-12-24T00:23:56.674Z", - "dataset": "1password.signin_attempts", - "ingested": "2021-12-24T00:23:57Z", + "created": "2022-02-16T21:39:23.372Z", + "dataset": "1password.item_usages", + "ingested": "2022-02-16T21:39:24Z", "kind": "event", - "outcome": "success", "type": [ - "info" + "access" ] }, "host": { 
@@ -255,11 +257,10 @@ An example event for `signin_attempts` looks as following: "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "country": "AR", - "details": null, - "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", - "type": "credentials_ok", - "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU" + "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", + "used_version": 1, + "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", + "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, "os": { "name": "Android", @@ -280,7 +281,7 @@ An example event for `signin_attempts` looks as following: }, "tags": [ "forwarded", - "1password-signin_attempts" + "1password-item_usages" ], "user": { "email": "email@1password.com", diff --git a/packages/1password/kibana/search/1password-item-usages.json b/packages/1password/kibana/search/1password-item-usages.json index b638c29f378..578b9d50f85 100644 --- a/packages/1password/kibana/search/1password-item-usages.json +++ b/packages/1password/kibana/search/1password-item-usages.json @@ -2,6 +2,7 @@ "attributes": { "columns": [ "user.email", + "event.action", "onepassword.vault_uuid", "onepassword.item_uuid", "source.geo.country_iso_code" diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml index 1f365a5e894..2bc2b3e8bbd 100644 --- a/packages/1password/manifest.yml +++ b/packages/1password/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: 1password title: "1Password Events Reporting" -version: 1.1.0 +version: 1.2.0 license: basic description: Collect events from 1Password Events API with Elastic Agent. type: integration