diff --git a/packages/1password/_dev/build/docs/README.md b/packages/1password/_dev/build/docs/README.md index d3dd33e7805..b9ffa663e75 100644 --- a/packages/1password/_dev/build/docs/README.md +++ b/packages/1password/_dev/build/docs/README.md @@ -22,9 +22,9 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev *Exported fields* -{{fields "item_usages"}} +{{fields "signin_attempts"}} -{{event "item_usages"}} +{{event "signin_attempts"}} ### Item Usages @@ -32,6 +32,6 @@ Uses the 1Password Events API to retrieve information about items in shared vaul *Exported fields* -{{fields "signin_attempts"}} +{{fields "item_usages"}} -{{event "signin_attempts"}} +{{event "item_usages"}} diff --git a/packages/1password/_dev/deploy/docker/config.yml b/packages/1password/_dev/deploy/docker/config.yml index d18f3101907..c6c0e365945 100644 --- a/packages/1password/_dev/deploy/docker/config.yml +++ b/packages/1password/_dev/deploy/docker/config.yml 
@@ -13,7 +13,7 @@ rules: Content-Type: - "application/json; charset=utf-8" body: |- - {"cursor":"cursor_0","has_more":true,"items":[{"uuid":"MCQODBBWJD5HISKYNP3HJPV2DV","timestamp":"2021-08-30T18:57:42.484Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}}]} + {"cursor":"cursor_0","has_more":true,"items":[{"uuid":"MCQODBBWJD5HISKYNP3HJPV2DV","timestamp":"2021-08-30T18:57:42.484Z","used_version":1,"vault_uuid":"jaqxqf5qylslqiitnduawrndc5","item_uuid":"bvwmmwxisuca7wbehrbyqhag54","user":{"uuid":"OJQGU46KAPROEJLCK674RHSAY5","name":"Name","email":"email@1password.com"},"client":{"app_name":"1Password Browser Extension","app_version":"1109","platform_name":"Chrome","platform_version":"93.0.4577.62","os_name":"Android","os_version":"10","ip_address":"1.1.1.1"}, "location": {"country": "Canada","region": "Ontario","city": "Toronto","latitude": 43.64,"longitude": -79.433}, "action": "reveal"}]} - path: /api/v1/itemusages methods: ["POST"] request_headers: diff --git a/packages/1password/changelog.yml b/packages/1password/changelog.yml index 923fff697f3..6764062444a 100644 --- a/packages/1password/changelog.yml +++ b/packages/1password/changelog.yml @@ -1,4 +1,9 @@ # newer versions go on top +- version: "1.2.0" + changes: + - description: Add new "event.action" to item_usages events. + type: enhancement + link: https://github.com/elastic/integrations/pull/2775 - version: "1.1.1" changes: - description: Fix field mapping conflict for ECS `event.created`. 
diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json index 2815f0b47ac..affcf912a14 100644 --- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json +++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json @@ -2,7 +2,7 @@ "events": [ { "@timestamp": "2021-08-30T22:57:42.484Z", - "message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}" + "message": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}, \"location\": {\"country\": \"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}, \"action\":\"reveal\"}" }, { "@timestamp": "2021-08-30T22:57:42.484Z", diff --git a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json index df1f1d08add..0f902bd70da 100644 
--- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json +++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json @@ -6,12 +6,13 @@ "version": "8.0.0" }, "event": { + "action": "reveal", "category": [ "file" ], "created": "2021-08-30T22:57:42.484Z", "kind": "event", - "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}", + "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}, \"location\": {\"country\": \"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}, \"action\":\"reveal\"}", "type": [ "access" ] diff --git a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml index f3553c2dcea..ba9038d0691 100644 --- a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml 
+++ b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml @@ -16,7 +16,7 @@ processors: ####################### - set: field: ecs.version - value: '8.0.0' + value: "8.0.0" # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - set: field: event.created @@ -30,6 +30,10 @@ processors: - append: field: event.type value: [access] + - rename: + field: onepassword.action + target_field: event.action + ignore_missing: true ######################### ## ECS Related Mapping ## @@ -125,6 +129,7 @@ processors: field: - onepassword.timestamp - onepassword.user + - onepassword.location # Use the included GeoIP processor ignore_missing: true - remove: field: event.original diff --git a/packages/1password/data_stream/item_usages/fields/ecs.yml b/packages/1password/data_stream/item_usages/fields/ecs.yml index c0d6370b827..9b967e0515e 100644 --- a/packages/1password/data_stream/item_usages/fields/ecs.yml +++ b/packages/1password/data_stream/item_usages/fields/ecs.yml @@ -12,6 +12,8 @@ name: event.type - external: ecs name: event.created +- external: ecs + name: event.action - external: ecs name: user.id - external: ecs diff --git a/packages/1password/data_stream/item_usages/sample_event.json b/packages/1password/data_stream/item_usages/sample_event.json index cb199f45f59..ad1f50d54c4 100644 --- a/packages/1password/data_stream/item_usages/sample_event.json +++ b/packages/1password/data_stream/item_usages/sample_event.json @@ -1,11 +1,11 @@ { "@timestamp": "2021-08-30T18:57:42.484Z", "agent": { - "ephemeral_id": "d02e8bec-48d2-46c8-bd33-5982bd82059f", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { "dataset": "1password.item_usages", 
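Review bot: The `rename` added in `@@ -30,6 +30,10 @@` copies `onepassword.action` into `event.action` exactly as the API sends it, and nothing in the hunk documents that. Rules and saved searches keyed on `event.action` will therefore depend on the vendor's spelling and casing; this commit already adds the field as a column in `1password-item-usages.json`. The pipeline test covers only the value `reveal`. I would add a comment above the processor such as `# event.action carries the raw 1Password "action" value (e.g. reveal); it is not normalized here`, and add a fixture with a second action value if the API documents more. The processor list starts and continues outside the hunk.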
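Review bot: Adding `onepassword.location` to the `remove` list in `@@ -125,6 +129,7 @@` discards the only location data 1Password itself reports, so geo context then rests entirely on the GeoIP lookup of the client IP. That lookup yields nothing for private or unlisted addresses and can disagree with the vendor's value: the mock body in `config.yml` pairs `1.1.1.1` with Toronto. This matters when sign-in or item-access geography feeds detections. Consider moving the entry to its own `remove` processor guarded with `if: ctx.source?.geo != null`, so the vendor fields survive when the lookup produced no result. The GeoIP target field is not visible in this hunk and needs confirming, though the Kibana search column `source.geo.country_iso_code` suggests `source.geo`. The same line is added to the signin_attempts pipeline in `@@ -139,6 +139,7 @@`, where the point applies equally; both `remove` processors start outside their hunks.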
@@ -16,18 +16,19 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { + "action": "reveal", "agent_id_status": "verified", "category": [ "file" ], - "created": "2021-12-24T00:23:21.039Z", + "created": "2022-03-03T21:25:12.198Z", "dataset": "1password.item_usages", - "ingested": "2021-12-24T00:23:22Z", + "ingested": "2022-03-03T21:25:13Z", "kind": "event", "type": [ "access" diff --git a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml index a5160bf018a..c1c0b88e02b 100644 --- a/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml +++ b/packages/1password/data_stream/signin_attempts/elasticsearch/ingest_pipeline/default.yml @@ -16,7 +16,7 @@ processors: ####################### - set: field: ecs.version - value: '8.0.0' + value: "8.0.0" # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down - set: field: event.created @@ -139,6 +139,7 @@ processors: field: - onepassword.timestamp - onepassword.target_user + - onepassword.location # Use the included GeoIP processor ignore_missing: true - remove: field: event.original diff --git a/packages/1password/data_stream/signin_attempts/sample_event.json b/packages/1password/data_stream/signin_attempts/sample_event.json index 43821c1e5bb..72c46afdaa9 100644 --- a/packages/1password/data_stream/signin_attempts/sample_event.json +++ b/packages/1password/data_stream/signin_attempts/sample_event.json 
@@ -1,11 +1,11 @@ { "@timestamp": "2021-08-11T14:28:03.000Z", "agent": { - "ephemeral_id": "62178cbe-1897-48de-b439-417b38bac0cb", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { "dataset": "1password.signin_attempts", @@ -16,9 +16,9 @@ "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { "action": "success", @@ -26,9 +26,9 @@ "category": [ "authentication" ], - "created": "2021-12-24T00:23:56.674Z", + "created": "2022-03-03T21:25:49.160Z", "dataset": "1password.signin_attempts", - "ingested": "2021-12-24T00:23:57Z", + "ingested": "2022-03-03T21:25:52Z", "kind": "event", "outcome": "success", "type": [ diff --git a/packages/1password/docs/README.md b/packages/1password/docs/README.md index 8b3c7b9ec56..1122c4fc035 100644 --- a/packages/1password/docs/README.md +++ b/packages/1password/docs/README.md 
@@ -31,21 +31,24 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev | data_stream.namespace | Data stream namespace. | constant_keyword | | data_stream.type | Data stream type. | constant_keyword | | ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. | keyword | | event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | | event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. 
| date | | event.dataset | Event dataset | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | +| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Input type | keyword | -| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword | +| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | -| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword | +| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword | | onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword | -| onepassword.item_uuid | The UUID of the item that was accessed | keyword | -| onepassword.used_version | The version of the item that was accessed | integer | +| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword | +| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object | +| onepassword.session_uuid | The UUID of the session that created the event | keyword | +| onepassword.type | Details about the sign-in attempt | keyword | | onepassword.uuid | The UUID of the event | keyword | -| onepassword.vault_uuid | The UUID of the vault the item is in | keyword | | os.name | Operating system name, without the version. | keyword | | os.version | Operating system version as a raw string. | keyword | | related.ip | All of the IPs seen on your event. | ip | 
@@ -66,20 +69,20 @@ Uses the 1Password Events API to retrieve information about sign-in attempts. Ev | user.id | Unique identifier of the user. | keyword | -An example event for `item_usages` looks as following: +An example event for `signin_attempts` looks as following: ```json { - "@timestamp": "2021-08-30T18:57:42.484Z", + "@timestamp": "2021-08-11T14:28:03.000Z", "agent": { - "ephemeral_id": "d02e8bec-48d2-46c8-bd33-5982bd82059f", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "6a1b2121-406e-47fc-8ab0-3ab3b521f341", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { - "dataset": "1password.item_usages", + "dataset": "1password.signin_attempts", "namespace": "ep", "type": "logs" }, @@ -87,21 +90,23 @@ An example event for `item_usages` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { + "action": "success", "agent_id_status": "verified", "category": [ - "file" + "authentication" ], - "created": "2021-12-24T00:23:21.039Z", - "dataset": "1password.item_usages", - "ingested": "2021-12-24T00:23:22Z", + "created": "2022-03-03T21:25:49.160Z", + "dataset": "1password.signin_attempts", + "ingested": "2022-03-03T21:25:52Z", "kind": "event", + "outcome": "success", "type": [ - "access" + "info" ] }, "host": { 
@@ -117,10 +122,11 @@ An example event for `item_usages` looks as following: "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", - "used_version": 1, - "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", - "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" + "country": "AR", + "details": null, + "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", + "type": "credentials_ok", + "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU" }, "os": { "name": "Android", @@ -141,7 +147,7 @@ An example event for `item_usages` looks as following: }, "tags": [ "forwarded", - "1password-item_usages" + "1password-signin_attempts" ], "user": { "email": "email@1password.com", 
@@ -172,18 +178,16 @@ Uses the 1Password Events API to retrieve information about items in shared vaul | event.dataset | Event dataset | constant_keyword | | event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | | event.module | Event module | constant_keyword | -| event.outcome | This is one of four ECS Categorization Fields, and indicates the lowest level in the ECS category hierarchy. `event.outcome` simply denotes whether the event represents a success or a failure from the perspective of the entity that produced the event. Note that when a single transaction is described in multiple events, each event may populate different values of `event.outcome`, according to their perspective. Also note that in the case of a compound event (a single event that contains multiple logical events), this field should be populated with the value that best captures the overall success or failure from the perspective of the event producer. Further note that not all events will have an associated outcome. For example, this field is generally not populated for metric events, events with `event.type:info`, or any events for which an outcome does not make logical sense. | keyword | | event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. 
`event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | | input.type | Input type | keyword | -| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword | +| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword | | onepassword.client.app_version | The version number of the 1Password app | keyword | -| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword | +| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword | | onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword | -| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword | -| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | object | -| onepassword.session_uuid | The UUID of the session that created the event | keyword | -| onepassword.type | Details about the sign-in attempt | keyword | +| onepassword.item_uuid | The UUID of the item that was accessed | keyword | +| onepassword.used_version | The version of the item that was accessed | integer | | onepassword.uuid | The UUID of the event | keyword | +| onepassword.vault_uuid | The UUID of the vault the item is in | keyword | | os.name | Operating system name, without the version. | keyword | | os.version | Operating system version as a raw string. | keyword | | related.ip | All of the IPs seen on your event. | ip | 
@@ -204,20 +208,20 @@ Uses the 1Password Events API to retrieve information about items in shared vaul | user.id | Unique identifier of the user. | keyword | -An example event for `signin_attempts` looks as following: +An example event for `item_usages` looks as following: ```json { - "@timestamp": "2021-08-11T14:28:03.000Z", + "@timestamp": "2021-08-30T18:57:42.484Z", "agent": { - "ephemeral_id": "62178cbe-1897-48de-b439-417b38bac0cb", - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "ephemeral_id": "cbcdd98f-456d-47bb-9f43-cf589ccd810d", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "name": "docker-fleet-agent", "type": "filebeat", - "version": "8.0.0-beta1" + "version": "8.0.0" }, "data_stream": { - "dataset": "1password.signin_attempts", + "dataset": "1password.item_usages", "namespace": "ep", "type": "logs" }, @@ -225,23 +229,22 @@ An example event for `signin_attempts` looks as following: "version": "8.0.0" }, "elastic_agent": { - "id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7", + "id": "8652330e-4de6-4596-a16f-4463a6c56e9e", "snapshot": false, - "version": "8.0.0-beta1" + "version": "8.0.0" }, "event": { - "action": "success", + "action": "reveal", "agent_id_status": "verified", "category": [ - "authentication" + "file" ], - "created": "2021-12-24T00:23:56.674Z", - "dataset": "1password.signin_attempts", - "ingested": "2021-12-24T00:23:57Z", + "created": "2022-03-03T21:25:12.198Z", + "dataset": "1password.item_usages", + "ingested": "2022-03-03T21:25:13Z", "kind": "event", - "outcome": "success", "type": [ - "info" + "access" ] }, "host": { 
@@ -257,11 +260,10 @@ An example event for `signin_attempts` looks as following: "platform_name": "Chrome", "platform_version": "93.0.4577.62" }, - "country": "AR", - "details": null, - "session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7", - "type": "credentials_ok", - "uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU" + "item_uuid": "bvwmmwxisuca7wbehrbyqhag54", + "used_version": 1, + "uuid": "MCQODBBWJD5HISKYNP3HJPV2DV", + "vault_uuid": "jaqxqf5qylslqiitnduawrndc5" }, "os": { "name": "Android", @@ -282,7 +284,7 @@ An example event for `signin_attempts` looks as following: }, "tags": [ "forwarded", - "1password-signin_attempts" + "1password-item_usages" ], "user": { "email": "email@1password.com", diff --git a/packages/1password/kibana/search/1password-item-usages.json b/packages/1password/kibana/search/1password-item-usages.json index b638c29f378..578b9d50f85 100644 --- a/packages/1password/kibana/search/1password-item-usages.json +++ b/packages/1password/kibana/search/1password-item-usages.json @@ -2,6 +2,7 @@ "attributes": { "columns": [ "user.email", + "event.action", "onepassword.vault_uuid", "onepassword.item_uuid", "source.geo.country_iso_code" diff --git a/packages/1password/manifest.yml b/packages/1password/manifest.yml index 32d1a26fa10..2bc2b3e8bbd 100644 --- a/packages/1password/manifest.yml +++ b/packages/1password/manifest.yml @@ -1,7 +1,7 @@ format_version: 1.0.0 name: 1password title: "1Password Events Reporting" -version: 1.1.1 +version: 1.2.0 license: basic description: Collect events from 1Password Events API with Elastic Agent. type: integration