events-api-elastic's Introduction

Eventsapibeat

Eventsapibeat is the open source, libbeat-based data shipper for pulling events from the 1Password Events API. This beat fetches successful and failed sign-in attempts and item usage data from the public 1Password Events API.

Installation

Download the latest binaries from the releases page, or build from source; the resulting binary will be located in the 'bin' folder:

make eventsapibeat

Configuration

Rename the sample configuration file eventsapibeat-sample.yml to eventsapibeat.yml.

Create a 1Password Events Reporting integration for your account and configure the auth_token.

signin_attempts:
  auth_token: "token"
item_usages:
  auth_token: "token"
audit_events:
  auth_token: "token"

Configure the remaining options and set your output as usual.

Run

./eventsapibeat -c eventsapibeat.yml -e

Elastic Common Schema

Sign-in Attempts fields

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | The date and time of the sign-in attempt | date |
| event.action | The category of the sign-in attempt | keyword |
| user.id | The UUID of the user that attempted to sign in to the account | keyword |
| user.full_name | The name of the user, hydrated at the time the event was generated | keyword |
| user.email | The email address of the user, hydrated at the time the event was generated | keyword |
| os.name | The name of the operating system of the user that attempted to sign in to the account | keyword |
| os.version | The version of the operating system of the user that attempted to sign in to the account | keyword |
| source.ip | The IP address that attempted to sign in to the account | ip |
| geo.country_iso_code | The country code of the event. Uses the ISO 3166 standard | keyword |
| geo.region_name | The region name of the event | keyword |
| geo.city_name | The city name of the event | keyword |
| geo.location | The longitude and latitude of the event | geo_point |
| onepassword.uuid | The UUID of the event | keyword |
| onepassword.session_uuid | The UUID of the session that created the event | keyword |
| onepassword.type | Details about the sign-in attempt | keyword |
| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword |
| onepassword.details | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in | keyword |
| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword |
| onepassword.client.app_version | The version number of the 1Password app | keyword |
| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword |
| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
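
One way to use the sign-in attempt fields above for detection, as an added example that is not part of the project's own code: it flags users with a burst of failed sign-ins and notes whether a success from one of the failing IPs followed. The event.action values, the threshold and window, and the sample documents are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: "success" marks a successful attempt; any other event.action
# value is counted as a failure.
SUCCESS = "success"

def field(doc, dotted):
    """Read an ECS field such as 'source.ip' from a nested _source document."""
    for key in dotted.split("."):
        doc = doc.get(key) if isinstance(doc, dict) else None
    return doc

def find_failure_bursts(docs, threshold=3, window=timedelta(minutes=10)):
    """Alert on users with >= threshold failed sign-ins inside the window and
    note whether a success from one of the failing IPs followed."""
    parsed = [(datetime.fromisoformat(d["@timestamp"].replace("Z", "+00:00")), d)
              for d in docs]
    parsed.sort(key=lambda p: p[0])
    recent = defaultdict(deque)  # user.email -> (time, source.ip) of recent failures
    alerts = {}
    for ts, doc in parsed:
        user, ip = field(doc, "user.email"), field(doc, "source.ip")
        fails = recent[user]
        while fails and ts - fails[0][0] > window:
            fails.popleft()  # drop failures that fell out of the window
        if field(doc, "event.action") != SUCCESS:
            fails.append((ts, ip))
            if len(fails) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "ips": set(),
                                                 "failures": 0, "success_followed": False})
                alert["ips"].update(i for _, i in fails)
                alert["failures"] = max(alert["failures"], len(fails))
        elif fails and user in alerts and ip in alerts[user]["ips"]:
            alerts[user]["success_followed"] = True
    return [dict(a, ips=sorted(a["ips"])) for a in alerts.values()]

def _doc(ts, action, email, ip):
    return {"@timestamp": ts, "event": {"action": action},
            "user": {"email": email}, "source": {"ip": ip}}

SAMPLE = [  # constructed sample documents, not real events
    _doc("2022-02-24T09:00:00Z", "credentials_failed", "alice@example.com", "203.0.113.7"),
    _doc("2022-02-24T09:01:00Z", "credentials_failed", "alice@example.com", "203.0.113.7"),
    _doc("2022-02-24T09:02:00Z", "mfa_failed", "alice@example.com", "203.0.113.7"),
    _doc("2022-02-24T09:03:00Z", "success", "alice@example.com", "203.0.113.7"),
    _doc("2022-02-24T09:00:30Z", "credentials_failed", "bob@example.com", "198.51.100.4"),
    _doc("2022-02-24T11:00:00Z", "success", "bob@example.com", "198.51.100.4"),
]
```
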

Item Usages fields

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | The date and time of the item usage | date |
| event.action | The action performed on the item | keyword |
| user.id | The UUID of the user that accessed the item | keyword |
| user.full_name | The name of the user, hydrated at the time the event was generated | keyword |
| user.email | The email address of the user, hydrated at the time the event was generated | keyword |
| os.name | The name of the operating system the item was accessed from | keyword |
| os.version | The version of the operating system the item was accessed from | keyword |
| source.ip | The IP address the item was accessed from | ip |
| geo.country_iso_code | The country code of the event. Uses the ISO 3166 standard | keyword |
| geo.region_name | The region name of the event | keyword |
| geo.city_name | The city name of the event | keyword |
| geo.location | The longitude and latitude of the event | geo_point |
| onepassword.uuid | The UUID of the event | keyword |
| onepassword.used_version | The version of the item that was accessed | long |
| onepassword.vault_uuid | The UUID of the vault the item is in | keyword |
| onepassword.item_uuid | The UUID of the item that was accessed | keyword |
| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword |
| onepassword.client.app_version | The version number of the 1Password app | keyword |
| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword |
| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |

Audit Events fields

| Field | Description | Type |
| --- | --- | --- |
| @timestamp | The date and time of the audit event. Uses the RFC 3339 standard. | date |
| event.action | Details about the action taken for the audit event. | keyword |
| user.id | The UUID of the user that performed the audit event. | keyword |
| source.ip | The IP address that performed the audit event. | ip |
| onepassword.uuid | The UUID of the audit event. | keyword |
| onepassword.object_type | The target object type of the audit event. | keyword |
| onepassword.object_uuid | The target object UUID of the audit event. | keyword |
| onepassword.aux_id | Any auxiliary ID of the audit event. | long |
| onepassword.aux_uuid | Any auxiliary UUID of the audit event. | keyword |
| onepassword.aux_info | Any auxiliary info of the audit event. | keyword |
| onepassword.session.session_uuid | The UUID of the user session that performed the audit event. | keyword |
| onepassword.session.device_uuid | The UUID of the device that performed the audit event. | keyword |
| onepassword.session.login_time | The login time of the user session that performed the audit event. | date |

events-api-elastic's People

Contributors

anthonythleung, dckcode, dependabot[bot], hilaryhacksel, nelson-vineti, ogero, simap-ag

events-api-elastic's Issues

Feature request - arm64 release support

Do you know if it would be possible to include arm64 in your future releases? Arm64 is starting to be used more heavily for large rackmount boxes in data centers and it would be great to include this. Your source code compiles easily for arm64, but without a release, multi-architecture docker images are hard to deploy and maintain.

Thank you for considering this. You have done a great job at providing documentation around your logging.

Happy customer with sub clients,

Justin

Unable to setup template name

When deploying the 1password eventsbeatapi.yaml I've set up the following:

---
eventsapibeat:
  insecure_skip_verify: false
  signin_attempts:
    enabled: true
    auth_token: "${AUTH_TOKEN}"
    sample_frequency: "10s"
    cursor_state_file: "signinattempts.eventsapibeatstate"
    starting_cursor: >
      { "limit": 1000, "start_time": "2022-02-24T00:00:00Z" }
  item_usages:
    enabled: true
    auth_token: "${AUTH_TOKEN}"
    sample_frequency: "10s"
    cursor_state_file: "itemusages.eventsapibeatstate"
    starting_cursor: >
      { "limit": 1000, "start_time": "2022-02-24T00:00:00Z" }
output.elasticsearch:
  hosts: ["${ES_HOSTS}"]
  index: "onepassword-logs%{[agent.version]}"
  password: "${ES_PASSWORD}"
  username: "${ES_USERNAME}"
  ssl:
      certificate_authorities:
      - ""
setup.ilm.enabled: true
setup.template.name: "onepassword-logs%{[agent.version]}"
setup.template.pattern: "onepassword-logs%{[agent.version]}"
index.aliases: "onepassword-logs%{[agent.version]}"
setup.ilm.policy_name: "${POLICY}"

When I go to add the index pattern in Kibana, the only index that appears is eventsbeatapi, even though, from my knowledge of filebeat, adding the output.elasticsearch.index should resolve this, yet it seemingly ignores this. Any insight is greatly appreciated.
