
Commit 2b0eee7

committed
Merge branch 'master' into feat/ecs-8-0-zeek
2 parents baa1f26 + 6524f61 commit 2b0eee7

965 files changed

+92752
-197356
lines changed


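--- a/.ci/Jenkinsfile
+++ b/.ci/Jenkinsfile
@@ -12,7 +12,7 @@ pipeline {
 AWS_ACCOUNT_SECRET = "secret/observability-team/ci/elastic-observability-aws-account-auth"
 HOME = "${env.WORKSPACE}"
 KIND_VERSION = "v0.11.1"
-K8S_VERSION = "v1.20.2"
+K8S_VERSION = "v1.23.0"
 JOB_GCS_BUCKET = 'beats-ci-temp'
 JOB_GCS_BUCKET_INTERNAL = 'beats-ci-temp-internal'
 JOB_GCS_CREDENTIALS = 'beats-ci-gcs-plugin'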

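--- a/go.mod
+++ b/go.mod
@@ -4,7 +4,7 @@ go 1.17
 
 require (
 github.com/blang/semver v3.5.1+incompatible
-github.com/elastic/elastic-package v0.31.0
+github.com/elastic/elastic-package v0.33.1
 github.com/elastic/package-registry v1.5.1
 github.com/magefile/mage v1.11.0
 github.com/pkg/errors v0.9.1
@@ -21,9 +21,9 @@ require (
 github.com/Microsoft/go-winio v0.5.1 // indirect
 github.com/PaesslerAG/gval v1.1.2 // indirect
 github.com/PaesslerAG/jsonpath v0.1.1 // indirect
-github.com/ProtonMail/go-crypto v0.0.0-20211112122917-428f8eabeeb3 // indirect
+github.com/ProtonMail/go-crypto v0.0.0-20220113124808-70ae35bab23f // indirect
 github.com/ProtonMail/go-mime v0.0.0-20190923161245-9b5a4261663a // indirect
-github.com/ProtonMail/gopenpgp/v2 v2.3.0 // indirect
+github.com/ProtonMail/gopenpgp/v2 v2.4.2 // indirect
 github.com/PuerkitoBio/purell v1.1.1 // indirect
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/acomagu/bufpipe v1.0.3 // indirect
@@ -110,7 +110,7 @@ require (
 github.com/santhosh-tekuri/jsonschema v1.2.4 // indirect
 github.com/sergi/go-diff v1.2.0 // indirect
 github.com/sirupsen/logrus v1.8.1 // indirect
-github.com/spf13/cobra v1.2.1 // indirect
+github.com/spf13/cobra v1.3.0 // indirect
 github.com/spf13/pflag v1.0.5 // indirect
 github.com/ulikunitz/xz v0.5.10 // indirect
 github.com/xanzy/ssh-agent v0.3.1 // indirect
@@ -143,11 +143,11 @@ require (
 gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b // indirect
 helm.sh/helm/v3 v3.7.2 // indirect
 howett.net/plist v0.0.0-20201203080718-1454fab16a06 // indirect
-k8s.io/api v0.23.0 // indirect
+k8s.io/api v0.23.1 // indirect
 k8s.io/apiextensions-apiserver v0.23.0 // indirect
-k8s.io/apimachinery v0.23.0 // indirect
-k8s.io/cli-runtime v0.23.0 // indirect
-k8s.io/client-go v0.23.0 // indirect
+k8s.io/apimachinery v0.23.1 // indirect
+k8s.io/cli-runtime v0.23.1 // indirect
+k8s.io/client-go v0.23.1 // indirect
 k8s.io/component-base v0.23.0 // indirect
 k8s.io/klog/v2 v2.30.0 // indirect
 k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65 // indirect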

go.sum

Lines changed: 158 additions & 12 deletions
Lines changed: 1 addition & 1 deletion
@@ -1,3 +1,3 @@
11
dependencies:
22
ecs:
3-
reference: git@1.12
3+
reference: git@8.0
Lines changed: 37 additions & 0 deletions
@@ -0,0 +1,37 @@
1+
1Password Events Reporting
2+
==========================
3+
4+
With [1Password Business](https://support.1password.com/explore/business/), you can send your account activity to your security information and event management (SIEM) system using the 1Password Events API. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.
5+
6+
With 1Password Events Reporting and Elastic SIEM, you can:
7+
8+
- Control your 1Password data retention
9+
- Build custom graphs and dashboards
10+
- Set up custom alerts that trigger specific actions
11+
- Cross-reference 1Password events with the data from other services
12+
13+
You can set up Events Reporting if you’re an owner or administrator.
14+
Learn how to [obtain your 1Password Events API credentials](https://support.1password.com/events-reporting/#step-1-set-up-an-events-reporting-integration).
15+
16+
Events
17+
------
18+
19+
### Sign-in Attempts
20+
21+
Uses the 1Password Events API to retrieve information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure.
22+
23+
*Exported fields*
24+
25+
{{fields "item_usages"}}
26+
27+
{{event "item_usages"}}
28+
29+
### Item Usages
30+
31+
Uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when it was accessed, and the vault where the item is stored.
32+
33+
*Exported fields*
34+
35+
{{fields "signin_attempts"}}
36+
37+
{{event "signin_attempts"}}
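Review bot: The template directives under the two headings are swapped: the "Sign-in Attempts" section renders `{{fields "item_usages"}}` and `{{event "item_usages"}}` (new-file lines 25 and 27), while the "Item Usages" section renders `{{fields "signin_attempts"}}` and `{{event "signin_attempts"}}` (lines 35 and 37), so the generated README will show each data stream's exported fields and sample event under the other data stream's description. Swap the four directives so that Sign-in Attempts uses `{{fields "signin_attempts"}}` / `{{event "signin_attempts"}}` and Item Usages uses `{{fields "item_usages"}}` / `{{event "item_usages"}}`. This page does not show the file's path; it appears to be the README build template for the 1Password package, so the mistake would be copied into every rendered README until fixed here.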

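--- a/packages/1password/changelog.yml
+++ b/packages/1password/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.1.0"
+changes:
+- description: Update to ECS 8.0
+type: enhancement
+link: https://github.com/elastic/integrations/pull/2368
 - version: "1.0.0"
 changes:
 - description: GA integration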

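--- a/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
+++ b/packages/1password/data_stream/item_usages/_dev/test/pipeline/test-itemusages.json-expected.json
@@ -15,7 +15,7 @@
 },
 "@timestamp": "2021-08-30T18:57:42.484Z",
 "ecs": {
-"version": "1.12.0"
+"version": "8.0.0"
 },
 "related": {
 "user": [
@@ -53,7 +53,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
-"ingested": "2021-12-14T14:34:03.382903193Z",
+"ingested": "2021-12-23T23:23:00.336841554Z",
 "original": "{\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "category": [
 "file"
@@ -88,7 +88,7 @@
 },
 "@timestamp": "2021-08-30T19:10:00.123Z",
 "ecs": {
-"version": "1.12.0"
+"version": "8.0.0"
 },
 "related": {
 "user": [
@@ -126,7 +126,7 @@
 "ip": "89.160.20.156"
 },
 "event": {
-"ingested": "2021-12-14T14:34:03.382906002Z",
+"ingested": "2021-12-23T23:23:00.337283501Z",
 "original": "{\"uuid\":\"5HBWJDWCQADISKY2DVBNP3HJPV\",\"timestamp\":\"2021-08-30T19:10:00.123Z\",\"used_version\":1,\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\",\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"user\":{\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\",\"name\":\"Name\",\"email\":\"email@1password.com\"},\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\",\"os_name\":\"Android\",\"os_version\":\"10\",\"ip_address\":\"89.160.20.156\"}}",
 "category": [
 "file"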

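--- a/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
+++ b/packages/1password/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
@@ -16,7 +16,7 @@ processors:
 #######################
 - set:
 field: ecs.version
-value: '1.12.0'
+value: '8.0.0'
 - set:
 field: event.ingested
 value: "{{_ingest.timestamp}}"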
Lines changed: 0 additions & 22 deletions
@@ -1,66 +1,44 @@
11
- external: ecs
22
name: ecs.version
3-
description: ECS version this event conforms to
43
- external: ecs
54
name: related.user
6-
description: All the user names or other user identifiers seen on the event
75
- external: ecs
86
name: related.ip
9-
description: All of the IPs seen on your event
107
- external: ecs
118
name: event.kind
12-
description: This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not
139
- external: ecs
1410
name: event.category
15-
description: This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories
1611
- external: ecs
1712
name: event.type
18-
description: This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types
1913
- external: ecs
2014
name: user.id
21-
description: The UUID of the user that accessed the item
2215
- external: ecs
2316
name: user.full_name
24-
description: The name of the user, hydrated at the time the event was generated
2517
- external: ecs
2618
name: user.email
27-
description: The email address of the user, hydrated at the time the event was generated
2819
- external: ecs
2920
name: os.name
30-
description: The name of the operating system the item was accessed from
3121
- external: ecs
3222
name: os.version
33-
description: The version of the operating system the item was accessed from
3423
- external: ecs
3524
name: source.as.number
36-
description: Unique number allocated to the autonomous system. The autonomous system number (ASN) uniquely identifies each network on the Internet
3725
- external: ecs
3826
name: source.as.organization.name
39-
description: Organization name
4027
- external: ecs
4128
name: source.geo.city_name
42-
description: City name
4329
- external: ecs
4430
name: source.geo.continent_name
45-
description: Name of the continent
4631
- external: ecs
4732
name: source.geo.country_iso_code
48-
description: Country ISO code
4933
- external: ecs
5034
name: source.geo.country_name
51-
description: Country name
5235
- external: ecs
5336
name: source.geo.location
54-
description: Longitude and latitude
5537
- external: ecs
5638
name: source.geo.region_iso_code
57-
description: Region ISO code
5839
- external: ecs
5940
name: source.geo.region_name
60-
description: Region name
6141
- external: ecs
6242
name: source.ip
63-
description: The IP address the item was accessed from
6443
- external: ecs
6544
name: tags
66-
description: List of keywords used to tag each event
Lines changed: 51 additions & 53 deletions
@@ -1,82 +1,80 @@
11
{
22
"@timestamp": "2021-08-30T18:57:42.484Z",
33
"agent": {
4-
"hostname": "docker-fleet-agent",
4+
"ephemeral_id": "d02e8bec-48d2-46c8-bd33-5982bd82059f",
5+
"id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
56
"name": "docker-fleet-agent",
6-
"id": "3862ac25-d2c0-421f-8a83-b7b891c2ea75",
7-
"ephemeral_id": "ad63d20a-bc9f-48ea-8854-7c095e26f126",
87
"type": "filebeat",
9-
"version": "7.15.0"
10-
},
11-
"elastic_agent": {
12-
"id": "3862ac25-d2c0-421f-8a83-b7b891c2ea75",
13-
"version": "7.15.0",
14-
"snapshot": true
8+
"version": "8.0.0-beta1"
159
},
1610
"data_stream": {
17-
"namespace": "default",
18-
"type": "logs",
19-
"dataset": "1password.item_usages"
11+
"dataset": "1password.item_usages",
12+
"namespace": "ep",
13+
"type": "logs"
2014
},
2115
"ecs": {
22-
"version": "1.10.0"
16+
"version": "8.0.0"
17+
},
18+
"elastic_agent": {
19+
"id": "82d0dfd8-3946-4ac0-a092-a9146a71e3f7",
20+
"snapshot": false,
21+
"version": "8.0.0-beta1"
2322
},
2423
"event": {
2524
"agent_id_status": "verified",
26-
"ingested": "2021-09-14T13:54:21Z",
27-
"created": "2021-09-14T13:54:19.267Z",
28-
"dataset": "1password.item_usages"
25+
"category": [
26+
"file"
27+
],
28+
"created": "2021-12-24T00:23:21.039Z",
29+
"dataset": "1password.item_usages",
30+
"ingested": "2021-12-24T00:23:22Z",
31+
"kind": "event",
32+
"type": [
33+
"access"
34+
]
35+
},
36+
"host": {
37+
"name": "docker-fleet-agent"
38+
},
39+
"input": {
40+
"type": "httpjson"
2941
},
3042
"onepassword": {
31-
"used_version": 1,
32-
"item_uuid": "4bywxbvwqhrhwca7isug5ammbe",
3343
"client": {
3444
"app_name": "1Password Browser Extension",
35-
"app_version": "20168",
36-
"platform_version": "92.0.4515.159",
37-
"platform_name": "Chrome"
45+
"app_version": "1109",
46+
"platform_name": "Chrome",
47+
"platform_version": "93.0.4577.62"
3848
},
39-
"uuid": "2DQOHNVMCJDJPVDBBWISKY5HP3",
40-
"vault_uuid": "txqfdc5lsjnduylq5awrnaqqii"
41-
},
42-
"user": {
43-
"full_name": "Gero",
44-
"id": "OJQGU46KAPROEJLCK674RHSAY5",
45-
"email": "geronimo.onativia@1password.com"
49+
"item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
50+
"used_version": 1,
51+
"uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
52+
"vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
4653
},
4754
"os": {
48-
"name": "Linux",
49-
"version": ""
55+
"name": "Android",
56+
"version": "10"
57+
},
58+
"related": {
59+
"ip": [
60+
"1.1.1.1"
61+
],
62+
"user": [
63+
"OJQGU46KAPROEJLCK674RHSAY5",
64+
"email@1password.com",
65+
"Name"
66+
]
5067
},
5168
"source": {
52-
"geo": {
53-
"continent_name": "South America",
54-
"region_iso_code": "AR-C",
55-
"city_name": "Buenos Aires",
56-
"country_iso_code": "AR",
57-
"country_name": "Argentina",
58-
"region_name": "Buenos Aires F.D.",
59-
"location": {
60-
"lon": -58.3845,
61-
"lat": -34.6021
62-
}
63-
},
64-
"as": {
65-
"number": 11664,
66-
"organization": {
67-
"name": "Techtel LMDS Comunicaciones Interactivas S.A."
68-
}
69-
},
7069
"ip": "1.1.1.1"
7170
},
7271
"tags": [
7372
"forwarded",
7473
"1password-item_usages"
7574
],
76-
"input": {
77-
"type": "httpjson"
78-
},
79-
"host": {
80-
"name": "docker-fleet-agent"
75+
"user": {
76+
"email": "email@1password.com",
77+
"full_name": "Name",
78+
"id": "OJQGU46KAPROEJLCK674RHSAY5"
8179
}
8280
}
