elastic · andrewkroh · Jul 27, 2022 · Jul 26, 2022
diff --git a/packages/1password/1.5.2/changelog.yml b/packages/1password/1.5.2/changelog.yml
@@ -0,0 +1,81 @@
+# newer versions go on top
+- version: "1.5.2"
+  changes:
+    - description: Update package name and description to align with standard wording
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3478
+- version: "1.5.1"
+  changes:
+    - description: Update readme to improve English
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3534
+- version: "1.5.0"
+  changes:
+    - description: Update package to ECS 8.3.0.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3353
+- version: "1.4.0"
+  changes:
+    - description: Change name of package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/3245
+- version: "1.3.0"
+  changes:
+    - description: Update to ECS 8.2
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2778
+- version: "1.2.2"
+  changes:
+    - description: Fix typo in config template for ignoring host enrichment
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/3092
+- version: "1.2.1"
+  changes:
+    - description: Add documentation for multi-fields
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2916
+- version: "1.2.0"
+  changes:
+    - description: Add new "event.action" to item_usages events.
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2775
+- version: "1.1.1"
+  changes:
+    - description: Fix field mapping conflict for ECS `event.created`.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2687
+- version: "1.1.0"
+  changes:
+    - description: Update to ECS 8.0
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2368
+- version: "1.0.0"
+  changes:
+    - description: GA integration
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2360
+- version: "0.2.2"
+  changes:
+    - description: Regenerate test files using the new GeoIP database
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2339
+- version: "0.2.1"
+  changes:
+    - description: Change test public IPs to the supported subset
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/2327
+- version: "0.2.0"
+  changes:
+    - description: Add 8.0.0 version constraint
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/2214
+- version: "0.1.1"
+  changes:
+    - description: Update Title and Description.
+      type: bugfix
+      link: https://github.com/elastic/integrations/pull/1997
+- version: "0.1.0"
+  changes:
+    - description: Initial draft of the package
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/1722
diff --git a/packages/1password/1.5.2/data_stream/item_usages/agent/stream/httpjson.yml.hbs b/packages/1password/1.5.2/data_stream/item_usages/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/itemusages
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+  - set:
+      target: "header.Content-Type"
+      value: "application/json"
+  - set:
+      target: "header.User-Agent"
+      value: "1Password-Elastic-Filebeat/0.1.0"
+  - set:
+      target: "header.Authorization"
+      value: 'Bearer {{token}}'
+  - set:
+      target: body.cursor
+      value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+  - set:
+      target: body.limit
+      value_type: int
+      value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+  last_cursor:
+    value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+  target: body.items
+response.pagination:
+  - set:
+      target: body.cursor
+      value: '[[.last_response.body.cursor]]'
+      fail_on_template_error: true
+  - delete:
+      target: body.limit
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag i|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/1password/1.5.2/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml b/packages/1password/1.5.2/data_stream/item_usages/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,142 @@
+---
+description: Pipeline for normalizing 1Password Item Usage Events
+processors:
+  - rename:
+      field: message
+      target_field: event.original
+  - json:
+      field: event.original
+      target_field: onepassword
+  - drop:
+      description: Drop if no timestamp (invalid json)
+      if: "ctx?.onepassword?.timestamp == null"
+
+  #######################
+  ## ECS Event Mapping ##
+  #######################
+  - set:
+      field: ecs.version
+      value: "8.3.0"
+  # Sets event.created from the @timestamp field generated by filebeat before being overwritten further down
+  - set:
+      field: event.created
+      copy_from: "@timestamp"
+  - set:
+      field: event.kind
+      value: event
+  - append:
+      field: event.category
+      value: [file]
+  - append:
+      field: event.type
+      value: [access]
+  - rename:
+      field: onepassword.action
+      target_field: event.action
+      ignore_missing: true
+
+  #########################
+  ## ECS Related Mapping ##
+  #########################
+  - append:
+      field: related.user
+      value: "{{onepassword.user.uuid}}"
+      allow_duplicates: false
+      if: ctx?.onepassword?.user?.uuid != null
+  - append:
+      field: related.user
+      value: "{{onepassword.user.email}}"
+      allow_duplicates: false
+      if: ctx?.onepassword?.user?.email != null
+  - append:
+      field: related.user
+      value: "{{onepassword.user.name}}"
+      allow_duplicates: false
+      if: ctx?.onepassword?.user?.name != null
+  - append:
+      field: related.ip
+      value: "{{onepassword.client.ip_address}}"
+      allow_duplicates: false
+      if: ctx?.onepassword?.client?.ip_address != null
+
+  ######################
+  ## ECS User Mapping ##
+  ######################
+  - rename:
+      field: onepassword.user.uuid
+      target_field: user.id
+      ignore_missing: true
+  - rename:
+      field: onepassword.user.name
+      target_field: user.full_name
+      ignore_missing: true
+  - rename:
+      field: onepassword.user.email
+      target_field: user.email
+      ignore_missing: true
+
+  ####################
+  ## ECS OS Mapping ##
+  ####################
+  - rename:
+      field: onepassword.client.os_name
+      target_field: os.name
+      ignore_missing: true
+  - rename:
+      field: onepassword.client.os_version
+      target_field: os.version
+      ignore_missing: true
+
+  ########################
+  ## ECS Source Mapping ##
+  ########################
+  - rename:
+      field: onepassword.client.ip_address
+      target_field: source.ip
+      ignore_missing: true
+  - geoip:
+      field: source.ip
+      target_field: source.geo
+  - geoip:
+      database_file: GeoLite2-ASN.mmdb
+      field: source.ip
+      target_field: source.as
+      properties:
+        - asn
+        - organization_name
+      ignore_missing: true
+  - rename:
+      field: source.as.asn
+      target_field: source.as.number
+      ignore_missing: true
+  - rename:
+      field: source.as.organization_name
+      target_field: source.as.organization.name
+      ignore_missing: true
+
+  ######################
+  ## ECS Base Mapping ##
+  ######################
+  - date:
+      field: onepassword.timestamp
+      formats:
+        - ISO8601
+
+  #############
+  ## Cleanup ##
+  #############
+  - remove:
+      field:
+        - onepassword.timestamp
+        - onepassword.user
+        - onepassword.location # Use the included GeoIP processor
+      ignore_missing: true
+  - remove:
+      field: event.original
+      if: "ctx?.tags == null || !(ctx.tags.contains('preserve_original_event'))"
+      ignore_failure: true
+      ignore_missing: true
+on_failure:
+  - set:
+      field: error.message
+      value: "{{ _ingest.on_failure_message }}"
diff --git a/packages/1password/1.5.2/data_stream/item_usages/fields/base-fields.yml b/packages/1password/1.5.2/data_stream/item_usages/fields/base-fields.yml
@@ -0,0 +1,23 @@
+- name: input.type
+  type: keyword
+  description: Input type
+- name: data_stream.type
+  type: constant_keyword
+  description: Data stream type.
+- name: data_stream.dataset
+  type: constant_keyword
+  description: Data stream dataset.
+- name: data_stream.namespace
+  type: constant_keyword
+  description: Data stream namespace.
+- name: event.module
+  type: constant_keyword
+  description: Event module
+  value: 1password
+- name: event.dataset
+  type: constant_keyword
+  description: Event dataset
+  value: 1password.item_usages
+- name: '@timestamp'
+  type: date
+  description: Event timestamp.