elastic
diff --git a/‎packages/1password/_dev/build/docs/README.md‎
Lines changed: 11 additions & 0 deletions b/‎packages/1password/_dev/build/docs/README.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎packages/1password/_dev/deploy/docker/config.yml‎
Lines changed: 45 additions & 1 deletion b/‎packages/1password/_dev/deploy/docker/config.yml‎
Lines changed: 45 additions & 1 deletion
diff --git a/‎packages/1password/changelog.yml‎
Lines changed: 5 additions & 0 deletions b/‎packages/1password/changelog.yml‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json‎
Lines changed: 12 additions & 0 deletions b/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json‎
Lines changed: 12 additions & 0 deletions
diff --git a/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-config.yml‎
Lines changed: 4 additions & 0 deletions b/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-config.yml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json‎
Lines changed: 132 additions & 0 deletions b/‎packages/1password/data_stream/audit_events/_dev/test/pipeline/test-auditevents.json-expected.json‎
Lines changed: 132 additions & 0 deletions
diff --git a/‎packages/1password/data_stream/audit_events/_dev/test/system/test-default-config.yml‎
Lines changed: 10 additions & 0 deletions b/‎packages/1password/data_stream/audit_events/_dev/test/system/test-default-config.yml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎packages/1password/data_stream/audit_events/agent/stream/httpjson.yml.hbs‎
Lines changed: 57 additions & 0 deletions b/‎packages/1password/data_stream/audit_events/agent/stream/httpjson.yml.hbs‎
Lines changed: 57 additions & 0 deletions
@@ -36,3 +36,14 @@ This uses the 1Password Events API to retrieve information about items in shared
 {{fields "item_usages"}}
 
 {{event "item_usages"}}
+
+
+### Audit Events
+
+This uses the 1Password Events API to retrieve information about audit events. Events includes information about actions performed by team members such as account updates, access and invitations, device authorization, changes to vault permissions, and more. 
+
+*Exported fields*
+
+{{fields "audit_events"}}
+
+{{event "audit_events"}}
@@ -44,7 +44,6 @@ rules:
             - "application/json; charset=utf-8"
         body: |-
           {"cursor":"cursor_1","has_more":false,"items":[]}
-
   # SignInAttempts
   - path: /api/v1/signinattempts
     methods: ["POST"]
@@ -91,3 +90,48 @@ rules:
             - "application/json; charset=utf-8"
         body: |-
           {"cursor":"cursor_1","has_more":false,"items":[]}
+  - path: /api/v1/auditevents
+    methods: ["POST"]
+    request_headers:
+      Content-Type:
+        - "application/json"
+      Authorization:
+        - "Bearer --token--"
+    request_body: '{"limit":1000}'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json; charset=utf-8"
+        body: |-
+          {"cursor":"cursor_0","has_more":false,"items":[{"uuid": "3UQOGUC7DVOCN4OZP2MDKHFLSG","timestamp": "2022-10-24T21:16:52.827288935Z","actor_uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4","action": "suspend","object_type": "user","object_uuid":"ZRQCUD6A65AKHFETOUFO7NL4OM","session":{"uuid": "ODOHXUYQCJBUJKRGZNNPBJURPE","login_time": "2022-10-24T21:07:34.703106271Z","device_uuid":"rqtd557fn2husnstp5nc66w2xa","ip":"89.160.20.156"},"location":{"country":"Canada","region": "Ontario","city": "Toronto","latitude": 43.64,"longitude": -79.433}}]}
+  - path: /api/v1/auditevents
+    methods: ["POST"]
+    request_headers:
+      Content-Type:
+        - "application/json"
+      Authorization:
+        - "Bearer --token--"
+    request_body: '{"cursor":"cursor_0"}'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json; charset=utf-8"
+        body: |-
+          {"cursor":"cursor_1","has_more":false,"items":[{"uuid": "3UQOGUC7DVOCN4OZP2MDKHFLSG","timestamp": "2022-10-24T21:16:52.827288935Z","actor_uuid": "GLF6WUEKS5CSNDJ2OG6TCZD3M4","action": "suspend","object_type": "user","object_uuid":"ZRQCUD6A65AKHFETOUFO7NL4OM","session":{"uuid": "ODOHXUYQCJBUJKRGZNNPBJURPE","login_time": "2022-10-24T21:07:34.703106271Z","device_uuid":"rqtd557fn2husnstp5nc66w2xa","ip":"89.160.20.156"}}]}
+  - path: /api/v1/auditevents
+    methods: ["POST"]
+    request_headers:
+      Content-Type:
+        - "application/json"
+      Authorization:
+        - "Bearer --token--"
+    request_body: '{"cursor":"cursor_1"}'
+    responses:
+      - status_code: 200
+        headers:
+          Content-Type:
+            - "application/json; charset=utf-8"
+        body: |-
+          {"cursor":"cursor_1","has_more":false,"items":[]}
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "1.10.0"
+  changes:
+    - description: Add audit events to 1Password Events Reporting
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/5496
 - version: "1.9.0"
   changes:
     - description: Allow configuration of HTTP keep-alive to allow for connection reuse.
 
@@ -0,0 +1,12 @@
+{
+    "events": [
+        {
+            "@timestamp": "2022-10-24T21:16:62.827288935Z",
+            "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}"
+        },
+        {
+            "@timestamp": "2022-10-24T21:16:62.827288935Z",
+            "message": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}"
+        }
+    ]
+}
@@ -0,0 +1,4 @@
+fields:
+  "@timestamp": "2022-10-24T21:16:62.827288935Z"
+  tags:
+    - preserve_original_event
@@ -0,0 +1,132 @@
+{
+    "expected": [
+        {
+            "@timestamp": "2022-10-24T21:16:52.827Z",
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "action": "suspend",
+                "category": [
+                    "configuration"
+                ],
+                "created": "2022-10-24T21:16:62.827288935Z",
+                "kind": "event",
+                "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"},\"location\":{\"country\":\"Canada\",\"region\": \"Ontario\",\"city\": \"Toronto\",\"latitude\": 43.64,\"longitude\": -79.433}}",
+                "type": [
+                    "access"
+                ]
+            },
+            "onepassword": {
+                "object_type": "user",
+                "object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+                "session": {
+                    "device_uuid": "rqtd557fn2husnstp5nc66w2xa",
+                    "login_time": "2022-10-24T21:07:34.703106271Z",
+                    "uuid": "ODOHXUYQCJBUJKRGZNNPBJURPE"
+                },
+                "uuid": "3UQOGUC7DVOCN4OZP2MDKHFLSG"
+            },
+            "related": {
+                "ip": [
+                    "89.160.20.156"
+                ],
+                "user": [
+                    "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+                    "ZRQCUD6A65AKHFETOUFO7NL4OM"
+                ]
+            },
+            "source": {
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+            }
+        },
+        {
+            "@timestamp": "2022-10-24T21:16:52.827Z",
+            "ecs": {
+                "version": "8.6.0"
+            },
+            "event": {
+                "action": "suspend",
+                "category": [
+                    "configuration"
+                ],
+                "created": "2022-10-24T21:16:62.827288935Z",
+                "kind": "event",
+                "original": "{\"uuid\": \"3UQOGUC7DVOCN4OZP2MDKHFLSG\",\"timestamp\": \"2022-10-24T21:16:52.827288935Z\",\"actor_uuid\": \"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"action\": \"suspend\",\"object_type\": \"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"uuid\": \"ODOHXUYQCJBUJKRGZNNPBJURPE\",\"login_time\": \"2022-10-24T21:07:34.703106271Z\",\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\"}}",
+                "type": [
+                    "access"
+                ]
+            },
+            "onepassword": {
+                "object_type": "user",
+                "object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
+                "session": {
+                    "device_uuid": "rqtd557fn2husnstp5nc66w2xa",
+                    "login_time": "2022-10-24T21:07:34.703106271Z",
+                    "uuid": "ODOHXUYQCJBUJKRGZNNPBJURPE"
+                },
+                "uuid": "3UQOGUC7DVOCN4OZP2MDKHFLSG"
+            },
+            "related": {
+                "ip": [
+                    "89.160.20.156"
+                ],
+                "user": [
+                    "GLF6WUEKS5CSNDJ2OG6TCZD3M4",
+                    "ZRQCUD6A65AKHFETOUFO7NL4OM"
+                ]
+            },
+            "source": {
+                "as": {
+                    "number": 29518,
+                    "organization": {
+                        "name": "Bredband2 AB"
+                    }
+                },
+                "geo": {
+                    "city_name": "Linköping",
+                    "continent_name": "Europe",
+                    "country_iso_code": "SE",
+                    "country_name": "Sweden",
+                    "location": {
+                        "lat": 58.4167,
+                        "lon": 15.6167
+                    },
+                    "region_iso_code": "SE-E",
+                    "region_name": "Östergötland County"
+                },
+                "ip": "89.160.20.156"
+            },
+            "tags": [
+                "preserve_original_event"
+            ],
+            "user": {
+                "id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
+            }
+        }
+    ]
+}
@@ -0,0 +1,10 @@
+input: httpjson
+service: 1password_eventsapi_mock
+vars:
+  url: http://{{Hostname}}:{{Port}}
+  token: --token--
+  preserve_original_event: true
+data_stream:
+  vars: ~
+assert:
+  hit_count: 2
@@ -0,0 +1,57 @@
+config_version: 2
+interval: {{interval}}
+request.url: {{url}}/api/v1/auditevents
+request.method: POST
+{{#if proxy_url }}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+request.timeout: {{http_client_timeout}}
+{{/if}}
+request.transforms:
+  - set:
+      target: "header.Content-Type"
+      value: "application/json"
+  - set:
+      target: "header.User-Agent"
+      value: "1Password-Elastic-Filebeat/0.1.0"
+  - set:
+      target: "header.Authorization"
+      value: 'Bearer {{token}}'
+  - set:
+      target: body.cursor
+      value: '[[if not (eq (len .cursor) 0)]][[.cursor.last_cursor]][[end]]'
+  - set:
+      target: body.limit
+      value_type: int
+      value: '[[if eq (len .cursor) 0]]{{limit}}[[end]]'
+cursor:
+  last_cursor:
+    value: '[[.last_response.body.cursor]]'
+response.decode_as: application/json
+response.split:
+  target: body.items
+response.pagination:
+  - set:
+      target: body.cursor
+      value: '[[.last_response.body.cursor]]'
+      fail_on_template_error: true
+  - delete:
+      target: body.limit
+tags:
+{{#if preserve_original_event}}
+  - preserve_original_event
+{{/if}}
+{{#each tags as |tag|}}
+  - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +fields:
 +  "@timestamp": "2022-10-24T21:16:62.827288935Z"
 +  tags:
 +    - preserve_original_event