Skip to content

Commit

Permalink
Merge pull request #9 from 1Password/gero/13017-ecs-model-docs
Browse files Browse the repository at this point in the history
Add ECS field names and descriptions
  • Loading branch information
ogero authored Aug 19, 2021
2 parents 3d5819c + 762b399 commit 299ee47
Showing 1 changed file with 56 additions and 7 deletions.
63 changes: 56 additions & 7 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,22 +1,25 @@
# Eventsapibeat
Eventsapibeat
=============

Eventsapibeat is the open source libbeat based data shipper for pulling events from the 1Password Events API.
This beat will fetch successful and failed sign-in attempts and items usage data from public 1Password Events API.

## Installation
Installation
------------

Download the latest binaries from [the releases page](https://github.com/1Password/events-api-elastic/releases/latest).
Or build from sources (_resulting binary will be located at _bin_ folder_):
Or build from sources, *resulting binary will be located at 'bin' folder*:

```shell
make eventsapibeat
```

## Configuration
Configuration
-------------

Rename the sample configuration file _eventsapibeat-sample.yml_ to _eventsapibeat.yml_.
Rename the sample configuration file *eventsapibeat-sample.yml* to *eventsapibeat.yml*.

Create a [1Password Events Reporting](https://support.1password.com/events-reporting-elastic/) integration for your account and configure the `auth_token`.
Create a [1Password Events Reporting](https://support.1password.com/events-reporting-elastic/) integration for your account and configure the `auth_token`.

```yaml
signin_attempts:
Expand All @@ -27,8 +30,54 @@ item_usages:
Configure the remaining options and set your output as usual.
## Run
Run
---
```
./eventsapibeat -c eventsapibeat.yml -e
```

Elastic Common Schema
---------------------

### Sign-in Attempts fields

| Field | Description |
|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `@timestamp` | The date and time of the sign-in attempt |
| `event.action` | The category of the sign-in attempt |
| `user.id` | The UUID of the user that attempted to sign in to the account |
| `user.full_name` | The name of the user, hydrated at the time the event was generated |
| `user.email` | The email address of the user, hydrated at the time the event was generated |
| `os.name` | The name of the operating system of the user that attempted to sign in to the account |
| `os.version` | The version of the operating system of the user that attempted to sign in to the account |
| `host.ip` | The IP address that attempted to sign in to the account |
| `onepassword.uuid` | The UUID of the event |
| `onepassword.session_uuid` | The UUID of the session that created the event |
| `onepassword.type` | Details about the sign-in attempt |
| `onepassword.country` | The country code of the event. Uses the ISO 3166 standard |
| `onepassword.details` | Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in |
| `onepassword.client.app_name` | The name of the 1Password app that attempted to sign in to the account |
| `onepassword.client.app_version` | The version number of the 1Password app |
| `onepassword.client.platform_name` | The name of the platform running the 1Password app |
| `onepassword.client.platform_version` | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed |

### Item Usages fields

| Field | Description |
|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| `@timestamp` | The date and time of the sign-in attempt |
| `user.id` | The UUID of the user that accessed the item |
| `user.full_name` | The name of the user, hydrated at the time the event was generated |
| `user.email` | The email address of the user, hydrated at the time the event was generated |
| `os.name` | The name of the operating system the item was accessed from |
| `os.version` | The version of the operating system the item was accessed from |
| `host.ip` | The IP address the item was accessed from |
| `onepassword.uuid` | The UUID of the event |
| `onepassword.used_version` | The version of the item that was accessed |
| `onepassword.vault_uuid` | The UUID of the vault the item is in |
| `onepassword.item_uuid` | The UUID of the item that was accessed |
| `onepassword.client.app_name` | The name of the 1Password app the item was accessed from |
| `onepassword.client.app_version` | The version number of the 1Password app |
| `onepassword.client.platform_name` | The name of the platform the item was accessed from |
| `onepassword.client.platform_version` | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed |

0 comments on commit 299ee47

Please sign in to comment.