Merge branch 'main' into fix/watchguard_firebox_leef_space

1Password/1password-epm/_meta/fields.yml

@@ -0,0 +1,44 @@
+1password.category:
+  description: ''
+  name: 1password.category
+  type: keyword
+
+1password.item_uuid:
+  description: ''
+  name: 1password.item_uuid
+  type: keyword
+
+1password.object.email:
+  description: ''
+  name: 1password.object.email
+  type: keyword
+
+1password.object.name:
+  description: ''
+  name: 1password.object.name
+  type: keyword
+
+1password.object.type:
+  description: ''
+  name: 1password.object.type
+  type: keyword
+
+1password.object.uuid:
+  description: ''
+  name: 1password.object.uuid
+  type: keyword
+
+1password.session_uuid:
+  description: ''
+  name: 1password.session_uuid
+  type: keyword
+
+1password.type:
+  description: ''
+  name: 1password.type
+  type: keyword
+
+1password.vault_uuid:
+  description: ''
+  name: 1password.vault_uuid
+  type: keyword

1Password/1password-epm/_meta/manifest.yml

@@ -0,0 +1,11 @@
+uuid: 09754cc4-e247-4712-9a76-25529ba11b8b
+name: 1Password EPM [BETA]
+slug: one-password-epm
+automation_connector_uuid: f3330ea4-e492-4c57-9764-d2dcf1d044eb
+automation_module_uuid: 56f9e1f6-95ba-45ed-867b-44fb3183934d
+
+description: >-
+  1Password's Enterprise Password Manager offers robust security features for businesses, enabling secure sharing and management of passwords and sensitive data across teams, with advanced admin controls and seamless integration into existing workflows.
+
+data_sources:
+  Authentication logs:

1Password/1password-epm/_meta/smart-descriptions.json

@@ -0,0 +1,29 @@
+[
+  {
+    "value": "Sign in attempts from {client.ip} for user {user.target.name}({user.target.email}) with status {event.outcome}",
+    "conditions": [
+      {
+        "field": "event.dataset",
+        "value": "signinattempts"
+      }
+    ]
+  },
+  {
+    "value": "Item usages: {user.name}({user.email}) from {client.ip}: {event.action}{1password.object.type} with status {event.outcome}",
+    "conditions": [
+      {
+        "field": "event.dataset",
+        "value": "itemusages"
+      }
+    ]
+  },
+  {
+    "value": "Audit event from {user.name}({user.email}) on {client.ip}: {event.action}{1password.object.type} with status {event.outcome}",
+    "conditions": [
+      {
+        "field": "event.dataset",
+        "value": "auditevents"
+      }
+    ]
+  }
+]

1Password/1password-epm/ingest/parser.yml

@@ -0,0 +1,105 @@
+name: 1password-epm
+ignored_values: [""]
+pipeline:
+  - name: parse_event
+    external:
+      name: json.parse-json
+      properties:
+        input_field: "{{original.message}}"
+        output_field: message
+
+  - name: set_ecs_fields
+
+stages:
+  set_ecs_fields:
+    actions:
+      - set:
+          observer.vendor: "Agilebits"
+          observer.product: "1Password EPM"
+          event.outcome: "failure"
+
+      - set:
+          event.outcome: "success"
+        filter: "{{parse_event.message.category == 'success'}}"
+
+      - set:
+          event.category: ["authentication"]
+          event.type: ["start"]
+        filter: "{{parse_event.message.sekoia_event_type == 'signinattempts'}}"
+
+      - set:
+          event.category: ["session"]
+          event.type: ["info"]
+        filter: "{{parse_event.message.sekoia_event_type == 'itemusages'}}"
+
+      - set:
+          event.category: ["configuration"]
+          event.type: ["change"]
+        filter: "{{parse_event.message.sekoia_event_type == 'auditevents'}}"
+
+      - set:
+          "@timestamp": "{{parse_event.message.timestamp | to_rfc3339}}"
+          event.action: "{{parse_event.message.action}}"
+          event.dataset: "{{parse_event.message.sekoia_event_type}}"
+
+      - set:
+          user.id: "{{parse_event.message.actor_details.uuid}}"
+          user.email: "{{parse_event.message.actor_details.email}}"
+          user.name: "{{parse_event.message.actor_details.name}}"
+        filter: "{{parse_event.message.actor_details != null}}"
+
+      - set:
+          user.id: "{{parse_event.message.user.uuid}}"
+          user.email: "{{parse_event.message.user.email}}"
+          user.name: "{{parse_event.message.user.name}}"
+        filter: "{{parse_event.message.user != null}}"
+
+      - set:
+          user.target.id: "{{parse_event.message.aux_details.uuid}}"
+          user.target.name: "{{parse_event.message.aux_details.name}}"
+          user.target.email: "{{parse_event.message.aux_details.email}}"
+        filter: "{{parse_event.message.aux_details != null}}"
+
+      - set:
+          user.target.id: "{{parse_event.message.target_user.uuid}}"
+          user.target.name: "{{parse_event.message.target_user.name}}"
+          user.target.email: "{{parse_event.message.target_user.email}}"
+        filter: "{{parse_event.message.target_user != null}}"
+
+      - set:
+          1password.session_uuid: "{{parse_event.message.session_uuid}}"
+        filter: ""
+
+      - set:
+          1password.session_uuid: "{{parse_event.message.session.uuid}}"
+        filter: "{{parse_event.message.session != null}}"
+
+      - set:
+          host.id: "{{parse_event.message.session.device_uuid}}"
+
+          client.geo.country_name: "{{parse_event.message.location.country}}"
+          client.geo.region_name: "{{parse_event.message.location.region}}"
+          client.geo.city_name: "{{parse_event.message.location.city}}"
+          client.geo.location.lat: "{{parse_event.message.location.latitude}}"
+          client.geo.location.lon: "{{parse_event.message.location.longitude}}"
+          1password.object.uuid: "{{parse_event.message.object_uuid}}"
+
+          1password.object.name: "{{parse_event.message.object_details.name}}"
+          1password.object.email: "{{parse_event.message.object_details.email}}"
+          1password.object.type: "{{parse_event.message.object_type}}"
+          host.os.name: "{{parse_event.message.client.os_name}}"
+          host.os.version: "{{parse_event.message.client.os_version}}"
+
+          1password.vault_uuid: "{{parse_event.message.vault_uuid}}"
+          1password.item_uuid: "{{parse_event.message.item_uuid}}"
+
+          1password.category: "{{parse_event.message.category}}"
+          1password.type: "{{parse_event.message.type}}"
+
+      - set:
+          client.ip: "{{parse_event.message.session.ip}}"
+        filter: "{{parse_event.message.session.ip | is_ipaddress}}"
+
+      - set:
+          client.ip: "{{parse_event.message.client.ip_address}}"
+        filter: "{{parse_event.message.client.ip_address | is_ipaddress}}"

1Password/1password-epm/tests/test_audit_events.json

@@ -0,0 +1,65 @@
+{
+  "input": {
+    "message": "{\"sekoia_event_type\": \"auditevents\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"actor_uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"actor_details\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"Jane Doe\", \"email\": \"[email protected]\"}, \"action\": \"join\", \"object_type\": \"gm\", \"object_uuid\": \"pf8soyakgngrphytsyjed4ae3u\", \"aux_id\": 9277034, \"aux_uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"aux_details\": {\"uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"aux_info\": \"R\", \"session\": {\"uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"login_time\": \"2023-03-15T16:33:50-03:00\", \"device_uuid\": \"lc5fqgbrcm4plajd8mwncv2b3u\", \"ip\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}"
+  },
+  "expected": {
+    "message": "{\"sekoia_event_type\": \"auditevents\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"actor_uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"actor_details\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"Jane Doe\", \"email\": \"[email protected]\"}, \"action\": \"join\", \"object_type\": \"gm\", \"object_uuid\": \"pf8soyakgngrphytsyjed4ae3u\", \"aux_id\": 9277034, \"aux_uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"aux_details\": {\"uuid\": \"K6VFYDCJKHGGDI7QFAXX65LCDY\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"aux_info\": \"R\", \"session\": {\"uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"login_time\": \"2023-03-15T16:33:50-03:00\", \"device_uuid\": \"lc5fqgbrcm4plajd8mwncv2b3u\", \"ip\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}",
+    "event": {
+      "action": "join",
+      "category": [
+        "configuration"
+      ],
+      "dataset": "auditevents",
+      "outcome": "failure",
+      "type": [
+        "change"
+      ]
+    },
+    "1password": {
+      "object": {
+        "type": "gm",
+        "uuid": "pf8soyakgngrphytsyjed4ae3u"
+      },
+      "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM"
+    },
+    "@timestamp": "2023-03-15T19:33:50Z",
+    "client": {
+      "address": "1.2.3.4",
+      "geo": {
+        "city_name": "Toronto",
+        "country_name": "Canada",
+        "location": {
+          "lat": 43.5991,
+          "lon": -79.4988
+        },
+        "region_name": "Ontario"
+      },
+      "ip": "1.2.3.4"
+    },
+    "host": {
+      "id": "lc5fqgbrcm4plajd8mwncv2b3u"
+    },
+    "observer": {
+      "product": "1Password EPM",
+      "vendor": "Agilebits"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "Jane Doe"
+      ]
+    },
+    "user": {
+      "email": "[email protected]",
+      "id": "4HCGRGYCTRQFBMGVEGTABYDU2V",
+      "name": "Jane Doe",
+      "target": {
+        "email": "[email protected]",
+        "id": "K6VFYDCJKHGGDI7QFAXX65LCDY",
+        "name": "John Doe"
+      }
+    }
+  }
+}

1Password/1password-epm/tests/test_item_usage_events.json

@@ -0,0 +1,60 @@
+{
+  "input": {
+    "message": "{\"sekoia_event_type\": \"itemusages\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"used_version\": 0, \"vault_uuid\": \"VZSYVT2LGHTBWBQGUJAIZVRABM\", \"item_uuid\": \"SDGD3I4AJYO6RMHRK8DYVNFIDZ\", \"user\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}, \"action\": \"secure-copy\"}"
+  },
+  "expected": {
+    "message": "{\"sekoia_event_type\": \"itemusages\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"timestamp\": \"2023-03-15T16:33:50-03:00\", \"used_version\": 0, \"vault_uuid\": \"VZSYVT2LGHTBWBQGUJAIZVRABM\", \"item_uuid\": \"SDGD3I4AJYO6RMHRK8DYVNFIDZ\", \"user\": {\"uuid\": \"4HCGRGYCTRQFBMGVEGTABYDU2V\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}, \"action\": \"secure-copy\"}",
+    "event": {
+      "action": "secure-copy",
+      "category": [
+        "session"
+      ],
+      "dataset": "itemusages",
+      "outcome": "failure",
+      "type": [
+        "info"
+      ]
+    },
+    "1password": {
+      "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ",
+      "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM"
+    },
+    "@timestamp": "2023-03-15T19:33:50Z",
+    "client": {
+      "address": "1.2.3.4",
+      "geo": {
+        "city_name": "Toronto",
+        "country_name": "Canada",
+        "location": {
+          "lat": 43.5991,
+          "lon": -79.4988
+        },
+        "region_name": "Ontario"
+      },
+      "ip": "1.2.3.4"
+    },
+    "host": {
+      "os": {
+        "name": "MacOSX",
+        "version": "13.2"
+      }
+    },
+    "observer": {
+      "product": "1Password EPM",
+      "vendor": "Agilebits"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ],
+      "user": [
+        "John Doe"
+      ]
+    },
+    "user": {
+      "email": "[email protected]",
+      "id": "4HCGRGYCTRQFBMGVEGTABYDU2V",
+      "name": "John Doe"
+    }
+  }
+}

1Password/1password-epm/tests/test_sign_in_attempts.json

@@ -0,0 +1,59 @@
+{
+  "input": {
+    "message": "{\"sekoia_event_type\": \"signinattempts\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"session_uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"timestamp\": \"2023-03-15T16:32:50-03:00\", \"category\": \"firewall_failed\", \"type\": \"continent_blocked\", \"country\": \"France\", \"details\": {\"value\": \"Europe\"}, \"target_user\": {\"uuid\": \"IR7VJHJ36JHINBFAD7V2T5MP3E\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}"
+  },
+  "expected": {
+    "message": "{\"sekoia_event_type\": \"signinattempts\", \"uuid\": \"56YE2TYN2VFYRLNSHKPW5NVT5E\", \"session_uuid\": \"A5K6COGVRVEJXJW3XQZGS7VAMM\", \"timestamp\": \"2023-03-15T16:32:50-03:00\", \"category\": \"firewall_failed\", \"type\": \"continent_blocked\", \"country\": \"France\", \"details\": {\"value\": \"Europe\"}, \"target_user\": {\"uuid\": \"IR7VJHJ36JHINBFAD7V2T5MP3E\", \"name\": \"John Doe\", \"email\": \"[email protected]\"}, \"client\": {\"app_name\": \"1Password Browser\", \"app_version\": \"20240\", \"platform_name\": \"Chrome\", \"platform_version\": \"string\", \"os_name\": \"MacOSX\", \"os_version\": \"13.2\", \"ip_address\": \"1.2.3.4\"}, \"location\": {\"country\": \"Canada\", \"region\": \"Ontario\", \"city\": \"Toronto\", \"latitude\": 43.5991, \"longitude\": -79.4988}}",
+    "event": {
+      "category": [
+        "authentication"
+      ],
+      "dataset": "signinattempts",
+      "outcome": "failure",
+      "type": [
+        "start"
+      ]
+    },
+    "1password": {
+      "category": "firewall_failed",
+      "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
+      "type": "continent_blocked"
+    },
+    "@timestamp": "2023-03-15T19:32:50Z",
+    "client": {
+      "address": "1.2.3.4",
+      "geo": {
+        "city_name": "Toronto",
+        "country_name": "Canada",
+        "location": {
+          "lat": 43.5991,
+          "lon": -79.4988
+        },
+        "region_name": "Ontario"
+      },
+      "ip": "1.2.3.4"
+    },
+    "host": {
+      "os": {
+        "name": "MacOSX",
+        "version": "13.2"
+      }
+    },
+    "observer": {
+      "product": "1Password EPM",
+      "vendor": "Agilebits"
+    },
+    "related": {
+      "ip": [
+        "1.2.3.4"
+      ]
+    },
+    "user": {
+      "target": {
+        "email": "[email protected]",
+        "id": "IR7VJHJ36JHINBFAD7V2T5MP3E",
+        "name": "John Doe"
+      }
+    }
+  }
+}

1Password/README.md

@@ -0,0 +1,7 @@
+# 1Password
+
+## Description
+The description of the module
+
+## Intakes
+*

1Password/_meta/manifest.yml

@@ -0,0 +1,5 @@
+uuid: c938db6f-be6c-425c-8ea2-eab1ff63bc83
+name: 1Password
+slug: one-password
+description: >-
+  1Password is a password management company that provides secure solutions for storing and managing passwords and sensitive information. Its services are designed for both individuals and teams to ensure online security and simplify credential management.