OnePassword OnePassword Modeling Rule

Modeling Rule

OnePassword

Details

IDOnePassword_OnePassword_ModelingRule
From Version8.4.0

Rules (XIF)

[RULE: 1Password_Common_Fields]
//Recurring fields for all log types
alter
    xdm.event.type = SOURCE_LOG_TYPE,
    xdm.event.operation = action,
    xdm.source.location.country = location -> country,
    xdm.source.location.region = location -> region,
    xdm.source.location.city = location -> city,
    xdm.source.location.latitude = to_float(location -> latitude),
    xdm.source.location.longitude = to_float(location -> longitude);

[RULE: 1Password_Common_Fields_For_Item_and_SignIns]
// Recurring fields only for Item usage actions and Sign in attempts
alter
    host_os_name = client -> os_name,
    host_os_version = client -> os_version,
    extract_ip_address = client -> ip_address
| alter
    full_os_name = concat(host_os_name , " ", host_os_version),
    extract_ipv4 = if(extract_ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",extract_ip_address ,null),
    extract_ipv6 = if(extract_ip_address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",extract_ip_address ,null)
| alter
    xdm.target.host.os = full_os_name,
    xdm.target.application.name = client -> app_name,
    xdm.target.application.version = client -> app_version,
    xdm.source.ipv4 = extract_ipv4,
    xdm.source.ipv6 = extract_ipv6,
    xdm.target.host.os_family = if(host_os_name contains "Mac", XDM_CONST.OS_FAMILY_MACOS, host_os_name contains "Windows", XDM_CONST.OS_FAMILY_WINDOWS, host_os_name contains "Linux", XDM_CONST.OS_FAMILY_LINUX, host_os_name) ;

[MODEL: dataset="1password_1password_raw"]
//1Password - Audit events modeling rules
filter SOURCE_LOG_TYPE = "Audit events"
| call 1Password_Common_Fields
| alter
    extract_ip_address = session -> ip
| alter   
    extract_ipv4 = if(extract_ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",extract_ip_address ,null),
    extract_ipv6 = if(extract_ip_address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",extract_ip_address ,null)
| alter
    xdm.source.user.identifier = actor_details -> uuid,
    xdm.source.user.username = actor_details -> name,
    xdm.source.user.upn = actor_details -> email,
    xdm.source.ipv4 = extract_ipv4,
    xdm.source.ipv6 = extract_ipv6;
//1Password - Item usage action modeling rules
filter SOURCE_LOG_TYPE = "Item usage actions"
| call 1Password_Common_Fields
| call 1Password_Common_Fields_For_Item_and_SignIns
| alter
    xdm.target.resource.parent_id = vault_uuid,
    xdm.target.resource.id = item_uuid,
    xdm.source.user.identifier = user -> uuid,
    xdm.source.user.username = user -> name,
    xdm.source.user.upn = user -> email;
//1Password - Sign in atempts modeling rules
filter SOURCE_LOG_TYPE = "Sign in attempts"
| call 1Password_Common_Fields 
| call 1Password_Common_Fields_For_Item_and_SignIns
| alter
    xdm.event.outcome = category,
    xdm.event.outcome_reason = type,
    xdm.target.user.identifier = target_user -> uuid,
    xdm.target.user.username = target_user -> name,
    xdm.target.user.upn = target_user -> email;

Schema

1password_1password_raw

Field Type Array?
SOURCE_LOG_TYPE string
action string
actor_details string
category string
client string
item_uuid string
location string
session string
target_user string
type string
user string
vault_uuid string
Raw JSON

{
    "1password_1password_raw": {
      "SOURCE_LOG_TYPE": {
        "type": "string",
        "is_array": false
      },
      "action": {
        "type": "string",
        "is_array": false
      },
      "location": {
        "type": "string",
        "is_array": false
      },
      "client": {
        "type": "string",
        "is_array": false
      },
      "session": {
        "type": "string",
        "is_array": false
      },
      "actor_details": {
        "type": "string",
        "is_array": false
      },
      "vault_uuid": {
        "type": "string",
        "is_array": false
      },
      "item_uuid": {
        "type": "string",
        "is_array": false
      },
      "user": {
        "type": "string",
        "is_array": false
      },
      "category": {
        "type": "string",
        "is_array": false
      },
      "type": {
        "type": "string",
        "is_array": false
      },
      "target_user": {
        "type": "string",
        "is_array": false
      }
    }
  }