Rules (XIF)
[RULE: 1Password_Common_Fields]
//Recurring fields for all log types
alter
xdm.event.type = SOURCE_LOG_TYPE,
xdm.event.operation = action,
xdm.source.location.country = location -> country,
xdm.source.location.region = location -> region,
xdm.source.location.city = location -> city,
xdm.source.location.latitude = to_float(location -> latitude),
xdm.source.location.longitude = to_float(location -> longitude);
[RULE: 1Password_Common_Fields_For_Item_and_SignIns]
// Recurring fields only for Item usage actions and Sign in attempts
alter
host_os_name = client -> os_name,
host_os_version = client -> os_version,
extract_ip_address = client -> ip_address
| alter
full_os_name = concat(host_os_name , " ", host_os_version),
extract_ipv4 = if(extract_ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",extract_ip_address ,null),
extract_ipv6 = if(extract_ip_address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",extract_ip_address ,null)
| alter
xdm.target.host.os = full_os_name,
xdm.target.application.name = client -> app_name,
xdm.target.application.version = client -> app_version,
xdm.source.ipv4 = extract_ipv4,
xdm.source.ipv6 = extract_ipv6,
xdm.target.host.os_family = if(host_os_name contains "Mac", XDM_CONST.OS_FAMILY_MACOS, host_os_name contains "Windows", XDM_CONST.OS_FAMILY_WINDOWS, host_os_name contains "Linux", XDM_CONST.OS_FAMILY_LINUX, host_os_name) ;
[MODEL: dataset="1password_1password_raw"]
//1Password - Audit events modeling rules
filter SOURCE_LOG_TYPE = "Audit events"
| call 1Password_Common_Fields
| alter
extract_ip_address = session -> ip
| alter
extract_ipv4 = if(extract_ip_address ~= "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}",extract_ip_address ,null),
extract_ipv6 = if(extract_ip_address ~= "^((?:[a-fA-F\d]{0,4}\:){2,7}[a-fA-F\d]{0,4})$",extract_ip_address ,null)
| alter
xdm.source.user.identifier = actor_details -> uuid,
xdm.source.user.username = actor_details -> name,
xdm.source.user.upn = actor_details -> email,
xdm.source.ipv4 = extract_ipv4,
xdm.source.ipv6 = extract_ipv6;
//1Password - Item usage action modeling rules
filter SOURCE_LOG_TYPE = "Item usage actions"
| call 1Password_Common_Fields
| call 1Password_Common_Fields_For_Item_and_SignIns
| alter
xdm.target.resource.parent_id = vault_uuid,
xdm.target.resource.id = item_uuid,
xdm.source.user.identifier = user -> uuid,
xdm.source.user.username = user -> name,
xdm.source.user.upn = user -> email;
//1Password - Sign in atempts modeling rules
filter SOURCE_LOG_TYPE = "Sign in attempts"
| call 1Password_Common_Fields
| call 1Password_Common_Fields_For_Item_and_SignIns
| alter
xdm.event.outcome = category,
xdm.event.outcome_reason = type,
xdm.target.user.identifier = target_user -> uuid,
xdm.target.user.username = target_user -> name,
xdm.target.user.upn = target_user -> email;
Schema
1password_1password_raw
| Field |
Type |
Array? |
SOURCE_LOG_TYPE |
string |
— |
action |
string |
— |
actor_details |
string |
— |
category |
string |
— |
client |
string |
— |
item_uuid |
string |
— |
location |
string |
— |
session |
string |
— |
target_user |
string |
— |
type |
string |
— |
user |
string |
— |
vault_uuid |
string |
— |
Raw JSON
{
"1password_1password_raw": {
"SOURCE_LOG_TYPE": {
"type": "string",
"is_array": false
},
"action": {
"type": "string",
"is_array": false
},
"location": {
"type": "string",
"is_array": false
},
"client": {
"type": "string",
"is_array": false
},
"session": {
"type": "string",
"is_array": false
},
"actor_details": {
"type": "string",
"is_array": false
},
"vault_uuid": {
"type": "string",
"is_array": false
},
"item_uuid": {
"type": "string",
"is_array": false
},
"user": {
"type": "string",
"is_array": false
},
"category": {
"type": "string",
"is_array": false
},
"type": {
"type": "string",
"is_array": false
},
"target_user": {
"type": "string",
"is_array": false
}
}
}