1pwd-codeless
{ | |
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
"contentVersion": "1.0.0.0", | |
"parameters": { | |
"location": { | |
"defaultValue": "[resourceGroup().location]", | |
"minLength": 1, | |
"type": "String", | |
"metadata": { | |
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace" | |
} | |
}, | |
"workspace": { | |
"defaultValue": "", | |
"type": "String", | |
"metadata": { | |
"description": "Workspace name for Log Analytics where Microsoft Sentinel is set up" | |
} | |
} | |
}, | |
"variables": { | |
"_solutionName": "OnePassword", | |
"_solutionVersion": "1.0.0", | |
"solutionId": "1Password_Azurekid", | |
"_solutionId": "[variables('solutionId')]", | |
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", | |
"dataConnectorCCPVersion": "1.0.0", | |
"_dataConnectorContentIdConnectorDefinition1": "OnePasswordCCP", | |
"dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]", | |
"_dataConnectorContentIdConnections1": "OnePasswordAuditConnections", | |
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]", | |
"dataCollectionEndpointId1": "[concat('/subscriptions/', subscription().id , '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Insights/dataCollectionEndpoints/', parameters('workspace'))]", | |
"blanks": "[replace('b', 'b', '')]", | |
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" | |
}, | |
"resources": [ | |
{ | |
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", | |
"apiVersion": "2023-04-01-preview", | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]", | |
"location": "[parameters('location')]", | |
"dependsOn": [ | |
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" | |
], | |
"properties": { | |
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", | |
"displayName": "OnePasswordCCP", | |
"contentKind": "DataConnector", | |
"mainTemplate": { | |
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
"contentVersion": "[variables('dataConnectorCCPVersion')]", | |
"parameters": {}, | |
"variables": {}, | |
"resources": [ | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", | |
"apiVersion": "2022-09-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", | |
"location": "[parameters('location')]", | |
"kind": "Customizable", | |
"properties": { | |
"connectorUiConfig": { | |
"id": "OnePasswordCCP", | |
"title": "1Password (Serverless)", | |
"publisher": "Azurekid", | |
"descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", | |
"graphQueriesTableName": "OnePasswordEventLogs_CL", | |
"graphQueries": [ | |
{ | |
"metricName": "Total Sign In Attempts received", | |
"legend": "SignIn Attempts", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" | |
}, | |
{ | |
"metricName": "Total Audit Events received", | |
"legend": "Audit Events", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" | |
}, | |
{ | |
"metricName": "Total Item Usage Events received", | |
"legend": "Item Usage Events", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" | |
} | |
], | |
"sampleQueries": [ | |
{ | |
"description": "Get Sample of 1Password events", | |
"query": "{{graphQueriesTableName}}\n | take 10" | |
} | |
], | |
"dataTypes": [ | |
{ | |
"name": "OnePasswordEventLogs_CL", | |
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" | |
} | |
], | |
"connectivityCriteria": [ | |
{ | |
"type": "HasDataConnectors" | |
} | |
], | |
"availability": { | |
"isPreview": false | |
}, | |
"permissions": { | |
"resourceProvider": [ | |
{ | |
"provider": "Microsoft.OperationalInsights/workspaces", | |
"permissionsDisplayText": "Read, Write and Delete permissions are required.", | |
"providerDisplayName": "Workspace", | |
"scope": "Workspace", | |
"requiredPermissions": { | |
"write": true, | |
"read": true, | |
"delete": true | |
} | |
} | |
], | |
"customs": [ | |
{ | |
"name": "1Password API token", | |
"description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." | |
} | |
] | |
}, | |
"instructionSteps": [ | |
{ | |
"title": "STEP 1 - Create a 1Password API token", | |
"description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." | |
}, | |
{ | |
"title": "STEP 2 - Choose the correct base URL", | |
"description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/'). The API token is sent to this URL as a Bearer credential, so enter only a server listed in that documentation." | |
}, | |
{ | |
"title": "STEP 3 - Enter your 1Password Details", | |
"description": "Enter the 1Password base URL & API Token below:", | |
"instructions": [ | |
{ | |
"type": "Textbox", | |
"parameters": { | |
"label": "Base Url", | |
"placeholder": "Enter your Base Url", | |
"type": "text", | |
"name": "BaseUrl" | |
} | |
}, | |
{ | |
"type": "Textbox", | |
"parameters": { | |
"label": "API Token", | |
"placeholder": "Enter your API Token", | |
"type": "password", | |
"name": "ApiToken" | |
} | |
}, | |
{ | |
"type": "ConnectionToggleButton", | |
"parameters": { | |
"connectLabel": "connect", | |
"name": "connect" | |
} | |
} | |
] | |
} | |
] | |
} | |
} | |
}, | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", | |
"apiVersion": "2022-01-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", | |
"properties": { | |
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", | |
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", | |
"kind": "DataConnector", | |
"version": "[variables('dataConnectorCCPVersion')]", | |
"source": { | |
"sourceId": "[variables('_solutionId')]", | |
"name": "[variables('_solutionName')]", | |
"kind": "Solution" | |
}, | |
"author": { | |
"name": "Rogier Dijkman" | |
}, | |
"support": { | |
"name": "Rogier Dijkman", | |
"email": "support@securehats.nl", | |
"tier": "Partner", | |
"link": "https://www.securehats.nl" | |
}, | |
"dependencies": { | |
"criteria": [ | |
{ | |
"version": "[variables('dataConnectorCCPVersion')]", | |
"contentId": "[variables('_dataConnectorContentIdConnections1')]", | |
"kind": "ResourcesDataConnector" | |
} | |
] | |
} | |
} | |
}, | |
{ | |
"type": "Microsoft.Insights/dataCollectionRules", | |
"apiVersion": "2021-09-01-preview", | |
"name": "1Password", | |
"location": "[parameters('location')]", | |
"properties": { | |
"dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', '1Password')]", | |
"streamDeclarations": { | |
"Custom-OnePasswordEvents": { | |
"columns": [ | |
{ | |
"name": "uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "timestamp", | |
"type": "datetime" | |
}, | |
{ | |
"name": "action", | |
"type": "string" | |
}, | |
{ | |
"name": "actor_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "actor_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "aux_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "aux_id", | |
"type": "int" | |
}, | |
{ | |
"name": "aux_info", | |
"type": "string" | |
}, | |
{ | |
"name": "aux_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "category", | |
"type": "string" | |
}, | |
{ | |
"name": "client", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "country", | |
"type": "string" | |
}, | |
{ | |
"name": "details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "item_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "location", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "object_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "object_type", | |
"type": "string" | |
}, | |
{ | |
"name": "object_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "session", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "session_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "type", | |
"type": "string" | |
}, | |
{ | |
"name": "target_user", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "used_version", | |
"type": "int" | |
}, | |
{ | |
"name": "user", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "vault_uuid", | |
"type": "string" | |
} | |
] | |
} | |
}, | |
"destinations": { | |
"logAnalytics": [ | |
{ | |
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]", | |
"name": "[parameters('workspace') ]" | |
} | |
] | |
}, | |
"dataFlows": [ | |
{ | |
"streams": [ | |
"Custom-OnePasswordEvents" | |
], | |
"destinations": [ | |
"[parameters('workspace')]" | |
], | |
"outputStream": "Custom-OnePasswordEventLogs_CL", | |
"transformKql": "source | extend TimeGenerated = now(), log_source = case(isnotempty(used_version) or isnotempty(aux_id), 'itemusages', isnotempty(country), 'signinattempts', isempty(used_version) and isempty(aux_id) and isempty(country), 'auditevents', 'unknown')" | |
} | |
] | |
} | |
}, | |
{ | |
"name": "OnePasswordEventLogs_CL", | |
"apiVersion": "2022-10-01", | |
"type": "Microsoft.OperationalInsights/workspaces/tables", | |
"location": "[parameters('location')]", | |
"kind": null, | |
"properties": { | |
"schema": { | |
"name": "OnePasswordEventLogs_CL", | |
"columns": [ | |
{ | |
"name": "SourceSystem", | |
"type": "string" | |
}, | |
{ | |
"name": "TimeGenerated", | |
"type": "datetime" | |
}, | |
{ | |
"name": "uuid_s", | |
"type": "string" | |
}, | |
{ | |
"name": "session_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "timestamp", | |
"type": "datetime" | |
}, | |
{ | |
"name": "country", | |
"type": "string" | |
}, | |
{ | |
"name": "category", | |
"type": "string" | |
}, | |
{ | |
"name": "action_type", | |
"type": "string" | |
}, | |
{ | |
"name": "details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "target_user", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "client", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "location", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "actor_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "actor_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "action", | |
"type": "string" | |
}, | |
{ | |
"name": "object_type", | |
"type": "string" | |
}, | |
{ | |
"name": "object_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "object_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "aux_id", | |
"type": "int" | |
}, | |
{ | |
"name": "aux_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "aux_details", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "aux_info", | |
"type": "string" | |
}, | |
{ | |
"name": "session", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "used_version", | |
"type": "int" | |
}, | |
{ | |
"name": "vault_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "item_uuid", | |
"type": "string" | |
}, | |
{ | |
"name": "user", | |
"type": "dynamic" | |
}, | |
{ | |
"name": "log_source", | |
"type": "string" | |
} | |
] | |
} | |
} | |
} | |
] | |
}, | |
"packageKind": "Solution", | |
"packageVersion": "[variables('_solutionVersion')]", | |
"packageName": "[variables('_solutionName')]", | |
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]", | |
"packageId": "[variables('_solutionId')]", | |
"contentSchemaVersion": "3.0.0", | |
"version": "[variables('dataConnectorCCPVersion')]" | |
} | |
}, | |
{ | |
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions", | |
"apiVersion": "2022-09-01-preview", | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]", | |
"location": "[parameters('location')]", | |
"kind": "Customizable", | |
"properties": { | |
"connectorUiConfig": { | |
"id": "OnePasswordCCP", | |
"title": "1Password (Serverless)", | |
"publisher": "AzureKid", | |
"descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.", | |
"graphQueriesTableName": "OnePasswordEventLogs_CL", | |
"graphQueries": [ | |
{ | |
"metricName": "Total Sign In Attempts received", | |
"legend": "SignIn Attempts", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'" | |
}, | |
{ | |
"metricName": "Total Audit Events received", | |
"legend": "Audit Events", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'" | |
}, | |
{ | |
"metricName": "Total Item Usage Events received", | |
"legend": "Item Usage Events", | |
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'" | |
} | |
], | |
"sampleQueries": [ | |
{ | |
"description": "Get Sample of 1Password events", | |
"query": "{{graphQueriesTableName}}\n | take 10" | |
} | |
], | |
"dataTypes": [ | |
{ | |
"name": "OnePasswordEventLogs_CL", | |
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" | |
} | |
], | |
"connectivityCriteria": [ | |
{ | |
"type": "HasDataConnectors" | |
} | |
], | |
"availability": { | |
"isPreview": false | |
}, | |
"permissions": { | |
"resourceProvider": [ | |
{ | |
"provider": "Microsoft.OperationalInsights/workspaces", | |
"permissionsDisplayText": "Read, Write and Delete permissions are required.", | |
"providerDisplayName": "Workspace", | |
"scope": "Workspace", | |
"requiredPermissions": { | |
"write": true, | |
"read": true, | |
"delete": true | |
} | |
} | |
], | |
"customs": [ | |
{ | |
"name": "1Password API token", | |
"description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token." | |
} | |
] | |
}, | |
"instructionSteps": [ | |
{ | |
"title": "STEP 1 - Create a 1Password API token:", | |
"description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step." | |
}, | |
{ | |
"title": "STEP 2 - Choose the correct base URL:", | |
"description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/'). The API token is sent to this URL as a Bearer credential, so enter only a server listed in that documentation." | |
}, | |
{ | |
"title": "STEP 3 - Enter your 1Password Details:", | |
"description": "Enter the 1Password base URL & API Token below:", | |
"instructions": [ | |
{ | |
"type": "Textbox", | |
"parameters": { | |
"label": "Base Url", | |
"placeholder": "Enter your Base Url", | |
"type": "text", | |
"name": "BaseUrl" | |
} | |
}, | |
{ | |
"type": "Textbox", | |
"parameters": { | |
"label": "API Token", | |
"placeholder": "Enter your API Token", | |
"type": "password", | |
"name": "ApiToken" | |
} | |
}, | |
{ | |
"type": "ConnectionToggleButton", | |
"parameters": { | |
"connectLabel": "connect", | |
"name": "connect" | |
} | |
} | |
] | |
} | |
] | |
} | |
} | |
}, | |
{ | |
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", | |
"apiVersion": "2022-01-01-preview", | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]", | |
"properties": { | |
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]", | |
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]", | |
"kind": "DataConnector", | |
"version": "[variables('dataConnectorCCPVersion')]", | |
"source": { | |
"sourceId": "[variables('_solutionId')]", | |
"name": "[variables('_solutionName')]", | |
"kind": "Solution" | |
}, | |
"author": { | |
"name": "Rogier Dijkman" | |
}, | |
"support": { | |
"name": "Rogier Dijkman", | |
"email": "support@securehats.nl", | |
"tier": "Partner", | |
"link": "https://www.securehats.nl" | |
}, | |
"dependencies": { | |
"criteria": [ | |
{ | |
"version": "[variables('dataConnectorCCPVersion')]", | |
"contentId": "[variables('_dataConnectorContentIdConnections1')]", | |
"kind": "ResourcesDataConnector" | |
} | |
] | |
} | |
} | |
}, | |
{ | |
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", | |
"apiVersion": "2023-04-01-preview", | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]", | |
"location": "[parameters('location')]", | |
"dependsOn": [ | |
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" | |
], | |
"properties": { | |
"contentId": "[variables('_dataConnectorContentIdConnections1')]", | |
"displayName": "OnePasswordCCP", | |
"contentKind": "ResourcesDataConnector", | |
"mainTemplate": { | |
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | |
"contentVersion": "[variables('dataConnectorCCPVersion')]", | |
"parameters": { | |
"BaseUrl": { | |
"defaultValue": "-NA-", | |
"type": "string", | |
"minLength": 1 | |
}, | |
"ApiToken": { | |
"defaultValue": "-NA-", | |
"type": "securestring", | |
"minLength": 1 | |
}, | |
"connectorDefinitionName": { | |
"defaultValue": "OnePasswordCCP", | |
"type": "string", | |
"minLength": 1 | |
}, | |
"workspace": { | |
"defaultValue": "[parameters('workspace')]", | |
"type": "string" | |
}, | |
"dcrConfig": { | |
"defaultValue": { | |
"dataCollectionEndpoint": "data collection Endpoint", | |
"dataCollectionRuleImmutableId": "data collection rule immutableId" | |
}, | |
"type": "object" | |
}, | |
"AuthorizationCode": { | |
"defaultValue": "-NA-", | |
"type": "securestring", | |
"minLength": 1 | |
} | |
}, | |
"variables": { | |
"_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]" | |
}, | |
"resources": [ | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]", | |
"apiVersion": "2022-01-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata", | |
"properties": { | |
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]", | |
"contentId": "[variables('_dataConnectorContentIdConnections1')]", | |
"kind": "ResourcesDataConnector", | |
"version": "[variables('dataConnectorCCPVersion')]", | |
"source": { | |
"sourceId": "[variables('_solutionId')]", | |
"name": "[variables('_solutionName')]", | |
"kind": "Solution" | |
}, | |
"author": { | |
"name": "Rogier Dijkman" | |
}, | |
"support": { | |
"name": "Rogier Dijkman", | |
"email": "support@securehats.nl", | |
"tier": "Partner", | |
"link": "https://www.securehats.nl" | |
} | |
} | |
}, | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordSignInEvents')]", | |
"apiVersion": "2023-02-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", | |
"location": "[parameters('location')]", | |
"kind": "RestApiPoller", | |
"properties": { | |
"connectorDefinitionName": "OnePasswordCCP", | |
"dataType": "OnePasswordEventLogs_CL", | |
"dcrConfig": { | |
"streamName": "Custom-OnePasswordEvents", | |
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", | |
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" | |
}, | |
"auth": { | |
"type": "APIKey", | |
"ApiKey": "[[parameters('ApiToken')]", | |
"ApiKeyName": "Authorization", | |
"ApiKeyIdentifier": "Bearer" | |
}, | |
"request": { | |
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/signinattempts')]", | |
"httpMethod": "Post", | |
"queryWindowInMin": 5, | |
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", | |
"rateLimitQps": 1, | |
"retryCount": 3, | |
"timeoutInSeconds": 60, | |
"headers": { | |
"Content-Type": "application/json" | |
}, | |
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", | |
"isPostPayloadJson": true | |
}, | |
"response": { | |
"format": "json", | |
"eventsJsonPaths": [ | |
"$.items" | |
] | |
}, | |
"paging": { | |
"pagingType": "NextPageToken", | |
"nextPageParaName": "cursor", | |
"nextPageTokenJsonPath": "$.cursor", | |
"hasNextFlagJsonPath": "$.has_more" | |
} | |
} | |
}, | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordAuditEvents')]", | |
"apiVersion": "2023-02-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", | |
"location": "[parameters('location')]", | |
"kind": "RestApiPoller", | |
"properties": { | |
"connectorDefinitionName": "OnePasswordCCP", | |
"dataType": "OnePasswordEventLogs_CL", | |
"dcrConfig": { | |
"streamName": "Custom-OnePasswordEvents", | |
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", | |
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" | |
}, | |
"auth": { | |
"type": "APIKey", | |
"ApiKey": "[[parameters('ApiToken')]", | |
"ApiKeyName": "Authorization", | |
"ApiKeyIdentifier": "Bearer" | |
}, | |
"request": { | |
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/auditevents')]", | |
"httpMethod": "Post", | |
"queryWindowInMin": 5, | |
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", | |
"rateLimitQps": 1, | |
"retryCount": 3, | |
"timeoutInSeconds": 60, | |
"headers": { | |
"Content-Type": "application/json" | |
}, | |
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", | |
"isPostPayloadJson": true | |
}, | |
"response": { | |
"format": "json", | |
"eventsJsonPaths": [ | |
"$.items" | |
] | |
}, | |
"paging": { | |
"pagingType": "NextPageToken", | |
"nextPageParaName": "cursor", | |
"nextPageTokenJsonPath": "$.cursor", | |
"hasNextFlagJsonPath": "$.has_more" | |
} | |
} | |
}, | |
{ | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordItemUsageEvents')]", | |
"apiVersion": "2023-02-01-preview", | |
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", | |
"location": "[parameters('location')]", | |
"kind": "RestApiPoller", | |
"properties": { | |
"connectorDefinitionName": "OnePasswordCCP", | |
"dataType": "OnePasswordEventLogs_CL", | |
"dcrConfig": { | |
"streamName": "Custom-OnePasswordEvents", | |
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]", | |
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]" | |
}, | |
"auth": { | |
"type": "APIKey", | |
"ApiKey": "[[parameters('ApiToken')]", | |
"ApiKeyName": "Authorization", | |
"ApiKeyIdentifier": "Bearer" | |
}, | |
"request": { | |
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/itemusages')]", | |
"httpMethod": "Post", | |
"queryWindowInMin": 1, | |
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ", | |
"rateLimitQps": 5, | |
"retryCount": 3, | |
"timeoutInSeconds": 60, | |
"headers": { | |
"Content-Type": "application/json" | |
}, | |
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }", | |
"isPostPayloadJson": true | |
}, | |
"response": { | |
"format": "json", | |
"eventsJsonPaths": [ | |
"$.items" | |
] | |
}, | |
"paging": { | |
"pagingType": "NextPageToken", | |
"nextPageParaName": "cursor", | |
"nextPageTokenJsonPath": "$.cursor", | |
"hasNextFlagJsonPath": "$.has_more" | |
} | |
} | |
} | |
] | |
}, | |
"packageKind": "Solution", | |
"packageVersion": "[variables('_solutionVersion')]", | |
"packageName": "[variables('_solutionName')]", | |
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]", | |
"packageId": "[variables('_solutionId')]", | |
"contentSchemaVersion": "3.0.0", | |
"version": "[variables('dataConnectorCCPVersion')]" | |
} | |
}, | |
{ | |
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", | |
"apiVersion": "2023-04-01-preview", | |
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]", | |
"location": "[parameters('location')]", | |
"properties": { | |
"version": "1.0.3", | |
"kind": "Solution", | |
"contentSchemaVersion": "1.0.0", | |
"displayName": "SecureHats", | |
"publisherDisplayName": "SecureHats", | |
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>", | |
"contentKind": "Solution", | |
"contentProductId": "[variables('_solutioncontentProductId')]", | |
"id": "[variables('_solutioncontentProductId')]", | |
"contentId": "[variables('_solutionId')]", | |
"parentId": "[variables('_solutionId')]", | |
"source": { | |
"kind": "Solution", | |
"name": "1Password", | |
"sourceId": "[variables('_solutionId')]" | |
}, | |
"author": { | |
"name": "Rogier Dijkman" | |
}, | |
"support": { | |
"name": "Rogier Dijkman", | |
"email": "support@securehats.nl", | |
"tier": "Partner", | |
"link": "https://www.securehats.nl" | |
}, | |
"dependencies": { | |
"operator": "AND", | |
"criteria": [ | |
{ | |
"kind": "DataConnector", | |
"contentId": "[variables('_dataConnectorContentIdConnections1')]", | |
"version": "[variables('dataConnectorCCPVersion')]" | |
} | |
] | |
}, | |
"firstPublishDate": "2024-03-01", | |
"providers": [ | |
"SecureHats" | |
], | |
"categories": { | |
"domains": [ | |
"Security - Threat Protection" | |
] | |
} | |
} | |
} | |
], | |
"outputs": {} | |
} |