Skip to content

Instantly share code, notes, and snippets.

@azurekid

azurekid/1pwd-codeless.json

Last active August 23, 2024 14:10
Show Gist options
  • Save azurekid/2724e1954b5403af1be0fbe538101ab7 to your computer and use it in GitHub Desktop.
Save azurekid/2724e1954b5403af1be0fbe538101ab7 to your computer and use it in GitHub Desktop.
Download ZIP
1pwd-codeless
Raw
1pwd-codeless.json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"defaultValue": "[resourceGroup().location]",
"minLength": 1,
"type": "String",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace": {
"defaultValue": "",
"type": "String",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
}
},
"variables": {
"_solutionName": "OnePassword",
"_solutionVersion": "1.0.0",
"solutionId": "1Password_Azurekid",
"_solutionId": "[variables('solutionId')]",
"workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
"dataConnectorCCPVersion": "1.0.0",
"_dataConnectorContentIdConnectorDefinition1": "OnePasswordCCP",
"dataConnectorTemplateNameConnectorDefinition1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnectorDefinition1')))]",
"_dataConnectorContentIdConnections1": "OnePasswordAuditConnections",
"dataConnectorTemplateNameConnections1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentIdConnections1')))]",
"dataCollectionEndpointId1": "[concat('/subscriptions/', subscription().id , '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Insights/dataCollectionEndpoints/', parameters('workspace'))]",
"blanks": "[replace('b', 'b', '')]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnectorDefinition1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"displayName": "OnePasswordCCP",
"contentKind": "DataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {},
"variables": {},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
"apiVersion": "2022-09-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"location": "[parameters('location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "OnePasswordCCP",
"title": "1Password (Serverless)",
"publisher": "Azurekid",
"descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.",
"graphQueriesTableName": "OnePasswordEventLogs_CL",
"graphQueries": [
{
"metricName": "Total Sign In Attempts received",
"legend": "SignIn Attempts",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'"
},
{
"metricName": "Total Audit Events received",
"legend": "Audit Events",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'"
},
{
"metricName": "Total Item Usage Events received",
"legend": "Item Usage Events",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'"
}
],
"sampleQueries": [
{
"description": "Get Sample of 1Password events",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "OnePasswordEventLogs_CL",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "1Password API token",
"description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token."
}
]
},
"instructionSteps": [
{
"title": "STEP 1 - Create a 1Password API token",
"description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step."
},
{
"title": "STEP 2 - Choose the correct base URL",
"description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')."
},
{
"title": "STEP 3 - Enter your 1Password Details",
"description": "Enter the 1Password base URL & API Token below:",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Base Url",
"placeholder": "Enter your Base Url",
"type": "text",
"name": "BaseUrl"
}
},
{
"type": "Textbox",
"parameters": {
"label": "API Token",
"placeholder": "Enter your API Token",
"type": "password",
"name": "ApiToken"
}
},
{
"type": "ConnectionToggleButton",
"parameters": {
"connectLabel": "connect",
"name": "connect"
}
}
]
}
]
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Rogier Dijkman"
},
"support": {
"name": "Rogier Dijkman",
"email": "support@securehats.nl",
"tier": "Partner",
"link": "https://www.securehats.nl"
},
"dependencies": {
"criteria": [
{
"version": "[variables('dataConnectorCCPVersion')]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector"
}
]
}
}
},
{
"type": "Microsoft.Insights/dataCollectionRules",
"apiVersion": "2021-09-01-preview",
"name": "1Password",
"location": "[parameters('location')]",
"properties": {
"dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', '1Password')]",
"streamDeclarations": {
"Custom-OnePasswordEvents": {
"columns": [
{
"name": "uuid",
"type": "string"
},
{
"name": "timestamp",
"type": "datetime"
},
{
"name": "action",
"type": "string"
},
{
"name": "actor_details",
"type": "dynamic"
},
{
"name": "actor_uuid",
"type": "string"
},
{
"name": "aux_details",
"type": "dynamic"
},
{
"name": "aux_id",
"type": "int"
},
{
"name": "aux_info",
"type": "string"
},
{
"name": "aux_uuid",
"type": "string"
},
{
"name": "category",
"type": "string"
},
{
"name": "client",
"type": "dynamic"
},
{
"name": "country",
"type": "string"
},
{
"name": "details",
"type": "dynamic"
},
{
"name": "item_uuid",
"type": "string"
},
{
"name": "location",
"type": "dynamic"
},
{
"name": "object_details",
"type": "dynamic"
},
{
"name": "object_type",
"type": "string"
},
{
"name": "object_uuid",
"type": "string"
},
{
"name": "session",
"type": "dynamic"
},
{
"name": "session_uuid",
"type": "string"
},
{
"name": "type",
"type": "string"
},
{
"name": "target_user",
"type": "dynamic"
},
{
"name": "used_version",
"type": "int"
},
{
"name": "user",
"type": "dynamic"
},
{
"name": "vault_uuid",
"type": "string"
}
]
}
},
"destinations": {
"logAnalytics": [
{
"workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]",
"name": "[parameters('workspace') ]"
}
]
},
"dataFlows": [
{
"streams": [
"Custom-OnePasswordEvents"
],
"destinations": [
"[parameters('workspace')]"
],
"outputStream": "Custom-OnePasswordEventLogs_CL",
"transformKql": "source | extend TimeGenerated = now(), log_source = case(isnotempty(used_version) or isnotempty(aux_id), 'itemusages', isnotempty(country), 'signinattempts', isempty(used_version) and isempty(aux_id) and isempty(country), 'auditevents', 'unknown')"
}
]
}
},
{
"name": "OnePasswordEventLogs_CL",
"apiVersion": "2022-10-01",
"type": "Microsoft.OperationalInsights/workspaces/tables",
"location": "[parameters('location')]",
"kind": null,
"properties": {
"schema": {
"name": "OnePasswordEventLogs_CL",
"columns": [
{
"name": "SourceSystem",
"type": "string"
},
{
"name": "TimeGenerated",
"type": "datetime"
},
{
"name": "uuid_s",
"type": "string"
},
{
"name": "session_uuid",
"type": "string"
},
{
"name": "timestamp",
"type": "datetime"
},
{
"name": "country",
"type": "string"
},
{
"name": "category",
"type": "string"
},
{
"name": "action_type",
"type": "string"
},
{
"name": "details",
"type": "dynamic"
},
{
"name": "target_user",
"type": "dynamic"
},
{
"name": "client",
"type": "dynamic"
},
{
"name": "location",
"type": "dynamic"
},
{
"name": "actor_uuid",
"type": "string"
},
{
"name": "actor_details",
"type": "dynamic"
},
{
"name": "action",
"type": "string"
},
{
"name": "object_type",
"type": "string"
},
{
"name": "object_uuid",
"type": "string"
},
{
"name": "object_details",
"type": "dynamic"
},
{
"name": "aux_id",
"type": "int"
},
{
"name": "aux_uuid",
"type": "string"
},
{
"name": "aux_details",
"type": "dynamic"
},
{
"name": "aux_info",
"type": "string"
},
{
"name": "session",
"type": "dynamic"
},
{
"name": "used_version",
"type": "int"
},
{
"name": "vault_uuid",
"type": "string"
},
{
"name": "item_uuid",
"type": "string"
},
{
"name": "user",
"type": "dynamic"
},
{
"name": "log_source",
"type": "string"
}
]
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentIdConnectorDefinition1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"version": "[variables('dataConnectorCCPVersion')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectorDefinitions",
"apiVersion": "2022-09-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentIdConnectorDefinition1'))]",
"location": "[parameters('location')]",
"kind": "Customizable",
"properties": {
"connectorUiConfig": {
"id": "OnePasswordCCP",
"title": "1Password (Serverless)",
"publisher": "AzureKid",
"descriptionMarkdown": "The 1Password CCP connector allows the user to ingest 1Password Audit, Signin & ItemUsage events into Microsoft Sentinel.",
"graphQueriesTableName": "OnePasswordEventLogs_CL",
"graphQueries": [
{
"metricName": "Total Sign In Attempts received",
"legend": "SignIn Attempts",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'signinattempts'"
},
{
"metricName": "Total Audit Events received",
"legend": "Audit Events",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'auditevents'"
},
{
"metricName": "Total Item Usage Events received",
"legend": "Item Usage Events",
"baseQuery": "{{graphQueriesTableName}} | where log_source == 'itemusages'"
}
],
"sampleQueries": [
{
"description": "Get Sample of 1Password events",
"query": "{{graphQueriesTableName}}\n | take 10"
}
],
"dataTypes": [
{
"name": "OnePasswordEventLogs_CL",
"lastDataReceivedQuery": "{{graphQueriesTableName}}\n | where TimeGenerated > ago(7d) | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriteria": [
{
"type": "HasDataConnectors"
}
],
"availability": {
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "Read and Write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "1Password API token",
"description": "A 1Password API Token is required. See the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) on how to create an API token."
}
]
},
"instructionSteps": [
{
"title": "STEP 1 - Create a 1Password API token:",
"description": "Follow the [1Password documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) for guidance on this step."
},
{
"title": "STEP 2 - Choose the correct base URL:",
"description": "There are multiple 1Password servers which might host your events. The correct server depends on your license and region. Follow the [1Password documentation](https://developer.1password.com/docs/events-api/reference/#servers) to choose the correct server. Input the base URL as displayed by the documentation (including 'https://' and without a trailing '/')."
},
{
"title": "STEP 3 - Enter your 1Password Details:",
"description": "Enter the 1Password base URL & API Token below:",
"instructions": [
{
"type": "Textbox",
"parameters": {
"label": "Base Url",
"placeholder": "Enter your Base Url",
"type": "text",
"name": "BaseUrl"
}
},
{
"type": "Textbox",
"parameters": {
"label": "API Token",
"placeholder": "Enter your API Token",
"type": "password",
"name": "ApiToken"
}
},
{
"type": "ConnectionToggleButton",
"parameters": {
"connectLabel": "connect",
"name": "connect"
}
}
]
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnectorDefinition1')))]",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectorDefinitions', variables('_dataConnectorContentIdConnectorDefinition1'))]",
"contentId": "[variables('_dataConnectorContentIdConnectorDefinition1')]",
"kind": "DataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Rogier Dijkman"
},
"support": {
"name": "Rogier Dijkman",
"email": "support@securehats.nl",
"tier": "Partner",
"link": "https://www.securehats.nl"
},
"dependencies": {
"criteria": [
{
"version": "[variables('dataConnectorCCPVersion')]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector"
}
]
}
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('dataConnectorTemplateNameConnections1'), variables('dataConnectorCCPVersion'))]",
"location": "[parameters('location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"displayName": "OnePasswordCCP",
"contentKind": "ResourcesDataConnector",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "[variables('dataConnectorCCPVersion')]",
"parameters": {
"BaseUrl": {
"defaultValue": "-NA-",
"type": "string",
"minLength": 1
},
"ApiToken": {
"defaultValue": "-NA-",
"type": "securestring",
"minLength": 1
},
"connectorDefinitionName": {
"defaultValue": "OnePasswordCCP",
"type": "string",
"minLength": 1
},
"workspace": {
"defaultValue": "[parameters('workspace')]",
"type": "string"
},
"dcrConfig": {
"defaultValue": {
"dataCollectionEndpoint": "data collection Endpoint",
"dataCollectionRuleImmutableId": "data collection rule immutableId"
},
"type": "object"
},
"AuthorizationCode": {
"defaultValue": "-NA-",
"type": "securestring",
"minLength": 1
}
},
"variables": {
"_dataConnectorContentIdConnections1": "[variables('_dataConnectorContentIdConnections1')]"
},
"resources": [
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', variables('_dataConnectorContentIdConnections1')))]",
"apiVersion": "2022-01-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"properties": {
"parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentIdConnections1'))]",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"kind": "ResourcesDataConnector",
"version": "[variables('dataConnectorCCPVersion')]",
"source": {
"sourceId": "[variables('_solutionId')]",
"name": "[variables('_solutionName')]",
"kind": "Solution"
},
"author": {
"name": "Rogier Dijkman"
},
"support": {
"name": "Rogier Dijkman",
"email": "support@securehats.nl",
"tier": "Partner",
"link": "https://www.securehats.nl"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordSignInEvents')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('location')]",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "OnePasswordCCP",
"dataType": "OnePasswordEventLogs_CL",
"dcrConfig": {
"streamName": "Custom-OnePasswordEvents",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('ApiToken')]",
"ApiKeyName": "Authorization",
"ApiKeyIdentifier": "Bearer"
},
"request": {
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/signinattempts')]",
"httpMethod": "Post",
"queryWindowInMin": 5,
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"rateLimitQps": 1,
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Content-Type": "application/json"
},
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
"isPostPayloadJson": true
},
"response": {
"format": "json",
"eventsJsonPaths": [
"$.items"
]
},
"paging": {
"pagingType": "NextPageToken",
"nextPageParaName": "cursor",
"nextPageTokenJsonPath": "$.cursor",
"hasNextFlagJsonPath": "$.has_more"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordAuditEvents')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('location')]",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "OnePasswordCCP",
"dataType": "OnePasswordEventLogs_CL",
"dcrConfig": {
"streamName": "Custom-OnePasswordEvents",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('ApiToken')]",
"ApiKeyName": "Authorization",
"ApiKeyIdentifier": "Bearer"
},
"request": {
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/auditevents')]",
"httpMethod": "Post",
"queryWindowInMin": 5,
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"rateLimitQps": 1,
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Content-Type": "application/json"
},
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
"isPostPayloadJson": true
},
"response": {
"format": "json",
"eventsJsonPaths": [
"$.items"
]
},
"paging": {
"pagingType": "NextPageToken",
"nextPageParaName": "cursor",
"nextPageTokenJsonPath": "$.cursor",
"hasNextFlagJsonPath": "$.has_more"
}
}
},
{
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', 'OnePasswordItemUsageEvents')]",
"apiVersion": "2023-02-01-preview",
"type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('location')]",
"kind": "RestApiPoller",
"properties": {
"connectorDefinitionName": "OnePasswordCCP",
"dataType": "OnePasswordEventLogs_CL",
"dcrConfig": {
"streamName": "Custom-OnePasswordEvents",
"dataCollectionEndpoint": "[[parameters('dcrConfig').dataCollectionEndpoint]",
"dataCollectionRuleImmutableId": "[[parameters('dcrConfig').dataCollectionRuleImmutableId]"
},
"auth": {
"type": "APIKey",
"ApiKey": "[[parameters('ApiToken')]",
"ApiKeyName": "Authorization",
"ApiKeyIdentifier": "Bearer"
},
"request": {
"apiEndpoint": "[[concat(parameters('BaseUrl'), '/api/v1/itemusages')]",
"httpMethod": "Post",
"queryWindowInMin": 1,
"queryTimeFormat": "yyyy-MM-ddTHH:mm:ssZ",
"rateLimitQps": 5,
"retryCount": 3,
"timeoutInSeconds": 60,
"headers": {
"Content-Type": "application/json"
},
"queryParametersTemplate": "{\"limit\": 1000, \"start_time\": \"{_QueryWindowStartTime}\", \"end_time\": \"{_QueryWindowEndTime}\" }",
"isPostPayloadJson": true
},
"response": {
"format": "json",
"eventsJsonPaths": [
"$.items"
]
},
"paging": {
"pagingType": "NextPageToken",
"nextPageParaName": "cursor",
"nextPageTokenJsonPath": "$.cursor",
"hasNextFlagJsonPath": "$.has_more"
}
}
}
]
},
"packageKind": "Solution",
"packageVersion": "[variables('_solutionVersion')]",
"packageName": "[variables('_solutionName')]",
"contentProductId": "[concat(take(variables('_solutionId'), 50),'-','rdc','-', uniqueString(concat(variables('_solutionId'),'-','ResourcesDataConnector','-',variables('_dataConnectorContentIdConnections1'),'-', variables('dataConnectorCCPVersion'))))]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
"version": "[variables('dataConnectorCCPVersion')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
"apiVersion": "2023-04-01-preview",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]",
"location": "[parameters('location')]",
"properties": {
"version": "1.0.3",
"kind": "Solution",
"contentSchemaVersion": "1.0.0",
"displayName": "SecureHats",
"publisherDisplayName": "SecureHats",
"descriptionHtml": "<p><strong>Note:</strong> <em>There may be <a href=\"https://aka.ms/sentinelsolutionsknownissues\">known issues</a> pertaining to this Solution, please refer to them before installing.</em></p>",
"contentKind": "Solution",
"contentProductId": "[variables('_solutioncontentProductId')]",
"id": "[variables('_solutioncontentProductId')]",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
"kind": "Solution",
"name": "1Password",
"sourceId": "[variables('_solutionId')]"
},
"author": {
"name": "Rogier Dijkman"
},
"support": {
"name": "Rogier Dijkman",
"email": "support@securehats.nl",
"tier": "Partner",
"link": "https://www.securehats.nl"
},
"dependencies": {
"operator": "AND",
"criteria": [
{
"kind": "DataConnector",
"contentId": "[variables('_dataConnectorContentIdConnections1')]",
"version": "[variables('dataConnectorCCPVersion')]"
}
]
},
"firstPublishDate": "2024-03-01",
"providers": [
"SecureHats"
],
"categories": {
"domains": [
"Security - Threat Protection"
]
}
}
}
],
"outputs": {}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment