...
Data source | Description | API endpoint | Collector service name | Devo table | Available from release |
---|---|---|---|---|---|
Audit Events | Returns a list of audit events from the Activity Log. |
| |
|
|
Item Usage Actions | Returns a list of account activity events. |
|
|
|
|
Sign-in Attempts | Returns a list of sign-in attempts. |
|
|
|
|
Configuration requirements
To run this collector, there are some configurations detailed below that you need to consider.
...
Configuration
...
Details
...
Cylance APP
...
You need to run a Cylance app.
...
Application ID
...
Once you create the App, it gives you an Application ID.
...
Application Secret
...
Once you create the App, it gives you an Application Secret.
...
Tenant ID
...
You can find it in your Cylance console.
Info |
---|
Refer to the Vendor setup section to know more about these configurations. |
For more information on how the events are parsed, visit our page.
Flattening preprocessing
Data source | Collector service | Optional | Flattening details |
---|---|---|---|
Source | Service |
| Flattening steps |
Vendor setup
Generate a Bearer Token
...
API limits
The Events API limits requests to 600 per minute and up to 30,000 per hour. Exceeding these limits will return an error "429 Too many requests".
The API can access data from the last 120 days. If you need to access data from more than 120 days ago, you can use the Activity Log in your 1Password account.
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Setting | Details |
---|---|
| A token can access data for one or more events, depending on which events were scoped when the token was created. Make sure the bearer token you use has access to the events you want to request. You can verify this from the Events Reporting integration details in the Integrations section of your 1Password account or through a GET request to the introspection endpoint. |
| The |
Accepted authentication methods
Every call to the 1Password Events API must be authorized with a bearer token. You must include your bearer token in the collector configuration.
For example:
Authentication method | Details |
---|---|
| You will need your |
Vendor setup
Before you can use the 1Password Events API, you'll need to:
Set up an Events Reporting integration in your account.
Create a bearer token and select the event features it can access.
To create a bearer token:
Sign in to your account on http://1Password.com and click Integrations in the sidebar.
Choose the Events Reporting integration where you want to issue a token and click “Add Add a token”token.
Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then click Issue Token.
Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
Info |
---|
Additional Information: Get started with 1Password Events Reporting | issue or revoke bearer tokens |
Identify Your 1Password Server
The URL of the server that hosts your 1Password account is required in order to make requests to the 1Password Events API.
If your account is on: | Your Events API URL is: |
| |
| |
|
Info |
---|
Additional Information: Get started with 1Password Events Reporting | Servers |
Minimum configuration required for basic pulling
Although this collector supports advanced configuration, the fields required to retrieve data with basic configuration are defined below.
Info |
---|
This minimum configuration refers exclusively to those specific parameters of this integration. There are more required parameters related to the generic behavior of the collector. Check setting sections for details. |
Setting | Details |
---|---|
| The URL of the server that hosts your 1Password account |
| Access token created in the 1Password console. |
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector).
We use a piece of software called Collector Server to host and manage all our available collectors.
To enable the collector for a customer:
In the Collector Server GUI, access the domain in which you want this instance to be created
Click Add Collector and find the one you wish to add.
In the Version field, select the latest value.
In the Collector Name field, set the value you prefer (this name must be unique inside the same Collector Server domain).
In the sending method select Direct Send. Direct Send configuration is optional for collectors that create
Table
events, but mandatory for those that createLookups
.In the Parameters section, establish the Collector Parameters as follows below:
Editing the JSON configuration
...
Treat your token like a password
The security of your 1Password application is tied to the security of your token. Secure it as you would any sensitive credential. Do not share it with unauthorized individuals or email it to anyone under any circumstances!
Connectivity requirements
The 1Password Events API is a REST-style API that follows the OpenAPI 3.0 Specifications. All communications between clients and servers are over HTTPS.
Run the collector
Once the data source is configured, you can either send us the required information if you want us to host and manage the collector for you (Cloud collector), or deploy and host the collector in your own machine using a Docker image (On-premise collector).
Rw ui tabs macro | |||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
We use a piece of software called Collector Server to host and manage all our available collectors. To enable the collector for a customer:
Editing the JSON configuration
|
Info |
---|
All defined service entities will be executed by the collector. If you do not want to run any of them, just remove the entity from the |
Please replace the placeholders with real world values following the description table below:
...
Parameter
...
Data Type
...
Type
...
Value Range / Format
...
Details
...
id
...
int
...
Mandatory
...
Minimum length: 1
Maximum length: 5
...
Use this param to give an unique id to this input service.
Note |
---|
This parameter is used to build the persistence address, do not use the same value for multiple collectors. It could cause a collision. |
...
enabled
...
bool
...
Mandatory
...
false
/ true
...
If the value is true
, the input definition will be executed. If the value is false
, the service will be ignored.
...
requests_per_second
...
int
...
Optional
...
Minimum value: 1
...
Customize the maximum number of API requests per second. If not used, the default setting will be used: 60
requests/sec.
This parameter should be removed if it is not used.
...
base_url
...
str
...
Mandatory
...
The URL must be one of the servers detailed here.
...
Use this param to define the URL used by the collector to pull data. Replace with your 1password Server URL
...
token
...
str
...
Mandatory
...
Minimum length: 1
...
Access token created in the 1Password console.
...
request_period_in_seconds_value
...
int
...
Optional
...
Minimum length: 1
...
Period in seconds used between each data pulling, this value will overwrite the default value (60 seconds)
This parameter should be removed if it is not used.
...
start_time_override
...
str
...
Optional
...
UTC with format: YYYY-mm-ddTHH:MM:SS
...
This configuration allows you to set a custom date as the beginning of the period to download. This allows downloading historical data before downloading new events.
If this setting is not set, the default value is one hour before the current time.
This parameter should be removed if it is not used.
...
tag_override
...
str
...
Optional
...
See Devo Docs on tagging format and conventions.
https://docs.devo.com/space/latest/95126204/About+Devo+tags
...
This configuration allows you to set a custom tag.
This parameter should be removed if it is not used.
...
limit_override
...
int
...
Optional
...
Minimum length: 1
Maximum length: 1000
...
How many events should be returned in a single request.
If this setting is not set, the default value is 100 events/request.
This parameter should be removed if it is not used.
...
Change log for v1.0.0
...
Release
...
Released on
...
Release type
...
Details
...
Recommendations
...
v1.0.1
...
...
Status | ||||
---|---|---|---|---|
|
...
Release Version
...
Recommended version
...
v1.0.0
...
...
Status | ||||
---|---|---|---|---|
|
...
Release Version
...
Recommended version
Change log for v0.x.x
...
Release
...
Released on
...
Release type
...
Details
...
Recommendations
...
v0.1.2
...
10/03/23
...
Status | ||||
---|---|---|---|---|
|
...
Pre-release version of collector
...
Not ready for general release
...
v0.1.1
...
02/10/23
...
Status | ||||
---|---|---|---|---|
|
...
Pre-release version of collector
...
Not ready for general release
...
v0.1.0
...
02/09/23
...
Status | ||||
---|---|---|---|---|
|
...
Pre-release version of collector
...
Please replace the placeholders with real world values following the description table below:
This data collector can be run in any machine that has the Docker service available because it should be executed as a docker container. The following sections explain how to prepare all the required setup for having the data collector running. StructureThe following directory structure should be created for being used when running the collector:
Devo credentialsIn Devo, go to Administration → Credentials → X.509 Certificates, download the Certificate, Private key and Chain CA and save them in
Editing the config.yaml file
Replace the placeholders with your required values following the description table below:
Download the Docker imageThe collector should be deployed as a Docker container. Download the Docker image of the collector as a .tgz file by clicking the link in the following table:
Use the following command to add the Docker image to the system:
The Docker image can be deployed on the following services: DockerExecute the following command on the root directory
Docker ComposeThe following Docker Compose file can be used to execute the Docker container. It must be created in the
To run the container using docker-compose, execute the following command from the
|
Collector services detail
For all the services
Devo categorization and destination
Please check the section Data Source Description to learn about the target tables for each service.
Restart the persistence
This collector uses persistent storage to download events in an orderly fashion and avoid duplicates. In case you want to re-ingest historical data or recreate the persistence, you can restart the persistence of this collector by following these steps:
Edit the configuration file.
Change the value of the
start_time_value
to a different one.Save the changes.
Restart the collector.
The collector will detect this change and will restart the persistence using the parameters of the configuration file or the default configuration in case it has not been provided.
Troubleshooting
This collector has different security layers that detect both an invalid configuration and abnormal operation. This table will help you detect and resolve the most common errors.
Configuration errors
Error type | Error ID | Error message | Cause | Solution |
---|---|---|---|---|
| 1 | The parameter configuration is missing and it is mandatory | The parameter is missing in the configuration | Check the documentation and update the configuration accordingly |
| 2 | The parameter setting must be a valid instance of < | The parameter type in the configuration is incorrect | Check the documentation and update the configuration accordingly |
| 3 | The parameter setting must not be an empty string | The parameter is present in the configuration but it is empty | Check the documentation and update the configuration accordingly |
| 200 | <Variable_text> | Some errors happened when accessing the persistence | Contact Devo Support |
| 4xx-5xx | The execution of the 1Password request is having an unexpected response | Some errors happened when accessing the 1Password API | Usually, this error gets fixed in the next iteration. If it is a repeating error, please get in touch with Devo Support |
Collector operations
Verify collector operations
This is for the standalone mode only. You can check the information in the following sections to verify the correct collector operation.
Initialization
The initialization module validates the given configuration and runs the setup, the input (pulling logic), and output (delivering logic) services. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Loading configuration using the following files: {"full_config": "config-test-local.yaml", "job_config_loc": null, "collector_config_loc": null}
2023-01-10T15:22:57.146 INFO MainProcess::MainThread -> Using the default location for "job_config_loc" file: "/etc/devo/job/job_config.json"
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> "\etc\devo\job" does not exists
2023-01-10T15:22:57.147 INFO MainProcess::MainThread -> Using the default location for "collector_config_loc" file: "/etc/devo/collector/collector_config.json"
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> "\etc\devo\collector" does not exists
2023-01-10T15:22:57.148 INFO MainProcess::MainThread -> Results of validation of config files parameters: {"config": "C:\git\collectors2\devo-collector-<name>\config\config.yaml", "config_validated": True, "job_config_loc": "/etc/devo/job/job_config.json", "job_config_loc_default": True, "job_config_loc_validated": False, "collector_config_loc": "/etc/devo/collector/collector_config.json", "collector_config_loc_default": True, "collector_config_loc_validated": False}
2023-01-10T15:22:57.171 WARNING MainProcess::MainThread -> [WARNING] Illegal global setting has been ignored -> multiprocessing: False |
Event delivery and Devo ingestion
The event delivery module is in charge of receiving the events from the internal queues where all the events are injected by the pullers and delivering them using the selected compatible delivery method. A successful run has the following output messages for the initializer module:
Code Block |
---|
2023-01-10T15:23:00.788 INFO OutputProcess::MainThread -> DevoSender(standard_senders,devo_sender_0) -> Starting thread
2023-01-10T15:23:00.789 INFO OutputProcess::MainThread -> DevoSenderManagerMonitor(standard_senders,devo_1) -> Starting thread (every 300 seconds)
2023-01-10T15:23:00.790 INFO OutputProcess::MainThread -> DevoSenderManager(standard_senders,manager,devo_1) -> Starting thread
2023-01-10T15:23:00.842 INFO OutputProcess::MainThread -> global_status: {"output_process": {"process_id": 18804, "process_status": "running", "thread_counter": 21, "thread_names": ["MainThread", "pydevd.Writer", "pydevd.Reader", "pydevd.CommandThread", "pydevd.CheckAliveThread", "DevoSender(standard_senders,devo_sender_0)", "DevoSenderManagerMonitor(standard_senders,devo_1)", "DevoSenderManager(standard_senders,manager,devo_1)", "OutputStandardConsumer(standard_senders_consumer_0)", |
Sender services
The Integrations Factory Collector SDK has 3 different sender services depending on the event type to deliver (internal, standard, and lookup). This collector uses the following Sender Services:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. This value helps detect bottlenecks and needs to increase the performance of data delivery to Devo. This last can be made by increasing the concurrent senders. |
Total number of messages sent: 44, messages sent since "2022-06-28 10:39:22.511671+00:00": 21 (elapsed 0.007 seconds) | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
By default, these traces will be shown every 10 minutes. |
Sender statistics
Each service displays its performance statistics that allow checking how many events have been delivered to Devo by type:
Logging trace | Description |
---|---|
Number of available senders: 1 | Displays the number of concurrent senders available for the given Sender Service. |
Sender manager internal queue size: 0 | Displays the items available in the internal sender queue. |
Standard - Total number of messages sent: 57, messages sent since "2023-01-10 16:09:16.116750+00:00": 0 (elapsed 0.000 seconds | Displays the number of events from the last time the collector executed the pull logic. Following the given example, the following conclusions can be obtained:
|
Check memory usage
To check the memory usage of this collector, look for the following log records in the collector which are displayed every 5 minutes by default, always after running the memory-free process.
The used memory is displayed by running processes and the sum of both values will give the total used memory for the collector.
The global pressure of the available memory is displayed in the global value.
All metrics (Global, RSS, VMS) include the value before freeing and after previous -> after freeing memory
Code Block |
---|
INFO InputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(34.50MiB -> 34.08MiB), VMS(410.52MiB -> 410.02MiB)
INFO OutputProcess::MainThread -> [GC] global: 20.4% -> 20.4%, process: RSS(28.41MiB -> 28.41MiB), VMS(705.28MiB -> 705.28MiB) |
Change log
Release | Released on | Release type | Details | Recommendations | ||||||
---|---|---|---|---|---|---|---|---|---|---|
|
|
|
|
| ||||||
|
|
|
|
| ||||||
|
|
|
|
| ||||||
|
|
| Added
Changed
|
|