[1password] Add user fields for actor_details, object_details, and aux_details.

[Jin-Dhaliwal]

What does this PR do?

We've added new details fields to the data model that we want to consumed through this integration. An example of the original message would be:

                 {
			"uuid": "2CA5O6WU4VOPE225X64BMDJ6M3",
			"timestamp": "2023-06-30T18:02:23.273264Z",
			"actor_uuid": "PPQYFXGORNDIRHFJ43QNOEKZ6A",
			"actor_details": {
				"uuid": "PPQYFXGORNDIRHFJ43QNOEKZ6A",
				"name": "Insights Test",
				"email": "jin.dhaliwal+insightstest@agilebits.com"
			},
			"action": "trvlaway",
			"object_type": "user",
			"object_uuid": "X3TLF2JNIVDKJAXU67SNSHCFBU",
			"object_details": {
				"uuid": "X3TLF2JNIVDKJAXU67SNSHCFBU",
				"name": "Member 7",
				"email": "jin.dhaliwal+m7@agilebits.com"
			},
			"session": {
				"uuid": "RD4MLUQFIZDW5G6MUFFBIYUUBM",
				"login_time": "2023-06-30T18:01:42.300478Z",
				"device_uuid": "gdbhmdzsecieklx5wmgr7qy6oe",
				"ip": "172.19.0.1"
			}
		}

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.

Author's Checklist

• Integration tests pass
• Integration includes the new details fields in processed event data

How to test this PR locally

Follow the testing steps outlined here: https://developer.1password.com/docs/events-api/reference/#post-apiv1auditevents

1. Get the elastic stack up and running.
2. Follow the integration steps to set up the 1Password integration. (You will need a 1password business account)

• You can create a test account on start.b5dev.com and use Stripe test card 4242424242424242
• You'll need to change the URL in the integration setup to events.b5dev.com

3. On your 1Password account add some members/groups/vaults/items. This will generate events that the integration will capture.
4. Confirm that the audit events dashboard contains those events and the new details fields are present.

Screenshots

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-08-03T05:02:59.463+0000

• Duration: 16 min 44 sec

Test stats 🧪

Test	Results
Failed	0
Passed	22
Skipped	0
Total	22

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

/test

[elasticmachine]

🌐 Coverage report

Name	Metrics % (covered/total)	Diff
Packages	100.0% (3/3)	💚
Files	100.0% (3/3)	💚 2.842
Classes	100.0% (3/3)	💚 2.842
Methods	90.909% (30/33)	👎 -1.208
Lines	88.182% (291/330)	👎 -2.503
Conditionals	100.0% (0/0)	💚

[kcreddy]

Thanks for the contribution!

Could you also update ingest pipeline to add User ECS mapping? For example, you could add user.name field from actor_details.name field.

More examples on User ECS field that you could map: https://www.elastic.co/guide/en/ecs/current/ecs-user-usage.html

[Jin-Dhaliwal]

Anything left on this one? Would like to get this out asap because we've released the new version of the API and customers will want to start ingesting the new fields.

[Jin-Dhaliwal]

@kcreddy is there any other changes needed here or is this ready for merge now?

[kcreddy]

/test

[kcreddy]

/test

[kcreddy]

Hey @Jin-Dhaliwal
Sincere apologies for the delay 🙏🏼 .
Looks like the CI is failing due to README being not updated. Could you please run below command and commit ?

elastic-package build && elastic-package format && elastic-package lint && elastic-package check && elastic-package build

[Jin-Dhaliwal]

@kcreddy done!

[kcreddy]

/test

[kcreddy]

@Jin-Dhaliwal
Thanks for fixing the README. Now the CI is failing on pipeline tests. Looks like after the user ECS fields are added, the pipeline tests are not updated.

Can you run pipeline tests after bringing the stack up?
eval "$(elastic-package stack shellinit)" && elastic-package test pipeline --generate and then commit.

[Jin-Dhaliwal]

@kcreddy thanks for the help. done

[kcreddy]

/test

[kcreddy]

/test

[kcreddy]

@Jin-Dhaliwal can you please fix the merge conflicts? The CI wouldn't run otherwise. Thanks!

[Jin-Dhaliwal]

/test

[Jin-Dhaliwal]

@kcreddy OK conflicts resolved

[kcreddy]

/test

[Jin-Dhaliwal]

How can I fix those failures in CI? I'm not sure what happened. Reading at face value seems like service that the test step needed failed to start?

Is there a way to restart those?

elastic-package test passes locally

[kcreddy]

/test

[kcreddy]

LGTM 👍🏼

[kcreddy]

How can I fix those failures in CI? I'm not sure what happened. Reading at face value seems like service that the test step needed failed to start?
Is there a way to restart those?

Hey, @Jin-Dhaliwal the issue was with the CI system, your changes are good.
Once again thanks so much for the contribution 😄

[elasticmachine]

Package 1password - 1.18.0 containing this change is available at https://epr.elastic.co/search?package=1password