Added doc

Content/Content Packs/1Password.htm

@@ -0,0 +1,115 @@
+<?xml version="1.0" encoding="utf-8"?>
+<html xmlns:MadCap="http://www.madcapsoftware.com/Schemas/MadCap.xsd">
+    <head>
+        <link href="../Resources/TableStyles/Alternate-Row-Color.css" rel="stylesheet" MadCap:stylesheetType="table" /><title>1Password Content Pack</title>
+        <link href="../Resources/Stylesheets/Styles.css" rel="stylesheet" />
+    </head>
+    <body>
+        <MadCap:snippetBlock src="../Resources/Snippets/IlluminateBanner.flsnp" />
+        <p>1Password is a cloud-based password management service that securely stores and manages credentials and other sensitive information for users and teams. This technology pack will process 1Password Events API logs, providing normalization and enrichment of common events such as sign-ins, item usage, and vault access.</p>
+        <p>The 1Password Spotlight comes ready to use with pre-built dashboard views including:</p>
+        <ul>
+            <li>
+                <p>1Password Overview</p>
+            </li>
+            <li>
+                <p>Sign-In Attempts</p>
+            </li>
+            <li>
+                <p>Item Usages</p>
+            </li>
+        </ul>
+        <p>These built-in views can serve as a starting point for creating custom dashboards.</p>
+        <h2 id="supported-versions">Supported Version(s)</h2>
+        <p>This Spotlight supports 1Password API version 1.4.0. </p>
+        <ul>
+        </ul>
+        <h2 id="requirements">Requirements</h2>
+        <ul>
+            <li>
+                <p>Graylog 7.0+ with a valid Enterprise license</p>
+            </li>
+            <li>
+                <p>Sign up for <a href="https://support.1password.com/events-reporting/">1Password Business</a>.</p>
+            </li>
+            <li>
+                <p>Set up an <a href="https://support.1password.com/events-reporting/">Events Reporting integration</a> in your account.</p>
+            </li>
+            <li>
+                <p><a href="https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens">Create a bearer token</a> and select the event features it can access.</p>
+            </li>
+        </ul>
+        <h2 id="stream-configuration">Stream Configuration</h2>
+        <p>This technology pack includes 1 stream:</p>
+        <ul>
+            <li>"Illuminate:1Password Messages"</li>
+        </ul>
+        <p>
+            <section class="infoBox">
+                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.</span>
+                </div>
+            </section>
+        </p>
+        <h2 id="index-set-configuration">Index Set Configuration</h2>
+        <p>This technology pack includes 1 index set definition:</p>
+        <ul>
+            <li>"1Password Logs"</li>
+        </ul>
+        <p>
+            <section class="infoBox">
+                <div class="title"><b>Hint: </b><span style="font-weight: normal;">If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.</span>
+                </div>
+            </section>
+        </p>
+        <h2 id="log-format-example">Log Format Example</h2>
+        <p><code class="linecode">{"host":"1passcarla1","event_source_product":"1password","vendor_subtype":"sign_in_attempts","version":"1.2","message":"{\"uuid\":\"MKJ222LF4VFLVJ2BYI7B6NA67Q\",\"session_uuid\":\"OY224ZWDHJFRFMQJ6MJISDTKBQ\",\"timestamp\":\"2025-08-28T12:54:26.860184645Z\",\"country\":\"US\",\"category\":\"failure\",\"type\":\"credentials_ok\",\"details\":null,\"client\":{\"app_name\":\"1Password for Web\",\"app_version\":\"2070\",\"platform_name\":\"Chrome\",\"platform_version\":\"139.0.7258.155\",\"os_name\":\"Windows\",\"os_version\":\"11.0\",\"ip_address\":\"121.98.168.15\"},\"location\":{\"country\":\"US\",\"region\":\"Georgia\",\"city\":\"Atlanta\",\"latitude\":33.7485,\"longitude\":-84.3871},\"target_user\":{\"uuid\":\"UECFLYAIR5CFVMO36T2TURYOZU\",\"name\":\"Sally Flex\",\"email\":\"[email protected]\",\"type\":\"user\"},\"account_uuid\":\"D4V22OLZ4JDNBAM7V4AVELI7FM\"}"}</code>
+        </p>
+        <h2 id="what-is-provided">What is Provided</h2>
+        <ul>
+            <li>
+                <p>Parsing rules to extract, normalize, and enrich fields 1Password logs into Graylog schema compatible fields</p>
+            </li>
+            <li>
+                <p>A spotlight providing overview dashboards for 1Password events</p>
+            </li>
+        </ul>
+        <h2 id="log-collection">Log Collection</h2>
+        <p>1Password utilizes see [1Password input] documentation the ingest multiple 1Password product type logs in JSON format.</p>
+        <h3 id="gim-categorization">GIM Categorization</h3>
+        <p>GIM categorization is provided for the following messages:</p>
+        <table cellspacing="21" style="width: 100%; mc-table-style: url('../Resources/TableStyles/Alternate-Row-Color.css');" class="TableStyle-Alternate-Row-Color">
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <col class="TableStyle-Alternate-Row-Color-Column-Column1" />
+            <thead>
+                <tr class="TableStyle-Alternate-Row-Color-Head-Header1">
+                    <th class="TableStyle-Alternate-Row-Color-HeadE-Column1-Header1">vendor_subtype</th>
+                    <th class="TableStyle-Alternate-Row-Color-HeadD-Column1-Header1">gim_event_type_code</th>
+                </tr>
+            </thead>
+            <tbody>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body1">
+                    <td class="TableStyle-Alternate-Row-Color-BodyE-Column1-Body1">sign_in_attempts</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyD-Column1-Body1">109999</td>
+                </tr>
+                <tr class="TableStyle-Alternate-Row-Color-Body-Body2">
+                    <td class="TableStyle-Alternate-Row-Color-BodyB-Column1-Body2">audit_events</td>
+                    <td class="TableStyle-Alternate-Row-Color-BodyA-Column1-Body2">229999</td>
+                </tr>
+            </tbody>
+        </table>
+        <h2 id="spotlight-content-pack">1Password Spotlight Content Pack</h2>
+        <p>This spotlight offers a dashboard with 3 tabs:</p>
+        <h3>Overview</h3>
+        <p>
+            <img src="../Resources/Images//home/cg/illuminate-documentation/Content/Resources/Images/1Password/overview.png/overview.png" />
+        </p>
+        <h3>Sign-In Attempts</h3>
+        <p>
+            <img src="../Resources/Images//home/cg/illuminate-documentation/Content/Resources/Images/1Password/signin_attempts.png/signin_attempts.png" />
+        </p>
+        <h3>Item Usages</h3>
+        <p>
+            <img src="../Resources/Images//home/cg/illuminate-documentation/Content/Resources/Images/1Password/item_usages.png/item_usages.png" />
+        </p>
+    </body>
+</html>