New 1Password XSIAM Integration

Packs/OnePassword/Integrations/OnePassword/OnePassword.yml

@@ -0,0 +1,109 @@
+category: Analytics & SIEM
+commonfields:
+  id: OnePassword
+  version: -1
+configuration:
+- defaultvalue: https://events.1password.com
+  display: Server URL
+  additionalinfo: The API server URL depends on the domain where the account is hosted. Refer to the integration Help section for more details.
+  name: url
+  required: true
+  type: 0
+  section: Connect
+- displaypassword: API Token
+  additionalinfo: The bearer token used to authenticate with the 1Password Events API. This must include the required features (scopes) that correspond to the event types to be fetched.
+  name: credentials
+  required: true
+  hiddenusername: true
+  type: 9
+  section: Connect
+- display: Trust any certificate (not secure)
+  additionalinfo: Allow connections without verifying the SSL certificate of the server.
+  name: insecure
+  type: 8
+  required: false
+  section: Connect
+  advanced: true
+- display: Use system proxy settings
+  name: proxy
+  type: 8
+  required: false
+  section: Connect
+  advanced: true
+- defaultvalue: Audit events,Item usage actions,Sign in attempts
+  display: Types of events to fetch
+  name: event_types
+  type: 16
+  options:
+  - Audit events
+  - Item usage actions
+  - Sign in attempts
+  required: true
+  section: Collect
+- defaultvalue: 5000
+  additionalinfo: If not specified, API default (100) will be used.
+  display: Maximum number of audit events per fetch
+  name: audit_events_limit
+  type: 0
+  required: false
+  section: Collect
+  advanced: true
+- defaultvalue: 5000
+  additionalinfo: If not specified, API default (100) will be used.
+  display: Maximum number of item usage actions per fetch
+  name: item_usage_actions_limit
+  type: 0
+  required: false
+  section: Collect
+  advanced: true
+- defaultvalue: 5000
+  additionalinfo: If not specified, API default (100) will be used.
+  display: Maximum number of sign-in attempts per fetch
+  name: sign_in_attempts_limit
+  required: false
+  type: 0
+  section: Collect
+  advanced: true
+description: 'Fetch events about actions performed by 1Password users within a specific account, access and modifications to items in shared vaults, and user sign-in attempts.'
+display: 1Password
+name: OnePassword
+script:
+  commands:
+  - arguments:
+    - description: 'The maximum number of events to fetch for the given event type.'
+      name: limit
+      required: false
+      defaultValue: 1000
+    - auto: PREDEFINED
+      defaultValue: 'false'
+      description: Set this argument to True in order to push events to Cortex XSIAM, otherwise the command will only display them.
+      name: should_push_events
+      predefined:
+      - 'True'
+      - 'False'
+      required: true
+    - auto: PREDEFINED
+      description: 1Password event type.
+      name: event_type
+      predefined:
+      - Audit events
+      - Item usage actions
+      - Sign in attempts
+      required: true
+    - default: false
+      description: The date from which to get events. If not specified, events from the last minute will be fetched.
+      name: from_date
+      required: false
+    description: Fetch events from 1Password. This command is intended for development and debugging purposes and should be used with caution as it may create duplicate events.
+    name: one-password-get-events
+  isfetchevents: true
+  runonce: false
+  script: '-'
+  type: python
+  subtype: python3
+  dockerimage: demisto/python3:3.11.10.115186
+marketplaces:
+- marketplacev2
+fromversion: 8.4.0
+tests:
+- No tests (auto formatted)

Packs/OnePassword/Integrations/OnePassword/OnePassword_description.md

@@ -0,0 +1,33 @@
+## 1Password
+
+### How to get the configuration parameters
+
+#### Server URL
+
+The API server URL depends on the region (domain) where the account is hosted and the pricing plan.
+
+| **Domain** | **Plan** | **API Server URL** |
+| --- | --- | --- |
+| 1Password.com | Business | https://events.1password.com |
+| 1Password.com | Enterprise | https://events.ent.1password.com |
+| 1Password.ca | Any | https://events.1password.ca |
+| 1Password.eu | Any | https://events.1password.eu |
+| {sub}.{domain}.com | Any | https://events.{domain}.com |
+
+#### API Token
+
+Every call to the 1Password Events API must be authorized with a bearer token. To issue a new bearer token:
+
+1. Sign in to your 1Password account and click **Integrations** in the sidebar.
+2. Under the **Directory** tab, choose **(•••) Other** and enter a descriptive name for the integration, such as 'Cortex XSIAM'.
+3. Enter a name for the bearer token and choose when it will expire.
+4. Ensure the token has access to the event types:
+   * Audit events (`auditevents` feature)
+   * Item usage actions (`itemusages` feature)
+   * Sign-in attempts (`signinattempts` feature)
+5. Click **Issue Token** to generate a new bearer token.
+6. Save the token in a secure location and use it in configuring this integration instance.
+
+#### Maximum Number of Events per Fetch
+
+It is recommended to configure the integration instance so that the maximum number of fetched events does not exceed **100,000 per minute per event type**. Otherwise, the 1Password Events API may raise rate limit errors (HTTP 429).