Hello!
I am trying to ingest events from the Events Reporting API into our SIEM (Datadog), which isn't a supported integration yet. My environment is in AWS (which I am an absolute beginner on), and the main problem I'm having is: How do I monitor the 1Password Events API endpoint in AWS, so that I can forward those events to a 3rd party?
My first thought was to create a scheduled lambda that does a REST API call to fetch events and dump them into an S3 bucket. Datadog has a pre-built AWS log forwarder which can trigger on any changes made to an S3 bucket, so that sounds like it will work.
However, after some more searching I discovered the AWS EventBridge feature, which is 90% of what I want to do, except it still can't listen to a 3rd party API endpoint to trigger events. AWS makes it fairly straightforward to become an EventBridge partner app though, which would eliminate most of the duct-tape-and-glue that I would need to deploy to do this. As far as feature requests go, this is a much lighter lift than asking for a full integration with Datadog, and I have already met with a 1Password solutions architect to make my case for this.
There are no other posts specifically about this, so I'm hoping it will spark a conversation and provide a gauge on how much general interest there is for getting 1Password events into AWS.
Cheers!
1Password Version: 8.9.13
Extension Version: 2.5.1
OS Version: Not Provided
Browser: Chrome
Referrer: forum-search:Events API
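The scheduled-Lambda-to-S3 approach described in the post above, as an added example that is not part of the original post and is not 1Password's code. The endpoint URL and the `cursor` / `has_more` / `items` fields are assumptions taken from the public Events API documentation and should be checked against it; the bucket, key names and environment variables are hypothetical placeholders.

```python
import json
import urllib.request

# Assumption (from the public Events API docs, not from this thread): verify before use.
EVENTS_URL = "https://events.1password.com/api/v1/signinattempts"

def fetch_page(token, cursor, limit=100, url=EVENTS_URL):
    """POST one request; with no saved cursor, ask the API to start a new one."""
    body = {"cursor": cursor} if cursor else {"limit": limit}
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def drain(fetch, load_cursor, save_cursor, put_batch, max_pages=50):
    """Pull pages until has_more is false; checkpoint only after a batch is stored."""
    cursor, total = load_cursor(), 0
    for _ in range(max_pages):            # bound the work done per scheduled run
        page = fetch(cursor)
        items = page.get("items", [])
        if items:
            # One JSON object per line so a log forwarder can split the events.
            put_batch("\n".join(json.dumps(i, sort_keys=True) for i in items))
            total += len(items)
        cursor = page["cursor"]
        save_cursor(cursor)               # saved after the write: a crash re-reads, never skips
        if not page.get("has_more"):
            break
    return total

def handler(event, context):
    """Hypothetical Lambda entry point; bucket, keys and env var names are placeholders."""
    import os, time, boto3                # imported here so drain() stays testable offline
    s3, bucket = boto3.client("s3"), os.environ["EVENTS_BUCKET"]
    token = os.environ["OP_EVENTS_TOKEN"]  # better: fetch from a secrets store at runtime
    def load():
        try:
            return s3.get_object(Bucket=bucket, Key="state/cursor")["Body"].read().decode()
        except s3.exceptions.NoSuchKey:
            return None
    save = lambda c: s3.put_object(Bucket=bucket, Key="state/cursor", Body=c.encode())
    # Scope the forwarder's S3 trigger to the events/ prefix so cursor writes are ignored.
    put = lambda b: s3.put_object(Bucket=bucket, Key=f"events/{time.time_ns()}.json", Body=b.encode())
    return drain(lambda c: fetch_page(token, c), load, save, put)
```

Because the cursor is saved only after a batch is written, a failed run can deliver a page twice but cannot drop one, so deduplicate on the event's unique id downstream if that matters.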
Comments
Team Member
Hiya @cybertom
Thanks for posting your current approach and for sharing it with the broader community! I've added you to the existing request for a Datadog integration and created a new request to explore the possibility of becoming an AWS EventBridge SaaS partner. Not able to make any promises on either of those, but we're glad for the requests.
In the meantime, the Events API is documented here (which, of course, you already know, but for the benefit of other readers...) for anyone using a SIEM for which we do not yet have an integration and wants to deploy the duct tape and glue to build their own integration.
Thanks again for starting this discussion, @cybertom, and we've got the requests noted!
Cheers,
Scott
@Scott_1P please log another vote for Datadog SIEM integration from me!
Team Member
Thanks @mattmattmattmatt
Team Member
It's a 1Password Scott Tag Team Extravaganza.
Thanks @mattmattmattmatt for your added request, and thanks @ScottS1P for getting the request logged! :)
+1 for Datadog please