1Password Logs
Panther supports pulling logs directly from 1Password
Overview
Panther fetches 1Password event logs via the 1Password Events API every one minute. Panther is specifically monitoring the following 1Password events:
Sign-in attempts from a user's 1Password account
Items in shared vaults that have been modified, accessed, or used
Audit events from the Activity Log
Panther will ingest 1Password events generated while a device was offline.
How to onboard 1Password logs to Panther
To set up 1Password as a log source in Panther, you'll need to generate an access token in your 1Password account, then configure the 1Password log source in Panther.
Step 1: Generate an Access Token in 1Password
Sign in to your 1Password account, then click Integrations in the sidebar.
Click Directory at the top of the page.
Scroll down to the "Events Reporting" section then click Panther.
Enter a System Name for the integration, then click Add Integration.
Enter a name for the bearer token and choose token expiration.
Select the event types your token will have access to:
Sign-in attempts
Select this option if you plan to ingest OnePassword.SignInAttempt events into Panther.
Item usage events
Select this option if you plan to ingest OnePassword.ItemUsage events into Panther.
Audit events
Select this option if you plan to ingest OnePassword.AuditEvent events into Panther.
Click Issue Token to generate the access token key.
For additional information on issuing or revoking 1Password bearer tokens, see 1Password's documentation.
Click Save in 1Password and choose which vault to save your token to.
Click View Integration Details to view the token.
You will need this token in the next steps.
Step 2: Create a new 1Password log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “1Password,” then click its tile.
In the slide-out panel, click Start Setup.
On the next screen, enter a name for the source e.g.
My 1Password logs.Click Setup.
On the Credentials page, fill in the form:
Paste the access token key from your 1Password account into the Access Token field.
Select the region and plan of your 1Password account.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Note: By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human-readable names.
Panther-Built Detections
See Panther's built in rules for 1Password in panther-analysis in Github.
Supported log types
OnePassword.ItemUsage
These are 1Password item usage events. For more information, see the 1Password Events API reference documentation.
schema: OnePassword.ItemUsage
parser:
native:
name: OnePassword.ItemUsage
description: OnePassword Item usage
referenceURL: https://support.1password.com/events-api-reference/#item-usage
fields:
- name: uuid
required: true
description: The UUID of the event.
type: string
- name: timestamp
required: true
description: The date and time of the event in rfc3339 standard format.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: used_version
description: The version of the item that was accessed.
type: bigint
- name: vault_uuid
description: The UUID of the vault the item is in.
type: string
- name: item_uuid
description: The UUID of the item that was accessed.
type: string
- name: action
description: Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later.
type: string
- name: user
description: The user object that accessed the item.
type: object
fields:
- name: uuid
description: The UUID of the user that accessed the item or attempted to sign in to the account.
type: string
- name: name
description: The name of the user, hydrated at the time the event was generated.
type: string
- name: email
description: The email address of the user, hydrated at the time the event was generated.
type: string
indicators:
- email
- name: client
description: The client object used to accessed the item.
type: object
fields:
- name: app_name
description: The name of the 1Password app the item was accessed from.
type: string
- name: app_version
description: The version number of the app.
type: string
- name: platform_name
description: The name of the platform the item was accessed from.
type: string
- name: platform_version
description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
type: string
- name: os_name
description: The name of the operating system the item was accessed from.
type: string
- name: os_version
description: The version of the operating system the item was accessed from.
type: string
- name: ip_address
description: The IP address the item was accessed from.
type: string
indicators:
- ipOnePassword.SignInAttempt
These are 1Password sign-in attempts. For more information, see the 1Password Events API reference documentation.
schema: OnePassword.SignInAttempt
parser:
native:
name: OnePassword.SignInAttempt
description: OnePassword SignIn attempts
referenceURL: https://support.1password.com/events-api-reference/#sign-in-attempts
fields:
- name: uuid
required: true
description: The UUID of the event.
type: string
- name: session_uuid
description: The UUID of the session that created the event.
type: string
- name: timestamp
required: true
description: The date and time of the event in rfc3339 standard format.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: category
description: The category of the sign-in attempt.
type: string
- name: type
description: The type details of the sign-in attempt.
type: string
- name: country
description: The country code of from where the event happened.
type: string
- name: details
description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in.
type: object
fields:
- name: value
description: The country, continent, or IP address of the sign-in attempt
type: string
- name: target_user
description: The user object attempted sign-in.
type: object
fields:
- name: uuid
description: The UUID of the user that accessed the item or attempted to sign in to the account.
type: string
- name: name
description: The name of the user, hydrated at the time the event was generated.
type: string
- name: email
description: The email address of the user, hydrated at the time the event was generated.
type: string
indicators:
- email
- name: client
description: The client object used fpr sign-in attempt
type: object
fields:
- name: app_name
description: The name of the 1Password app the item was accessed from.
type: string
- name: app_version
description: The version number of the app.
type: string
- name: platform_name
description: The name of the platform the item was accessed from.
type: string
- name: platform_version
description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
type: string
- name: os_name
description: The name of the operating system the item was accessed from.
type: string
- name: os_version
description: The version of the operating system the item was accessed from.
type: string
- name: ip_address
description: The IP address the item was accessed from.
type: string
indicators:
- ip
- name: location
description: The location of where the event happened.
type: object
fields:
- name: country
description: The country code of where the event happened.
type: string
- name: region
description: The region code of where the event happened.
type: string
- name: city
description: The city code of where the event happened.
type: string
- name: longitude
description: The longitude of where the event happened.
type: float
- name: latitude
description: The latitude of where the event happened.
type: floatOnePassword.AuditEvent
These are 1Password audit events from the Activity Log. For more information, see the 1Password Events Reporting audit events documentation.
schema: OnePassword.AuditEvent
description: OnePassword Audit events
referenceURL: https://developer.1password.com/docs/events-api/audit-events/
fields:
- name: uuid
required: true
description: The UUID of the event.
type: string
- name: timestamp
required: true
description: The date and time of the event in rfc3339 standard format.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: actor_uuid
description: ActorUUID field.
type: string
indicators:
- actor_id
- name: actor_details
description: The details of the team member that performed the action.
type: object
fields:
- name: uuid
description: The team member uuid.
type: string
indicators:
- actor_id
- name: name
description: The team member name.
type: string
indicators:
- username
- name: email
description: The team member email.
type: string
indicators:
- email
- name: action
required: true
description: The action that was performed.
type: string
- name: object_type
required: true
description: The type of object that was affected by the event.
type: string
- name: object_uuid
description: The UUID of the object that was affected by the event.
type: string
- name: object_details
description: The details of the team member that was affected by the event. This property is only returned for events where the object of the action is a team member.
type: object
fields:
- name: uuid
description: The team member uuid.
type: string
indicators:
- actor_id
- name: name
description: The team member name.
type: string
indicators:
- username
- name: email
description: The team member email.
type: string
indicators:
- email
- name: aux_id
description: The id of additional information about the activity.
type: bigint
- name: aux_uuid
description: The UUID of additional information about the activity.
type: string
- name: aux_details
description: The details of the team member who relates to the additional information about the activity. This property is only returned for events where the additional information about an activity relates to a team member.
type: object
fields:
- name: uuid
description: The team member uuid.
type: string
indicators:
- actor_id
- name: name
description: The team member name.
type: string
indicators:
- username
- name: email
description: The team member email.
type: string
indicators:
- email
- name: aux_info
description: The additional information about the activity.
type: string
- name: session
description: The session information gathered about the client.
type: object
fields:
- name: uuid
description: The UUID of the session that created the event.
type: string
- name: login_time
description: The date and time of the session login.
type: timestamp
- name: device_uuid
description: The UUID of the login device.
type: string
- name: ip
description: The IP address of the login device.
type: string
indicators:
- ip
- name: location
description: The location object of from where the event happened.
type: object
fields:
- name: country
description: The country code of where the event happened.
type: string
- name: region
description: The region code of where the event happened.
type: string
- name: city
description: The city code of where the event happened.
type: string
- name: longitude
description: The longitude of where the event happened.
type: float
- name: latitude
description: The latitude of where the event happened.
type: floatLast updated
Was this helpful?