Panther fetches 1Password event logs via the 1Password Events API every minute. Panther monitors the following 1Password events:
Sign-in attempts from a user's 1Password account
Items in shared vaults that have been modified, accessed, or used
Audit events from the Activity Log
Panther will ingest 1Password events generated while a device was offline.
There could be a delay of up to one day between when an action causing a OnePassword.ItemUsage event occurs and when the log is ingested into Panther. Panther pulls events as soon as they are available; however, some devices sync to 1Password only once or twice per day.
How to onboard 1Password logs to Panther
To set up 1Password as a log source in Panther, you'll need to generate an access token in your 1Password account, then configure the 1Password log source in Panther.
Step 1: Generate an Access Token in 1Password
Sign in to your 1Password account, then click Integrations in the sidebar.
Click Directory at the top of the page.
Scroll down to the "Events Reporting" section, then click Panther.
Enter a System Name for the integration, then click Add Integration.
Enter a name for the bearer token and choose a token expiration.
Select the event types your token will have access to:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Note: By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human-readable names.
schema: OnePassword.ItemUsage
parser:
  native:
    name: OnePassword.ItemUsage
description: OnePassword Item usage
referenceURL: https://support.1password.com/events-api-reference/#item-usage
fields:
  - name: uuid
    required: true
    description: The UUID of the event.
    type: string
  - name: timestamp
    required: true
    description: The date and time of the event in rfc3339 standard format.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: used_version
    description: The version of the item that was accessed.
    type: bigint
  - name: vault_uuid
    description: The UUID of the vault the item is in.
    type: string
  - name: item_uuid
    description: The UUID of the item that was accessed.
    type: string
  - name: action
    description: Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later.
    type: string
  - name: user
    description: The user object that accessed the item.
    type: object
    fields:
      - name: uuid
        description: The UUID of the user that accessed the item or attempted to sign in to the account.
        type: string
      - name: name
        description: The name of the user, hydrated at the time the event was generated.
        type: string
      - name: email
        description: The email address of the user, hydrated at the time the event was generated.
        type: string
        indicators:
          - email
  - name: client
    description: The client object used to access the item.
    type: object
    fields:
      - name: app_name
        description: The name of the 1Password app the item was accessed from.
        type: string
      - name: app_version
        description: The version number of the app.
        type: string
      - name: platform_name
        description: The name of the platform the item was accessed from.
        type: string
      - name: platform_version
        description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
        type: string
      - name: os_name
        description: The name of the operating system the item was accessed from.
        type: string
      - name: os_version
        description: The version of the operating system the item was accessed from.
        type: string
      - name: ip_address
        description: The IP address the item was accessed from.
        type: string
        indicators:
          - ip
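Because OnePassword.ItemUsage events can reach Panther up to a day after the action, correlation over them should be keyed on the event's own `timestamp` field rather than on arrival order. The following is an added, standalone example (not Panther's or 1Password's code) that counts distinct `item_uuid` values per `user.email` in a sliding window over event time; the window, threshold, helper names and sample events are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed correlation window
THRESHOLD = 3                   # assumed: distinct items per user per window

def parse_ts(value):
    # The schema declares `timestamp` as rfc3339; map a trailing "Z" to an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def bulk_item_access(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user email: peak distinct item count} for users at or over threshold."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]["email"]].append((parse_ts(e["timestamp"]), e["item_uuid"]))
    flagged = {}
    for email, rows in per_user.items():
        rows.sort()  # order by event time, not by arrival order
        start, peak = 0, 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1
            peak = max(peak, len({item for _, item in rows[start:end + 1]}))
        if peak >= threshold:
            flagged[email] = peak
    return flagged

def _event(ts, email, item):
    # Only the schema fields this check reads are populated.
    return {"timestamp": ts, "item_uuid": item, "user": {"email": email}}

# Constructed sample events (not real data), listed in arrival order: the
# 10:00 event arrives last, as it would from a device that synced late.
SAMPLE = [
    _event("2024-05-01T10:03:00Z", "alice@example.com", "item-2"),
    _event("2024-05-01T10:07:00Z", "alice@example.com", "item-3"),
    _event("2024-05-01T09:00:00Z", "bob@example.com", "item-1"),
    _event("2024-05-01T10:08:00Z", "alice@example.com", "item-1"),
    _event("2024-05-01T12:00:00Z", "bob@example.com", "item-2"),
    _event("2024-05-01T10:00:00Z", "alice@example.com", "item-1"),
]

if __name__ == "__main__":
    print(bulk_item_access(SAMPLE))
```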
schema: OnePassword.SignInAttempt
parser:
  native:
    name: OnePassword.SignInAttempt
description: OnePassword SignIn attempts
referenceURL: https://support.1password.com/events-api-reference/#sign-in-attempts
fields:
  - name: uuid
    required: true
    description: The UUID of the event.
    type: string
  - name: session_uuid
    description: The UUID of the session that created the event.
    type: string
  - name: timestamp
    required: true
    description: The date and time of the event in rfc3339 standard format.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: category
    description: The category of the sign-in attempt.
    type: string
  - name: type
    description: The type details of the sign-in attempt.
    type: string
  - name: country
    description: The country code from where the event happened.
    type: string
  - name: details
    description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in.
    type: object
    fields:
      - name: value
        description: The country, continent, or IP address of the sign-in attempt
        type: string
  - name: target_user
    description: The user object attempted sign-in.
    type: object
    fields:
      - name: uuid
        description: The UUID of the user that accessed the item or attempted to sign in to the account.
        type: string
      - name: name
        description: The name of the user, hydrated at the time the event was generated.
        type: string
      - name: email
        description: The email address of the user, hydrated at the time the event was generated.
        type: string
        indicators:
          - email
  - name: client
    description: The client object used for sign-in attempt
    type: object
    fields:
      - name: app_name
        description: The name of the 1Password app the item was accessed from.
        type: string
      - name: app_version
        description: The version number of the app.
        type: string
      - name: platform_name
        description: The name of the platform the item was accessed from.
        type: string
      - name: platform_version
        description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
        type: string
      - name: os_name
        description: The name of the operating system the item was accessed from.
        type: string
      - name: os_version
        description: The version of the operating system the item was accessed from.
        type: string
      - name: ip_address
        description: The IP address the item was accessed from.
        type: string
        indicators:
          - ip
  - name: location
    description: The location of where the event happened.
    type: object
    fields:
      - name: country
        description: The country code of where the event happened.
        type: string
      - name: region
        description: The region code of where the event happened.
        type: string
      - name: city
        description: The city code of where the event happened.
        type: string
      - name: longitude
        description: The longitude of where the event happened.
        type: float
      - name: latitude
        description: The latitude of where the event happened.
        type: float
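One detection these OnePassword.SignInAttempt fields support is a run of failed sign-ins for one `target_user` followed by a success, sketched below as an added, standalone example (not Panther's rule code). The window, failure count, helper names and sample events are assumptions; the `category` values `success` and `credentials_failed` come from the 1Password Events API reference and are not listed on this page.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # assumed look-back window
MIN_FAILURES = 3                # assumed failure count worth alerting on

def parse_ts(value):
    # The schema declares `timestamp` as rfc3339; map a trailing "Z" to an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def failures_then_success(events, window=WINDOW, min_failures=MIN_FAILURES):
    """Return (email, client IP of the success, failure count) per matching success."""
    hits, failures = [], {}  # failures: email -> recent failure times
    for e in sorted(events, key=lambda e: parse_ts(e["timestamp"])):
        email, ts = e["target_user"]["email"], parse_ts(e["timestamp"])
        recent = [t for t in failures.get(email, []) if ts - t <= window]
        if e["category"] == "success":
            if len(recent) >= min_failures:
                hits.append((email, e["client"]["ip_address"], len(recent)))
            failures[email] = []  # a success resets the run
        elif e["category"].endswith("_failed"):
            failures[email] = recent + [ts]
    return hits

def _attempt(ts, email, category, ip):
    # Only the schema fields this check reads are populated.
    return {"timestamp": ts, "category": category,
            "target_user": {"email": email}, "client": {"ip_address": ip}}

# Constructed sample events (not real data); addresses are documentation ranges.
SAMPLE = [
    _attempt("2024-05-01T08:03:00Z", "carol@example.com", "success", "203.0.113.5"),
    _attempt("2024-05-01T08:00:00Z", "carol@example.com", "credentials_failed", "203.0.113.5"),
    _attempt("2024-05-01T08:01:00Z", "carol@example.com", "credentials_failed", "203.0.113.5"),
    _attempt("2024-05-01T08:02:00Z", "carol@example.com", "credentials_failed", "203.0.113.5"),
    _attempt("2024-05-01T08:00:00Z", "dave@example.com", "credentials_failed", "198.51.100.7"),
    _attempt("2024-05-01T08:01:00Z", "dave@example.com", "success", "198.51.100.7"),
    _attempt("2024-05-01T06:00:00Z", "erin@example.com", "credentials_failed", "192.0.2.9"),
    _attempt("2024-05-01T06:01:00Z", "erin@example.com", "credentials_failed", "192.0.2.9"),
    _attempt("2024-05-01T06:02:00Z", "erin@example.com", "credentials_failed", "192.0.2.9"),
    _attempt("2024-05-01T09:00:00Z", "erin@example.com", "success", "192.0.2.9"),
]

if __name__ == "__main__":
    print(failures_then_success(SAMPLE))
```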
schema: OnePassword.AuditEvent
description: OnePassword Audit events
referenceURL: https://developer.1password.com/docs/events-api/audit-events/
fields:
  - name: uuid
    required: true
    description: The UUID of the event.
    type: string
  - name: timestamp
    required: true
    description: The date and time of the event in rfc3339 standard format.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: actor_uuid
    description: ActorUUID field.
    type: string
    indicators:
      - actor_id
  - name: actor_details
    description: The details of the team member that performed the action.
    type: object
    fields:
      - name: uuid
        description: The team member uuid.
        type: string
        indicators:
          - actor_id
      - name: name
        description: The team member name.
        type: string
        indicators:
          - username
      - name: email
        description: The team member email.
        type: string
        indicators:
          - email
  - name: action
    required: true
    description: The action that was performed.
    type: string
  - name: object_type
    required: true
    description: The type of object that was affected by the event.
    type: string
  - name: object_uuid
    description: The UUID of the object that was affected by the event.
    type: string
  - name: object_details
    description: The details of the team member that was affected by the event. This property is only returned for events where the object of the action is a team member.
    type: object
    fields:
      - name: uuid
        description: The team member uuid.
        type: string
        indicators:
          - actor_id
      - name: name
        description: The team member name.
        type: string
        indicators:
          - username
      - name: email
        description: The team member email.
        type: string
        indicators:
          - email
  - name: aux_id
    description: The id of additional information about the activity.
    type: bigint
  - name: aux_uuid
    description: The UUID of additional information about the activity.
    type: string
  - name: aux_details
    description: The details of the team member who relates to the additional information about the activity. This property is only returned for events where the additional information about an activity relates to a team member.
    type: object
    fields:
      - name: uuid
        description: The team member uuid.
        type: string
        indicators:
          - actor_id
      - name: name
        description: The team member name.
        type: string
        indicators:
          - username
      - name: email
        description: The team member email.
        type: string
        indicators:
          - email
  - name: aux_info
    description: The additional information about the activity.
    type: string
  - name: session
    description: The session information gathered about the client.
    type: object
    fields:
      - name: uuid
        description: The UUID of the session that created the event.
        type: string
      - name: login_time
        description: The date and time of the session login.
        type: timestamp
      - name: device_uuid
        description: The UUID of the login device.
        type: string
      - name: ip
        description: The IP address of the login device.
        type: string
        indicators:
          - ip
  - name: location
    description: The location object from where the event happened.
    type: object
    fields:
      - name: country
        description: The country code of where the event happened.
        type: string
      - name: region
        description: The region code of where the event happened.
        type: string
      - name: city
        description: The city code of where the event happened.
        type: string
      - name: longitude
        description: The longitude of where the event happened.
        type: float
      - name: latitude
        description: The latitude of where the event happened.
        type: float