1Password Logs

Panther supports pulling logs directly from 1Password

Overview

Panther fetches 1Password event logs by querying the 1Password Events API. Panther ingests the following 1Password event types:
  • Sign-in attempts against a user's 1Password account
  • Items in shared vaults that have been modified, accessed, or used
To onboard 1Password as a log source, you first authorize Panther in 1Password by generating an access token for the Events API, then register 1Password as a log source in the Panther Console using that token.

How to onboard 1Password logs to Panther

Step 1: Generate an Access Token in 1Password

  1. Sign in to your 1Password account, then click Integrations in the sidebar.
  2. Click Directory at the top of the page.
  3. Scroll down to the "Events Reporting" section, then click the Panther tile.
  4. Enter a System Name for the integration, then click Add Integration.
  5. Enter a name for the bearer token and choose a token expiration.
  6. Under the event types the token can access, select the following two: ItemUsage and SignInAttempts.
  7. Click Issue Token to generate the access token.
  8. Click Save in 1Password and choose which vault to save your token to.
  9. Click View Integration Details to view the token.
    • You will need this token in the next steps.

Step 2: Create a new 1Password log source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar, click Configure > Log Sources.
  3. In the upper right corner, click Create New.
  4. Select 1Password from the list of available log sources, then click Start Source Setup.
  5. On the next screen, enter a memorable name for the source, e.g. My 1Password logs.
  6. Click Continue Setup.
  7. On the Set Credentials page, fill in the form:
    • Paste the access token from your 1Password account into the Access Token field.
    • Select the region and plan of your 1Password account.
  8. Click Continue Setup.
  9. You will be directed to a confirmation screen where you can set up a log drop-off alarm.
    • This feature raises an error if no logs are received within a specified time interval.
  10. Click Finish Setup.
Note: By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human-readable names.
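Before pasting the token into Panther, it is worth confirming that it really carries the two event-type scopes from step 6 and that it reaches the right regional endpoint; a token issued without ItemUsage, or pointed at the wrong region, fails silently until the drop-off alarm fires. The pre-flight script below is an added example and is not part of Panther or 1Password. It assumes the public Events API shapes from the reference linked in the schemas below: GET /api/v1/auth/introspect returns the token's granted "features", POST /api/v1/signinattempts takes {"limit", "start_time"} on the first call and {"cursor"} afterwards, and responses carry "items", "cursor" and "has_more". The regional host table is likewise an assumption to check against 1Password's documentation for your plan.

```python
"""Pre-flight check for a 1Password Events API bearer token before it goes into Panther.

Added example code, not Panther's or 1Password's own. Field names and endpoint paths
are assumptions taken from https://support.1password.com/events-api-reference/.
"""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Regional hosts (assumed); pick the one matching the region/plan chosen in Panther.
EVENTS_API_HOSTS = {
    "us": "https://events.1password.com",
    "ca": "https://events.1password.ca",
    "eu": "https://events.1password.eu",
    "enterprise": "https://events.ent.1password.com",
}

# The two event types the Panther integration needs (step 6 of the token setup).
REQUIRED_FEATURES = {"itemusages", "signinattempts"}


def urllib_transport(url, method, headers, body):
    """Default transport: one HTTPS round trip, JSON in and JSON out."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def call_events_api(host, token, path, transport, payload=None):
    """Send one bearer-authenticated request. payload=None means GET, otherwise POST JSON."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    method, body = "GET", None
    if payload is not None:
        method = "POST"
        body = json.dumps(payload).encode("utf-8")
        headers["Content-Type"] = "application/json"
    return transport(f"{host}{path}", method, headers, body)


def missing_features(introspection):
    """Return the required event types the token cannot read (empty set = token is usable)."""
    granted = set(introspection.get("features", []))
    return REQUIRED_FEATURES - granted


def fetch_sign_in_attempts(host, token, transport, start_time, limit=100, max_pages=50):
    """Walk the cursor-paginated sign-in attempt feed from start_time; return all items."""
    items = []
    payload = {"limit": limit, "start_time": start_time.isoformat()}
    for _ in range(max_pages):
        page = call_events_api(host, token, "/api/v1/signinattempts", transport, payload)
        items.extend(page.get("items", []))
        if not page.get("has_more"):
            break
        payload = {"cursor": page["cursor"]}  # later pages are addressed by cursor only
    return items


def preflight(region, token, transport=urllib_transport, lookback_hours=24):
    """Introspect the token, refuse it if a scope is missing, then pull recent sign-ins."""
    host = EVENTS_API_HOSTS[region]
    info = call_events_api(host, token, "/api/v1/auth/introspect", transport)
    lacking = missing_features(info)
    if lacking:
        raise PermissionError(f"token lacks required event types: {sorted(lacking)}")
    since = datetime.now(timezone.utc) - timedelta(hours=lookback_hours)
    return fetch_sign_in_attempts(host, token, transport, since)


if __name__ == "__main__":
    import os
    events = preflight(os.environ.get("OP_REGION", "us"), os.environ["OP_EVENTS_TOKEN"])
    print(f"token OK; {len(events)} sign-in attempts in the last 24h")
    for ev in events[:5]:
        print(ev.get("timestamp"), ev.get("category"), ev.get("target_user", {}).get("email"))
```

Run it with the token in the OP_EVENTS_TOKEN environment variable rather than on the command line, so it does not land in shell history; a PermissionError here means the token should be revoked and re-issued with both event types selected rather than pasted into Panther.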

Panther-Built Detections

Supported log types

Required fields in the schemas are listed as "required: true" just below the "name" field.

OnePassword.ItemUsage

OnePassword item usage.
schema: OnePassword.ItemUsage
parser:
  native:
    name: OnePassword.ItemUsage
description: OnePassword Item usage
referenceURL: https://support.1password.com/events-api-reference/#item-usage
fields:
  - name: uuid
    required: true
    description: The uuid of the event.
    type: string
  - name: timestamp
    required: true
    description: The date and time of the event in RFC 3339 format.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: used_version
    description: The version of the item that was accessed.
    type: bigint
  - name: vault_uuid
    description: The uuid of the vault the item is in.
    type: string
  - name: item_uuid
    description: The uuid of the item that was accessed.
    type: string
  - name: action
    description: Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later.
    type: string
  - name: user
    description: The user object that accessed the item.
    type: object
    fields:
      - name: uuid
        description: The uuid of the user that accessed the item.
        type: string
      - name: name
        description: The name of the user, hydrated at the time the event was generated.
        type: string
      - name: email
        description: The email address of the user, hydrated at the time the event was generated.
        type: string
        indicators:
          - email
  - name: client
    description: The client object used to access the item.
    type: object
    fields:
      - name: app_name
        description: The name of the 1Password app the item was accessed from.
        type: string
      - name: app_version
        description: The version number of the app.
        type: string
      - name: platform_name
        description: The name of the platform the item was accessed from.
        type: string
      - name: platform_version
        description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
        type: string
      - name: os_name
        description: The name of the operating system the item was accessed from.
        type: string
      - name: os_version
        description: The version of the operating system the item was accessed from.
        type: string
      - name: ip_address
        description: The IP address the item was accessed from.
        type: string
        indicators:
          - ip

OnePassword.SignInAttempt

OnePassword sign-in attempts.
schema: OnePassword.SignInAttempt
parser:
  native:
    name: OnePassword.SignInAttempt
description: OnePassword SignIn attempts
referenceURL: https://support.1password.com/events-api-reference/#sign-in-attempts
fields:
  - name: uuid
    required: true
    description: The uuid of the event.
    type: string
  - name: session_uuid
    description: The uuid of the session that created the event.
    type: string
  - name: timestamp
    required: true
    description: The date and time of the event in RFC 3339 format.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: category
    description: The category of the sign-in attempt (its outcome, e.g. success or a failure class).
    type: string
  - name: type
    description: The type details of the sign-in attempt.
    type: string
  - name: country
    description: The country code from which the event originated.
    type: string
  - name: details
    description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in.
    type: object
    fields:
      - name: value
        description: The country, continent, or IP address of the sign-in attempt.
        type: string
  - name: target_user
    description: The user object whose account the sign-in was attempted against.
    type: object
    fields:
      - name: uuid
        description: The uuid of the user that attempted to sign in to the account.
        type: string
      - name: name
        description: The name of the user, hydrated at the time the event was generated.
        type: string
      - name: email
        description: The email address of the user, hydrated at the time the event was generated.
        type: string
        indicators:
          - email
  - name: client
    description: The client object used for the sign-in attempt.
    type: object
    fields:
      - name: app_name
        description: The name of the 1Password app the sign-in was attempted from.
        type: string
      - name: app_version
        description: The version number of the app.
        type: string
      - name: platform_name
        description: The name of the platform the sign-in was attempted from.
        type: string
      - name: platform_version
        description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
        type: string
      - name: os_name
        description: The name of the operating system the sign-in was attempted from.
        type: string
      - name: os_version
        description: The version of the operating system the sign-in was attempted from.
        type: string
      - name: ip_address
        description: The IP address the sign-in was attempted from.
        type: string
        indicators:
          - ip
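The two schemas above are what a Panther rule sees, so the following shows what a detection over each looks like in practice: one rule on OnePassword.SignInAttempt that fires on any attempt 1Password did not classify as a success, and one on OnePassword.ItemUsage that fires when a sensitive shared-vault item is used from a client app outside an approved set, translating the raw item UUID to a name the way the Lookup Table note above recommends. This is added example code, not one of Panther's built-in 1Password detections. In Panther each rule would be its own file exposing rule(event) and title(event) and event would be Panther's event object with deep_get; plain dicts and a local deep_get are used here so the file runs stand-alone. The item UUIDs, item names, approved app names and sample events are constructed for illustration.

```python
"""Two example Panther-style rules over OnePassword.SignInAttempt and OnePassword.ItemUsage.

Added example code, not Panther's own detections. All UUIDs, names and sample events
below are constructed; the category/action values mirror the Events API reference.
"""


def deep_get(obj, *path, default=None):
    """Nested dict lookup; stands in for Panther's deep_get helper."""
    for key in path:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


# --- Rule 1 (OnePassword.SignInAttempt): anything other than a successful sign-in ---
# `category` carries the outcome; "success" is the normal case, other values
# (credentials_failed, mfa_failed, firewall_failed, ...) are failed or blocked attempts.
def failed_sign_in_rule(event):
    return event.get("category") not in (None, "success")


def failed_sign_in_title(event):
    return (
        f"1Password sign-in failed for {deep_get(event, 'target_user', 'email', default='<unknown>')}: "
        f"category={event.get('category')} type={event.get('type')} "
        f"from {deep_get(event, 'client', 'ip_address', default='?')} ({event.get('country')})"
    )


# --- Rule 2 (OnePassword.ItemUsage): sensitive item used from an unapproved client ---
# Constructed UUID -> name mapping, standing in for a Panther Lookup Table so the alert
# names the item instead of showing the opaque item_uuid the log carries.
ITEM_NAMES = {
    "item-uuid-prod-db": "Production DB root password",
    "item-uuid-aws-root": "AWS root account",
}
SENSITIVE_ITEM_UUIDS = set(ITEM_NAMES)
# Assumed approved clients; the CLI is deliberately absent so scripted access stands out.
APPROVED_APP_NAMES = {"1Password for Mac", "1Password for Windows", "1Password Browser Extension"}


def sensitive_item_usage_rule(event):
    if event.get("item_uuid") not in SENSITIVE_ITEM_UUIDS:
        return False
    app = deep_get(event, "client", "app_name", default="")
    return app not in APPROVED_APP_NAMES


def sensitive_item_usage_title(event):
    name = ITEM_NAMES.get(event.get("item_uuid"), event.get("item_uuid"))
    return (
        f"Sensitive 1Password item '{name}' used by "
        f"{deep_get(event, 'user', 'email', default='<unknown>')} via "
        f"{deep_get(event, 'client', 'app_name', default='<unknown client>')} "
        f"from {deep_get(event, 'client', 'ip_address', default='?')}"
    )


RULES = {
    "OnePassword.SignInAttempt": (failed_sign_in_rule, failed_sign_in_title),
    "OnePassword.ItemUsage": (sensitive_item_usage_rule, sensitive_item_usage_title),
}


def run_rules(log_type, events):
    """Apply the rule registered for one log type to a batch of events; return alert titles."""
    rule, title = RULES[log_type]
    return [title(e) for e in events if rule(e)]


# Constructed sample events shaped like the two schemas above.
SAMPLE_SIGN_INS = [
    {"uuid": "evt-1", "timestamp": "2024-01-15T09:00:00Z", "category": "success",
     "type": "credentials_ok", "country": "US",
     "target_user": {"uuid": "u1", "email": "alice@example.com"},
     "client": {"app_name": "1Password for Mac", "ip_address": "203.0.113.10"}},
    {"uuid": "evt-2", "timestamp": "2024-01-15T09:01:00Z", "category": "credentials_failed",
     "type": "password_secret_bad", "country": "RU",
     "target_user": {"uuid": "u1", "email": "alice@example.com"},
     "client": {"app_name": "1Password Browser Extension", "ip_address": "198.51.100.7"}},
]
SAMPLE_ITEM_USAGES = [
    {"uuid": "evt-3", "item_uuid": "item-uuid-prod-db", "vault_uuid": "vault-ops", "action": "fill",
     "user": {"uuid": "u1", "email": "alice@example.com"},
     "client": {"app_name": "1Password for Mac", "ip_address": "203.0.113.10"}},
    {"uuid": "evt-4", "item_uuid": "item-uuid-aws-root", "vault_uuid": "vault-ops", "action": "secure-copy",
     "user": {"uuid": "u2", "email": "bob@example.com"},
     "client": {"app_name": "1Password CLI", "ip_address": "192.0.2.44"}},
    {"uuid": "evt-5", "item_uuid": "item-uuid-wifi", "vault_uuid": "vault-shared", "action": "fill",
     "user": {"uuid": "u2", "email": "bob@example.com"},
     "client": {"app_name": "1Password CLI", "ip_address": "192.0.2.44"}},
]

if __name__ == "__main__":
    for log_type, batch in (("OnePassword.SignInAttempt", SAMPLE_SIGN_INS),
                            ("OnePassword.ItemUsage", SAMPLE_ITEM_USAGES)):
        for alert in run_rules(log_type, batch):
            print(f"[{log_type}] {alert}")
```

Note that `action` is empty for clients older than 1Password 8.4.0, so a rule keyed on specific actions (export, share, reveal) would miss those clients entirely; keying on item and client app as above fires regardless of client version.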