# Using Custom Enrichments: 1Password UUIDs

## Overview

By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Instead, each object is referenced by a Universally Unique Identifier (UUID). You can use a custom enrichment in Panther to translate the UUIDs to friendly names. We recommend using the 1Password Command Line Interface (CLI) to export the UUID-to-name mapping, but it is also possible to use the API.

In the following example, we extracted a list of 1Password items and their associated UUIDs via CLI, then created a custom enrichment to translate the UUIDs into their human-readable friendly names.

### **Prerequisites**

* An existing [1Password log source](/data-onboarding/supported-logs/1password.md) with data being ingested to your Panther account
* The command line utility `jq` installed
* The [1Password command-line tool](https://1password.com/downloads/command-line/) installed

## **Obtaining a list of 1Password items with their associated UUIDs**

1. Log in to 1Password via CLI.
2. Use the following command to extract a list of 1Password items, including their associated UUIDs, and save it to a JSON file called *1password\_enrichment.json*:\
   `op item list --format json | jq -c '.[] | {uuid:.id,title:.title,updatedAt:.updated_at}' >> 1password_enrichment.json`

   Or, if you're using the 1Password CLI v1, use the following command:

   * `op list items | jq -c '.[] | {uuid:.uuid,title:.overview.title,updatedAt:.updatedAt}' >> 1password_enrichment.json`

{% hint style="info" %}
Note that you will need to create a schema using this 1password\_enrichment.json in a later step.

For more information on creating a schema, see [Custom Logs](/data-onboarding/custom-log-types.md#how-to-define-a-custom-schema).
{% endhint %}
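
Because the export commands above append with `>>`, re-running them after an item is renamed leaves several lines for the same UUID in the file. The following added example (not part of Panther's or 1Password's tooling) keeps the newest row per `uuid` and reports lines that cannot serve as lookup rows; the sample rows are constructed, and it assumes `updatedAt` is an ISO 8601 UTC string.

```python
import json

# Constructed sample: the export was run twice (an item was renamed in
# between), and two lines are unusable as lookup rows.
SAMPLE_LINES = [
    '{"uuid":"aaaa1111","title":"Old Name","updatedAt":"2023-01-05T10:00:00Z"}',
    '{"uuid":"bbbb2222","title":"Sensitive Password","updatedAt":"2023-02-01T09:30:00Z"}',
    '{"uuid":"aaaa1111","title":"New Name","updatedAt":"2023-03-10T16:45:00Z"}',
    '{"uuid":"cccc3333","title":null,"updatedAt":null}',
    'not json',
]


def dedupe_enrichment(lines):
    """Return (rows, problems) with one row per uuid; newest updatedAt wins."""
    newest, problems = {}, []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            problems.append((lineno, "not valid JSON"))
            continue
        if not isinstance(row, dict) or not row.get("uuid") or not row.get("title"):
            problems.append((lineno, "missing uuid or title"))
            continue
        seen = newest.get(row["uuid"])
        # Assumption: updatedAt is an ISO 8601 UTC string, so string order is
        # time order. On a tie the later line in the file wins.
        if seen is None or (row.get("updatedAt") or "") >= (seen.get("updatedAt") or ""):
            newest[row["uuid"]] = row
    return list(newest.values()), problems


if __name__ == "__main__":
    rows, problems = dedupe_enrichment(SAMPLE_LINES)
    for row in rows:
        print(json.dumps(row, separators=(",", ":")))
    for lineno, reason in problems:
        print(f"line {lineno}: {reason}")
```
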

## **Creating a custom enrichment in Panther**

1. Log in to your Panther Console. In the left-hand navigation, click **Configure > Enrichments**.
2. In the upper right, click **Create New**.
3. Click the **Custom Enrichment** card.
4. On the **Enrichment Basic Information** page, add an **Enrichment Name**, and optionally a description and reference.\
   ![The image shows the Lookup Table Basic Information form. The Lookup Name is set to "1Password Translation."](/files/pe6j0Zi8CK27NquF5jFG)
   * In this example, the name is “1Password Translation” and the Description is “Translates 1Password UUIDs to human readable names.”
   * The Reference field is generally used to store a hyperlink to a related internal resource.
5. Click **Continue**.
6. On the Associated Log Types page, select the Log Type **OnePassword.ItemUsage**. Under Selectors, add `item_uuid`.\
   ![On the Associated Log Types page, the Log Type is set to OnePassword.ItemUsage and the Selectors field is set to item\_uuid.](/files/qOabLtkAEL5hWe7TOMAk)
7. Click **Continue**.
8. On the Table Schema page, add the schema you created based on your 1Password JSON file. For the Primary Key Name, select `uuid`.
   * If you have not created a schema yet, please follow the documentation here to create one before moving on to the next step: [Generating a Schema for a Custom Log Type from Sample Logs](https://docs.runpanther.io/data-onboarding/custom-log-types#generating-a-custom-log-type-from-sample-logs).
9. Click **Continue**.
10. On the Import Data page, click **Select file** then select the OnePasswordItems JSON file.
11. Click **Finish Setup** to go back to the list of enrichments.

Now that you've created a custom enrichment, you can write detections based on the additional context from your enrichment. We will cover writing detections using these new values in the following sections.

## **Writing a detection**

### **Obtaining data for a detection**

1. Log in to your Panther account, and in the left-side navigation, click **Investigate > Data Explorer**.
2. Write a new query to extract the first 10 lines of your OnePassword items: `select * from your_company_logs.public.onepassword_itemusage limit 10`
3. In the "Results" table at the bottom of the page, click **View JSON** next to one of the records.
4. Copy the JSON text to your clipboard.

In the example below, we are writing a detection based on the name given to a specific set of login credentials from a 1Password vault. In this case, the login name in 1Password is labeled “Sensitive Password.”

### **Writing the detection**

1. In the left-side navigation of your Panther account, click **Build > Detections**.
2. In the upper-right corner, click **Create New**.
3. At the top of the page, click **Rule**.
4. In the Log Type field, choose "OnePasswordItems."
5. Under **Test**, click **Add New**. Paste in the JSON text you copied from Data Explorer.
6. Click **Enrich Test Data** and verify that the title is listed as a friendly name under the `p_enrichment` field:\
   ![The image shows a section of the test data, including the p\_enrichment field which contains the title "Sensitive Password."](/files/DquUi6qghH5pjPUv8Puf)
7. In the Python rule logic editor paste in the following:

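   ```python
   from panther_base_helpers import deep_get


   def rule(event):
       # Path: p_enrichment -> enrichment name -> selector -> lookup table column.
       # deep_get returns None when the event was not enriched, so the rule
       # does not match events whose item_uuid is missing from the table.
       return (
           deep_get(event, "p_enrichment", "1Password Translation", "item_uuid", "title")
           == "Sensitive Password"
       )
   ```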

   * If you are using [Simple Detections](/detections.md#simple-detections), in the YAML text editor, paste in the following:

     ```yaml
     Detection:
       - Enrichment:
           Table: 1Password Translation
           Selector: item_uuid
           FieldPath: title
         Condition: Equals
         Value: Sensitive Password
     ```
8. [Run tests](https://docs.runpanther.io/writing-detections/testing) on your new detection. When you are finished testing, click **Save** in the upper right side of the page.
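
The rule above can also be exercised outside the Console. The following added example (not Panther's own code) extends it from one title to a set of titles and adds the optional `title` and `alert_context` functions; the `deep_get` here is a local stand-in for the helper in `panther_base_helpers`, and the events and UUID values are constructed.

```python
def deep_get(dictionary, *keys, default=None):
    """Local stand-in for panther_base_helpers.deep_get (assumed behaviour)."""
    current = dictionary
    for key in keys:
        if not isinstance(current, dict):
            return default
        current = current.get(key)
    return default if current is None else current


ENRICHMENT = "1Password Translation"        # Enrichment Name used on this page
SELECTOR = "item_uuid"                      # Selector used on this page
SENSITIVE_TITLES = {"Sensitive Password"}   # extend with other item names


def item_title(event):
    return deep_get(event, "p_enrichment", ENRICHMENT, SELECTOR, "title")


def rule(event):
    # An un-enriched event yields None, which is never in the set.
    return item_title(event) in SENSITIVE_TITLES


def title(event):
    return f"1Password item '{item_title(event)}' was used"


def alert_context(event):
    return {"item_uuid": event.get("item_uuid"), "item_title": item_title(event)}


def enriched(uuid, name):
    """Build a constructed event shaped like the enriched test data."""
    row = {"uuid": uuid, "title": name, "updatedAt": "2023-02-01T09:30:00Z"}
    return {"item_uuid": uuid, "p_enrichment": {ENRICHMENT: {SELECTOR: row}}}


# Constructed events: a match, a non-match, and an item missing from the table.
HIT = enriched("bbbb2222", "Sensitive Password")
OTHER = enriched("aaaa1111", "New Name")
NOT_ENRICHED = {"item_uuid": "dddd4444"}

if __name__ == "__main__":
    for name, event in [("hit", HIT), ("other", OTHER), ("not enriched", NOT_ENRICHED)]:
        print(name, rule(event))
```

An item whose UUID is absent from the uploaded file never matches, so the lookup data needs to be re-exported and re-imported when sensitive items are added.
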

