1Password Logs

Panther supports pulling logs directly from 1Password

Overview

Panther fetches 1Password event logs via the 1Password Events API every one minute. Panther is specifically monitoring the following 1Password events:

Sign-in attempts from a user's 1Password account
Items in shared vaults that have been modified, accessed, or used
Audit events from the Activity Log

To set up 1Password as a log source in Panther, you'll need to generate an access token in your 1Password account, then configure the 1Password log source in Panther.

How to onboard 1Password logs to Panther

Step 1: Generate an Access Token in 1Password

Sign in to your 1Password account, then click Integrations in the sidebar.
Click Directory at the top of the page.
Scroll down to the "Events Reporting" section then click Panther.
Enter a System Name for the integration, then click Add Integration.
Enter a name for the bearer token and choose token expiration.
Select the event types your token will have access to:
- Sign-in attempts
  - Select this option if you plan to ingest OnePassword.SignInAttempt events into Panther.
- Item usage events
  - Select this option if you plan to ingest OnePassword.ItemUsage events into Panther.
- Audit events
  - Select this option if you plan to ingest OnePassword.AuditEvent events into Panther.
Click Issue Token to generate the access token key.
- For additional information on issuing or revoking 1Password bearer tokens, see 1Password's documentation.
Click Save in 1Password and choose which vault to save your token to.
Click View Integration Details to view the token.
- You will need this token in the next steps.

Step 2: Create a new 1Password log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “1Password,” then click its tile.
In the slide-out panel, click Start Setup.
On the next screen, enter a name for the source e.g. My 1Password logs.
Click Setup.
On the Credentials page, fill in the form:
- Paste the access token key from your 1Password account into the Access Token field.
- Select the region and plan of your 1Password account.
Click Setup. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Note: By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Please see our guide about using Lookup Tables to translate 1Password's Universally Unique Identifier (UUID) values into human-readable names.

Panther-Built Detections

See Panther's built in rules for 1Password in panther-analysis in Github.

Supported log types

Required fields in the schemas are listed as "required: true" just below the "name" field.

OnePassword.ItemUsage

These are 1Password item usage events. For more information, see the 1Password Events API reference documentation.

schema: OnePassword.ItemUsage
parser:
    native:
        name: OnePassword.ItemUsage
description: OnePassword Item usage
referenceURL: https://support.1password.com/events-api-reference/#item-usage
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: used_version
      description: The version of the item that was accessed.
      type: bigint
    - name: vault_uuid
      description: The UUID of the vault the item is in.
      type: string
    - name: item_uuid
      description: The UUID of the item that was accessed.
      type: string
    - name: action
      description: Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later.
      type: string
    - name: user
      description: The user object that accessed the item.
      type: object
      fields:
        - name: uuid
          description: The UUID of the user that accessed the item or attempted to sign in to the account.
          type: string
        - name: name
          description: The name of the user, hydrated at the time the event was generated.
          type: string
        - name: email
          description: The email address of the user, hydrated at the time the event was generated.
          type: string
          indicators:
            - email
    - name: client
      description: The client object used to accessed the item.
      type: object
      fields:
        - name: app_name
          description: The name of the 1Password app the item was accessed from.
          type: string
        - name: app_version
          description: The version number of the app.
          type: string
        - name: platform_name
          description: The name of the platform the item was accessed from.
          type: string
        - name: platform_version
          description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
          type: string
        - name: os_name
          description: The name of the operating system the item was accessed from.
          type: string
        - name: os_version
          description: The version of the operating system the item was accessed from.
          type: string
        - name: ip_address
          description: The IP address the item was accessed from.
          type: string
          indicators:
            - ip

OnePassword.SignInAttempt

These are 1Password sign-in attempts. For more information, see the 1Password Events API reference documentation.

schema: OnePassword.SignInAttempt
parser:
    native:
        name: OnePassword.SignInAttempt
description: OnePassword SignIn attempts
referenceURL: https://support.1password.com/events-api-reference/#sign-in-attempts
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: session_uuid
      description: The UUID of the session that created the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: category
      description: The category of the sign-in attempt.
      type: string
    - name: type
      description: The type details of the sign-in attempt.
      type: string
    - name: country
      description: The country code of from where the event happened.
      type: string
    - name: details
      description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in.
      type: object
      fields:
        - name: value
          description: The country, continent, or IP address of the sign-in attempt
          type: string
    - name: target_user
      description: The user object attempted sign-in.
      type: object
      fields:
        - name: uuid
          description: The UUID of the user that accessed the item or attempted to sign in to the account.
          type: string
        - name: name
          description: The name of the user, hydrated at the time the event was generated.
          type: string
        - name: email
          description: The email address of the user, hydrated at the time the event was generated.
          type: string
          indicators:
            - email
    - name: client
      description: The client object used fpr sign-in attempt
      type: object
      fields:
        - name: app_name
          description: The name of the 1Password app the item was accessed from.
          type: string
        - name: app_version
          description: The version number of the app.
          type: string
        - name: platform_name
          description: The name of the platform the item was accessed from.
          type: string
        - name: platform_version
          description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
          type: string
        - name: os_name
          description: The name of the operating system the item was accessed from.
          type: string
        - name: os_version
          description: The version of the operating system the item was accessed from.
          type: string
        - name: ip_address
          description: The IP address the item was accessed from.
          type: string
          indicators:
            - ip
    - name: location
      description: The location of where the event happened.
      type: object
      fields:
        - name: country
          description: The country code of where the event happened.
          type: string
        - name: region
          description: The region code of where the event happened.
          type: string
        - name: city
          description: The city code of where the event happened.
          type: string
        - name: longitude
          description: The longitude of where the event happened.
          type: float
        - name: latitude
          description: The latitude of where the event happened.
          type: float

OnePassword.AuditEvent

These are 1Password audit events from the Activity Log. For more information, see the 1Password Events Reporting audit events documentation.

schema: OnePassword.AuditEvent
description: OnePassword Audit events
referenceURL: https://developer.1password.com/docs/events-api/audit-events/
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: actor_uuid
      description: ActorUUID field.
      type: string
      indicators:
        - actor_id
    - name: action
      required: true
      description: The action that was performed.
      type: string
    - name: object_type
      required: true
      description: The type of object that was affected by the event.
      type: string
    - name: object_uuid
      description: The UUID of the object that was affected by the event.
      type: string
    - name: aux_id
      description: The id of additional information about the activity.
      type: bigint
    - name: aux_uuid
      description: The UUID of additional information about the activity.
      type: string
    - name: aux_info
      description: The additional information about the activity.
      type: string
    - name: session
      description: The session information gathered about the client.
      type: object
      fields:
        - name: uuid
          description: The UUID of the session that created the event.
          type: string
        - name: login_time
          description: The date and time of the session login.
          type: timestamp
        - name: device_uuid
          description: The UUID of the login device.
          type: string
        - name: ip
          description: The IP address of the login device.
          type: string
          indicators:
            - ip
    - name: location
      description: The location object of from where the event happened.
      type: object
      fields:
        - name: country
          description: The country code of where the event happened.
          type: string
        - name: region
          description: The region code of where the event happened.
          type: string
        - name: city
          description: The city code of where the event happened.
          type: string
        - name: longitude
          description: The longitude of where the event happened.
          type: float
        - name: latitude
          description: The latitude of where the event happened.
          type: float

PreviousSupported Logs NextAzure Logs

Last updated 2 years ago

Was this helpful?