# 1Password Logs

## Overview

Panther fetches 1Password event logs via the [1Password Events API](https://support.1password.com/events-api-reference/) every minute. Panther monitors the following 1Password events:

* Sign-in attempts from a user's 1Password account
* Items in shared vaults that have been modified, accessed, or used
* Audit events from the Activity Log

To set up 1Password as a log source in Panther, you'll need to generate an access token in your 1Password account, then configure the 1Password log source in Panther.

## How to onboard 1Password logs to Panther

### Step 1: Generate an Access Token in 1Password

1. [Sign in](https://start.1password.com/signin) to your 1Password account, then click **Integrations** in the sidebar.
2. Click **Directory** at the top of the page.
3. Scroll down to the "Events Reporting" section, then click **Panther**. \ <img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fg72Wbo05mqFCyI8oWvtl%2FSIEM%20Integrations.png?alt=media&#x26;token=5b8317fe-1d39-4227-a56f-defb4c8d4c60" alt="In the &#x22;Events Reporting&#x22; section in 1Password, there is a tile labeled Panther. In the image, there is a red square around it." data-size="original">
4. Enter a **System Name** for the integration, then click **Add Integration**.
5. Enter a name for the bearer token and choose a token expiration.
6. Select the event types your token will have access to:
   * Sign-in attempts
     * Select this option if you plan to ingest [OnePassword.SignInAttempt](#onepassword.signinattempt) events into Panther.
   * Item usage events
     * Select this option if you plan to ingest [OnePassword.ItemUsage](#onepassword.itemusage) events into Panther.
   * Audit events
     * Select this option if you plan to ingest [OnePassword.AuditEvent](#onepassword.auditevent) events into Panther.
7. Click **Issue Token** to generate the access token key.
   * For additional information on issuing or revoking 1Password bearer tokens, see [1Password's documentation](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens).
8. Click **Save in 1Password** and choose which vault to save your token to.
9. Click **View Integration Details** to view the token.
   * You will need this token in the next steps.

### Step 2: Create a new 1Password log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log** **Sources**.
2. Click **Create New**.
3. Search for “1Password,” then click its tile.
4. In the slide-out panel, click **Start Setup**.
5. On the next screen, enter a name for the source, e.g. `My 1Password logs`.
6. Click **Setup**.
7. On the **Credentials** page, fill in the form:
   * Paste the **access token key** from your 1Password account into the Access Token field.
   * Select the region and plan of your 1Password account.
8. Click **Setup**. You will be directed to a success screen:<br>

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FMTRmOqjJY878NPgsMe1B%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media&#x26;token=7cf48278-6e1f-455a-81aa-2d76388fbfa8" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.<br>

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FyXM7rz58X1m3iNo3w69h%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media&#x26;token=586be93d-b2a0-4c03-aa07-098fbc524000" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

{% hint style="warning" %}
**Note:** By default, 1Password logs do not contain human-readable values for objects such as vaults and login credentials. Please [see our guide about using Lookup Tables](https://docs.panther.com/guides/using-lookup-tables-1password-uuids) to translate 1Password's Universally Unique Identifier (UUID) values into human-readable names.
{% endhint %}

## Panther-Built Detections

See Panther's built-in [rules for 1Password in panther-analysis on GitHub](https://github.com/panther-labs/panther-analysis/tree/master/rules/onepassword_rules).

## Supported log types

{% hint style="info" %}
Required fields in the schemas are listed as **"required: true"** just below the "name" field.
{% endhint %}

### OnePassword.ItemUsage

These are 1Password item usage events. For more information, see the [1Password Events API reference documentation](https://developer.1password.com/docs/events-api/reference/#item-usage).

```yaml
schema: OnePassword.ItemUsage
parser:
    native:
        name: OnePassword.ItemUsage
description: OnePassword Item usage
referenceURL: https://support.1password.com/events-api-reference/#item-usage
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: used_version
      description: The version of the item that was accessed.
      type: bigint
    - name: vault_uuid
      description: The UUID of the vault the item is in.
      type: string
    - name: item_uuid
      description: The UUID of the item that was accessed.
      type: string
    - name: action
      description: Details about how the item was used. Actions are only captured from client apps using 1Password 8.4.0 or later.
      type: string
    - name: user
      description: The user object that accessed the item.
      type: object
      fields:
        - name: uuid
          description: The UUID of the user that accessed the item or attempted to sign in to the account.
          type: string
        - name: name
          description: The name of the user, hydrated at the time the event was generated.
          type: string
        - name: email
          description: The email address of the user, hydrated at the time the event was generated.
          type: string
          indicators:
            - email
    - name: client
      description: The client object used to access the item.
      type: object
      fields:
        - name: app_name
          description: The name of the 1Password app the item was accessed from.
          type: string
        - name: app_version
          description: The version number of the app.
          type: string
        - name: platform_name
          description: The name of the platform the item was accessed from.
          type: string
        - name: platform_version
          description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
          type: string
        - name: os_name
          description: The name of the operating system the item was accessed from.
          type: string
        - name: os_version
          description: The version of the operating system the item was accessed from.
          type: string
        - name: ip_address
          description: The IP address the item was accessed from.
          type: string
          indicators:
            - ip
```

### OnePassword.SignInAttempt

These are 1Password sign-in attempts. For more information, see the [1Password Events API reference documentation](https://developer.1password.com/docs/events-api/reference/#sign-in-attempts).

```yaml
schema: OnePassword.SignInAttempt
parser:
    native:
        name: OnePassword.SignInAttempt
description: OnePassword SignIn attempts
referenceURL: https://support.1password.com/events-api-reference/#sign-in-attempts
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: session_uuid
      description: The UUID of the session that created the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: category
      description: The category of the sign-in attempt.
      type: string
    - name: type
      description: The type details of the sign-in attempt.
      type: string
    - name: country
      description: The country code of where the event happened.
      type: string
    - name: details
      description: Additional information about the sign-in attempt, such as any firewall rules that prevent a user from signing in.
      type: object
      fields:
        - name: value
          description: The country, continent, or IP address of the sign-in attempt
          type: string
    - name: target_user
      description: The user object that attempted to sign in.
      type: object
      fields:
        - name: uuid
          description: The UUID of the user that accessed the item or attempted to sign in to the account.
          type: string
        - name: name
          description: The name of the user, hydrated at the time the event was generated.
          type: string
        - name: email
          description: The email address of the user, hydrated at the time the event was generated.
          type: string
          indicators:
            - email
    - name: client
      description: The client object used for the sign-in attempt.
      type: object
      fields:
        - name: app_name
          description: The name of the 1Password app the sign-in attempt was made from.
          type: string
        - name: app_version
          description: The version number of the app.
          type: string
        - name: platform_name
          description: The name of the platform the sign-in attempt was made from.
          type: string
        - name: platform_version
          description: The version of the browser or computer where 1Password is installed, or the CPU of the machine where the 1Password command-line tool is installed.
          type: string
        - name: os_name
          description: The name of the operating system the sign-in attempt was made from.
          type: string
        - name: os_version
          description: The version of the operating system the sign-in attempt was made from.
          type: string
        - name: ip_address
          description: The IP address the sign-in attempt was made from.
          type: string
          indicators:
            - ip
    - name: location
      description: The location of where the event happened.
      type: object
      fields:
        - name: country
          description: The country code of where the event happened.
          type: string
        - name: region
          description: The region code of where the event happened.
          type: string
        - name: city
          description: The city code of where the event happened.
          type: string
        - name: longitude
          description: The longitude of where the event happened.
          type: float
        - name: latitude
          description: The latitude of where the event happened.
          type: float
```
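As an added example (not one of Panther's own rules from panther-analysis), here is a Panther-style rule over `OnePassword.SignInAttempt` events that alerts on every attempt whose `category` is not a success, ranks firewall blocks highest, and groups repeated failures per target user. It reads fields with plain dict `.get` calls so it runs stand-alone on the constructed sample events at the bottom; the `firewall_failed` and `mfa_failed` category values are assumed from the 1Password Events API and do not appear on this page.

```python
SUCCESS = "success"
# Category values assumed from the 1Password Events API; this page lists none.
FIREWALL_BLOCKED = "firewall_failed"
MFA_FAILED = "mfa_failed"


def rule(event: dict) -> bool:
    """Fire on every sign-in attempt whose category is anything but success."""
    category = event.get("category")
    return bool(category) and category != SUCCESS


def severity(event: dict) -> str:
    """Override the rule's default severity from the failure category."""
    category = event.get("category")
    if category == FIREWALL_BLOCKED:   # blocked by an account firewall rule
        return "HIGH"
    if category == MFA_FAILED:         # password was right, second factor was not
        return "MEDIUM"
    return "LOW"


def title(event: dict) -> str:
    """Alert title built from target_user, client, location and details in the schema."""
    user = event.get("target_user") or {}
    client = event.get("client") or {}
    location = event.get("location") or {}
    matched = (event.get("details") or {}).get("value")  # country/continent/IP a firewall rule hit
    who = user.get("email") or user.get("uuid") or "unknown-user"
    where = f"{client.get('ip_address', 'unknown-ip')} / {location.get('country') or event.get('country') or '??'}"
    suffix = f", firewall rule matched on {matched}" if matched else ""
    return f"1Password sign-in {event.get('category')} [{event.get('type')}] for {who} from {where}{suffix}"


def dedup(event: dict) -> str:
    """Collapse repeated failures against one account into a single alert."""
    return "onepassword-signin-failure:" + ((event.get("target_user") or {}).get("uuid") or "unknown")


# Constructed sample events shaped like OnePassword.SignInAttempt; not real 1Password data.
SAMPLE_SUCCESS = {"uuid": "evt-1", "category": "success", "type": "credentials_ok",
                  "target_user": {"uuid": "u-1", "email": "alice@example.com"}}
SAMPLE_FIREWALL = {"uuid": "evt-2", "category": FIREWALL_BLOCKED, "type": "country_blocked",
                   "country": "XX", "details": {"value": "XX"},
                   "target_user": {"uuid": "u-1", "email": "alice@example.com"},
                   "client": {"app_name": "1Password CLI", "ip_address": "203.0.113.7"},
                   "location": {"country": "XX", "city": "Example"}}
```

In Panther, the same `rule`, `severity`, `title` and `dedup` functions are the entry points the engine calls per event; the rule's log type and default severity live in its accompanying YAML.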

### OnePassword.AuditEvent

These are 1Password audit events from the Activity Log. For more information, see the [1Password Events Reporting audit events documentation](https://developer.1password.com/docs/events-api/audit-events/).

```yaml
schema: OnePassword.AuditEvent
description: OnePassword Audit events
referenceURL: https://developer.1password.com/docs/events-api/audit-events/
fields:
    - name: uuid
      required: true
      description: The UUID of the event.
      type: string
    - name: timestamp
      required: true
      description: The date and time of the event in rfc3339 standard format.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: actor_uuid
      description: The UUID of the actor that performed the action.
      type: string
      indicators:
        - actor_id
    - name: action
      required: true
      description: The action that was performed.
      type: string
    - name: object_type
      required: true
      description: The type of object that was affected by the event.
      type: string
    - name: object_uuid
      description: The UUID of the object that was affected by the event.
      type: string
    - name: aux_id
      description: The id of additional information about the activity.
      type: bigint
    - name: aux_uuid
      description: The UUID of additional information about the activity.
      type: string
    - name: aux_info
      description: The additional information about the activity.
      type: string
    - name: session
      description: The session information gathered about the client.
      type: object
      fields:
        - name: uuid
          description: The UUID of the session that created the event.
          type: string
        - name: login_time
          description: The date and time of the session login.
          type: timestamp
        - name: device_uuid
          description: The UUID of the login device.
          type: string
        - name: ip
          description: The IP address of the login device.
          type: string
          indicators:
            - ip
    - name: location
      description: The location object of where the event happened.
      type: object
      fields:
        - name: country
          description: The country code of where the event happened.
          type: string
        - name: region
          description: The region code of where the event happened.
          type: string
        - name: city
          description: The city code of where the event happened.
          type: string
        - name: longitude
          description: The longitude of where the event happened.
          type: float
        - name: latitude
          description: The latitude of where the event happened.
          type: float
```
