1Password

With 1Password you can use the Events API to retrieve information about activity in your 1Password account – like audit events, item usage, and sign-in attempts – and send it to your security information and event management (SIEM) system.

You can send data from your 1Password account to InsightIDR; event collection through the Cloud

To set up 1Password:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure 1Password to send data to InsightIDR.
  3. Configure InsightIDR to collect data from the event source.
  4. Test the configuration.

You can also:

Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with InsightIDR, we recommend that you visit the third-party vendor's product documentation.

Requirements

Before you can use the 1Password Events API, you'll need to:

Configure 1Password to send data to InsightIDR

To allow InsightIDR to receive data from 1Password, you must configure specific permissions and create an integration from within your 1Password account.

  1. Sign in to your 1Password account.
  2. To create a new integration, follow the instructions for Step 1: Set up an Events Reporting integration at: https://support.1password.com/events-reporting/#step-1-set-up-an-events-reporting-integration. Ensure that every endpoint you want InsightIDR to gather data from (sign-in attempts, item usage, and audit events) is selected.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

Task 1: Select 1Password

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for 1Password in the event sources search bar.
    • In the Product Type filter, select Cloud Service.
  3. Select the 1Password event source tile.

Task 2: Set up your collection method

There are two methods of collecting data from 1Password: through a cloud connection or through a collector.

New credentials are required for cloud event sources

You cannot reuse existing on-premise credentials to create a cloud connection with this event source. You must create new credentials.

Use the Cloud Connection method
  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will become the name of the log that contains the event data in Log Search.
  3. Optionally, select the option to send unparsed data.
  4. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Click Add a New Connection.
  7. In the Create a Cloud Connection screen, enter a name for the new connection.
  8. In the URL field, select the region of the 1Password instance from the dropdown menu.
  9. In the Bearer Token field, add a new credential:
  10. Click Save Connection.
  11. Click Save.

Test the configuration

The event types that InsightIDR parses are:

  • Audit events: Information about actions performed by team members within a 1Password account. Events include when an action was performed and by whom, along with details about the type and object of the action and any other information about the activity.
  • Item Usages: Information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when the item was accessed, and the vault where the item is stored.
  • Sign in attempts: Information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure.

To test that event data is flowing into InsightIDR:

  1. From the Data Collection Management page, open the Event Sources tab.
  2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
  3. Wait approximately 7 minutes, then open Log Search.

Next, verify that log entries are appearing in Log Search:

  1. In the Log Search filter panel, search for the event source you named in step 4 of Configure InsightIDR to collect data from the event source. 1Password logs should flow into these log sets:
    • Cloud Service
    • Ingress Authentication
  2. Select the log sets and the logs within them.
  3. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into InsightIDR in the last 10 minutes. The keys and values that are displayed are helpful to know when you want to build a query and search your logs.

Sample logs

In Log Search, the log that is generated uses the name of your event source by default. The log appears under the log sets Cloud Service and Ingress Authentication.

Here is a typical log entry that is created by the event source:

Sample audit event log

```json
{
  "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
  "timestamp": "2023-03-15T16:33:50-03:00",
  "actor_uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V",
  "actor_details": {
    "uuid:": "4HCGRGYCTRQFBMGVEGTABYDU2V",
    "name": "Jeff Shiner",
    "email": "jeff_shiner@agilebits.com"
  },
  "action": "join",
  "object_type": "gm",
  "object_uuid": "pf8soyakgngrphytsyjed4ae3u",
  "aux_id": 9277034,
  "aux_uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY",
  "aux_details": {
    "uuid": "K6VFYDCJKHGGDI7QFAXX65LCDY",
    "name": "Wendy Appleseed",
    "email": "wendy_appleseed@agilebits.com"
  },
  "aux_info": "R",
  "session": {
    "uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
    "login_time": "2023-03-15T16:33:50-03:00",
    "device_uuid": "lc5fqgbrcm4plajd8mwncv2b3u",
    "ip": "192.0.2.254"
  },
  "location": {
    "country": "Canada",
    "region": "Ontario",
    "city": "Toronto",
    "latitude": 43.5991,
    "longitude": -79.4988
  }
}
```

Sample item usage log

```json
{
  "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
  "timestamp": "2023-03-15T16:33:50-03:00",
  "used_version": 0,
  "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM",
  "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ",
  "user": {
    "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V",
    "name": "Wendy Appleseed",
    "email": "wendy_appleseed@agilebits.com"
  },
  "client": {
    "app_name": "1Password Browser",
    "app_version": "20240",
    "platform_name": "Chrome",
    "platform_version": "string",
    "os_name": "MacOSX",
    "os_version": "13.2",
    "ip_address": "192.0.2.254"
  },
  "location": {
    "country": "Canada",
    "region": "Ontario",
    "city": "Toronto",
    "latitude": 43.5991,
    "longitude": -79.4988
  },
  "action": "secure-copy"
}
```

Sample sign in attempts log

```json
{
  "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
  "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
  "timestamp": "2023-03-15T16:32:50-03:00",
  "category": "firewall_failed",
  "type": "continent_blocked",
  "country": "France",
  "details": {
    "value": "Europe"
  },
  "target_user": {
    "uuid": "IR7VJHJ36JHINBFAD7V2T5MP3E",
    "name": "Wendy Appleseed",
    "email": "wendy_appleseed@agilebits.com"
  },
  "client": {
    "app_name": "1Password Browser",
    "app_version": "20240",
    "platform_name": "Chrome",
    "platform_version": "string",
    "os_name": "MacOSX",
    "os_version": "13.2",
    "ip_address": "192.0.2.254"
  },
  "location": {
    "country": "Canada",
    "region": "Ontario",
    "city": "Toronto",
    "latitude": 43.5991,
    "longitude": -79.4988
  }
}
```

Troubleshoot common issues

If you experience issues with the 1Password event source, try the solutions provided in this section.

Data is missing from one or more data sources

To resolve this issue, ensure that the correct permissions are set in 1Password so that data can be pulled from all of the desired event sources.

To set these permissions:

  1. Select the Integrations tab from the menu.
  2. Select the integration that you wish to edit the permissions for, and click the arrow in the bottom right of the integration tile.
  3. Select Add a Token and create a new token with the correct endpoints (sign-in attempts, item usage, and audit events) that you want InsightIDR to pull data from.

To test that this resolution was successful, check the data after the next run has completed to see whether the desired data has now come in. Note that it can take up to 10 minutes for the next run to complete.
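To see which of the three event types are actually arriving, the following added example (not part of the original page and not Rapid7 or 1Password code) classifies raw entries by the fields shown in the sample logs and reports any type that never appears. It assumes one JSON event per line, for example entries copied from the raw log view; the function names and the input lines are constructed for illustration.

```python
import json
from collections import Counter

# Distinguishing keys and field locations, taken from the sample logs on this page.
# type: (required keys, object holding the user, object holding the IP, IP key)
SHAPES = {
    "audit_event": ({"actor_uuid", "object_type", "action"}, "actor_details", "session", "ip"),
    "item_usage": ({"vault_uuid", "item_uuid", "user"}, "user", "client", "ip_address"),
    "sign_in_attempt": ({"session_uuid", "category", "target_user"}, "target_user", "client", "ip_address"),
}

def normalize(event):
    """Map one 1Password event to a common record, or None if its shape is unknown."""
    for name, (required, user_obj, ip_obj, ip_key) in SHAPES.items():
        if required <= set(event):
            return {
                "type": name,
                "timestamp": event.get("timestamp"),
                "user": event.get(user_obj, {}).get("email"),
                "ip": event.get(ip_obj, {}).get(ip_key),
            }
    return None

def coverage(raw_lines):
    """Return (records, counts per type, expected types never seen, rejected line count)."""
    records, rejected = [], 0
    for line in raw_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            event = None  # truncated or non-JSON entry
        record = normalize(event) if isinstance(event, dict) else None
        if record is None:
            rejected += 1
        else:
            records.append(record)
    counts = Counter(r["type"] for r in records)
    return records, dict(counts), sorted(set(SHAPES) - set(counts)), rejected

# Constructed input: trimmed copies of the page's samples, plus one truncated line.
SAMPLE_LINES = [
    '{"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", "timestamp": "2023-03-15T16:33:50-03:00", "actor_uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V", "actor_details": {"email": "jeff_shiner@agilebits.com"}, "action": "join", "object_type": "gm", "session": {"ip": "192.0.2.254"}}',
    '{"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM", "timestamp": "2023-03-15T16:32:50-03:00", "category": "firewall_failed", "type": "continent_blocked", "target_user": {"email": "wendy_appleseed@agilebits.com"}, "client": {"ip_address": "192.0.2.254"}}',
    '{"uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E", "timestamp": "2023-03-',
]

if __name__ == "__main__":
    records, counts, missing, rejected = coverage(SAMPLE_LINES)
    print(counts, "missing:", missing, "rejected:", rejected)
```

A type listed as missing over a period in which that activity is known to have occurred points to a token that was created without that endpoint selected.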