1Password

1Password is a secure and convenient password manager for documents, credit card information, and addresses. The Sumo Logic App for 1Password helps you monitor your 1Password account’s sign-in and item usage events. The dashboards provide insight into failed and successful authentications, breakdowns of events by client application, type, category, and user, the geo-location of events, outliers, and threat analysis of sign-in events. This app helps you secure 1Password vault access by providing insights into user actions and threat intel analysis on clients accessing items in shared vaults.

Log Types 

The 1Password App uses the following logs:

Sample Log Message

Sign-in attempt Event:

{
  "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
  "session_uuid": "A5K6COGVRVEJXJW3XQZGS7VAMM",
  "timestamp": "2021-03-01T16:32:50-03:00",
  "category": "firewall_failed",
  "type": "continent_blocked",
  "country": "France",
  "details": {
    "value": "Europe"
  },
  "target_user": {
    "uuid": "IR7VJHJ36JHINBFAD7V2T5MP3E",
    "name": "Wendy Appleseed",
    "email": "wendy_appleseed@agilebits.com"
  },
  "client": {
    "app_name": "1Password Extension",
    "app_version": "20127",
    "platform_name": "Chrome",
    "platform_version": "string",
    "os_name": "MacOSX",
    "os_version": "10.15.6",
    "ip": "13.227.95.22"
  }
}

Item Usage Event:

{
  "uuid": "56YE2TYN2VFYRLNSHKPW5NVT5E",
  "timestamp": "2020-06-11T16:32:50-03:00",
  "used_version": 0,
  "vault_uuid": "VZSYVT2LGHTBWBQGUJAIZVRABM",
  "item_uuid": "SDGD3I4AJYO6RMHRK8DYVNFIDZ",
  "user": {
    "uuid": "4HCGRGYCTRQFBMGVEGTABYDU2V",
    "name": "Wendy Appleseed",
    "email": "wendy_appleseed@agilebits.com"
  },
  "client": {
    "app_name": "1Password Extension",
    "app_version": "20127",
    "platform_name": "Chrome",
    "platform_version": "string",
    "os_name": "MacOSX",
    "os_version": "10.15.6",
    "ip": "13.227.95.22"
  },
  "action": "secure-copy"
}

Query sample 

Successful Sign-in:

_sourceCategory="1pw"
| json "type", "category", "timestamp",  "details", "target_user.name", "target_user.email", "client.app_name", "client.app_version", "client.platform_name", "client.os_name", "client.os_version", "client.ip_address", "location.country", "location.region", "location.city" as type, category, timestamp, details, target_user_name, target_user_email, client_app_name, client_app_version, client_platform, client_os, client_os_version, client_ip, country, region, city
| where category matches  "{{category}}" AND type matches  "{{type}}" AND country matches  "{{country}}" AND city matches  "{{city}}" AND target_user_name matches  "{{target_user_name}}" AND client_app_name matches  "{{client_app_name}}" AND client_platform matches  "{{client_platform}}" AND client_os matches  "{{client_os}}"
| where category matches "*succ*"
| count by timestamp, target_user_name, type, category, details,client_app_name, client_app_version, client_platform, client_os, client_os_version, client_ip, country, region, city

Failed Sign-in:

_sourceCategory="1pw"
| json "type", "category", "timestamp",  "details", "target_user.name", "target_user.email", "client.app_name", "client.app_version", "client.platform_name", "client.os_name", "client.os_version", "client.ip_address", "location.country", "location.region", "location.city" as type, category, timestamp, details, target_user_name, target_user_email, client_app_name, client_app_version, client_platform, client_os, client_os_version, client_ip, country, region, city
| where category matches  "{{category}}" AND type matches  "{{type}}" AND country matches  "{{country}}" AND city matches  "{{city}}" AND target_user_name matches  "{{target_user_name}}" AND client_app_name matches  "{{client_app_name}}" AND client_platform matches  "{{client_platform}}" AND client_os matches  "{{client_os}}"
| where !(category matches "*succ*")
| count by timestamp, target_user_name, type, category, details,client_app_name, client_app_version, client_platform, client_os, client_os_version, client_ip, country, region, city
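An added example, not part of the Sumo Logic app: Python that applies the same success/failure split as the two sign-in queries to constructed events, accepting both the field layout of the sample log above (`client.ip`, top-level `country`) and the layout the queries extract (`client.ip_address`, `location.country`). The function names and the sample events are assumptions made for illustration.

```python
import fnmatch
import json
from collections import Counter

# Constructed sample events (not real data). The first uses the field layout of
# the sample log on this page ("client.ip", top-level "country"); the others use
# the layout the queries extract ("client.ip_address", "location.country").
SAMPLE_EVENTS = """
{"timestamp":"2021-03-01T16:32:50-03:00","category":"firewall_failed","type":"continent_blocked","country":"France","target_user":{"name":"Wendy Appleseed"},"client":{"app_name":"1Password Extension","ip":"13.227.95.22"}}
{"timestamp":"2021-03-01T16:33:10-03:00","category":"credentials_failed","type":"password_secret_bad","target_user":{"name":"Wendy Appleseed"},"client":{"app_name":"1Password Extension","ip_address":"13.227.95.22"},"location":{"country":"France"}}
{"timestamp":"2021-03-01T16:35:02-03:00","category":"success","type":"credentials_ok","target_user":{"name":"Wendy Appleseed"},"client":{"app_name":"1Password Extension","ip_address":"203.0.113.7"},"location":{"country":"Canada"}}
"""


def normalize(event):
    """Flatten one sign-in event to the field names the queries use."""
    client = event.get("client", {})
    location = event.get("location", {})
    return {
        "timestamp": event.get("timestamp"),
        "category": event.get("category", ""),
        "type": event.get("type", ""),
        "target_user_name": event.get("target_user", {}).get("name"),
        # Fall back to the older key names so neither layout yields an empty field.
        "client_ip": client.get("ip_address") or client.get("ip"),
        "country": location.get("country") or event.get("country"),
    }


def is_successful(row):
    # Mirrors the wildcard test `category matches "*succ*"` in the query.
    return fnmatch.fnmatchcase(row["category"], "*succ*")


def failed_by_user_and_ip(lines):
    """Count failed sign-ins per (user, client IP, category)."""
    counts = Counter()
    for line in lines.splitlines():
        if not line.strip():
            continue
        row = normalize(json.loads(line))
        if not is_successful(row):
            counts[(row["target_user_name"], row["client_ip"], row["category"])] += 1
    return counts


if __name__ == "__main__":
    for key, n in failed_by_user_and_ip(SAMPLE_EVENTS).items():
        print(n, *key)
```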

Item Usage:

_sourceCategory=1pw action
| json "timestamp", "user.name", "client.app_name", "client.platform_name", "client.platform_version", "client.os_name", "client.os_version", "client.ip_address", "location.country", "location.region", "location.city", "action", "vault_uuid", "item_uuid" as timestamp, user_name, client_app_name, client_platform, client_platform_version, client_os, client_os_version, client_ip, country, region, city, action, vault_uuid, item_uuid
| count by timestamp, user_name, client_app_name, client_platform, client_platform_version, client_os, client_os_version, client_ip, country, region, city, action, vault_uuid, item_uuid