We run a SIEM that ingests audit log data from various apps, but are having a really tough time programmatically pulling data from our 1Password business account for a few reasons:
op tool requires inputting a 2FA token, but that is tricky if we want to do an automated cron job that pulls the audit logs and puts them in an S3 bucket. Our infrastructure is ephemeral so we can't have a setup that requires a user to log in and put in the 2FA token by hand each time we need to run the export job.
op signin command, but not the password, which means the script has to handle prompts, which is burdensome.
Let's say we do get all this set up, then we run into more issues. The actual login activity of users is not available via the activity log; it is only accessible through the website UI (with no export feature) or through a Slack App.
I really enjoy 1Password and it has been great to roll it out across the organization, but I'm at a loss as to why there isn't the simple capability to get a full view of the activity in my environment via a single API endpoint? This is the only product we use that has this deficiency. I understand not wanting to expose an API endpoint, and we have encountered that with 2 other security service providers, but they at least provide an export to S3 bucket feature so we can have the logs dumped somewhere.
Lastly, the logs themselves have some issues:
deolddev also shortening whole words to single letters like
Please spend some time thinking through the philosophy of audit logs and what they are there to accomplish, because right now they feel like a weird tacked on feature when they could be a huge value add.