Audit Log Suggestions

There are several audit log pools and we now ingest the two log sources available via API.

  • 1Password Log In Logs via API
  • 1Password Usage Logs via API
  • IT Admin UI Activity Logs

After reviewing the logs, the logs available via the API and the ones via the Admin UI are documented and represented differently which makes it difficult to complete a full security investigation on 1Password Activity.

For example, “Display” is the event type in the Activity Logs which doesn’t have documentation on what it explicitly represents as an action.

Additionally there is an audit logging difference between versions above and below 8.x.x. This introduces the challenge of knowing whether there is visibility into that user’s behavior or if all log events are being simplified due to an older version.

The logs do not all use universal timestamps (UTC) but rather rely on user time zone which makes creating a security timeline challenging.

Potential Log Improvements

  • Using UTC for timestamps.
  • Using identical language for event types in Usage Logs and the Admin Activity Logs.
  • Including the name of the object, and vault accessed in the logs available via the API (currently only included in Admin Activity Logs).

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • ScottS1P
    edited January 2023

    Hello there @jsparksbrex

    Thanks for sharing your feedback and improvements regarding logging in 1Password. It's my pleasure to discuss this with you, and share your feedback with the team.

    “Display” is the event type in the Activity Logs which doesn’t have documentation on what it explicitly represents as an action.

    The display action indicates that an item was displayed on screen. This means the user viewed the item, but is distinct from other actions such as revealing or copying a password.

    We also document other actions which may appear in your logs here:

    I'll pass along all of your feedback verbatim, but also feel free to let me know if you have any other questions or feedback you'd like to discuss. If anything is private or specific to an account, email support@1password.com and include a link to this community post.

    Cheers,

This discussion has been closed.