1Password on Mastodon

Audit Log Suggestions

jsparksbrexjsparksbrex
Community Member
in Business and Teams

There are several audit log pools and we now ingest the two log sources available via API.

  • 1Password Log In Logs via API
  • 1Password Usage Logs via API
  • IT Admin UI Activity Logs

After reviewing the logs, the logs available via the API and the ones via the Admin UI are documented and represented differently which makes it difficult to complete a full security investigation on 1Password Activity.

For example, “Display” is the event type in the Activity Logs which doesn’t have documentation on what it explicitly represents as an action.

Additionally there is an audit logging difference between versions above and below 8.x.x. This introduces the challenge of knowing whether there is visibility into that user’s behavior or if all log events are being simplified due to an older version.

The logs do not all use universal timestamps (UTC) but rather rely on user time zone which makes creating a security timeline challenging.

Potential Log Improvements

  • Using UTC for timestamps.
  • Using identical language for event types in Usage Logs and the Admin Activity Logs.
  • Including the name of the object, and vault accessed in the logs available via the API (currently only included in Admin Activity Logs).

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided

Comments

  • ScottS1PScottS1P

    Team Member
    edited January 23

    Hello there @jsparksbrex

    Thanks for sharing your feedback and improvements regarding logging in 1Password. It's my pleasure to discuss this with you, and share your feedback with the team.

    “Display” is the event type in the Activity Logs which doesn’t have documentation on what it explicitly represents as an action.

    The display action indicates that an item was displayed on screen. This means the user viewed the item, but is distinct from other actions such as revealing or copying a password.

    We also document other actions which may appear in your logs here:

    I'll pass along all of your feedback verbatim, but also feel free to let me know if you have any other questions or feedback you'd like to discuss. If anything is private or specific to an account, email [email protected] and include a link to this community post.

    Cheers,

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Format
SpoilerCodeQuote
Heading 2Heading 1
Url
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file
Home Business and TeamsComment As ...