Flaws in Activity Log Export

aperson
aperson
Community Member

We run a SIEM that ingests audit log data from various apps, but are having a really tough time programmatically pulling data from out 1Password business account for a few reasons:

  • We have 2FA enabled and enforced on our account so any command line use of the op tool requires inputing a 2FA token, but that is tricky if we want to do an automated cron job that pulls the audit logs and puts them in an S3 bucket. Our infrastructure is ephemeral so we can't have a setup that requires a user to login and put in the 2FA token by hand each time we need to run the export job.
  • There is no way to run the 1Password login process, even if we turned off 2FA, with a single command. You can append the secret key in the op signin command, but not the password, which means the script has to handle prompts, which is burdensome.

Let's say we do get all this setup, then we run into more issues. The actual login activity of users is not available via the activity log, it is only accessible through the website UI (with no export feature) or through a Slack App.

I really enjoy 1Password and it has been great to roll it out across the organization, but I'm at a loss as to why there isn't the simple capability to get a full view of the activity in my environment via a single API endpoint? This is the only product we use that has this deficiency. I understand not wanting to expose an API endpoint, and we have encountered that with 2 other security service providers, but they at least provide an export to S3 bucket feature so we can have the logs dumped somewhere.

Lastly, the logs themselves have some issues:

  • The logs reference UUIDs for objects, but the name of a vault or user can change over time, but the UUID remains static. That means if an event occurs and a log is emitted that contains a UUID, then the name of that vault/user/item changes and then I investigate the event, I wont be able to see what the name of the vault/user/item was at the time that the original event occurred. Audit logs entries should be full records and snapshots of the state at the time, they should not require de-referencing human readable metadata that can change between the time of the event and the time of the investigation.
  • The actual information on what each of the acronyms mean is difficult to decipher. What makes it even harder is the random dropping of vowels in some places but not others for actions like: provsn and trvlback and deolddev also shortening whole words to single letters like completer and cancelr

Please spend some time thinking through the philosophy of audit logs and what they are there to accomplish, because right now they feel like a weird tacked on feature when they could be a huge value add.


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • john_m
    john_m
    1Password Alumni

    Hi @aperson! Thanks for your great feedback about your use-case for the 1Password command-line tool here. Your post deserves a proper follow-up by a member of our development team, so I've moved your post to our CLI group - I'll have someone reach out to you here as soon as possible :+1:

  • aperson
    aperson
    Community Member

    Happy to speak to someone on the issues further. Thanks!

  • cohix
    cohix
    1Password Alumni

    @aperson It's really great to see you putting the tool through the ringer. You've come across something fairly common that we are working on addressing internally. I would love to get 30m of your time to talk about your use-cases and talk about some things we're working on, could you email me (connor at agilebits.com) so we can schedule something?

  • pwarnagi
    pwarnagi
    Community Member

    I am interested in this topic as well. We have a need to audit access to passwords as well. How is this coming along?

    Thanks,
    Paul

  • Hi @pwarnagi,

    This is still an area that we're looking to improve but we have nothing to share at this time.

    Rick

This discussion has been closed.