Configuring 1Password Integration
In the 1Password portal, set up an "Events Reporting" integration and create a bearer JSON web token. The 1Password administrator selects "Other" as the integration type when adding the web token.
See the following URL for instructions:
https://support.1password.com/events-reporting/
The python3 script below sends the logs to the Chronicle Forwarder, which routes them to Chronicle. The script can run on the Chronicle Forwarder itself or on a Linux machine that can reach a local Chronicle Forwarder.
Pre-requisites for the Python3 script
- EVENTS_API_TOKEN - Every call to the 1Password Events API must be authorized with a bearer token. A token can be authorized to access data for one or more event types, depending on which events were scoped when the token was created.
  The bearer token created in the step above is read by the script from an environment variable. It is recommended that the client set up the 1Password CLI tools so that the bearer token is not stored in cleartext; however, that configuration is outside this scope.
  For additional information on this setup, see: https://github.com/1Password/events-api-generic
- Chronicle Forwarder IP address
- Port number
- A cronjob to schedule the regular execution of the script
Python3 Script:
=========================================
import datetime
import json
import os
import socket
import sys

import requests

# For more information, check out our support page: https://support.1password.com/events-reporting
api_token = os.environ.get('EVENTS_API_TOKEN')
url = "https://events.1password.com"

if not api_token:
    print("Please set the EVENTS_API_TOKEN environment variable.")
    sys.exit(1)

# Query window: the last 24 hours
start_time = datetime.datetime.now() - datetime.timedelta(hours=24)

# Define the syslog server details (the Chronicle Forwarder)
syslog_server_ip = "Forwarder IP"  # Replace with the Chronicle Forwarder IP address
syslog_server_port = 11670  # Replace with your desired syslog port

headers = {
    "Content-Type": "application/json",
    "Authorization": f"Bearer {api_token}"
}
payload = {
    "limit": 20,
    "start_time": start_time.astimezone().replace(microsecond=0).isoformat()
}
# Alternatively, use the cursor returned from previous responses to get any new events
# payload = { "cursor": cursor }

try:
    r = requests.post(f"{url}/api/v1/signinattempts", headers=headers, json=payload)
    r.raise_for_status()  # Raise an exception if the request fails
    if r.status_code == requests.codes.ok:
        # Send the response to the syslog server
        syslog_priority = 14 * 8 + 6  # Calculate the priority (e.g., LOG_INFO); the raw JSON line below is sent without it
        syslog_message = f"{json.dumps(r.json())}"
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.connect((syslog_server_ip, syslog_server_port))
            sock.sendall(f"{syslog_message}\n".encode())
    else:
        print(f"Error getting sign-in attempts: status code {r.status_code}")
except requests.exceptions.RequestException as e:
    print(f"Request error: {e}")
except Exception as e:
    print(f"Error during syslog logging: {e}")

# Repeat the same logic for item usages and audit events as needed
# For more information on the response, check out our support page: https://support.1password.com/cs/events-api-reference/
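The script's comments point out two gaps: a cursor can replace the fixed 24-hour window, and the same logic is needed for item usages and audit events. The following added example (not the page's or 1Password's own code) fills both: it follows the Events API's cursor/has_more paging across all three endpoints, forwards one JSON line per event so each record reaches the forwarder's syslog collector separately, and persists the cursors between cron runs so a re-run does not resend events already ingested. The forwarder address, the cursor-file path and the use of urllib instead of requests are assumptions; the HTTP call is injected as a callable so the paging logic can be exercised offline.

```python
import datetime
import json
import os
import socket
import urllib.request

EVENTS_URL = "https://events.1password.com"
ENDPOINTS = ("signinattempts", "itemusages", "auditevents")  # all three Events API feeds
CURSOR_FILE = "/var/lib/op_events/cursors.json"  # assumed path for persisted cursors
FORWARDER = ("forwarder.example.internal", 11670)  # assumed Chronicle Forwarder address


def drain(post, endpoint, cursor=None, start_time=None, limit=100):
    """Page one endpoint until has_more is false; `post(path, body) -> dict` is injected.
    Returns (events, last_cursor): the cursor is what the next run resumes from."""
    body = {"cursor": cursor} if cursor else {"limit": limit, "start_time": start_time}
    events = []
    while True:
        page = post(f"/api/v1/{endpoint}", body)
        events.extend(page.get("items", []))
        body = {"cursor": page["cursor"]}  # continue from where this page ended
        if not page.get("has_more"):
            return events, page["cursor"]


def collect(post, send_line, cursors, start_time):
    """Forward one compact JSON line per event for every endpoint; return new cursors."""
    updated = dict(cursors)
    for endpoint in ENDPOINTS:
        events, updated[endpoint] = drain(post, endpoint, cursors.get(endpoint), start_time)
        for event in events:
            send_line(json.dumps(event, separators=(",", ":")))  # one record per line
    return updated


def api_post(path, body):
    """Live call with the bearer token from EVENTS_API_TOKEN, as in the page's script."""
    headers = {"Content-Type": "application/json",
               "Authorization": f"Bearer {os.environ['EVENTS_API_TOKEN']}"}
    req = urllib.request.Request(EVENTS_URL + path, json.dumps(body).encode(), headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    cursors = json.load(open(CURSOR_FILE)) if os.path.exists(CURSOR_FILE) else {}
    since = (datetime.datetime.now(datetime.timezone.utc) - datetime.timedelta(hours=24)).isoformat()
    with socket.create_connection(FORWARDER, timeout=10) as sock:
        cursors = collect(api_post, lambda line: sock.sendall((line + "\n").encode()), cursors, since)
    with open(CURSOR_FILE, "w") as f:
        json.dump(cursors, f)  # saved cursors make the next cron run incremental
```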
Make sure that a syslog collector with the ONEPASSWORD data type is added to the Chronicle Forwarder config file, listening on the port the script sends to:

- syslog:
    common:
      enabled: true
      data_type: ONEPASSWORD
      data_hint:
      batch_n_seconds: 10
      batch_n_bytes: 1048576
    tcp_address: 0.0.0.0:11670
    udp_address: 0.0.0.0:11670
Verifying 1Password logs in Chronicle
Once the configuration is complete, validate that the logs are arriving in Chronicle: a search using the regular expression (".*"), or a specific hostname, lists the log source types that are being ingested into Chronicle. See the screenshot for reference.