Using Splunk with 1Password Business

1Password Business makes it easy to monitor events that happen on your team using the Activity Log, and you can take that to the next level by adding Splunk to the mix. Using the 1Password command-line tool, you can send your team’s 1Password activity to Splunk and keep track of it there alongside other happenings within your team.

One of Splunk’s most popular features is the ability to find events and trigger alerts based on them. For example, in your team you could set things up so the sysadmins are alerted whenever someone is added to the Owners group in 1Password. I’ll get into that example a bit more later in this post.

Set up the 1Password command-line tool

To kick things off, let’s set up the 1Password command-line tool, if you’re not using it already:

1Password command-line tool: Getting started

When setting up the tool, start by creating a custom group and giving it the View Admin Console permission so it can view the Activity Log, then add a user to that group. Once the tool is set up with that user’s account, get a session token:

$ op signin example

This will allow you to interactively enter the Master Password with secure input. Since you’re definitely putting this in a script, you’ll want to pass the Master Password through stdin to the op signin call to get your session token:

[password] | op signin example.1password.com wendy_appleseed@example.com A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX

To make things simpler, you can omit the email address and Secret Key from op signin since they are saved in ~/.op/config. You can then simplify the whole sign-in step to one line by piping the Master Password to it:

gpg -q --decrypt password.enc | op signin example

To automate all this, though, you can get the Master Password from a secure storage location and pipe it to sign in. HashiCorp Vault is a good place to securely store the account’s Master Password. I’m using GPG in this example, but you can use KMS or something else that you’re comfortable with – just avoid echo. 😉

Start fetchin’ those audit events

Now that we have our session token, we can start getting some audit events. Create a script that’s run by a job scheduler such as cron at regular intervals (every 10 minutes should suffice). That script needs to:

  1. Create the session like we just did above.
  2. Read the last processed event ID from disk.
  3. Fetch events newer than that ID.
  4. Send the events to Splunk.
  5. Save the latest event ID to disk.

To do this, we’ll be working with JSON, so jq is a good idea if you’re working with bash; you could also use a scripting language that supports JSON, such as Python or Ruby.

You can fetch up to 100 events newer than $ID. To fetch them:

op list events $ID newer

To make sure you get all the events, you’ll need to run that until nothing is returned, since only 100 events are returned each time. This command will return a JSON array of event objects like this:

 {
 "eid": 392879,
 "time": "2018-01-23T15:50:49Z",
 "actorUuid": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ",
 "action": "join",
 "objectType": "gm",
 "objectUuid": "hd22y2bob6qdpap2ge6d7nn4yy",
 "auxInfo": "A",
 "auxUUID": "YJTZ3RWWFRBNTF4M2YEEY3EPOQ"
 }

You can send all of the events in the array to Splunk at this point by using something like the Splunk universal forwarder.

Next, take the eid of the first object in that array and save it to disk so it can be used for the next fetch. If the array from op list events is empty, it means there are no newer events, and you’re done here — for now.
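The fetch loop in steps 2 to 5, as an added Python example (not code from the original post). It assumes the session is already set up in the environment, that a forwarder monitors the spool file, and that a starting ID of 0 means nothing has been processed yet; drain, read_cursor, write_cursor and the file paths are hypothetical names. It saves the highest eid in each batch, which is the first object when the array is newest-first.

```python
import json
import os
import subprocess
import tempfile


def op_fetch(last_eid):
    """Run `op list events <ID> newer`; assumes the session token is already in the environment."""
    out = subprocess.run(["op", "list", "events", str(last_eid), "newer"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out.strip() or "[]")


def read_cursor(path):
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (FileNotFoundError, ValueError):
        return 0  # assumption: 0 stands for "no event processed yet"


def write_cursor(path, eid):
    # Write to a temp file and rename, so a crash never leaves a half-written ID.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(str(eid))
    os.replace(tmp, path)


def drain(cursor_path, spool_path, fetch=op_fetch, max_pages=1000):
    """Page through newer events until an empty array; return how many were spooled."""
    last, total = read_cursor(cursor_path), 0
    for _ in range(max_pages):
        batch = fetch(last)
        if not batch:
            break  # empty array: nothing newer, done for this run
        newest = max(e["eid"] for e in batch)
        if newest <= last:
            break  # no forward progress; stop instead of looping forever
        with open(spool_path, "a") as spool:  # file a forwarder can monitor
            for event in sorted(batch, key=lambda e: e["eid"]):
                spool.write(json.dumps(event) + "\n")
        write_cursor(cursor_path, newest)  # only after the batch is on disk
        last, total = newest, total + len(batch)
    return total
```

Because the cursor is written only after a batch is spooled, a crash between the two steps re-sends that batch on the next run rather than dropping it, so deduplicate on eid in Splunk if that matters.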

Get alerts about important actions in your team

Earlier I mentioned that one handy use for Splunk with 1Password Business is to see when someone is added to the Owners group. To do this, you would find an event in the Activity Log that has:

  • action: join
  • objectType: gm (Group Membership)
  • objectUuid: your Owners group’s UUID, which you can get by opening https://start.1password.com/groups, signing in, and clicking Owners, then copying the UUID from the end of the address bar in your browser.

Every audit event comes with an actorUuid field. It’s a great identifier, but when perusing, we have no idea who YJTZ3RWWFRBNTF4M2YEEY3EPOQ is. To fix this up, let’s upgrade our script a bit. Before we fetch events, let’s get a user list with op list users. This will get us all users on the account along with some basic information like their name and email address. With that we can process each event object, look up the user by UUID, then add more descriptive information for when we send things to Splunk.

In this example case of sending an alert when someone is added to the Owners group, it’s probably nice to know who was added. The auxUUID field of the audit event will be the UUID of the user who was added to the group. You can do the same lookup that we did above for the actor. For many events, auxUUID will not be a user UUID, so make sure to fail gracefully there.
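The lookup and the Owners-group match described above, as an added Python example (not code from the original post). The user field names uuid, name and email, the added actorName/auxName fields, and all sample UUIDs are assumptions constructed for illustration.

```python
OWNERS_GROUP_UUID = "REPLACE-WITH-OWNERS-GROUP-UUID"  # placeholder: copy yours from the address bar

# Constructed sample data standing in for `op list users` output and one audit event.
SAMPLE_USERS = [
    {"uuid": "constructed-actor-uuid", "name": "Lorraine", "email": "lorraine@example.com"},
    {"uuid": "constructed-added-uuid", "name": "Bobby", "email": "bobby@example.com"},
]
SAMPLE_EVENT = {"eid": 1, "action": "join", "objectType": "gm",
                "objectUuid": "constructed-owners-uuid",
                "actorUuid": "constructed-actor-uuid",
                "auxUUID": "constructed-added-uuid"}


def index_users(users):
    """Build a UUID -> user map; the keys uuid/name/email are assumed field names."""
    return {u["uuid"]: u for u in users if "uuid" in u}


def enrich(event, users_by_uuid):
    """Return a copy of the event with actor/aux names added where the UUID is a known user."""
    out = dict(event)
    for field, prefix in (("actorUuid", "actor"), ("auxUUID", "aux")):
        user = users_by_uuid.get(event.get(field))
        if user is None:
            continue  # auxUUID is often not a user UUID: keep the raw value, add nothing
        out[prefix + "Name"] = user.get("name")
        out[prefix + "Email"] = user.get("email")
    return out


def is_owners_join(event, owners_uuid=OWNERS_GROUP_UUID):
    """The three conditions listed above: join + gm + the Owners group's UUID."""
    return (event.get("action") == "join"
            and event.get("objectType") == "gm"
            and event.get("objectUuid") == owners_uuid)


def summarize(event):
    """Human-readable line for the alert; falls back to UUIDs when a lookup failed."""
    actor = event.get("actorName") or event.get("actorUuid")
    added = event.get("auxName") or event.get("auxUUID")
    return f"{actor} added {added} to the Owners group"
```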

Now that we’ve set things up, whenever Splunk finds an event matching this, it’ll be able to alert your sysadmins via Slack or another method and let them know that Lorraine added Bobby to the Owners group. From there, they can take action if they need to.

Try it out and tell us what you think

When it comes down to it, sending your team’s 1Password activity to Splunk gives you one place to audit any administrative action your team has been taking in 1Password, alongside all the other tools your company uses. There are a lot of things you can look out for, from the Owners group example I mentioned before to knowing when someone adds or removes a team member from a vault or changes their permissions.

We’d love to hear how you set things up, so feel free to comment below or send us a message at support+cli@agilebits.com or start a discussion in our forum with suggestions, questions, and anything else you’d like to chat about!

Learn how your business is using 1Password with reports

One of the top requests we’ve gotten from teams using 1Password over the past few years is a way to see what items their team’s been using. With 1Password Business, we’ve added item usage reports, a new tool for you to see how the people on your team are using 1Password.

Know what your team can access

An administrator or owner on your team can create a report for a team member to see what items they’ve used, how many vaults and items they have access to, and more. To create your first report for a team member:

  1. Sign in to your business account on 1Password.com.
  2. Click People in the sidebar.
  3. Click the name of a team member, then click Create Usage Report below their name.

We’ve designed reports to focus on the vaults that matter to you, so you’ll see items from shared vaults in a person’s report.

Know what’s being used in your vaults

You can also create a report for a vault to see what people have been using in it. To create a report for a vault:

  1. Click Vaults in the sidebar.
  2. Click the name of a vault, then click Create Usage Report below its name.

The handy thing about creating a report for a vault is that you can see what has been used often in that vault. Sorting by item name gives you an organized list, and each item will be shown as a separate entry for each person who has used it.

Know what to do when someone leaves your team

When someone leaves your team, you can suspend their account to revoke their access to vaults and items, then create a report to get an idea of what passwords you might need to change. Then you can click the item in the report and use 1Password to quickly change the password.

Keeping passwords in a shared vault in your team means any changes made to them will be available to the people who can access that vault right away. Then you can change the password to keep those accounts secure, and through the magic of shared vaults, everyone who needs that password will automatically get the new one so they can use it right away.

Start using reports

Usage reports are centered on the best part of any company: the people. They focus on the vaults someone has access to, as well as important dates, like when they joined the team or last signed in. And the best part is only the admins and owners of your team know which items and websites your team is using: we can’t see any of that.

The goal of reports is to help you make better judgments about whether Emmett or Lorraine really need to keep access to those potentially high-value resources. And if they don’t, you change their access to something that better suits them.

Learn more about creating reports in 1Password Business

This is only the beginning — we’d love your feedback on what else you’d like to see in the reports. Comment below to start a discussion or send us a message at business@1password.com to share some feedback.

Introducing 1Password Business

Since 2015, over 30,000 businesses have signed up for 1Password Teams and discovered how 1Password can help them be secure while also increasing their productivity.

We’ve learned a lot by working with these companies and found that what works for a team of 20 doesn’t necessarily work for a company of 20,000. So we got to work.

Today, I am thrilled to announce the results of that work: 1Password Business. 🎉

1Password Business

1Password Business provides the features you need as a larger team. It gives you the tools to protect your employees, secure your most important data, and stay compliant. Your administrators will love it for the control it gives them, and your employees will love how easy it is to use.

Control access and be compliant

GDPR, HIPAA, SOC2, PCI, PIPEDA… man, there’re enough compliance requirements to make your head spin.

Thankfully, 1Password helps by keeping you in control of who has access to what. Each employee gets a place to store their private, work-related passwords. But there are times when passwords need to be shared. For those times, it’s easy to share passwords with only the people who need them.

Fine-grained permissions – give employees exactly the access they need.
Custom Groups and Roles – organize your staff and their access.
Device Restrictions – limit where access is granted.
Managed Travel Mode – restrict employee access when travelling.

We ourselves are growing quickly and long gone are the days where everyone worked on every project. We are looking to hire another 100 people this year, and 1Password helps us stay compliant with our SOC2 regulations as we grow.

Automated provisioning

Sometimes you are growing so fast, or have gotten so large, that no matter how simple the onboarding steps, they just aren’t fast enough. In these cases automation comes to your rescue.

Active Directory Integration – automate provisioning and de-provisioning.
Okta Integration – allow Okta to manage your team for you.
Command line Integration – integrate 1Password into your custom business flows.

Now that we are starting to use Azure AD ourselves, onboarding those next 100 people should be a breeze. 😉

Adding a second third factor

1Password protects your passwords behind both your Master Password and your Secret Key. Now you can add yet another layer of protection with our multi-factor authentication (MFA) support.

Team members can turn on two-factor authentication to further protect their 1Password accounts. Or, if your company uses Duo, you can require its use for your entire team.

Advanced auditing and reporting

In 1Password Business, we’ve created some super useful reports for you and your administrators. It’s never been easier to keep track of everything happening on your team.

Employee Access Report – see which shared passwords an employee has used.
Shared Password Report – audit shared passwords to see who has used them.
Activity Log – review administrative actions taken by your team.
Action Dashboard – view activities that are awaiting your action.

Free family accounts

Worth more than $50 per user

Your business data is only as safe as your employees’ habits. If anyone brings unsafe password habits from home into your work environment, they put your entire business at risk. Now, you can protect your business by keeping those you work with safe at home.

With 1Password Business, each employee on your team gets a free 1Password Families membership. This way they can learn the habits they need to protect themselves and your company.

Try 1Password Business today

Sign up today for a free 30 day trial and see for yourself how 1Password can help your company. Your data will be more secure and your employees more productive than ever.

Sign up for 1Password Business

If you have any questions or would like to schedule a demo, contact our business team. We’ll be happy to show you how 1Password can work for your business. After using 1Password for a few weeks at your company I promise you’ll wonder how you ever lived without it!