Hi,
I have been struggling to find the right approach to ingest 1Password audit events into Chronicle SIEM. Upon checking with Chronicle support, they mentioned they don't have a direct integration at this moment. Has anyone managed to ingest the 1Password audit logs using other approaches such as GCS or a webhook?
You can customise/edit one of the ingestion scripts to pull the data and push it to Chronicle from GCP. It is not a simple task, but it is an option; we are currently using this method to pull all events:
https://github.com/chronicle/ingestion-scripts
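A sketch of the collector loop such a customised script needs, added here as an example (it is not code from the chronicle/ingestion-scripts repository nor from anyone in this thread): it follows cursor pagination on the 1Password Events API, advances the saved cursor only once every batch has been accepted by Chronicle, and submits each record verbatim as a raw log line under the ONEPASSWORD_AUDIT_EVENTS log type so the default parser sees the original field names. The endpoint paths, request and response field names, the customer id and the sample events are assumptions or constructed values, and the HTTP calls are replaced by fake transports so the script runs offline.

```python
import json
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Assumed 1Password Events API shape: POST /api/v1/auditevents with
# {"limit": N, "start_time": RFC3339} on the first call and {"cursor": "..."}
# afterwards; the response carries "items", "cursor" and "has_more".
ONEPASSWORD_AUDIT_PATH = "/api/v1/auditevents"
# Assumed Chronicle ingestion API path for raw (unstructured) log lines.
CHRONICLE_BATCH_PATH = "/v2/unstructuredlogentries:batchCreate"
# Log type named in the thread, so Chronicle's default parser handles the records.
CHRONICLE_LOG_TYPE = "ONEPASSWORD_AUDIT_EVENTS"

# A transport is any callable (path, json_body) -> parsed JSON response;
# keeping HTTP behind this interface lets the logic run offline with fakes.
Transport = Callable[[str, dict], dict]


def fetch_audit_events(post: Transport, start_time: str,
                       cursor: Optional[str] = None,
                       limit: int = 100) -> Iterator[Tuple[dict, str]]:
    """Follow cursor pagination and yield (event, cursor_after_this_page).

    Persisting the cursor yielded with the last processed event lets a
    restarted collector resume without replaying or skipping records.
    """
    body = {"cursor": cursor} if cursor else {"limit": limit, "start_time": start_time}
    while True:
        resp = post(ONEPASSWORD_AUDIT_PATH, body)
        next_cursor = resp["cursor"]
        for item in resp.get("items", []):
            yield item, next_cursor
        if not resp.get("has_more"):
            return
        body = {"cursor": next_cursor}


def build_chronicle_batches(events: List[dict], customer_id: str,
                            max_batch: int = 500) -> Iterator[dict]:
    """Group events into batchCreate payloads, one JSON line per event."""
    entries: List[dict] = []
    for ev in events:
        # Serialise the record unchanged so the parser gets 1Password's own field names.
        entries.append({"log_text": json.dumps(ev, separators=(",", ":"), sort_keys=True)})
        if len(entries) >= max_batch:
            yield {"customer_id": customer_id, "log_type": CHRONICLE_LOG_TYPE, "entries": entries}
            entries = []
    if entries:
        yield {"customer_id": customer_id, "log_type": CHRONICLE_LOG_TYPE, "entries": entries}


def run_once(op_post: Transport, chronicle_post: Transport,
             state: Dict[str, Optional[str]], customer_id: str,
             max_batch: int = 500) -> dict:
    """One collector cycle: pull events after the saved cursor, push them, return new state."""
    events: List[dict] = []
    cursor = state.get("cursor")
    for ev, cursor_after in fetch_audit_events(op_post, state["start_time"], cursor):
        events.append(ev)
        cursor = cursor_after
    sent = 0
    for batch in build_chronicle_batches(events, customer_id, max_batch):
        chronicle_post(CHRONICLE_BATCH_PATH, batch)  # raises on failure, so state never advances past lost data
        sent += len(batch["entries"])
    return {"start_time": state["start_time"], "cursor": cursor, "sent": sent}


# --- constructed offline stand-ins for the two services (not real API data) ---
FAKE_1PASSWORD_PAGES = {
    None: {"items": [{"uuid": "EV1", "timestamp": "2024-01-01T00:00:00Z", "action": "login", "actor_uuid": "U1"},
                     {"uuid": "EV2", "timestamp": "2024-01-01T00:01:00Z", "action": "item_view", "actor_uuid": "U1"}],
           "cursor": "c1", "has_more": True},
    "c1": {"items": [{"uuid": "EV3", "timestamp": "2024-01-01T00:02:00Z", "action": "logout", "actor_uuid": "U1"}],
           "cursor": "c2", "has_more": False},
    "c2": {"items": [], "cursor": "c2", "has_more": False},
}


def fake_onepassword_post(path: str, body: dict) -> dict:
    assert path == ONEPASSWORD_AUDIT_PATH
    return FAKE_1PASSWORD_PAGES[body.get("cursor")]


class FakeChronicle:
    """Records every batch it is handed, standing in for the ingestion API."""
    def __init__(self) -> None:
        self.batches: List[dict] = []

    def post(self, path: str, body: dict) -> dict:
        assert path == CHRONICLE_BATCH_PATH
        self.batches.append(body)
        return {}


def demo() -> Tuple[dict, FakeChronicle]:
    sink = FakeChronicle()
    state = {"start_time": "2024-01-01T00:00:00Z", "cursor": None}
    new_state = run_once(fake_onepassword_post, sink.post, state, "CUSTOMER-ID-PLACEHOLDER", max_batch=2)
    return new_state, sink


if __name__ == "__main__":
    st, sink = demo()
    print(st, len(sink.batches), "batches")
```

In a real deployment the two fake transports would be replaced by authenticated HTTP calls (a bearer token for the 1Password Events API, Google credentials for the Chronicle ingestion API) and the returned state would be written to durable storage between scheduled runs; those parts are left out here and are assumptions about how the production script would be wired up.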
Thank you. Did you need to build your own custom parser for 1Password audit events?
Correct, we needed to use a customised parser for audit events (as is often the case).
Hey, do you have a 1Password audit events parser to share?
A parser for the ONEPASSWORD_AUDIT_EVENTS log type was created back in November: https://cloud.google.com/chronicle/docs/ingestion/parser-list/onepassword-audit-events-changelog
You can check whether a log type has a parser here: https://cloud.google.com/chronicle/docs/ingestion/parser-list/supported-default-parsers