Sign in attempts

Overview

Get a list of 1Password item usage events through the 1Password Events API using the HTTP Pull Listener.

HTTP Pull Listener configuration

In Falcon Onum, go to the Listeners area and click New Listener > HTTP Pull. Give a name to your new Listener and enter the following data:

Parameters

N/A

Secrets

You must define these credentials in Onum:

1passwordkey will reference your 1Password API key.

To do it, click Add element and enter a Name for the secret (in this case, 1passwordkey). Then, click the Value field and select New secret to create a new one:

Give the secret a Name.
Turn off the Expiration date option.
Click Add new value and paste the secret corresponding to the value.
Click Save.

You can now select the secret you just created in the Value field list.

Learn more about secrets in Onum in this article.

Setup

After entering the required parameters and secrets, you can choose to manually enter the rest of configuration fields, or simply paste the given YAML:

Toggle ON the Config as YAML option to enable a free text field where you can paste the following YAML:

withTemporalWindow: true
temporalWindow:
  duration: 1m
  offset: 1m
  tz: UTC
  format: "2006-01-02T15:04:05-07:00"
withAuthentication: false
withEnumerationPhase: false
collectionPhase:
  paginationType: cursor
  cursorSelector: ".cursor"
  initialRequest:
    responseType: json
    method: POST
    url: "https://events.1password.com/api/v2/signinattempts"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
      - name: Authorization
        value: "Bearer ${secrets.1passwordkey}"
    bodyType: raw
    bodyRaw: |
      {
        "limit": 100,
        "start_time": "${temporalWindow.from}",
        "end_time": "${temporalWindow.to}"
      }
  nextRequest:
    responseType: json
    method: POST
    url: "https://events.1password.com/api/v2/signinattempts"
    headers:
      - name: Accept
        value: application/json
      - name: Content-Type
        value: application/json
      - name: Authorization
        value: "Bearer ${secrets.1passwordkey}"
    bodyType: raw
    bodyRaw: |
      {
        "cursor": "${pagination.cursor}"
      }
  output:
    select: ".items"
    map: "."
    outputMode: element

Temporal Window

Toggle ON to add a temporal window for events. This repeatedly shifts the time window over which data is collected.

Duration - 1m
Offset - 1m
Format - RFC3339

Collection Phase

Pagination Type* - Cursor
Cursor Selector* - .cursor
Initial Request
- Response Type* - JSON
- Method* - POST
- URL* - https://events.1password.com/api/v2/signinattempts
- Headers
  - Name - Accept
  - Value - application/json
  - Name - Content-Type
  - Value - application/json
  - Name - Authorization
  - Value - Bearer ${secrets.1passwordkey}
- Body Type* - Raw
- Body Content* -

|
      {
        "limit": 100,
        "start_time": "${temporalWindow.from}",
        "end_time": "${temporalWindow.to}"
      }

Next Request
- Response Type* - JSON
- Method* - POST
- URL* - https://events.1password.com/api/v2/signinattempts
- Headers
  - Name - Accept
  - Value - application/json
  - Name - Content-Type
  - Value - application/json
  - Name - Authorization
  - Value - Bearer ${secrets.1passwordkey}
Body Type* - Raw
Body Content* -

|
      {
        "cursor": "${pagination.cursor}"
      }

Output
- Select* - .items
- Map - .
- Output Mode* - element

When you're done, click Create labels to move on to the next step and define the required Labels if needed.

PreviousItem usages NextCollect data from Abnormal

Last updated 3 days ago

Was this helpful?