From c08dba4668c813ff80eac03faccba77c116147c2 Mon Sep 17 00:00:00 2001 From: azurekid Date: Fri, 18 Apr 2025 19:05:31 +0200 Subject: [PATCH 01/19] Add KQL manifest for 1Password integration with Microsoft Sentinel --- .../1Password/KQL_Manifest_1Password.yaml | 39 +++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml diff --git a/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml b/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml new file mode 100644 index 00000000..322dc893 --- /dev/null +++ b/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml @@ -0,0 +1,39 @@ +Descriptor: + Name: 1Password + DisplayName: 1Password (Community) + Description: Integrates 1Password with Microsoft Sentinel via KQL queries, enabling visibility into Security Copilot Portal login activity. Provides insights into user behviour events for enhanced security monitoring. + Settings: + - Name: TenantId + Required: true + - Name: SubscriptionId + Required: true + - Name: ResourceGroupName + Required: true + - Name: WorkspaceName + Required: true + SupportedAuthTypes: + - None + +SkillGroups: + - Format: KQL + Skills: + - Name: 1PasswordEvents + DisplayName: Failed user login events + Description: Fetches failed user login events from 1Password + Settings: + Target: Sentinel + # The ID of the AAD Organization that the Sentinel workspace is in. + TenantId: '{{TenantId}}' + # The id of the Azure Subscription that the Sentinel workspace is in. + SubscriptionId: '{{SubscriptionId}}' + # The name of the Resource Group that the Sentinel workspace is in. + ResourceGroupName: '{{ResourceGroupName}}' + # The name of the Sentinel workspace. + WorkspaceName: '{{WorkspaceName}}' + + Template: |- + OnePasswordEventLogs_CL + | where object_type == "vault" + | extend + TargetUsername = actor_details.email + , SrcIpAddr = session.ip \ No newline at end of file From 41f95935178f9340ab62638fd2e782e850e1cda2 Mon Sep 17 00:00:00 2001 From: azurekid Date: Fri, 18 Apr 2025 20:39:56 +0200 Subject: [PATCH 02/19] Add 1Password plugin for Microsoft Security Copilot - Created README.md for the 1Password plugin documentation. - Added SVG icon for 1Password. - Implemented KQL manifest for 1Password integration, enabling querying of audit and event logs. - Defined settings for Azure TenantId, SubscriptionId, ResourceGroupName, and WorkspaceName. - Added skills for fetching failed user login events and integration change events with KQL templates. --- .../1Password/KQL_Manifest_1Password.yaml | 39 -------- .../1Password/data/1password.csv | 55 +++++++++++ .../1Password/docs/README.md | 2 + .../1Password/images/1password.svg | 2 + .../1Password/src/KQL_manifest_1password.yaml | 93 +++++++++++++++++++ 5 files changed, 152 insertions(+), 39 deletions(-) delete mode 100644 Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml create mode 100644 Plugins/Community Based Plugins/1Password/data/1password.csv create mode 100644 Plugins/Community Based Plugins/1Password/docs/README.md create mode 100644 Plugins/Community Based Plugins/1Password/images/1password.svg create mode 100644 Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml diff --git a/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml b/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml deleted file mode 100644 index 322dc893..00000000 --- a/Plugins/Community Based Plugins/1Password/KQL_Manifest_1Password.yaml +++ /dev/null @@ -1,39 +0,0 @@ -Descriptor: - Name: 1Password - DisplayName: 1Password (Community) - Description: Integrates 1Password with Microsoft Sentinel via KQL queries, enabling visibility into Security Copilot Portal login activity. Provides insights into user behviour events for enhanced security monitoring. - Settings: - - Name: TenantId - Required: true - - Name: SubscriptionId - Required: true - - Name: ResourceGroupName - Required: true - - Name: WorkspaceName - Required: true - SupportedAuthTypes: - - None - -SkillGroups: - - Format: KQL - Skills: - - Name: 1PasswordEvents - DisplayName: Failed user login events - Description: Fetches failed user login events from 1Password - Settings: - Target: Sentinel - # The ID of the AAD Organization that the Sentinel workspace is in. - TenantId: '{{TenantId}}' - # The id of the Azure Subscription that the Sentinel workspace is in. - SubscriptionId: '{{SubscriptionId}}' - # The name of the Resource Group that the Sentinel workspace is in. - ResourceGroupName: '{{ResourceGroupName}}' - # The name of the Sentinel workspace. - WorkspaceName: '{{WorkspaceName}}' - - Template: |- - OnePasswordEventLogs_CL - | where object_type == "vault" - | extend - TargetUsername = actor_details.email - , SrcIpAddr = session.ip \ No newline at end of file diff --git a/Plugins/Community Based Plugins/1Password/data/1password.csv b/Plugins/Community Based Plugins/1Password/data/1password.csv new file mode 100644 index 00000000..84cf4488 --- /dev/null +++ b/Plugins/Community Based Plugins/1Password/data/1password.csv @@ -0,0 +1,55 @@ +SourceSystem,"TimeGenerated [UTC]","uuid_s","session_uuid","timestamp [UTC]",country,category,"action_type",details,"target_user",client,location,"actor_uuid","actor_details",action,"object_type","object_uuid","object_details","aux_id","aux_uuid","aux_details","aux_info",session,"used_version","vault_uuid","item_uuid",user,"log_source",TenantId,Type,"_ResourceId" +,"4/18/2025, 12:55:02.901 PM",PRP3TX4DCZAIZCZ43XEXTAGRY4,3QW5AMJNGVF3FJTUQFVKKKR7MM,"4/18/2025, 12:54:18.794 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:55:02.901 PM",ICWRCZYO2BHHJGCNTTGKLVDOVE,GLXUBQ6I3JDWRPWW35PVOG26D4,"4/18/2025, 12:54:36.072 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2MZ5LG7B3AWO3KIDYRP4Z3RGW6,,"4/4/2025, 4:45:16.121 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,device,l7xfhzeajqz4p3sblvnjp6s4ky,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WL7LRUMV4CLRR6A745JOKFTLEI,,"4/4/2025, 4:48:04.321 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",view,report,,,,,,"activity-log","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",RTNVIBWEKYFI26TER3KLD7JVRV,,"4/4/2025, 4:49:05.793 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,sa,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,D,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",PLO3WHHNFLTZQT6WHYV3G7J2EB,,"4/4/2025, 4:49:05.804 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,satoken,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,"sl-microsoft-temp","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",BUFF5HHXI5NHZLHPSMHEJY5XMP,,"4/9/2025, 5:13:56.951 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",dlgsess,dlgdsess,JVPUAZQDWFBGDJRVJZDH2TDSHA,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",M6EV3JS5HID2RJH47KW2BWBNDH,,"4/9/2025, 5:13:56.963 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,device,bphjwuec4duaoc6jiiipxebzbi,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2GPZLX3RIM5DCBH6ZRTVKLIDRL,,"4/9/2025, 5:15:26.888 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,vault,dzkriehzyenlesox7gaaxv7pma,,,,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",AHDJ74VRU4AFU6NJ54G4AUJR2Z,,"4/9/2025, 5:15:26.949 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",2147483646,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",VQMFRXB7W6MLMW3P2Z6ADLLXUD,,"4/9/2025, 5:15:26.962 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527804,rghqswd6b35ud5jupjjodpns44,,1,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",72WL6YAEYNXDXICB2YJ6RQ6EYC,,"4/9/2025, 5:15:26.973 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527805,btxffna52mw3aqpchktgefx6zi,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WKNUB46HLWWF7RXFFEZY35C36B,,"4/9/2025, 5:15:26.985 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527806,7ol5ey5xurrhpjoo7gymu4pp7a,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",YBXGY3YVBIP6TDPFVT7L7BKAH7,,"4/9/2025, 5:15:32.351 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",dlgsess,dlgdsess,LMVI3756QBBVLGMGF6TBGO3NUY,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",UU76HEVBO2EO7YNIZINGOKXY5G,,"4/9/2025, 5:15:43.001 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",patch,items,dzkriehzyenlesox7gaaxv7pma,,2,,,"1,0,0,0,0","{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CAEFEKA7TFXGGWUKP3R7XNITJZ,,"4/9/2025, 5:19:13.251 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",share,item,yyznfshprnktijvsjhouufqx5i,,18311600,dzkriehzyenlesox7gaaxv7pma,,4hutefbdsrnzz75d5yfvi4yqyu,"{""uuid"":""LMVI3756QBBVLGMGF6TBGO3NUY"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""bphjwuec4duaoc6jiiipxebzbi"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",S6J3HGO6OX6NDID6F435MENUAD,,"4/10/2025, 7:08:48.817 PM",,,,,,,"{""country"":""Canada"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}",create,device,xw27aj7ayveb6ecuge3lxlxrw4,,5542660,XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}",,"{""uuid"":""C7V57KMF2BDMZFCFLEK4ND6SNY"",""login_time"":""2025-04-10T19:08:48.7986500Z"",""device_uuid"":""xw27aj7ayveb6ecuge3lxlxrw4"",""ip"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CMMLUZD4K6VACQWXW3IHS7CRM4,,"4/18/2025, 11:44:43.305 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,device,hsybmdp2dth3v5w6sxfz3fdrvu,,5547458,PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",5A5OKTJAMI3R3CVY536YAA6R6E,,"4/18/2025, 11:46:03.624 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",suspend,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Stefan Smit"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",5CLDHPJPHX4RKAHPBFBRRM2GXD,,"4/18/2025, 11:46:04.043 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,vault,v6stujbzdep5c7wjxvy7bv7wcm,,,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",ZRGO4CJHU7CX4GWA6XPXKPE7XP,,"4/18/2025, 11:46:04.052 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Stefan Smit"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",46QURC4PKKRI4MJPCYVYYSNTSF,,"4/18/2025, 11:46:28.557 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,invite,GMDEHR4LEJAQRHC2N4H2COIHMU,,,,,"info@slxndrs.com","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",GED74PQMIO7JTH65FNBXSP4VWO,,"4/18/2025, 11:47:07.830 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Development Thijs","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",AKSMVJYVYBJHTV2VRCAY7AZ2PL,,"4/18/2025, 11:47:11.940 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Production from UI","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",VI64BDVVWFZR27WWBYMF62Y2V2,,"4/18/2025, 11:47:28.194 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Copilot,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",DKDXK65DRATULJAC2BLZBYKDEZ,,"4/18/2025, 11:58:48.682 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,,,"activity-log","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",6OB56ACRRPWVCAVWLTSWHWFXWS,,"4/18/2025, 11:59:41.223 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",reactive,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WGMHKYBUT232J7RT5PDIDDMJRN,,"4/18/2025, 12:00:30.446 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",beginr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2NSLEYQQY4IBYPQSEIPAQHL2HT,,"4/18/2025, 12:02:19.428 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",completr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WQSBSGEQ67YFWXPRSKHSMS63M5,,"4/18/2025, 12:03:55.138 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",create,device,3phoep7rew5k4n45iiwqna4cfm,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",O3JU2XYEOPMBURMNEGYCPS246D,,"4/18/2025, 12:04:29.632 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,vault,xeuq3jvbbm5xtqmom37i4k2c24,,,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",BLZPGPHCLMHZ6QIFT5LFPJEWUD,,"4/18/2025, 12:04:50.571 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",changenm,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",C6DCPVY4QEU4T5PLDGY2LRZV2V,,"4/18/2025, 12:05:53.754 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",56WAGARROVUHCRP3JX5GI3EQD6,,"4/18/2025, 12:05:53.773 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,36pafghqo5a7lnfbmk62ynhdra,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",6LREFBYAOEMFHRTSKBZ6S36JER,,"4/18/2025, 12:05:53.775 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,27laikzuyzowz6mzhk7oymb7pq,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CEQZBXT6U332CPONGN7J7QP7UR,,"4/18/2025, 12:13:05.552 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",56KSTZ22RG2XZNGRRXV6GNYQRO,,"4/18/2025, 12:13:09.090 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",export,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",NH6PZIQFJLWYAH7KJLDPXMXEW7,,"4/18/2025, 12:13:20.202 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",O26RO7O5WJFGTOZO67BUALRTZS,,"4/18/2025, 12:13:25.201 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",export,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",QUYEBIL4PNV4KG4NILW662ATGL,,"4/18/2025, 12:14:52.447 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,ZXH73GV3PVFZZFQ23ONYDQJZII,"{""uuid"":""ZXH73GV3PVFZZFQ23ONYDQJZII"",""name"":""Sentinel integration"",""email"":""oqgiyj6saz5rs@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CO6OVY5Z4Y455ZH424DWZWSU34,,"4/18/2025, 12:15:10.621 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,SU3NS4P6KJDUTI5QYOOC5Y24OI,"{""uuid"":""SU3NS4P6KJDUTI5QYOOC5Y24OI"",""name"":""sl-microsoft-test"",""email"":""m6owabpqoihgo@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",ZDVBDXJHOYRHCF26PZA3HPJ6LK,,"4/18/2025, 12:15:26.125 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Pilot,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",GQU2AQROG5AJHK6YB34BPSOL6Y,UTLGFSJ3BFEXBJ6KS7I6V2M2FU,"4/4/2025, 4:45:16.126 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074012"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.189"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",NF6NGL7S6FD3XFULPKDAFLECRY,LSFGKSMJNFEUTKCX27PFS2OAVE,"4/9/2025, 5:13:51.014 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",T7IV5RBYHRBTRDBMDWZ5B5EIQU,JVPUAZQDWFBGDJRVJZDH2TDSHA,"4/9/2025, 5:13:56.967 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",SS5QW3HSRNCYHNICRWJNXI5QQA,LMVI3756QBBVLGMGF6TBGO3NUY,"4/9/2025, 5:15:32.357 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",4XOAEYUNFJGLNNUQG44AFHZSGA,C7V57KMF2BDMZFCFLEK4ND6SNY,"4/10/2025, 7:08:48.828 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",FQCRF6I5CJDUPAKVCHP47QWVFQ,TFOSOH6JCBAQRH37ZOTIWMGFYU,"4/11/2025, 1:14:19.172 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",72HSUCNG2ZGORE64PYLGULKYSY,DUI4WKZ3BJFP3PHUAEMRPMP2FU,"4/18/2025, 11:44:02.575 AM",NL,"credentials_failed","password_secret_bad",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",THAYXVGVEJH6LARQKHJZXVAKPI,5AVYJMTULJAQRDYCXJAK7W2H5Y,"4/18/2025, 11:44:43.313 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",JEVVI4GVMNCSXJBF52IXO2OM4Q,G3BMS3U6XJDP7JZ34ND7HKDM4Y,"4/18/2025, 11:57:23.319 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",HDCR3PNYARBSFE5HC6AWUPWCYI,MYV36CCVNZDEPNHXVCUXES2ADM,"4/18/2025, 12:03:55.150 PM",NL,success,"credentials_ok",,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Brave"",""platform_version"":""135.0.0.0"",""os_name"":""Windows"",""os_version"":""11.0"",""ip_address"":""86.85.254.86""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CVOHJRHF7BAXHLZNORNP6N6IMA,,"4/9/2025, 5:15:42.746 PM",,,,,,"{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,"server-create",,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",7FW55XI4JZEXZLG43WEPF7IBAY,,"4/9/2025, 5:19:13.254 PM",,,,,,"{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,share,,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", diff --git a/Plugins/Community Based Plugins/1Password/docs/README.md b/Plugins/Community Based Plugins/1Password/docs/README.md new file mode 100644 index 00000000..6243d4b3 --- /dev/null +++ b/Plugins/Community Based Plugins/1Password/docs/README.md @@ -0,0 +1,2 @@ +# 1Password plugin for Microsoft Security Copilot + diff --git a/Plugins/Community Based Plugins/1Password/images/1password.svg b/Plugins/Community Based Plugins/1Password/images/1password.svg new file mode 100644 index 00000000..0b54863b --- /dev/null +++ b/Plugins/Community Based Plugins/1Password/images/1password.svg @@ -0,0 +1,2 @@ + + \ No newline at end of file diff --git a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml new file mode 100644 index 00000000..569bfb5e --- /dev/null +++ b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml @@ -0,0 +1,93 @@ +Descriptor: + Name: 1Password + DisplayName: 1Password (Community) + Description: This integration enables Microsoft Copilot for Security to query and analyze 1Password audit and event logs using KQL (Kusto Query Language). It allows security teams to monitor failed user login attempts and integration token changes within 1Password, providing enhanced visibility and incident response capabilities directly from Microsoft Sentinel. + Category: Other + Icon: https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Logos/1password.svg + Settings: + + - Name: TenantId + Label: TenantId + Description: Azure TenantId + HintText: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + SettingType: String + Required: true + + - Name: SubscriptionId + Label: Subscription Id + Description: This is the subscription id that security copilot will use for sentinel. + HintText: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + SettingType: String + Required: true + + - Name: ResourceGroupName + Label: ResourceGroupName + Description: This is the resource group name that security copilot will use for sentinel. + HintText: rg-dev-sentinel + SettingType: String + Required: true + + - Name: WorkspaceName + Label: WorkspaceName + Description: This is the workspace name that security copilot will use for sentinel. + HintText: SentinelWorkspace + SettingType: String + Required: true + + SupportedAuthTypes: + - None + +SkillGroups: + - Format: KQL + Skills: + - Name: FailedUserLoginEvents + DisplayName: Failed user login events + Description: Fetches failed user login events from 1Password + Inputs: + - Name: days + Description: Look back x amount of days, for example 10, 20, 30. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + OnePasswordEventLogs_CL + | where TimeGenerated > ago({{days}}d) + | where category == "credentials_failed" + | where action_type == "password_secret_bad" + | project + target_user.name, + target_user.email, + location.country, + client.app_name, + + - Name: IntegrationChangeEvents + DisplayName: Integration change events + Description: Searches for changes to the integration tokens + Inputs: + - Name: days + Description: Look back x amount of days, for example 10, 20, 30. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + OnePasswordEventLogs_CL + | where TimeGenerated > ago({{days}}d) + | where log_source == "auditevents" + | where action has_any("create", "trename", "tverify", "trevoke") + | where object_type == "satoken" + | extend + ActorUsername = actor_details.email + , SrcIpAddr = session.ip + + + + + From c8b9c5d202107912a151f303684baa58380956a7 Mon Sep 17 00:00:00 2001 From: azurekid Date: Fri, 18 Apr 2025 21:32:17 +0200 Subject: [PATCH 03/19] Fix formatting in KQL manifest for 1Password integration --- .../1Password/src/KQL_manifest_1password.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml index 569bfb5e..67e843d9 100644 --- a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml +++ b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml @@ -62,7 +62,7 @@ SkillGroups: target_user.name, target_user.email, location.country, - client.app_name, + client.app_name - Name: IntegrationChangeEvents DisplayName: Integration change events From 2d8609d3acd82f2591c25f8aade9cd6eaa77371b Mon Sep 17 00:00:00 2001 From: Rogier Dijkman <40334679+azurekid@users.noreply.github.com> Date: Fri, 18 Apr 2025 22:52:01 +0200 Subject: [PATCH 04/19] Update KQL_manifest_1password.yaml --- .../1Password/src/KQL_manifest_1password.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml index 67e843d9..d8eb0c6a 100644 --- a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml +++ b/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml @@ -1,7 +1,10 @@ Descriptor: Name: 1Password DisplayName: 1Password (Community) - Description: This integration enables Microsoft Copilot for Security to query and analyze 1Password audit and event logs using KQL (Kusto Query Language). It allows security teams to monitor failed user login attempts and integration token changes within 1Password, providing enhanced visibility and incident response capabilities directly from Microsoft Sentinel. + Description: |- + This integration enables Microsoft Copilot for Security to query and analyze 1Password audit and event logs using KQL (Kusto Query Language). + It allows security teams to monitor failed user login attempts and integration token changes within 1Password, + providing enhanced visibility and incident response capabilities directly from Microsoft Sentinel. Category: Other Icon: https://raw.githubusercontent.com/Azure/Azure-Sentinel/refs/heads/master/Logos/1password.svg Settings: From 42838da1098e41f2436622f88c2d3608c4151451 Mon Sep 17 00:00:00 2001 From: azurekid Date: Sat, 19 Apr 2025 09:43:11 +0200 Subject: [PATCH 05/19] updated name values --- .../1Password/data/1password.csv | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/data/1password.csv b/Plugins/Community Based Plugins/1Password/data/1password.csv index 84cf4488..42e72379 100644 --- a/Plugins/Community Based Plugins/1Password/data/1password.csv +++ b/Plugins/Community Based Plugins/1Password/data/1password.csv @@ -1,55 +1,55 @@ SourceSystem,"TimeGenerated [UTC]","uuid_s","session_uuid","timestamp [UTC]",country,category,"action_type",details,"target_user",client,location,"actor_uuid","actor_details",action,"object_type","object_uuid","object_details","aux_id","aux_uuid","aux_details","aux_info",session,"used_version","vault_uuid","item_uuid",user,"log_source",TenantId,Type,"_ResourceId" -,"4/18/2025, 12:55:02.901 PM",PRP3TX4DCZAIZCZ43XEXTAGRY4,3QW5AMJNGVF3FJTUQFVKKKR7MM,"4/18/2025, 12:54:18.794 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:55:02.901 PM",ICWRCZYO2BHHJGCNTTGKLVDOVE,GLXUBQ6I3JDWRPWW35PVOG26D4,"4/18/2025, 12:54:36.072 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",2MZ5LG7B3AWO3KIDYRP4Z3RGW6,,"4/4/2025, 4:45:16.121 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,device,l7xfhzeajqz4p3sblvnjp6s4ky,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",WL7LRUMV4CLRR6A745JOKFTLEI,,"4/4/2025, 4:48:04.321 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",view,report,,,,,,"activity-log","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",RTNVIBWEKYFI26TER3KLD7JVRV,,"4/4/2025, 4:49:05.793 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,sa,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,D,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",PLO3WHHNFLTZQT6WHYV3G7J2EB,,"4/4/2025, 4:49:05.804 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,satoken,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,"sl-microsoft-temp","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",BUFF5HHXI5NHZLHPSMHEJY5XMP,,"4/9/2025, 5:13:56.951 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",dlgsess,dlgdsess,JVPUAZQDWFBGDJRVJZDH2TDSHA,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",M6EV3JS5HID2RJH47KW2BWBNDH,,"4/9/2025, 5:13:56.963 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,device,bphjwuec4duaoc6jiiipxebzbi,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",2GPZLX3RIM5DCBH6ZRTVKLIDRL,,"4/9/2025, 5:15:26.888 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",create,vault,dzkriehzyenlesox7gaaxv7pma,,,,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",AHDJ74VRU4AFU6NJ54G4AUJR2Z,,"4/9/2025, 5:15:26.949 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",2147483646,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",VQMFRXB7W6MLMW3P2Z6ADLLXUD,,"4/9/2025, 5:15:26.962 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527804,rghqswd6b35ud5jupjjodpns44,,1,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",72WL6YAEYNXDXICB2YJ6RQ6EYC,,"4/9/2025, 5:15:26.973 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527805,btxffna52mw3aqpchktgefx6zi,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",WKNUB46HLWWF7RXFFEZY35C36B,,"4/9/2025, 5:15:26.985 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527806,7ol5ey5xurrhpjoo7gymu4pp7a,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",YBXGY3YVBIP6TDPFVT7L7BKAH7,,"4/9/2025, 5:15:32.351 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",dlgsess,dlgdsess,LMVI3756QBBVLGMGF6TBGO3NUY,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",UU76HEVBO2EO7YNIZINGOKXY5G,,"4/9/2025, 5:15:43.001 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",patch,items,dzkriehzyenlesox7gaaxv7pma,,2,,,"1,0,0,0,0","{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",CAEFEKA7TFXGGWUKP3R7XNITJZ,,"4/9/2025, 5:19:13.251 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",share,item,yyznfshprnktijvsjhouufqx5i,,18311600,dzkriehzyenlesox7gaaxv7pma,,4hutefbdsrnzz75d5yfvi4yqyu,"{""uuid"":""LMVI3756QBBVLGMGF6TBGO3NUY"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""bphjwuec4duaoc6jiiipxebzbi"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",S6J3HGO6OX6NDID6F435MENUAD,,"4/10/2025, 7:08:48.817 PM",,,,,,,"{""country"":""Canada"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}",create,device,xw27aj7ayveb6ecuge3lxlxrw4,,5542660,XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}",,"{""uuid"":""C7V57KMF2BDMZFCFLEK4ND6SNY"",""login_time"":""2025-04-10T19:08:48.7986500Z"",""device_uuid"":""xw27aj7ayveb6ecuge3lxlxrw4"",""ip"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",CMMLUZD4K6VACQWXW3IHS7CRM4,,"4/18/2025, 11:44:43.305 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,device,hsybmdp2dth3v5w6sxfz3fdrvu,,5547458,PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",5A5OKTJAMI3R3CVY536YAA6R6E,,"4/18/2025, 11:46:03.624 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",suspend,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Stefan Smit"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",5CLDHPJPHX4RKAHPBFBRRM2GXD,,"4/18/2025, 11:46:04.043 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,vault,v6stujbzdep5c7wjxvy7bv7wcm,,,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",ZRGO4CJHU7CX4GWA6XPXKPE7XP,,"4/18/2025, 11:46:04.052 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Stefan Smit"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",46QURC4PKKRI4MJPCYVYYSNTSF,,"4/18/2025, 11:46:28.557 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,invite,GMDEHR4LEJAQRHC2N4H2COIHMU,,,,,"info@slxndrs.com","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",GED74PQMIO7JTH65FNBXSP4VWO,,"4/18/2025, 11:47:07.830 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Development Thijs","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",AKSMVJYVYBJHTV2VRCAY7AZ2PL,,"4/18/2025, 11:47:11.940 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Production from UI","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",VI64BDVVWFZR27WWBYMF62Y2V2,,"4/18/2025, 11:47:28.194 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Copilot,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",DKDXK65DRATULJAC2BLZBYKDEZ,,"4/18/2025, 11:58:48.682 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,,,"activity-log","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",6OB56ACRRPWVCAVWLTSWHWFXWS,,"4/18/2025, 11:59:41.223 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",reactive,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",WGMHKYBUT232J7RT5PDIDDMJRN,,"4/18/2025, 12:00:30.446 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",beginr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",2NSLEYQQY4IBYPQSEIPAQHL2HT,,"4/18/2025, 12:02:19.428 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",completr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",WQSBSGEQ67YFWXPRSKHSMS63M5,,"4/18/2025, 12:03:55.138 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",create,device,3phoep7rew5k4n45iiwqna4cfm,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}",,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",O3JU2XYEOPMBURMNEGYCPS246D,,"4/18/2025, 12:04:29.632 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,vault,xeuq3jvbbm5xtqmom37i4k2c24,,,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",BLZPGPHCLMHZ6QIFT5LFPJEWUD,,"4/18/2025, 12:04:50.571 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",changenm,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",,,,,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",C6DCPVY4QEU4T5PLDGY2LRZV2V,,"4/18/2025, 12:05:53.754 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",56WAGARROVUHCRP3JX5GI3EQD6,,"4/18/2025, 12:05:53.773 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,36pafghqo5a7lnfbmk62ynhdra,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",6LREFBYAOEMFHRTSKBZ6S36JER,,"4/18/2025, 12:05:53.775 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",grant,uva,27laikzuyzowz6mzhk7oymb7pq,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit"",""email"":""stefan.alexander.smit@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",CEQZBXT6U332CPONGN7J7QP7UR,,"4/18/2025, 12:13:05.552 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",56KSTZ22RG2XZNGRRXV6GNYQRO,,"4/18/2025, 12:13:09.090 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",export,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",NH6PZIQFJLWYAH7KJLDPXMXEW7,,"4/18/2025, 12:13:20.202 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",view,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",O26RO7O5WJFGTOZO67BUALRTZS,,"4/18/2025, 12:13:25.201 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",export,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",QUYEBIL4PNV4KG4NILW662ATGL,,"4/18/2025, 12:14:52.447 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,ZXH73GV3PVFZZFQ23ONYDQJZII,"{""uuid"":""ZXH73GV3PVFZZFQ23ONYDQJZII"",""name"":""Sentinel integration"",""email"":""oqgiyj6saz5rs@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",CO6OVY5Z4Y455ZH424DWZWSU34,,"4/18/2025, 12:15:10.621 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",delete,user,SU3NS4P6KJDUTI5QYOOC5Y24OI,"{""uuid"":""SU3NS4P6KJDUTI5QYOOC5Y24OI"",""name"":""sl-microsoft-test"",""email"":""m6owabpqoihgo@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",ZDVBDXJHOYRHCF26PZA3HPJ6LK,,"4/18/2025, 12:15:26.125 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Pilot,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",GQU2AQROG5AJHK6YB34BPSOL6Y,UTLGFSJ3BFEXBJ6KS7I6V2M2FU,"4/4/2025, 4:45:16.126 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074012"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.189"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",NF6NGL7S6FD3XFULPKDAFLECRY,LSFGKSMJNFEUTKCX27PFS2OAVE,"4/9/2025, 5:13:51.014 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",T7IV5RBYHRBTRDBMDWZ5B5EIQU,JVPUAZQDWFBGDJRVJZDH2TDSHA,"4/9/2025, 5:13:56.967 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",SS5QW3HSRNCYHNICRWJNXI5QQA,LMVI3756QBBVLGMGF6TBGO3NUY,"4/9/2025, 5:15:32.357 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",4XOAEYUNFJGLNNUQG44AFHZSGA,C7V57KMF2BDMZFCFLEK4ND6SNY,"4/10/2025, 7:08:48.828 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",FQCRF6I5CJDUPAKVCHP47QWVFQ,TFOSOH6JCBAQRH37ZOTIWMGFYU,"4/11/2025, 1:14:19.172 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""clarence.wong+securehats@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",72HSUCNG2ZGORE64PYLGULKYSY,DUI4WKZ3BJFP3PHUAEMRPMP2FU,"4/18/2025, 11:44:02.575 AM",NL,"credentials_failed","password_secret_bad",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",THAYXVGVEJH6LARQKHJZXVAKPI,5AVYJMTULJAQRDYCXJAK7W2H5Y,"4/18/2025, 11:44:43.313 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",JEVVI4GVMNCSXJBF52IXO2OM4Q,G3BMS3U6XJDP7JZ34ND7HKDM4Y,"4/18/2025, 11:57:23.319 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Rogier Dijkman"",""email"":""rogierdijkman@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",HDCR3PNYARBSFE5HC6AWUPWCYI,MYV36CCVNZDEPNHXVCUXES2ADM,"4/18/2025, 12:03:55.150 PM",NL,success,"credentials_ok",,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Stefan Smit (test)"",""email"":""stefan.alexander.smit@outlook.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Brave"",""platform_version"":""135.0.0.0"",""os_name"":""Windows"",""os_version"":""11.0"",""ip_address"":""86.85.254.86""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",CVOHJRHF7BAXHLZNORNP6N6IMA,,"4/9/2025, 5:15:42.746 PM",,,,,,"{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,"server-create",,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", -,"4/18/2025, 12:40:19.703 PM",7FW55XI4JZEXZLG43WEPF7IBAY,,"4/9/2025, 5:19:13.254 PM",,,,,,"{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,share,,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""Scott Lougheed"",""email"":""scott.lougheed+securehats@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:55:02.901 PM",PRP3TX4DCZAIZCZ43XEXTAGRY4,3QW5AMJNGVF3FJTUQFVKKKR7MM,"4/18/2025, 12:54:18.794 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:55:02.901 PM",ICWRCZYO2BHHJGCNTTGKLVDOVE,GLXUBQ6I3JDWRPWW35PVOG26D4,"4/18/2025, 12:54:36.072 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.96"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:dd0:2824:3c99:7d69""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2MZ5LG7B3AWO3KIDYRP4Z3RGW6,,"4/4/2025, 4:45:16.121 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",create,device,l7xfhzeajqz4p3sblvnjp6s4ky,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WL7LRUMV4CLRR6A745JOKFTLEI,,"4/4/2025, 4:48:04.321 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",view,report,,,,,,"activity-log","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",RTNVIBWEKYFI26TER3KLD7JVRV,,"4/4/2025, 4:49:05.793 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",create,sa,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,D,"{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",PLO3WHHNFLTZQT6WHYV3G7J2EB,,"4/4/2025, 4:49:05.804 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",create,satoken,SU3NS4P6KJDUTI5QYOOC5Y24OI,,,,,"sl-microsoft-temp","{""uuid"":""UTLGFSJ3BFEXBJ6KS7I6V2M2FU"",""login_time"":""2025-04-04T16:45:16.1044527Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",BUFF5HHXI5NHZLHPSMHEJY5XMP,,"4/9/2025, 5:13:56.951 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",dlgsess,dlgdsess,JVPUAZQDWFBGDJRVJZDH2TDSHA,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",M6EV3JS5HID2RJH47KW2BWBNDH,,"4/9/2025, 5:13:56.963 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",create,device,bphjwuec4duaoc6jiiipxebzbi,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2GPZLX3RIM5DCBH6ZRTVKLIDRL,,"4/9/2025, 5:15:26.888 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",create,vault,dzkriehzyenlesox7gaaxv7pma,,,,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",AHDJ74VRU4AFU6NJ54G4AUJR2Z,,"4/9/2025, 5:15:26.949 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5547344,IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",2147483646,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",VQMFRXB7W6MLMW3P2Z6ADLLXUD,,"4/9/2025, 5:15:26.962 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527804,rghqswd6b35ud5jupjjodpns44,,1,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",72WL6YAEYNXDXICB2YJ6RQ6EYC,,"4/9/2025, 5:15:26.973 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527805,btxffna52mw3aqpchktgefx6zi,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WKNUB46HLWWF7RXFFEZY35C36B,,"4/9/2025, 5:15:26.985 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",grant,gva,dzkriehzyenlesox7gaaxv7pma,,22527806,7ol5ey5xurrhpjoo7gymu4pp7a,,2,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",YBXGY3YVBIP6TDPFVT7L7BKAH7,,"4/9/2025, 5:15:32.351 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",dlgsess,dlgdsess,LMVI3756QBBVLGMGF6TBGO3NUY,,,LSFGKSMJNFEUTKCX27PFS2OAVE,,,"{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",UU76HEVBO2EO7YNIZINGOKXY5G,,"4/9/2025, 5:15:43.001 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",patch,items,dzkriehzyenlesox7gaaxv7pma,,2,,,"1,0,0,0,0","{""uuid"":""LSFGKSMJNFEUTKCX27PFS2OAVE"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""l7xfhzeajqz4p3sblvnjp6s4ky"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CAEFEKA7TFXGGWUKP3R7XNITJZ,,"4/9/2025, 5:19:13.251 PM",,,,,,,"{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",IBW4GP5NZFFBRK6IIS5SG3K4CI,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",share,item,yyznfshprnktijvsjhouufqx5i,,18311600,dzkriehzyenlesox7gaaxv7pma,,4hutefbdsrnzz75d5yfvi4yqyu,"{""uuid"":""LMVI3756QBBVLGMGF6TBGO3NUY"",""login_time"":""2025-04-09T17:13:50.9925067Z"",""device_uuid"":""bphjwuec4duaoc6jiiipxebzbi"",""ip"":""207.6.250.192""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",S6J3HGO6OX6NDID6F435MENUAD,,"4/10/2025, 7:08:48.817 PM",,,,,,,"{""country"":""Canada"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}",create,device,xw27aj7ayveb6ecuge3lxlxrw4,,5542660,XMBOV3AOFFFLNPHI7HKN2EI2XY,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}",,"{""uuid"":""C7V57KMF2BDMZFCFLEK4ND6SNY"",""login_time"":""2025-04-10T19:08:48.7986500Z"",""device_uuid"":""xw27aj7ayveb6ecuge3lxlxrw4"",""ip"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CMMLUZD4K6VACQWXW3IHS7CRM4,,"4/18/2025, 11:44:43.305 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",create,device,hsybmdp2dth3v5w6sxfz3fdrvu,,5547458,PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",5A5OKTJAMI3R3CVY536YAA6R6E,,"4/18/2025, 11:46:03.624 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",suspend,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Jack Sparrow"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",5CLDHPJPHX4RKAHPBFBRRM2GXD,,"4/18/2025, 11:46:04.043 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",delete,vault,v6stujbzdep5c7wjxvy7bv7wcm,,,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",ZRGO4CJHU7CX4GWA6XPXKPE7XP,,"4/18/2025, 11:46:04.052 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",delete,user,CPX3K36BWJA4NKLQP3KADNFXFU,"{""uuid"":""CPX3K36BWJA4NKLQP3KADNFXFU"",""name"":""Jack Sparrow"",""email"":""info@slxndrs.com""}",,,,,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",46QURC4PKKRI4MJPCYVYYSNTSF,,"4/18/2025, 11:46:28.557 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",create,invite,GMDEHR4LEJAQRHC2N4H2COIHMU,,,,,"info@slxndrs.com","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",GED74PQMIO7JTH65FNBXSP4VWO,,"4/18/2025, 11:47:07.830 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Development Thijs","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",AKSMVJYVYBJHTV2VRCAY7AZ2PL,,"4/18/2025, 11:47:11.940 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",trevoke,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,"Production from UI","{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",VI64BDVVWFZR27WWBYMF62Y2V2,,"4/18/2025, 11:47:28.194 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Copilot,"{""uuid"":""5AVYJMTULJAQRDYCXJAK7W2H5Y"",""login_time"":""2025-04-18T11:44:43.2669887Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",DKDXK65DRATULJAC2BLZBYKDEZ,,"4/18/2025, 11:58:48.682 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",view,report,,,,,,"activity-log","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",6OB56ACRRPWVCAVWLTSWHWFXWS,,"4/18/2025, 11:59:41.223 AM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",reactive,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WGMHKYBUT232J7RT5PDIDDMJRN,,"4/18/2025, 12:00:30.446 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",beginr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",2NSLEYQQY4IBYPQSEIPAQHL2HT,,"4/18/2025, 12:02:19.428 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",completr,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",WQSBSGEQ67YFWXPRSKHSMS63M5,,"4/18/2025, 12:03:55.138 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}",create,device,3phoep7rew5k4n45iiwqna4cfm,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}",,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",O3JU2XYEOPMBURMNEGYCPS246D,,"4/18/2025, 12:04:29.632 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",delete,vault,xeuq3jvbbm5xtqmom37i4k2c24,,,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",BLZPGPHCLMHZ6QIFT5LFPJEWUD,,"4/18/2025, 12:04:50.571 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow"",""email"":""jack.sparrow@outlook.com""}",changenm,user,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow"",""email"":""jack.sparrow@outlook.com""}",,,,,"{""uuid"":""MYV36CCVNZDEPNHXVCUXES2ADM"",""login_time"":""2025-04-18T12:03:55.0983200Z"",""device_uuid"":""3phoep7rew5k4n45iiwqna4cfm"",""ip"":""86.85.254.86""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",C6DCPVY4QEU4T5PLDGY2LRZV2V,,"4/18/2025, 12:05:53.754 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",grant,uva,dzkriehzyenlesox7gaaxv7pma,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow"",""email"":""jack.sparrow@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",56WAGARROVUHCRP3JX5GI3EQD6,,"4/18/2025, 12:05:53.773 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",grant,uva,36pafghqo5a7lnfbmk62ynhdra,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow"",""email"":""jack.sparrow@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",6LREFBYAOEMFHRTSKBZ6S36JER,,"4/18/2025, 12:05:53.775 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",grant,uva,27laikzuyzowz6mzhk7oymb7pq,,5622552,OBVNU7G3JNED5PYYGVQY6FM65Q,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow"",""email"":""jack.sparrow@outlook.com""}",15730672,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CEQZBXT6U332CPONGN7J7QP7UR,,"4/18/2025, 12:13:05.552 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",view,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",56KSTZ22RG2XZNGRRXV6GNYQRO,,"4/18/2025, 12:13:09.090 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",export,report,,,,36pafghqo5a7lnfbmk62ynhdra,,"vault-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",NH6PZIQFJLWYAH7KJLDPXMXEW7,,"4/18/2025, 12:13:20.202 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",view,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",O26RO7O5WJFGTOZO67BUALRTZS,,"4/18/2025, 12:13:25.201 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",export,report,,,,OBVNU7G3JNED5PYYGVQY6FM65Q,,"user-usage-report","{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",QUYEBIL4PNV4KG4NILW662ATGL,,"4/18/2025, 12:14:52.447 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",delete,user,ZXH73GV3PVFZZFQ23ONYDQJZII,"{""uuid"":""ZXH73GV3PVFZZFQ23ONYDQJZII"",""name"":""Sentinel integration"",""email"":""oqgiyj6saz5rs@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CO6OVY5Z4Y455ZH424DWZWSU34,,"4/18/2025, 12:15:10.621 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",delete,user,SU3NS4P6KJDUTI5QYOOC5Y24OI,"{""uuid"":""SU3NS4P6KJDUTI5QYOOC5Y24OI"",""name"":""sl-microsoft-test"",""email"":""m6owabpqoihgo@1passwordserviceaccounts.com""}",,,,,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",ZDVBDXJHOYRHCF26PZA3HPJ6LK,,"4/18/2025, 12:15:26.125 PM",,,,,,,"{""country"":""The Netherlands"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",PVXZMHITIFHG3FNMW4WERJEOCA,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}",create,satoken,B4DGXVKQGNHW3HAW2NRSEJCWOU,,,,,Pilot,"{""uuid"":""G3BMS3U6XJDP7JZ34ND7HKDM4Y"",""login_time"":""2025-04-18T11:57:23.3069882Z"",""device_uuid"":""hsybmdp2dth3v5w6sxfz3fdrvu"",""ip"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}",,,,,auditevents,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",GQU2AQROG5AJHK6YB34BPSOL6Y,UTLGFSJ3BFEXBJ6KS7I6V2M2FU,"4/4/2025, 4:45:16.126 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074012"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.189"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",NF6NGL7S6FD3XFULPKDAFLECRY,LSFGKSMJNFEUTKCX27PFS2OAVE,"4/9/2025, 5:13:51.014 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",T7IV5RBYHRBTRDBMDWZ5B5EIQU,JVPUAZQDWFBGDJRVJZDH2TDSHA,"4/9/2025, 5:13:56.967 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",SS5QW3HSRNCYHNICRWJNXI5QQA,LMVI3756QBBVLGMGF6TBGO3NUY,"4/9/2025, 5:15:32.357 PM",CA,success,"credentials_ok",,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}","{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""CA"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",4XOAEYUNFJGLNNUQG44AFHZSGA,C7V57KMF2BDMZFCFLEK4ND6SNY,"4/10/2025, 7:08:48.828 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",FQCRF6I5CJDUPAKVCHP47QWVFQ,TFOSOH6JCBAQRH37ZOTIWMGFYU,"4/11/2025, 1:14:19.172 PM",CA,success,"credentials_ok",,"{""uuid"":""XMBOV3AOFFFLNPHI7HKN2EI2XY"",""name"":""Clarence Wong"",""email"":""axel.rose@agilebits.com""}","{""app_name"":""1Password Browser Extension"",""app_version"":""81070027"",""platform_name"":""Chrome extension"",""platform_version"":""135.0.7049.85"",""os_name"":""MacOSX"",""os_version"":""15.3.2"",""ip_address"":""2607:fea8:52a2:e300:ec42:517a:6903:6487""}","{""country"":""CA"",""region"":""Ontario"",""city"":""Markham"",""latitude"":43.8455,""longitude"":-79.2635}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",72HSUCNG2ZGORE64PYLGULKYSY,DUI4WKZ3BJFP3PHUAEMRPMP2FU,"4/18/2025, 11:44:02.575 AM",NL,"credentials_failed","password_secret_bad",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",THAYXVGVEJH6LARQKHJZXVAKPI,5AVYJMTULJAQRDYCXJAK7W2H5Y,"4/18/2025, 11:44:43.313 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",JEVVI4GVMNCSXJBF52IXO2OM4Q,G3BMS3U6XJDP7JZ34ND7HKDM4Y,"4/18/2025, 11:57:23.319 AM",NL,success,"credentials_ok",,"{""uuid"":""PVXZMHITIFHG3FNMW4WERJEOCA"",""name"":""Peter Pan"",""email"":""peter.pan@hotmail.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Safari"",""platform_version"":""18.4"",""os_name"":""MacOSX"",""os_version"":""10.15.7"",""ip_address"":""2a02:a44f:4345:0:801b:87ab:a162:a10f""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Amersfoort"",""latitude"":52.1592,""longitude"":5.3849}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",HDCR3PNYARBSFE5HC6AWUPWCYI,MYV36CCVNZDEPNHXVCUXES2ADM,"4/18/2025, 12:03:55.150 PM",NL,success,"credentials_ok",,"{""uuid"":""OBVNU7G3JNED5PYYGVQY6FM65Q"",""name"":""Jack Sparrow (test)"",""email"":""jack.sparrow@outlook.com""}","{""app_name"":""1Password for Web"",""app_version"":""1982"",""platform_name"":""Brave"",""platform_version"":""135.0.0.0"",""os_name"":""Windows"",""os_version"":""11.0"",""ip_address"":""86.85.254.86""}","{""country"":""NL"",""region"":""Utrecht"",""city"":""Utrecht"",""latitude"":52.1083,""longitude"":5.1423}",,,,,,,,,,,,,,,,signinattempts,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",CVOHJRHF7BAXHLZNORNP6N6IMA,,"4/9/2025, 5:15:42.746 PM",,,,,,"{""app_name"":""1Password Browser Extension"",""app_version"":""81074017"",""platform_name"":""Chrome extension"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,"server-create",,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", +,"4/18/2025, 12:40:19.703 PM",7FW55XI4JZEXZLG43WEPF7IBAY,,"4/9/2025, 5:19:13.254 PM",,,,,,"{""app_name"":""1Password for Web"",""app_version"":""1975"",""platform_name"":""Chrome"",""platform_version"":""134.0.6998.199"",""os_name"":""MacOSX"",""os_version"":""15.4.0"",""ip_address"":""207.6.250.192""}","{""country"":""Canada"",""region"":""British Columbia"",""city"":""Kelowna"",""latitude"":49.8956,""longitude"":-119.4897}",,,share,,,,,,,,,1,dzkriehzyenlesox7gaaxv7pma,yyznfshprnktijvsjhouufqx5i,"{""uuid"":""IBW4GP5NZFFBRK6IIS5SG3K4CI"",""name"":""John Doe"",""email"":""john.doe@agilebits.com""}",itemusages,"8ffcf5f0-cf26-483b-8d8a-b7b1544bb815","OnePasswordEventLogs_CL", From 1320b5408ad30044ba9214aadda5ae49d77b5726 Mon Sep 17 00:00:00 2001 From: azurekid Date: Sat, 19 Apr 2025 09:50:19 +0200 Subject: [PATCH 06/19] Enhance README.md with detailed installation and usage instructions for 1Password plugin --- .../1Password/docs/README.md | 26 ++++++++++++++++++- 1 file changed, 25 insertions(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/1Password/docs/README.md b/Plugins/Community Based Plugins/1Password/docs/README.md index 6243d4b3..0b00b1e0 100644 --- a/Plugins/Community Based Plugins/1Password/docs/README.md +++ b/Plugins/Community Based Plugins/1Password/docs/README.md @@ -1,2 +1,26 @@ -# 1Password plugin for Microsoft Security Copilot +# 1Password Plugin for Microsoft Security Copilot +## Overview + + The 1Password plugin enables Microsoft Security Copilot to securely access and retrieve secrets, credentials, and other sensitive information stored in 1Password vaults. This integration allows security analysts and automation workflows to leverage 1Password as a trusted source for secrets management within the Security Copilot environment. + +## Installation + + 1. Ensure you have access to the 1Password account with the necessary permissions to read vaults and items via 1Password Connect. + 2. Download or clone the plugin repository into your Security Copilot Community Plugins directory. + 3. Follow the standard plugin registration process for Microsoft Security Copilot, referencing this plugin's manifest file (`KQL_manifest_1password.yaml`). + 4. Ensure your 1Password Connect server is running and accessible from the Security Copilot environment. + +## Setup Parameters + + + +## Usage + + Once installed and configured, use Security Copilot prompts or workflows to query secrets from 1Password. + +## Example prompt + "Get secret details for item 'Database Credentials' in vault 'Production Secrets' using 1Password." + The plugin will securely interact with your 1Password Connect server to fetch and return the requested information. + + For more details on 1Password Connect, refer to the official 1Password documentation. For plugin specifics, consult the manifest file. From efec9c8dd6ddab8b83e1da99c063f5ba7a4783fa Mon Sep 17 00:00:00 2001 From: azurekid Date: Sat, 19 Apr 2025 09:58:54 +0200 Subject: [PATCH 07/19] Refactor code structure for improved readability and maintainability --- Plugins/Community Based Plugins/1Password/{docs => KQL}/README.md | 0 .../1Password/{images => KQL/logo}/1password.svg | 0 .../manifest/1password_manifest.yaml} | 0 .../1Password/{data => KQL/sampledata}/1password.csv | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename Plugins/Community Based Plugins/1Password/{docs => KQL}/README.md (100%) rename Plugins/Community Based Plugins/1Password/{images => KQL/logo}/1password.svg (100%) rename Plugins/Community Based Plugins/1Password/{src/KQL_manifest_1password.yaml => KQL/manifest/1password_manifest.yaml} (100%) rename Plugins/Community Based Plugins/1Password/{data => KQL/sampledata}/1password.csv (100%) diff --git a/Plugins/Community Based Plugins/1Password/docs/README.md b/Plugins/Community Based Plugins/1Password/KQL/README.md similarity index 100% rename from Plugins/Community Based Plugins/1Password/docs/README.md rename to Plugins/Community Based Plugins/1Password/KQL/README.md diff --git a/Plugins/Community Based Plugins/1Password/images/1password.svg b/Plugins/Community Based Plugins/1Password/KQL/logo/1password.svg similarity index 100% rename from Plugins/Community Based Plugins/1Password/images/1password.svg rename to Plugins/Community Based Plugins/1Password/KQL/logo/1password.svg diff --git a/Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml similarity index 100% rename from Plugins/Community Based Plugins/1Password/src/KQL_manifest_1password.yaml rename to Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml diff --git a/Plugins/Community Based Plugins/1Password/data/1password.csv b/Plugins/Community Based Plugins/1Password/KQL/sampledata/1password.csv similarity index 100% rename from Plugins/Community Based Plugins/1Password/data/1password.csv rename to Plugins/Community Based Plugins/1Password/KQL/sampledata/1password.csv From 4ae173f7f1d59284eb44fa2b1fb5cfb829691401 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Sun, 20 Apr 2025 21:15:17 +0200 Subject: [PATCH 08/19] Added FailedSignInAttempts --- .../KQL/manifest/1password_manifest.yaml | 65 +++++++++++++++++-- 1 file changed, 59 insertions(+), 6 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index d8eb0c6a..49f38acc 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -67,6 +67,64 @@ SkillGroups: location.country, client.app_name + - Name: FailedSignInAttempts + DisplayName: Failed sign-in events + Description: Fetches failed sign-in events from 1Password + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + | where log_source == "signinattempts" + | where category != "success" + | extend + target_user_email = tostring(target_user.email) + , target_user_name = tostring(target_user.name) + , target_user_uuid = tostring(target_user.uuid) + , client_app_name = tostring(client.app_name) + , client_ip_address = tostring(client.ip_address) + , client_os_name = tostring(client.os_name) + , location_country = tostring(location.country) + , location_region = tostring(location.region) + | summarize + arg_max( + TimeGenerated + , target_user_email + , target_user_name + , category + , action_type + , client_ip_address + , client_app_name + , client_os_name + , location_country + , location_region + ) by + target_user_uuid + , session_uuid + | project-reorder + TimeGenerated + , target_user_email + , target_user_name + , target_user_uuid + , session_uuid + , category + , action_type + , client_ip_address + , client_app_name + , client_os_name + , location_country + , location_region + - Name: IntegrationChangeEvents DisplayName: Integration change events Description: Searches for changes to the integration tokens @@ -88,9 +146,4 @@ SkillGroups: | where object_type == "satoken" | extend ActorUsername = actor_details.email - , SrcIpAddr = session.ip - - - - - + , SrcIpAddr = session.ip \ No newline at end of file From 8bd5e95068015b0ec2439e492bf18219686936d3 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Sat, 26 Apr 2025 20:15:11 +0200 Subject: [PATCH 09/19] Added AnomalousActivity --- .../KQL/manifest/1password_manifest.yaml | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 49f38acc..b245293d 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -125,6 +125,107 @@ SkillGroups: , location_country , location_region + - Name: AnomalousActivity + DisplayName: Anomalous activity after infrequent amount of sign-ins + Description: Fetches anomalous activity after infrequent amount of sign-ins + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + let highRiskEventsTable = datatable(action:string, object_type:string, risk_level:string) [ + "activate", "account", "high" + , "update", "account", "medium" + , "delete", "account", "high" + , "dlgsess", "dlgdsess", "high" + , "create", "device", "high" + , "update", "device", "medium" + , "delete", "device", "high" + , "updatfw", "account", "high" + , "create", "group", "high" + , "delete", "group", "high" + , "join", "gm", "high" + , "leave", "gm", "high" + , "role", "gm", "high" + , "grant", "gva", "high" + , "revoke", "gva", "high" + , "update", "gva", "high" + , "create", "invite", "high" + , "update", "invite", "medium" + , "share", "item", "high" + , "delshare", "item", "high" + , "uisas", "account", "high" + , "create", "mngdacc", "high" + , "launchi", "mngdacc", "high" + , "unlink", "mngdacc", "high" + , "enblmfa", "user", "high" + , "updatmfa", "user", "high" + , "disblmfa", "user", "high" + , "disblmfa", "account", "high" + , "sendpkg", "user", "high" + , "create", "sa", "high" + , "create", "satoken", "high" + , "trename", "satoken", "high" + , "tverify", "satoken", "high" + , "trevoke", "satoken", "high" + , "ssotknv", "ssotkn", "high" + , "disblsso", "sso", "high" + , "chngpsso", "sso", "high" + , "chngasso", "sso", "high" + , "chngdsso", "sso", "high" + , "addgsso", "sso", "high" + , "delgsso", "sso", "high" + , "verify", "user", "high" + , "join", "user", "high" + , "activate", "user", "high" + , "suspend", "user", "high" + , "delete", "user", "high" + , "changemp", "user", "high" + , "changesk", "user", "high" + , "tdvcsso", "user", "high" + , "sdvcsso", "user", "high" + , "grant", "uva", "high" + , "revoke", "uva", "high" + , "update", "uva", "high" + , "create", "vault", "high" + , "delete", "vault", "high" + , "update", "vault", "high" + , "export", "vault", "high" + , "vrfydmn", "account", "high" + , "uvrfydmn", "account", "high" + , "dvrfydmn", "account", "high" + ]; + let signinBaselineEvents = + OnePasswordEventLogs_CL + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + | where log_source == "signinattempts" + | extend + target_user_email = tostring(target_user.email) + , target_user_uuid = tostring(target_user.uuid) + , client_ip_address = tostring(client.ip_address) + | summarize count() by target_user_uuid, client_ip_address + | extend targetIdentifier = base64_encode_tostring(strcat(target_user_uuid, client_ip_address)) + | where count_ > 5 + | summarize make_list(targetIdentifier) + ; + OnePasswordEventLogs_CL + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + | lookup kind=inner highRiskEventsTable on $left.action == $right.action and $left.object_type == $right.object_type + | extend + actor_ip = tostring(session.ip) + , actor_details_email = tostring(actor_details.email) + | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) + | where actor_details_email !endswith "1passwordserviceaccounts.com" + | where targetIdentifier !in (signinBaselineEvents) + - Name: IntegrationChangeEvents DisplayName: Integration change events Description: Searches for changes to the integration tokens From 8dc34cee39375d4a95b20d2eb59be36c83e4fdc2 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Wed, 30 Apr 2025 14:10:33 +0200 Subject: [PATCH 10/19] base functionality added --- .../KQL/manifest/1password_manifest.yaml | 483 ++++++++++++++++-- 1 file changed, 446 insertions(+), 37 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index b245293d..37b16e59 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -43,12 +43,300 @@ Descriptor: SkillGroups: - Format: KQL Skills: - - Name: FailedUserLoginEvents - DisplayName: Failed user login events - Description: Fetches failed user login events from 1Password + +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - signinattempts (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + + - Name: usersigninattempts + DisplayName: user signin attempts + Description: Fetches a summarized list of specific user signin attempts for the provided month (current_month/last_month) + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + - Name: user + Description: Filter for the user based on their UserPrincipalName (email). + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + | where log_source == "signinattempts" + // user filter + | where tostring(target_user.email) == "{{user}}" + // target_user variables + | extend + target_user_email = tostring(target_user.email) + , target_user_name = tostring(target_user.name) + , target_user_uuid = tostring(target_user.uuid) + // client variables + | extend + client_app_name = tostring(client.app_name) + , client_ip_address = tostring(client.ip_address) + , client_os_name = tostring(client.os_name) + , client_platform_name = tostring(client.platform_name) + // location variables + | extend + location_city = tostring(location.city) + , location_country = tostring(location.country) + , location_region = tostring(location.region) + | summarize by + target_user_email + , client_ip_address + , target_user_name + , target_user_uuid + , category + , action_type + , client_app_name + , client_os_name + , client_platform_name + , location_country + , location_region + , location_city + | sort by + target_user_email asc + , client_ip_address asc + + - Name: summarizedsigninattempts + DisplayName: summarized signin attempts + Description: Fetches a summarized list of user signin attempts for the provided month (current_month/last_month) + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + | where log_source == "signinattempts" + // target_user variables + | extend + target_user_email = tostring(target_user.email) + , target_user_name = tostring(target_user.name) + , target_user_uuid = tostring(target_user.uuid) + // client variables + | extend + client_app_name = tostring(client.app_name) + , client_ip_address = tostring(client.ip_address) + , client_os_name = tostring(client.os_name) + , client_platform_name = tostring(client.platform_name) + // location variables + | extend + location_city = tostring(location.city) + , location_country = tostring(location.country) + , location_region = tostring(location.region) + | summarize by + target_user_email + , client_ip_address + , target_user_name + , target_user_uuid + , category + , action_type + , client_app_name + , client_os_name + , client_platform_name + , location_country + , location_region + , location_city + | sort by + target_user_email asc + , client_ip_address asc + +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - auditevents (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + + - Name: userauditevents + DisplayName: user audit events + Description: Fetches a summarized list of specific user audit events for the provided month (current_month/last_month) + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + - Name: user + Description: Filter for the user based on their UserPrincipalName (email). + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + // temporary addition of itemusages due to logging bug + | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share")) + // user filter + | where tostring(actor_details.email) == "{{user}}" + // location variables + | extend + location_country = tostring(location.country) + , location_region = tostring(location.region) + , location_city = tostring(location.city) + // actor_details variables + | extend + actor_details_uuid = tostring(actor_details.uuid) + , actor_details_name = tostring(actor_details.name) + , actor_details_email = tostring(actor_details.email) + // session variables + | extend + session_device_uuid = tostring(session.device_uuid) + , session_ip_address = tostring(session.ip) + | summarize by + actor_details_email + , session_ip_address + , actor_details_name + , actor_details_uuid + , action + , object_type + , aux_info + , session_device_uuid + , location_country + , location_region + , location_city + | sort by + actor_details_email asc + , session_ip_address asc + + - Name: summarizedauditevents + DisplayName: summarized audit events + Description: Fetches a summarized list of user audit events for the provided month (current_month/last_month) + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + // temporary addition of itemusages due to logging bug + | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share")) + // location variables + | extend + location_country = tostring(location.country) + , location_region = tostring(location.region) + , location_city = tostring(location.city) + // actor_details variables + | extend + actor_details_uuid = tostring(actor_details.uuid) + , actor_details_name = tostring(actor_details.name) + , actor_details_email = tostring(actor_details.email) + // session variables + | extend + session_device_uuid = tostring(session.device_uuid) + , session_ip_address = tostring(session.ip) + | summarize by + actor_details_email + , session_ip_address + , actor_details_name + , actor_details_uuid + , action + , object_type + , aux_info + , session_device_uuid + , location_country + , location_region + , location_city + | sort by + actor_details_email asc + , session_ip_address asc + +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - itemusages (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + + - Name: useritemusages + DisplayName: user item usages + Description: Fetches a summarized list of specific user item usages for the provided month (current_month/last_month) + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + - Name: user + Description: Filter for the user based on their UserPrincipalName (email). + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + let current_month = -0; + let last_month = -1; + OnePasswordEventLogs_CL + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + // temporary addition of itemusages due to logging bug + | where log_source == "itemusages" and action in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share") + // user filter + | where tostring(user.email) == "{{user}}" + // client variables + | extend + client_app_name = tostring(client.app_name) + , client_platform_name = tostring(client.platform_name) + , client_os_name = tostring(client.os_name) + , client_ip_address = tostring(client.ip_address) + // location variables + | extend + location_country = tostring(location.country) + , location_region = tostring(location.region) + , location_city = tostring(location.city) + // user variables + | extend + user_uuid = tostring(user.uuid) + , user_name = tostring(user.name) + , user_email = tostring(user.email) + | summarize by + user_email + , client_ip_address + , user_name + , user_uuid + , action + , vault_uuid + , item_uuid + , location_country + , location_region + , location_city + | sort by + user_email asc + , client_ip_address asc + + - Name: summarizeditemusages + DisplayName: summarized item usages + Description: Fetches a summarized list of user item usages for the provided month (current_month/last_month) Inputs: - - Name: days - Description: Look back x amount of days, for example 10, 20, 30. + - Name: month + Description: Look back to the current_month or last_month. Required: true Settings: Target: Sentinel @@ -57,15 +345,159 @@ SkillGroups: ResourceGroupName: '{{ResourceGroupName}}' WorkspaceName: '{{WorkspaceName}}' Template: |- + let current_month = -0; + let last_month = -1; OnePasswordEventLogs_CL - | where TimeGenerated > ago({{days}}d) - | where category == "credentials_failed" - | where action_type == "password_secret_bad" - | project - target_user.name, - target_user.email, - location.country, - client.app_name + // time filter + | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + // temporary addition of itemusages due to logging bug + | where log_source == "itemusages" and action in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share") + // client variables + | extend + client_app_name = tostring(client.app_name) + , client_platform_name = tostring(client.platform_name) + , client_os_name = tostring(client.os_name) + , client_ip_address = tostring(client.ip_address) + // location variables + | extend + location_country = tostring(location.country) + , location_region = tostring(location.region) + , location_city = tostring(location.city) + // user variables + | extend + user_uuid = tostring(user.uuid) + , user_name = tostring(user.name) + , user_email = tostring(user.email) + | summarize by + user_email + , client_ip_address + , user_name + , user_uuid + , action + , vault_uuid + , item_uuid + , location_country + , location_region + , location_city + | sort by + user_email asc + , client_ip_address asc + +# ----------------------------------------------------------------------------------------------------------------------------- +# extra functionality - () +# ----------------------------------------------------------------------------------------------------------------------------- + + - Name: AnomalousUserSignin + DisplayName: Anomalous User Sign-in + Description: Fetches anomalous user sign-ins + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: AnomalousDeviceRegistration + DisplayName: Anomalous Device Registration + Description: Fetches anomalous device registrations + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: AnomalousDelegatedSessionCreation + DisplayName: Anomalous Delegated Session Creation + Description: Fetches anomalous delegated session creations + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: AnomalousVaultAccessGrant + DisplayName: Anomalous Vault Access Grant + Description: Fetches anomalous vault access granting + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: MassVaultItemViewing + DisplayName: Mass Vault Item Viewing + Description: Fetches mass vault item viewing activity + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: MassVaultItemViewing + DisplayName: Mass Vault Item Viewing + Description: Fetches mass vault item viewing activity + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + + + - Name: AnomalousGrouporUserModification + DisplayName: Anomalous Group or user Modification + Description: Fetches anomalous group or use modifcations + Inputs: + - Name: month + Description: Look back to the current_month or last_month. + Required: true + Settings: + Target: Sentinel + TenantId: '{{TenantId}}' + SubscriptionId: '{{SubscriptionId}}' + ResourceGroupName: '{{ResourceGroupName}}' + WorkspaceName: '{{WorkspaceName}}' + Template: |- + - Name: FailedSignInAttempts DisplayName: Failed sign-in events @@ -224,27 +656,4 @@ SkillGroups: , actor_details_email = tostring(actor_details.email) | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) | where actor_details_email !endswith "1passwordserviceaccounts.com" - | where targetIdentifier !in (signinBaselineEvents) - - - Name: IntegrationChangeEvents - DisplayName: Integration change events - Description: Searches for changes to the integration tokens - Inputs: - - Name: days - Description: Look back x amount of days, for example 10, 20, 30. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- - OnePasswordEventLogs_CL - | where TimeGenerated > ago({{days}}d) - | where log_source == "auditevents" - | where action has_any("create", "trename", "tverify", "trevoke") - | where object_type == "satoken" - | extend - ActorUsername = actor_details.email - , SrcIpAddr = session.ip \ No newline at end of file + | where targetIdentifier !in (signinBaselineEvents) \ No newline at end of file From 5d4e398e02e4c55c50ec6d7b214d986696ff9ddf Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Wed, 30 Apr 2025 15:44:49 +0200 Subject: [PATCH 11/19] comment adjustments --- .../KQL/manifest/1password_manifest.yaml | 24 ------------------- 1 file changed, 24 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 37b16e59..6e98d00b 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -43,11 +43,6 @@ Descriptor: SkillGroups: - Format: KQL Skills: - -# ----------------------------------------------------------------------------------------------------------------------------- -# base functionality - signinattempts (user and summarized) -# ----------------------------------------------------------------------------------------------------------------------------- - - Name: usersigninattempts DisplayName: user signin attempts Description: Fetches a summarized list of specific user signin attempts for the provided month (current_month/last_month) @@ -159,10 +154,6 @@ SkillGroups: target_user_email asc , client_ip_address asc -# ----------------------------------------------------------------------------------------------------------------------------- -# base functionality - auditevents (user and summarized) -# ----------------------------------------------------------------------------------------------------------------------------- - - Name: userauditevents DisplayName: user audit events Description: Fetches a summarized list of specific user audit events for the provided month (current_month/last_month) @@ -270,10 +261,6 @@ SkillGroups: actor_details_email asc , session_ip_address asc -# ----------------------------------------------------------------------------------------------------------------------------- -# base functionality - itemusages (user and summarized) -# ----------------------------------------------------------------------------------------------------------------------------- - - Name: useritemusages DisplayName: user item usages Description: Fetches a summarized list of specific user item usages for the provided month (current_month/last_month) @@ -383,10 +370,6 @@ SkillGroups: user_email asc , client_ip_address asc -# ----------------------------------------------------------------------------------------------------------------------------- -# extra functionality - () -# ----------------------------------------------------------------------------------------------------------------------------- - - Name: AnomalousUserSignin DisplayName: Anomalous User Sign-in Description: Fetches anomalous user sign-ins @@ -402,7 +385,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: AnomalousDeviceRegistration DisplayName: Anomalous Device Registration Description: Fetches anomalous device registrations @@ -418,7 +400,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: AnomalousDelegatedSessionCreation DisplayName: Anomalous Delegated Session Creation Description: Fetches anomalous delegated session creations @@ -434,7 +415,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: AnomalousVaultAccessGrant DisplayName: Anomalous Vault Access Grant Description: Fetches anomalous vault access granting @@ -450,7 +430,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: MassVaultItemViewing DisplayName: Mass Vault Item Viewing Description: Fetches mass vault item viewing activity @@ -466,7 +445,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: MassVaultItemViewing DisplayName: Mass Vault Item Viewing Description: Fetches mass vault item viewing activity @@ -482,7 +460,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: AnomalousGrouporUserModification DisplayName: Anomalous Group or user Modification Description: Fetches anomalous group or use modifcations @@ -498,7 +475,6 @@ SkillGroups: WorkspaceName: '{{WorkspaceName}}' Template: |- - - Name: FailedSignInAttempts DisplayName: Failed sign-in events Description: Fetches failed sign-in events from 1Password From d88d61667cd6cba20b16b9ad36e4a072c1f4d993 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Wed, 30 Apr 2025 15:52:51 +0200 Subject: [PATCH 12/19] comment adjustments --- .../KQL/manifest/1password_manifest.yaml | 220 ++++++++++-------- 1 file changed, 122 insertions(+), 98 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 6e98d00b..7de2290b 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -43,6 +43,11 @@ Descriptor: SkillGroups: - Format: KQL Skills: + +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - signinattempts (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + - Name: usersigninattempts DisplayName: user signin attempts Description: Fetches a summarized list of specific user signin attempts for the provided month (current_month/last_month) @@ -154,6 +159,10 @@ SkillGroups: target_user_email asc , client_ip_address asc +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - auditevents (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + - Name: userauditevents DisplayName: user audit events Description: Fetches a summarized list of specific user audit events for the provided month (current_month/last_month) @@ -261,6 +270,10 @@ SkillGroups: actor_details_email asc , session_ip_address asc +# ----------------------------------------------------------------------------------------------------------------------------- +# base functionality - itemusages (user and summarized) +# ----------------------------------------------------------------------------------------------------------------------------- + - Name: useritemusages DisplayName: user item usages Description: Fetches a summarized list of specific user item usages for the provided month (current_month/last_month) @@ -370,110 +383,121 @@ SkillGroups: user_email asc , client_ip_address asc - - Name: AnomalousUserSignin - DisplayName: Anomalous User Sign-in - Description: Fetches anomalous user sign-ins - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- +# ----------------------------------------------------------------------------------------------------------------------------- +# extra functionality - () +# ----------------------------------------------------------------------------------------------------------------------------- - - Name: AnomalousDeviceRegistration - DisplayName: Anomalous Device Registration - Description: Fetches anomalous device registrations - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- + # - Name: AnomalousUserSignin + # DisplayName: Anomalous User Sign-in + # Description: Fetches anomalous user sign-ins + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- - - Name: AnomalousDelegatedSessionCreation - DisplayName: Anomalous Delegated Session Creation - Description: Fetches anomalous delegated session creations - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- - - Name: AnomalousVaultAccessGrant - DisplayName: Anomalous Vault Access Grant - Description: Fetches anomalous vault access granting - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- + # - Name: AnomalousDeviceRegistration + # DisplayName: Anomalous Device Registration + # Description: Fetches anomalous device registrations + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- - - Name: MassVaultItemViewing - DisplayName: Mass Vault Item Viewing - Description: Fetches mass vault item viewing activity - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- - - Name: MassVaultItemViewing - DisplayName: Mass Vault Item Viewing - Description: Fetches mass vault item viewing activity - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- + # - Name: AnomalousDelegatedSessionCreation + # DisplayName: Anomalous Delegated Session Creation + # Description: Fetches anomalous delegated session creations + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- + + + # - Name: AnomalousVaultAccessGrant + # DisplayName: Anomalous Vault Access Grant + # Description: Fetches anomalous vault access granting + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- + + + # - Name: MassVaultItemViewing + # DisplayName: Mass Vault Item Viewing + # Description: Fetches mass vault item viewing activity + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- + + + # - Name: MassVaultItemViewing + # DisplayName: Mass Vault Item Viewing + # Description: Fetches mass vault item viewing activity + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- + + + # - Name: AnomalousGrouporUserModification + # DisplayName: Anomalous Group or user Modification + # Description: Fetches anomalous group or use modifcations + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- - - Name: AnomalousGrouporUserModification - DisplayName: Anomalous Group or user Modification - Description: Fetches anomalous group or use modifcations - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- - Name: FailedSignInAttempts DisplayName: Failed sign-in events From daa0a0fe35d1454837beb8925615b73293856c18 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Mon, 5 May 2025 17:20:37 +0200 Subject: [PATCH 13/19] session_uuid functionality --- .../KQL/manifest/1password_manifest.yaml | 208 +++++------------- 1 file changed, 52 insertions(+), 156 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 7de2290b..c4356c06 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -387,124 +387,15 @@ SkillGroups: # extra functionality - () # ----------------------------------------------------------------------------------------------------------------------------- - # - Name: AnomalousUserSignin - # DisplayName: Anomalous User Sign-in - # Description: Fetches anomalous user sign-ins - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: AnomalousDeviceRegistration - # DisplayName: Anomalous Device Registration - # Description: Fetches anomalous device registrations - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: AnomalousDelegatedSessionCreation - # DisplayName: Anomalous Delegated Session Creation - # Description: Fetches anomalous delegated session creations - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: AnomalousVaultAccessGrant - # DisplayName: Anomalous Vault Access Grant - # Description: Fetches anomalous vault access granting - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: MassVaultItemViewing - # DisplayName: Mass Vault Item Viewing - # Description: Fetches mass vault item viewing activity - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: MassVaultItemViewing - # DisplayName: Mass Vault Item Viewing - # Description: Fetches mass vault item viewing activity - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - # - Name: AnomalousGrouporUserModification - # DisplayName: Anomalous Group or user Modification - # Description: Fetches anomalous group or use modifcations - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - - - - Name: FailedSignInAttempts - DisplayName: Failed sign-in events - Description: Fetches failed sign-in events from 1Password + - Name: SessionCollection + DisplayName: Session information for session_uuid + Description: Fetches all information related to a specific session_uuid Inputs: - - Name: month - Description: Look back to the current_month or last_month. + - Name: days + Description: Look back to the specified days (1, 3, 7, 30, or more days). + Required: true + - Name: session_uuid + Description: Session UUID Required: true Settings: Target: Sentinel @@ -513,49 +404,54 @@ SkillGroups: ResourceGroupName: '{{ResourceGroupName}}' WorkspaceName: '{{WorkspaceName}}' Template: |- - let current_month = -0; - let last_month = -1; + let signinattempts_categories = dynamic(["success", "credentials_failed", "mfa_failed", "sso_failed", "modern_version_failed", "firewall_failed", "firewall_reported_success"]); + let auditevents_actions = dynamic(["activate","addgsso","begin","beginr","cancel","cancelr","changeks","changeks","changela","changemp","changenm","changesk","chngasso","chngdsso","chngpsso","complete","completr","convert","create","dealldev","delete","delgsso","delshare","deolddev","detchild","disblduo","disblmfa","disblsso","dlgsess","dvrfydmn","enblduo","enblmfa","enblsso","expire","export","grant","hide","join","launchi","leave","musercom","muserdec","patch","propose","provsn","prsndall","purge","rdmchild","reactive","reauth","replace","replace","resendts","revoke","role","sdvcsso","sendpkg","sendts","share","ssotknv","suspend","tdvcsso","trename","trevoke","trvlaway","trvlback","tverify","uisas","unhide","unknown","unlink","updatduo","update","updatea","updatfw","updatmfa","upguest","uvrfydmn","verify","view","vrfydmn"]); + let itemusages_actions = dynamic(["enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share"]); OnePasswordEventLogs_CL - | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) - | where log_source == "signinattempts" - | where category != "success" + | where TimeGenerated >= ago({{day}}d) + | where user.email !endswith "1passwordserviceaccounts.com" + // session variables and filter | extend - target_user_email = tostring(target_user.email) - , target_user_name = tostring(target_user.name) - , target_user_uuid = tostring(target_user.uuid) - , client_app_name = tostring(client.app_name) + session_uuid = case( + isempty(session), session_uuid + , tostring(session.uuid) + ) + | where isnotempty(session_uuid) + | where session_uuid =~ "{{session_uuid}}" + // actor variables + | extend + actor_uuid = case( + log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.uuid) + , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.uuid) + , log_source == "itemusages" and action in (itemusages_actions), tostring(user.uuid) + , "Unknown actor_uuid" + ) + , actor_name = case( + log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.name) + , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.name) + , log_source == "itemusages" and action in (itemusages_actions), tostring(user.name) + , "Unknown actor_uuid" + ) + , actor_email = case( + log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.email) + , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.email) + , log_source == "itemusages" and action in (itemusages_actions), tostring(user.email) + , "Unknown actor_uuid" + ) + // location variables + | extend + location_country = tostring(location.country) + , location_region = tostring(location.region) + , location_city = tostring(location.city) + // client variables + | extend + client_app_name = tostring(client.app_name) , client_ip_address = tostring(client.ip_address) , client_os_name = tostring(client.os_name) - , location_country = tostring(location.country) - , location_region = tostring(location.region) - | summarize - arg_max( - TimeGenerated - , target_user_email - , target_user_name - , category - , action_type - , client_ip_address - , client_app_name - , client_os_name - , location_country - , location_region - ) by - target_user_uuid - , session_uuid - | project-reorder - TimeGenerated - , target_user_email - , target_user_name - , target_user_uuid - , session_uuid - , category - , action_type - , client_ip_address - , client_app_name - , client_os_name - , location_country - , location_region + , client_platform_name = tostring(client.platform_name) + | project-away session, actor_details, target_user, user, location, client, country, object_uuid, aux_uuid + | project-reorder timestamp, session_uuid, log_source, category, action_type, action, object_type, actor_email, actor_uuid, actor_name, location_country, location_region, location_city, client_ip_address, client_os_name, client_platform_name, client_app_name, TimeGenerated, Type, TenantId + | sort by timestamp asc - Name: AnomalousActivity DisplayName: Anomalous activity after infrequent amount of sign-ins From 883a404c784d2b708921836850aec99d19d8cd04 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Mon, 5 May 2025 17:38:10 +0200 Subject: [PATCH 14/19] comment adjustments --- .../KQL/manifest/1password_manifest.yaml | 205 +++++++++--------- 1 file changed, 105 insertions(+), 100 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index c4356c06..c5c58eae 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -385,6 +385,11 @@ SkillGroups: # ----------------------------------------------------------------------------------------------------------------------------- # extra functionality - () +# TODO: +# - SessionCollection +# - UserCollection +# - ClientCollection +# - LocationCollection # ----------------------------------------------------------------------------------------------------------------------------- - Name: SessionCollection @@ -453,103 +458,103 @@ SkillGroups: | project-reorder timestamp, session_uuid, log_source, category, action_type, action, object_type, actor_email, actor_uuid, actor_name, location_country, location_region, location_city, client_ip_address, client_os_name, client_platform_name, client_app_name, TimeGenerated, Type, TenantId | sort by timestamp asc - - Name: AnomalousActivity - DisplayName: Anomalous activity after infrequent amount of sign-ins - Description: Fetches anomalous activity after infrequent amount of sign-ins - Inputs: - - Name: month - Description: Look back to the current_month or last_month. - Required: true - Settings: - Target: Sentinel - TenantId: '{{TenantId}}' - SubscriptionId: '{{SubscriptionId}}' - ResourceGroupName: '{{ResourceGroupName}}' - WorkspaceName: '{{WorkspaceName}}' - Template: |- - let current_month = -0; - let last_month = -1; - let highRiskEventsTable = datatable(action:string, object_type:string, risk_level:string) [ - "activate", "account", "high" - , "update", "account", "medium" - , "delete", "account", "high" - , "dlgsess", "dlgdsess", "high" - , "create", "device", "high" - , "update", "device", "medium" - , "delete", "device", "high" - , "updatfw", "account", "high" - , "create", "group", "high" - , "delete", "group", "high" - , "join", "gm", "high" - , "leave", "gm", "high" - , "role", "gm", "high" - , "grant", "gva", "high" - , "revoke", "gva", "high" - , "update", "gva", "high" - , "create", "invite", "high" - , "update", "invite", "medium" - , "share", "item", "high" - , "delshare", "item", "high" - , "uisas", "account", "high" - , "create", "mngdacc", "high" - , "launchi", "mngdacc", "high" - , "unlink", "mngdacc", "high" - , "enblmfa", "user", "high" - , "updatmfa", "user", "high" - , "disblmfa", "user", "high" - , "disblmfa", "account", "high" - , "sendpkg", "user", "high" - , "create", "sa", "high" - , "create", "satoken", "high" - , "trename", "satoken", "high" - , "tverify", "satoken", "high" - , "trevoke", "satoken", "high" - , "ssotknv", "ssotkn", "high" - , "disblsso", "sso", "high" - , "chngpsso", "sso", "high" - , "chngasso", "sso", "high" - , "chngdsso", "sso", "high" - , "addgsso", "sso", "high" - , "delgsso", "sso", "high" - , "verify", "user", "high" - , "join", "user", "high" - , "activate", "user", "high" - , "suspend", "user", "high" - , "delete", "user", "high" - , "changemp", "user", "high" - , "changesk", "user", "high" - , "tdvcsso", "user", "high" - , "sdvcsso", "user", "high" - , "grant", "uva", "high" - , "revoke", "uva", "high" - , "update", "uva", "high" - , "create", "vault", "high" - , "delete", "vault", "high" - , "update", "vault", "high" - , "export", "vault", "high" - , "vrfydmn", "account", "high" - , "uvrfydmn", "account", "high" - , "dvrfydmn", "account", "high" - ]; - let signinBaselineEvents = - OnePasswordEventLogs_CL - | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) - | where log_source == "signinattempts" - | extend - target_user_email = tostring(target_user.email) - , target_user_uuid = tostring(target_user.uuid) - , client_ip_address = tostring(client.ip_address) - | summarize count() by target_user_uuid, client_ip_address - | extend targetIdentifier = base64_encode_tostring(strcat(target_user_uuid, client_ip_address)) - | where count_ > 5 - | summarize make_list(targetIdentifier) - ; - OnePasswordEventLogs_CL - | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) - | lookup kind=inner highRiskEventsTable on $left.action == $right.action and $left.object_type == $right.object_type - | extend - actor_ip = tostring(session.ip) - , actor_details_email = tostring(actor_details.email) - | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) - | where actor_details_email !endswith "1passwordserviceaccounts.com" - | where targetIdentifier !in (signinBaselineEvents) \ No newline at end of file + # - Name: AnomalousActivity + # DisplayName: Anomalous activity after infrequent amount of sign-ins + # Description: Fetches anomalous activity after infrequent amount of sign-ins + # Inputs: + # - Name: month + # Description: Look back to the current_month or last_month. + # Required: true + # Settings: + # Target: Sentinel + # TenantId: '{{TenantId}}' + # SubscriptionId: '{{SubscriptionId}}' + # ResourceGroupName: '{{ResourceGroupName}}' + # WorkspaceName: '{{WorkspaceName}}' + # Template: |- + # let current_month = -0; + # let last_month = -1; + # let highRiskEventsTable = datatable(action:string, object_type:string, risk_level:string) [ + # "activate", "account", "high" + # , "update", "account", "medium" + # , "delete", "account", "high" + # , "dlgsess", "dlgdsess", "high" + # , "create", "device", "high" + # , "update", "device", "medium" + # , "delete", "device", "high" + # , "updatfw", "account", "high" + # , "create", "group", "high" + # , "delete", "group", "high" + # , "join", "gm", "high" + # , "leave", "gm", "high" + # , "role", "gm", "high" + # , "grant", "gva", "high" + # , "revoke", "gva", "high" + # , "update", "gva", "high" + # , "create", "invite", "high" + # , "update", "invite", "medium" + # , "share", "item", "high" + # , "delshare", "item", "high" + # , "uisas", "account", "high" + # , "create", "mngdacc", "high" + # , "launchi", "mngdacc", "high" + # , "unlink", "mngdacc", "high" + # , "enblmfa", "user", "high" + # , "updatmfa", "user", "high" + # , "disblmfa", "user", "high" + # , "disblmfa", "account", "high" + # , "sendpkg", "user", "high" + # , "create", "sa", "high" + # , "create", "satoken", "high" + # , "trename", "satoken", "high" + # , "tverify", "satoken", "high" + # , "trevoke", "satoken", "high" + # , "ssotknv", "ssotkn", "high" + # , "disblsso", "sso", "high" + # , "chngpsso", "sso", "high" + # , "chngasso", "sso", "high" + # , "chngdsso", "sso", "high" + # , "addgsso", "sso", "high" + # , "delgsso", "sso", "high" + # , "verify", "user", "high" + # , "join", "user", "high" + # , "activate", "user", "high" + # , "suspend", "user", "high" + # , "delete", "user", "high" + # , "changemp", "user", "high" + # , "changesk", "user", "high" + # , "tdvcsso", "user", "high" + # , "sdvcsso", "user", "high" + # , "grant", "uva", "high" + # , "revoke", "uva", "high" + # , "update", "uva", "high" + # , "create", "vault", "high" + # , "delete", "vault", "high" + # , "update", "vault", "high" + # , "export", "vault", "high" + # , "vrfydmn", "account", "high" + # , "uvrfydmn", "account", "high" + # , "dvrfydmn", "account", "high" + # ]; + # let signinBaselineEvents = + # OnePasswordEventLogs_CL + # | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + # | where log_source == "signinattempts" + # | extend + # target_user_email = tostring(target_user.email) + # , target_user_uuid = tostring(target_user.uuid) + # , client_ip_address = tostring(client.ip_address) + # | summarize count() by target_user_uuid, client_ip_address + # | extend targetIdentifier = base64_encode_tostring(strcat(target_user_uuid, client_ip_address)) + # | where count_ > 5 + # | summarize make_list(targetIdentifier) + # ; + # OnePasswordEventLogs_CL + # | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) + # | lookup kind=inner highRiskEventsTable on $left.action == $right.action and $left.object_type == $right.object_type + # | extend + # actor_ip = tostring(session.ip) + # , actor_details_email = tostring(actor_details.email) + # | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) + # | where actor_details_email !endswith "1passwordserviceaccounts.com" + # | where targetIdentifier !in (signinBaselineEvents) \ No newline at end of file From ad2166b7328f51c3a1da93d2159532f72e7d5bbb Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Mon, 5 May 2025 17:41:15 +0200 Subject: [PATCH 15/19] session_uuid functionality adjustment --- .../1Password/KQL/manifest/1password_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index c5c58eae..1f491a28 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -396,7 +396,7 @@ SkillGroups: DisplayName: Session information for session_uuid Description: Fetches all information related to a specific session_uuid Inputs: - - Name: days + - Name: day Description: Look back to the specified days (1, 3, 7, 30, or more days). Required: true - Name: session_uuid From 0e1b6e1a911a7993e1797d141222dafad0f9eff2 Mon Sep 17 00:00:00 2001 From: Steeeeeef Date: Mon, 5 May 2025 18:28:13 +0200 Subject: [PATCH 16/19] session_uuid functionality adjustment --- .../KQL/manifest/1password_manifest.yaml | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 1f491a28..33d91f49 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -426,22 +426,22 @@ SkillGroups: // actor variables | extend actor_uuid = case( - log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.uuid) - , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.uuid) - , log_source == "itemusages" and action in (itemusages_actions), tostring(user.uuid) + log_source == "signinattempts" or category in (signinattempts_categories), tostring(target_user.uuid) + , log_source == "auditevents" or action in (auditevents_actions), tostring(actor_details.uuid) + , log_source == "itemusages" or action in (itemusages_actions), tostring(user.uuid) , "Unknown actor_uuid" ) , actor_name = case( - log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.name) - , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.name) - , log_source == "itemusages" and action in (itemusages_actions), tostring(user.name) - , "Unknown actor_uuid" + log_source == "signinattempts" or category in (signinattempts_categories), tostring(target_user.name) + , log_source == "auditevents" or action in (auditevents_actions), tostring(actor_details.name) + , log_source == "itemusages" or action in (itemusages_actions), tostring(user.name) + , "Unknown actor_name" ) , actor_email = case( - log_source == "signinattempts" and category in (signinattempts_categories), tostring(target_user.email) - , log_source == "auditevents" and action in (auditevents_actions), tostring(actor_details.email) - , log_source == "itemusages" and action in (itemusages_actions), tostring(user.email) - , "Unknown actor_uuid" + log_source == "signinattempts" or category in (signinattempts_categories), tostring(target_user.email) + , log_source == "auditevents" or action in (auditevents_actions), tostring(actor_details.email) + , log_source == "itemusages" or action in (itemusages_actions), tostring(user.email) + , "Unknown actor_email" ) // location variables | extend From e8319778ead6c3a8e6ad0bba12441fc8a0056ec4 Mon Sep 17 00:00:00 2001 From: Rogier Dijkman <40334679+azurekid@users.noreply.github.com> Date: Wed, 7 May 2025 20:27:31 +0200 Subject: [PATCH 17/19] Update 1password_manifest.yaml added arrays for `itemusages_actions` for readability --- .../KQL/manifest/1password_manifest.yaml | 36 +++++++++++++++---- 1 file changed, 30 insertions(+), 6 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 33d91f49..0011f666 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -182,11 +182,12 @@ SkillGroups: Template: |- let current_month = -0; let last_month = -1; + let itemusages_actions = dynamic(["enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share"]); OnePasswordEventLogs_CL // time filter | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) // temporary addition of itemusages due to logging bug - | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share")) + | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ (itemusages_actions)) // user filter | where tostring(actor_details.email) == "{{user}}" // location variables @@ -235,11 +236,12 @@ SkillGroups: Template: |- let current_month = -0; let last_month = -1; + let itemusages_actions = dynamic(["enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share"]); OnePasswordEventLogs_CL // time filter | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) // temporary addition of itemusages due to logging bug - | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share")) + | where log_source == "auditevents" or (log_source == "itemusages" and action !in~ (itemusages_actions)) // location variables | extend location_country = tostring(location.country) @@ -293,11 +295,12 @@ SkillGroups: Template: |- let current_month = -0; let last_month = -1; + let itemusages_actions = dynamic(["enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share"]); OnePasswordEventLogs_CL // time filter | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) // temporary addition of itemusages due to logging bug - | where log_source == "itemusages" and action in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share") + | where log_source == "itemusages" and action in~ (itemusages_actions) // user filter | where tostring(user.email) == "{{user}}" // client variables @@ -347,11 +350,12 @@ SkillGroups: Template: |- let current_month = -0; let last_month = -1; + let itemusages_actions = dynamic(["enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share"]); OnePasswordEventLogs_CL // time filter | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) // temporary addition of itemusages due to logging bug - | where log_source == "itemusages" and action in~ ("enter-item-edit-mode", "export", "fill", "other", "reveal", "secure-copy", "select-sso-provider", "server-create", "server-fetch", "server-update", "share") + | where log_source == "itemusages" and action in~ (itemusages_actions) // client variables | extend client_app_name = tostring(client.app_name) @@ -455,7 +459,27 @@ SkillGroups: , client_os_name = tostring(client.os_name) , client_platform_name = tostring(client.platform_name) | project-away session, actor_details, target_user, user, location, client, country, object_uuid, aux_uuid - | project-reorder timestamp, session_uuid, log_source, category, action_type, action, object_type, actor_email, actor_uuid, actor_name, location_country, location_region, location_city, client_ip_address, client_os_name, client_platform_name, client_app_name, TimeGenerated, Type, TenantId + | project-reorder + timestamp + , session_uuid + , log_source + , category + , action_type + , action + , object_type + , actor_email + , actor_uuid + , actor_name + , location_country + , location_region + , location_city + , client_ip_address + , client_os_name + , client_platform_name + , client_app_name + , TimeGenerated + , Type + , TenantId | sort by timestamp asc # - Name: AnomalousActivity @@ -557,4 +581,4 @@ SkillGroups: # , actor_details_email = tostring(actor_details.email) # | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) # | where actor_details_email !endswith "1passwordserviceaccounts.com" - # | where targetIdentifier !in (signinBaselineEvents) \ No newline at end of file + # | where targetIdentifier !in (signinBaselineEvents) From b3fdc60867b72f1b30b5f5dd839f0474e5b21771 Mon Sep 17 00:00:00 2001 From: Rogier Dijkman <40334679+azurekid@users.noreply.github.com> Date: Wed, 7 May 2025 20:34:33 +0200 Subject: [PATCH 18/19] Update Plugins/Community Based Plugins/1Password/KQL/README.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- Plugins/Community Based Plugins/1Password/KQL/README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Plugins/Community Based Plugins/1Password/KQL/README.md b/Plugins/Community Based Plugins/1Password/KQL/README.md index 0b00b1e0..ba3888c5 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/README.md +++ b/Plugins/Community Based Plugins/1Password/KQL/README.md @@ -13,8 +13,13 @@ ## Setup Parameters + The following parameters must be configured for the plugin to function correctly: + - **1Password Connect Server URL**: The URL of your 1Password Connect server. This is required for the plugin to communicate with 1Password. + - **1Password API Token**: A valid API token with permissions to access the necessary vaults and items in your 1Password account. + - **Vault and Item Identifiers**: The identifiers for the vaults and items you wish to query. These can be specified in your prompts or workflows. + Ensure these parameters are correctly set up in the plugin's configuration file or environment variables before use. ## Usage Once installed and configured, use Security Copilot prompts or workflows to query secrets from 1Password. From cd1c2294094f19969e068fcbddf661635fe0c4bc Mon Sep 17 00:00:00 2001 From: Rogier Dijkman <40334679+azurekid@users.noreply.github.com> Date: Wed, 7 May 2025 20:38:00 +0200 Subject: [PATCH 19/19] Update 1password_manifest.yaml --- .../KQL/manifest/1password_manifest.yaml | 101 ------------------ 1 file changed, 101 deletions(-) diff --git a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml index 0011f666..6e4cd349 100644 --- a/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml +++ b/Plugins/Community Based Plugins/1Password/KQL/manifest/1password_manifest.yaml @@ -481,104 +481,3 @@ SkillGroups: , Type , TenantId | sort by timestamp asc - - # - Name: AnomalousActivity - # DisplayName: Anomalous activity after infrequent amount of sign-ins - # Description: Fetches anomalous activity after infrequent amount of sign-ins - # Inputs: - # - Name: month - # Description: Look back to the current_month or last_month. - # Required: true - # Settings: - # Target: Sentinel - # TenantId: '{{TenantId}}' - # SubscriptionId: '{{SubscriptionId}}' - # ResourceGroupName: '{{ResourceGroupName}}' - # WorkspaceName: '{{WorkspaceName}}' - # Template: |- - # let current_month = -0; - # let last_month = -1; - # let highRiskEventsTable = datatable(action:string, object_type:string, risk_level:string) [ - # "activate", "account", "high" - # , "update", "account", "medium" - # , "delete", "account", "high" - # , "dlgsess", "dlgdsess", "high" - # , "create", "device", "high" - # , "update", "device", "medium" - # , "delete", "device", "high" - # , "updatfw", "account", "high" - # , "create", "group", "high" - # , "delete", "group", "high" - # , "join", "gm", "high" - # , "leave", "gm", "high" - # , "role", "gm", "high" - # , "grant", "gva", "high" - # , "revoke", "gva", "high" - # , "update", "gva", "high" - # , "create", "invite", "high" - # , "update", "invite", "medium" - # , "share", "item", "high" - # , "delshare", "item", "high" - # , "uisas", "account", "high" - # , "create", "mngdacc", "high" - # , "launchi", "mngdacc", "high" - # , "unlink", "mngdacc", "high" - # , "enblmfa", "user", "high" - # , "updatmfa", "user", "high" - # , "disblmfa", "user", "high" - # , "disblmfa", "account", "high" - # , "sendpkg", "user", "high" - # , "create", "sa", "high" - # , "create", "satoken", "high" - # , "trename", "satoken", "high" - # , "tverify", "satoken", "high" - # , "trevoke", "satoken", "high" - # , "ssotknv", "ssotkn", "high" - # , "disblsso", "sso", "high" - # , "chngpsso", "sso", "high" - # , "chngasso", "sso", "high" - # , "chngdsso", "sso", "high" - # , "addgsso", "sso", "high" - # , "delgsso", "sso", "high" - # , "verify", "user", "high" - # , "join", "user", "high" - # , "activate", "user", "high" - # , "suspend", "user", "high" - # , "delete", "user", "high" - # , "changemp", "user", "high" - # , "changesk", "user", "high" - # , "tdvcsso", "user", "high" - # , "sdvcsso", "user", "high" - # , "grant", "uva", "high" - # , "revoke", "uva", "high" - # , "update", "uva", "high" - # , "create", "vault", "high" - # , "delete", "vault", "high" - # , "update", "vault", "high" - # , "export", "vault", "high" - # , "vrfydmn", "account", "high" - # , "uvrfydmn", "account", "high" - # , "dvrfydmn", "account", "high" - # ]; - # let signinBaselineEvents = - # OnePasswordEventLogs_CL - # | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) - # | where log_source == "signinattempts" - # | extend - # target_user_email = tostring(target_user.email) - # , target_user_uuid = tostring(target_user.uuid) - # , client_ip_address = tostring(client.ip_address) - # | summarize count() by target_user_uuid, client_ip_address - # | extend targetIdentifier = base64_encode_tostring(strcat(target_user_uuid, client_ip_address)) - # | where count_ > 5 - # | summarize make_list(targetIdentifier) - # ; - # OnePasswordEventLogs_CL - # | where TimeGenerated between (startofmonth(now(), {{month}}) .. endofmonth(now(), {{month}})) - # | lookup kind=inner highRiskEventsTable on $left.action == $right.action and $left.object_type == $right.object_type - # | extend - # actor_ip = tostring(session.ip) - # , actor_details_email = tostring(actor_details.email) - # | extend targetIdentifier = base64_encode_tostring(strcat(actor_uuid, actor_ip)) - # | where actor_details_email !endswith "1passwordserviceaccounts.com" - # | where targetIdentifier !in (signinBaselineEvents)