1Password vault export attempt by user
Set up the 1password integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。
Goal
Detect possible exfiltration attempts from 1Password through a vault export.
Strategy
This rule monitors 1Password audit logs to determine when the export item usage action occurs on a vault. This could indicate exfiltration attempts from 1Password by downloading or exporting items within a vault.
Triage & response
- Investigate the
{{@usr.email}} attempting to download or export vault {{@vault_uuid}}. - If this action was unintended by the user:
- Rotate the user’s 1Password master password
- Identify all the items within the vault that were exported and rotate the necessary authentication credentials
