If you use the 1Password Business password manager, you can get account activity in LimaCharlie using 1Password Events Reporting.

Once configured, you'll be able to set up LimaCharlie D&R rules to alert you when suspicious activity occurs.

For example, you can have a detection occur when there are more than five failed login attempts within 1 minute.

Five Failed Logins within 1 Minute

event: credentials_failed
path: routing/hostname
value: 1password
op: is
with events:
event: credentials_failed
op: is
path: routing/hostname
value: 1password
count: 5
within: 60

You can also be alerted when users have an outdated version of 1Password using the rule below.

Outdated Version

event: modern_version_failed
op: is
path: routing/hostname
value: 1password

Refer to the 1Password Event API reference for other data you can use to create detections.

Did this answer your question?