published on in security

(Ab)using Slack to detect interesting 1Password events

[Image: 1Password notification in Slack]

If you use 1Password Business in your organisation, you might be aware that you can get notifications and alerts for various events pushed to your Slack.[1]

This is quite useful, but I found the notifications quickly get overwhelmingly noisy, because one is generated every time anyone unlocks 1Password.

This is too bad, because mixed in with the notification spam about unlocks are notifications for when someone logs in from a new device or adds a new trusted device.[2] To fix this, I did a little hack.

It consists of two parts: first, a Go bot, slacker; second, reacji, a Slack app that automatically copies messages with certain emoji to another channel.

The idea is that the Slack bot watches #security-spam for messages that contain “was added as a new device”. When it sees a message that matches, it adds a 🔏 emoji to the message, and reacji then copies the message to #security-notifications.

You can view a minimal Go bot sample here. Figuring out how to install reacji and how to get and configure a bot token is outside the scope of this post; there are lots of good guides available on how to do that. Just remember to keep the Slack bot's permissions to a minimum.
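
The matching step the bot performs, as an added example in Go (not the author's linked sample, and written without any Slack client library): it decides from a raw message event whether to react, and builds the parameters for Slack's `reactions.add` call. The channel ID, the sample event and the check of attachment text are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// Constructed values for this example; the channel ID is a placeholder.
const (
	watchChannel = "C0SECSPAM" // stands in for the ID of #security-spam
	trigger      = "was added as a new device"
	reaction     = "lock_with_ink_pen" // Slack's name for the 🔏 emoji
)

// messageEvent holds the fields of a Slack "message" event that the filter needs.
type messageEvent struct {
	Type        string `json:"type"`
	Channel     string `json:"channel"`
	Text        string `json:"text"`
	TS          string `json:"ts"`
	Attachments []struct{ Text string `json:"text"` } `json:"attachments"`
}

// reactionFor returns the form parameters for a reactions.add call when the
// event is a new-device notice in the watched channel, and false otherwise.
func reactionFor(raw []byte) (url.Values, bool) {
	var ev messageEvent
	if json.Unmarshal(raw, &ev) != nil || ev.Type != "message" || ev.Channel != watchChannel || ev.TS == "" {
		return nil, false
	}
	// Assumption: the notice text may sit in an attachment, so check both places.
	body := ev.Text
	for _, a := range ev.Attachments {
		body += "\n" + a.Text
	}
	if !strings.Contains(strings.ToLower(body), trigger) {
		return nil, false
	}
	return url.Values{"channel": {ev.Channel}, "timestamp": {ev.TS}, "name": {reaction}}, true
}

func main() {
	sample := []byte(`{"type":"message","channel":"C0SECSPAM","ts":"1700000000.000100","text":"Constructed laptop was added as a new device"}`)
	if form, ok := reactionFor(sample); ok {
		fmt.Println("POST reactions.add", form.Encode())
	}
}
```

Matching only in the one watched channel keeps the bot from reacting to the same phrase elsewhere, and adding a reaction needs only the `reactions:write` scope on top of whatever the bot uses to read the channel.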

Using these two parts, you can now mute #security-spam in Slack and still stay on top of when any team members, or someone more malicious, log in to 1Password.

  1.
  2. I tried reaching out to 1Password to see if it was possible to separate these, but their response was that currently it is not possible.