Get started

Get started with 1Password Events Reporting and Microsoft Sentinel

Learn how to send your 1Password account activity to Microsoft Sentinel.

With 1Password Business, you can send your account activity to Microsoft Sentinel using the 1Password Events Reporting API. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location.

With the 1Password for Microsoft Sentinel solution , you can:

  • Get real-time alerts for login attempts and account or billing changes.
  • Track item usage to gain insights into user adoption, file uploads, and item modifications.
  • Identify potential security threats and attacks with actionable suggestions.
  • Streamline reporting by consolidating 1Password account activity with Microsoft Sentinel.

You can set up Events Reporting if you’re an owner, administrator, or part of a group with the View Administrative Sidebar permission.

Step 1: Enter project and instance details

To get started with the 1Password for Microsoft Sentinel solution:

  1. Sign in to Azure and go to the “1Password Custom deployment” page.
  2. Choose your Azure subscription and resource group.
  3. Once you’ve chosen your subscription and resource group, choose your workspace from the list.
  4. Select Next.


If you’re new to Sentinel, you may need to create a workspace and associate it with Sentinel before you can customize the deployment.

Step 2: Enter 1Password Events API information

  1. Enter your 1Password Events API Key, also known as a bearer token, and choose your 1Password Region. You can issue or revoke bearer tokens at any time.
  2. Select Next.

Step 3: Review and create the integration

After you set up 1Password for Microsoft Sentinel, you’ll see a summary of the results from the deployed templates.

After about five minutes, Microsoft Sentinel will start receiving data from the 1Password Events API and the data connector will show as connected.


1Password server URLs

If your account is on:Your Events API URL is:
1Password.com (1Password Business) (1Password Enterprise)


Using watchlists with 1Password for Microsoft Sentinel helps you monitor activities and manage alerts.

Some analytics rules require you to specify information, like the 1Password groups or vaults that you consider privileged. We recommend using watchlists to do this because they scale efficiently, you can use the same watchlist for multiple rules, and the query for each rule is set to use the watchlist by default.

You can create a watchlist for certain objects, like group or vault UUIDs. Name the watchlist PG1PW. If you’d like to use a different name, update the query to use the preferred name.

let watchlist =
    | project SearchKey

Alternatively, you can hard-code the objects as a dynamic list in the query itself.

let groups = dynamic ([""]);

If you prefer to hard-code the UUIDs, you can comment or uncomment the relevant lines in the query itself.

// | where object_uuid in (groups)

You can find the UUIDs for objects in a few ways:

  • You can use 1Password CLI and run op vault list or op group list.
  • Alternatively, you can view the group or vault in your browser and find the UUID in your address bar. For instance, in the UUID is 8DF960SQG789C7D608D60.

Included resources

1Password for Microsoft Sentinel includes the following resources to support your data analysis:

Azure Workbook

The Azure Workbook offers insights into how your team is using 1Password. It includes two sections: All Data and User Data.

The All Data section provides an overview of organizational usage. You’ll see graphs of frequently accessed locations, user activity, and 1Password version information.

The User Data section offers insights into individual user activity within 1Password. It includes metrics like patterns, application versions, authentication attempts, IP addresses, and more.

Analytics rules

The solution includes 18 Microsoft Sentinel analytics rules designed to detect and respond to potential security threats or suspicious activities within your organization’s 1Password environment, allowing you to monitor overall security.

Get help

If there’s no logging in the logging table

After deploying 1Password for Microsoft Sentinel, it can take up to 30 minutes for the first log events to be processed.

If you still don’t see events displayed after this time, check that the Function App is running.

If you’re only seeing healthevents

By default, the 1Password Events API doesn’t provide health information. 1Password for Microsoft Sentinel runs every 5 minutes to check for new information. If no new information is available, you’ll only see a timestamp written to the workspace.

If your API key is invalid

After retrieving the API key from Azure Key Vault , Microsoft Sentinel establishes a connection with the 1Password Events API to verify the key’s validity. To update the 1Password Events API key, you can redeploy the 1Password for Microsoft Sentinel solution with the correct key. If that doesn’t work, try manually adding a new API key in the designated field within Azure Key Vault.

If an invalid endpoint is provided during the solution setup, you may see an “API Key Invalid” message in the logs. This happens when the details in the OAuth token do not include the correct audience. To verify this, you can paste the OAuth token into the utility. The API Endpoint can be manually updated in the Environment Variables section of the Function App.

To get help with Events Reporting, or to share feedback, contact 1Password Support.

Learn more