With 1Password Business, you can send your account activity to your security information and event management (SIEM) system using the 1Password Events API. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location.
With 1Password Events Reporting and your SIEM, you can:
- Control your 1Password data retention
- Build custom graphs and dashboards
- Set up custom alerts that trigger specific actions
- Cross-reference 1Password events with the data from other services
You can set up Events Reporting if you’re an owner or administrator.
Step 1: Set up an Events Reporting integration
To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose your SIEM:
Then follow these steps to add the integration to your 1Password account and create a bearer JSON web token:
- Enter a name for the integration, then click Add Integration.
- Enter a name for the bearer token and choose when the token will expire. Select or deselect the event types the token has access to, then click Issue Token.
- Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
You can now use your bearer token in your SIEM applications or services to authenticate with the 1Password Events API.
You can issue or revoke bearer tokens at any time.
Step 2: Connect your 1Password account to your SIEM
SIEM applications and services collect information from 1Password through requests to the Events REST API. Requests are authenticated with a bearer token. Issue a token for each application or service you use.
Learn how to connect your 1Password account to your SIEM applications or services:
* You'll need to sign in to read CrowdStrike's documentation.
If your SIEM isn’t listed, you can build your own client using the 1Password Events API.
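A minimal custom client for this case, added here as an example and not taken from 1Password's documentation or code. The host, endpoint paths, request body, and the cursor, has_more, and items response fields are assumptions based on 1Password's public Events API reference, and the helper names are hypothetical.

```python
import json
import urllib.error
import urllib.request

# Assumed from 1Password's public Events API reference, not from this page:
# US-region host, v1 paths, and the cursor / has_more / items response fields.
BASE_URL = "https://events.1password.com"
PATHS = {"signin": "/api/v1/signinattempts",
         "itemusage": "/api/v1/itemusages",
         "audit": "/api/v1/auditevents"}


class TokenRejected(Exception):
    """The API answered 401: the bearer token is revoked, expired, or wrong."""


def http_post(url, token, body):
    """POST a JSON body with the bearer token and return the decoded reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # Surface auth failures separately so the pipeline can alert on them.
            raise TokenRejected(url) from err
        raise


def fetch_events(kind, token, cursor=None, start_time=None, post=http_post):
    """Drain one event feed and return (events, cursor).

    Persist the returned cursor and pass it back on the next poll so no
    events are skipped or ingested twice."""
    if cursor:
        body = {"cursor": cursor}
    else:
        body = {"limit": 100}
        if start_time:
            body["start_time"] = start_time
    events = []
    while True:
        page = post(BASE_URL + PATHS[kind], token, body)
        events.extend(page.get("items", []))
        cursor = page["cursor"]
        body = {"cursor": cursor}
        if not page.get("has_more"):
            return events, cursor
```

Read the token from a secrets store or environment variable at run time rather than embedding it in source. A TokenRejected error is the signal that ingestion has stopped because the token was revoked or has expired.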
Appendix: Issue or revoke bearer tokens
To issue a bearer token:
- Sign in to your account on 1Password.com and click Integrations in the sidebar.
- Choose the Events Reporting integration where you want to issue a token and click Add a token.
- Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then click Issue Token.
- Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
To revoke a bearer token:
- Sign in to your account on 1Password.com and click Integrations in the sidebar.
- Choose the Events Reporting integration where you want to revoke a token.
- Click the gear button next to the token you want to revoke, then click Revoke.
Important
Your SIEM will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.
Get help
To change the event types a token has access to, issue a new token.
Integration support
- To get help with a Datadog integration, contact Datadog Support.
- To get help with a Panther integration, contact Panther Support.
- To get help with a Sumo Logic integration, contact Sumo Logic Support.
- To get help with an Elastic, Microsoft, or Splunk integration, or to share feedback about 1Password Events Reporting, contact the 1Password Business team.