Teams and business

Get started with 1Password Events Reporting

Learn how to send your 1Password account activity to your security information and event management (SIEM) system using the 1Password Events API.

With 1Password Business, you can send your account activity to your security information and event management (SIEM) system using the 1Password Events API. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location.

With 1Password Events Reporting and your SIEM, you can:

  • Control your 1Password data retention
  • Build custom graphs and dashboards
  • Set up custom alerts that trigger specific actions
  • Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner or administrator.

Step 1: Set up an Events Reporting integration

To get started, sign in to your 1Password account, select Integrations in the sidebar, and choose your SIEM:

Blackpoint Cyber icon Blackpoint Cyber Blumira icon Blumira CrowdStrike icon CrowdStrike Datadog icon Datadog
Elastic icon Elastic Huntress icon Huntress LevelBlue icon LevelBlue Microsoft Sentinel icon Microsoft Sentinel
Palo Alto Networks icon Palo Alto Networks Panther icon Panther Rapid7 icon Rapid7 Splunk icon Splunk
Stellar Cyber icon Stellar Cyber Sumo Logic icon Sumo Logic Todyl icon Todyl Other events reporting integrations icon Other

Then follow these steps to add the integration to your 1Password account and create a bearer JSON web token:

  1. Enter a name for the integration, then select Add Integration.
  2. Enter a name for the bearer token and choose when the token will expire. Select or deselect the event types the token has access to, then select Issue Token.
  3. Select Save in 1Password and choose which vault to save your token to. Then select View Integration Details.

You can now use your bearer token in your SIEM applications or services to authenticate with the 1Password Events API.

You can issue or revoke bearer tokens at any time.

Step 2: Connect your 1Password account to your SIEM

SIEM applications and services collect information from 1Password through requests to the Events REST API. Requests are authenticated with a bearer token. Issue a token for each application or service you use.

Learn how to connect your 1Password account to your SIEM applications or services:

Blackpoint Cyber icon Blackpoint Cyber* Blumira icon Blumira CrowdStrike icon CrowdStrike* Datadog icon Datadog
Elastic icon Elastic Huntress icon Huntress LevelBlue icon LevelBlue Microsoft Sentinel icon Microsoft Sentinel
Palo Alto Networks icon Palo Alto Networks Panther icon Panther Rapid7 icon Rapid7 Splunk icon Splunk
Stellar Cyber icon Stellar Cyber Sumo Logic icon Sumo Logic Todyl icon Todyl*

* You'll need to sign in to read this documentation.

If your SIEM isn’t listed, you can build your own client using the 1Password Events API.

Appendix: Issue or revoke bearer tokens

To issue a bearer token:

  1. Sign in to your account on 1Password.com and select Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to issue a token and select Add a token.
  3. Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then select Issue Token.
  4. Select Save in 1Password and choose which vault to save your token to. Then select View Integration Details.

To revoke a bearer token:

  1. Sign in to your account on 1Password.com and select Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to revoke a token.
  3. Select the gear button next to the token you want to revoke, then select Revoke.

Important

Your SIEM will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

Get help

To change the event types a token has access to, issue a new token.

Integration support

Learn more


Published: