Get started with 1Password Events Reporting and Elastic

Learn how to send your 1Password account activity to Elasticsearch using the 1Password Events API Beat.

With 1Password Business, you can send your account activity to Elasticsearch using the 1Password Events API Beat. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location. With 1Password Events Reporting and Elastic, you can:

Control your 1Password data retention
Build custom graphs and dashboards
Set up custom alerts that trigger specific actions
Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner, administrator, or part of a group with the View Administrative Sidebar permission.

Step 1: Set up an Events Reporting integration

To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose Elastic.

Then follow these steps to add an Elastic integration to your 1Password account and create a bearer JSON web token:

Enter a name for the integration, then click Add Integration.
Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

You can now use your bearer token to authenticate the 1Password Events API Beat with Elasticsearch.

You can issue or revoke bearer tokens at any time.

Step 2: Connect your 1Password account to Elastic

You can connect your 1Password account to Elastic using either the 1Password Elastic Integration or the 1Password Events API Beat.

If you want to use pre-configured Kibana dashboards to monitor events for your 1Password account, follow the steps to use the Elastic integration.

If you want to run requests from the command line to send event information from your 1Password account to Elasticsearch, follow the steps to use the Events API Beat.

Use 1Password Elastic Integration

The 1Password Elastic integration requires Elastic Stack with at least one Elastic Agent installed and enrolled and Kibana 7.16 or later.

Step 1: Add the 1Password integration

Sign in to your Kibana instance and navigate to the Home page.
Open the menu and go to Management > Add integrations.
Choose 1Password from the list of integrations, then select Add 1Password.

Step 2: Configure the 1Password integration

After you add the 1Password integration, you’ll need to adjust the settings in the Configure integration section.

Fill out the following field(s) to identify the integration:
- Integration name: Enter a name for the integration. For example, 1password.
- Description: (Optional) Enter a description for the integration.
Make sure the Collect events from 1Password Events API setting is turned on, then fill out the following fields:
- URL of 1Password Events API server: Enter your Events API URL. For example: https://events.1password.com.
- 1Password Authorization Token: Enter the bearer token you saved when you set up the integration in your 1Password account.
Make sure one or more of the following 1Password events are turned on:
- Collect 1Password audit events
- Collect 1Password item usages events
- Collect 1Password sign-in attempt events
The events you choose to collect should match the events you chose when you created your bearer token. If an event type is turned on that you don’t want to collect, turn it off.
(Optional) If you want to keep a raw copy of the original event, turn on Preserve original event for an event type.
(Optional) If you want to adjust the default settings for an event type, select Advanced options for that event. You can make changes to the following fields:
- Limit*: Adjust the number of events to fetch with each request. The default limit is 1000.
- Interval to query 1Password Events API*: Adjust the query interval using the GO duration syntax . The default interval is 10s.
- Tags: (Optional) Add tags that can help you filter and perform operations.
- Processors: (Optional) Add processors to parse, filter, transform, and enrich data at the source.
  * 1Password Events API limits requests to 600 per minute and 30,000 per hour.

Step 3: Choose an Elastic agent policy

The Elastic agent policy defines the data the Elastic Agent will collect. In the Where to add this integration? section, follow these steps.

Choose the agent policy you want to use for the integration:
- If you want to create a new agent policy, choose New hosts and enter a name for the policy.
- If you want to use an existing policy, choose Existing hosts and select the agent policy you want to use.
Select Save and continue.
Select Save and deploy changes and wait a few moments for your changes to save.

The 1Password integration will now be in your installed integrations, and you’ll be able to access the integration’s built-in Kibana dashboards to monitor events from your 1Password account. The returned data will follow the Elastic Common Schema specifications.

Learn more about how to install Elastic Agents.

Use 1Password Events API Beat

The 1Password Events API Beat returns information from 1Password through requests to the Events API and sends that data securely to Elasticsearch. Requests are authenticated with a bearer token. Issue a token for each application or service you use.

To connect your 1Password account to Elastic:

Download and install the 1Password Events API Elastic Beat from the 1Password GitHub repository.
Rename the eventsapibeat-sample.yml configuration file to eventsapibeat.yaml.
Configure the YAML file for the Beat:
- Add your bearer token to theauth_token fields for each 1Password event type you want to monitor.
- Configure the output to send events directly to Elasticsearch or through Logstash, the Console, and more.
- Customize any other configuration options you need.

Run the following command:

 ./eventsapibeat -c eventsapibeat.yml -e

You can now use Elasticsearch with the 1Password Events API Beat to monitor events from your 1Password account. The returned data will follow the Elastic Common Schema specifications.

Appendix: Issue or revoke bearer tokens

Issue a bearer token

Sign in to your account on 1Password.com and click Integrations in the sidebar.
Choose the Events Reporting integration where you want to issue a token and click Add a token.
Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

Revoke a bearer token

Important

Elasticsearch will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

Sign in to your account on 1Password.com and click Integrations in the sidebar.
Choose the Events Reporting integration where you want to revoke a token.
Click next to the token you want to revoke, then click Revoke.

Update a bearer token in Elastic

If you issue a new bearer token in 1Password, you’ll need to update the token in the eventsapibeat.yml file, then restart the Beat.

Appendix: List of 1Password server URLs

If your account is on:	Your Events API URL is:
1Password.com	`https://events.1password.com` (1Password Business) `https://events.ent.1password.com` (1Password Enterprise)
1Password.ca	`https://events.1password.ca`
1Password.eu	`https://events.1password.eu`

Appendix: List of 1Password event types

Event type	Description
Audit events	Returns information about actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more.
Item usage	Returns information about items in shared vaults that have been modified, accessed, or used.
Sign-in attempts	Returns information about sign-in attempts (successful and failed).

Get help

To change the event types a token has access to, issue a new token.

To get help with Events Reporting, or to share feedback, contact the 1Password Business team.