Get started with 1Password Events Reporting and Splunk Cloud Classic Experience

Learn how to send your 1Password account activity to Splunk using the 1Password Events Reporting for Splunk add-on.

Tip

If you’re using Splunk Enterprise or Splunk Cloud Victoria Experience, there’s a different way to get started with 1Password Events Reporting. If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.

With 1Password Business, you can send your account activity to Splunk using the 1Password Events Reporting for Splunk add-on. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.

With 1Password Events Reporting and Splunk, you can:

  • Control your 1Password data retention
  • Build custom graphs and dashboards
  • Set up custom alerts that trigger specific actions
  • Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner or administrator.

You’ll also need an Inputs Data Manager (IDM) to use the 1Password Events Reporting for Splunk add-on with Splunk Cloud Classic Experience. If you don’t have an IDM, contact Splunk Support and ask them to provision one for you.

Step 1: Create an index for each event type

Help

If you want to index on main instead of creating an index for each event type, you can skip to the steps to set up the 1Password add-on.

Sign in to Splunk Web for your search head, then create an index for each event type you want to get reports for. Repeat these steps if you’re creating more than one index.

  1. Click Settings in the Splunk bar, then choose Indexes from the Data section.
  2. Click New Index and enter an index name. You can leave the default values for all other fields, or you can enter custom values as needed.
  3. Click Save.

Step 2: Set up the 1Password add-on

Contact Splunk Support to install the add-on

Before you can set up the 1Password Events Reporting for Splunk add-on, it needs to be installed on your Splunk search head and IDM. Splunk Cloud Classic Experience doesn’t support self-service installation, so you’ll need to contact Splunk Support to have them install the add-on for you.

  1. Sign in to your account on Splunk.com.

  2. Click the Support menu and choose Support Portal.

  3. Click Submit a Case in the sidebar, then choose Cloud App/Add-on Requests and fill in all necessary fields.

    Cloud Maintenance Request: Choose Install.

    App or Add-on: Enter “1Password Events Reporting for Splunk add-on”.

    Select Cloud Stack: Select your Cloud stack.

    Expected Install Location: Select both Searchhead and Inputs Data Manager.

    Description: Add as much detail as needed for your installation. Make sure to include the following:

    • Configuration flags and inputs need to be disabled on the search head. Request that the isConfigured flag be set to true.
    • If you created your own indexes for the 1Password event types, ask Splunk Support to sync your index configurations after the add-on is installed in your IDM.

After Splunk Support has installed the 1Password add-on and synced your indexes, you can finish setting it up.

Set up the add-on and connect it to your 1Password account

Sign in to Splunk Web for your IDM. Click next to the Apps menu in the sidebar, and search for the 1Password Events Reporting for Splunk add-on. Click Set up from the Actions column, then follow these steps:

  1. Click Generate an Events API token. A new browser tab or window will open.
  2. Sign in to your 1Password account.
  3. Enter a system name for the integration (or use the default suggestion), then click Add Integration.
  4. Enter a name for the bearer token (or use the default suggestion) and choose when it will expire.
  5. Select or deselect the event types the token has access to, then click Issue Token.
  6. Click Save in 1Password and choose which vault to save your token to. Then copy your token.
  7. In Splunk Web for your IDM, enter the token you copied from 1Password.com, then click Next.
  8. Choose which index to use for each event type. Click Submit, then click Finish.

Step 3: Create a search macro

Sign in to Splunk Web for your search head to create a search macro for each event type. Repeat these steps if you’re creating a search macro for more than one event type.

  1. Click Settings in the Splunk bar, then choose Advanced Search from the Knowledge section.

  2. Click Add new beside “Search macros”.

  3. Configure the destination app, name, and definition for the macro:

    Destination app: Choose onepassword_events_api from the list.

    Name: Enter a name for the search macro:

    • For audit events, enter 1password_audit_events_index.
    • For item usage events, enter 1password_item_usages_index.
    • For sign-in attempt events, enter 1password_signin_attempts_index.

    Definition: Enter a definition for your index. If you indexed on main, enter index=main. If you created an index for each event type, enter a definition for that index:

    • For audit events, enter index=onepassword_audit_events.
    • For item usage events, enter index=onepassword_item_usages.
    • For sign-in attempt events, enter index=onepassword_signin_attempts.
  4. Click Save, then choose Permissions from the Sharing column for the search macro you created and select This app only (onepassword_events_api).

  5. Select the permissions for each role, then click Save.

    Read permission should be given to every role. Write permission should be given to the admin role and anyone else who needs it.

All your searches should be performed on your search head instead of your IDM.

You can now use Splunk to monitor events from your 1Password account.
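As an added example (not part of the original article or the add-on), the search below uses the sign-in attempts macro from Step 3 to list users with repeated failed sign-ins in a 15-minute window, which can be saved as a scheduled alert. The field names `category`, `target_user.email` and `client.ip_address` are assumed from the JSON returned by the 1Password Events API, and the 24-hour range and threshold of 5 are assumptions to tune; check the field names against an indexed event before relying on the results.

```spl
`1password_signin_attempts_index` earliest=-24h
| spath
| rename "target_user.email" AS user, "client.ip_address" AS src_ip
| eval outcome=case(category=="success", "success", isnotnull(category), "failure")
| bin _time span=15m
| stats count(eval(outcome=="failure")) AS failures
        count(eval(outcome=="success")) AS successes
        dc(src_ip) AS distinct_ips
        values(category) AS categories
        BY _time user
| where failures>=5
| sort - failures
```

Run it on the search head, where the macro is defined in the onepassword_events_api app.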

Appendix: Determine your Splunk Cloud Platform Experience

If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.

If you’re on the Victoria Experience, there’s a different way to get started with 1Password Events Reporting.

If you don’t see your Experience listed, check your version. If you’re on 8.1 or earlier, you’re using the Classic Experience.

Appendix: List of 1Password event types

| Event type | Index name | Description |
| --- | --- | --- |
| Audit events | onepassword_audit_events | Returns information about actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more. |
| Item usage | onepassword_item_usages | Returns information about items in shared vaults that have been modified, accessed, or used. |
| Sign-in attempts | onepassword_signin_attempts | Returns information about sign-in attempts (successful and failed). |

Appendix: Issue or revoke bearer tokens

Issue a bearer token

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to issue a token and click Add a token.
  3. Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
  4. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

Revoke a bearer token

Important

Splunk will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to revoke a token.
  3. Click next to the token you want to revoke, then click Revoke.

Update a bearer token in Splunk

If you issue a bearer token in 1Password, you’ll need to update the token in Splunk. Copy your token from 1Password, then follow these steps:

  1. Sign in to your account on Splunk Web.
  2. Click the next to the Apps menu in the sidebar.
  3. Search for the 1Password Events Reporting for Splunk add-on, then click Launch app from the Actions column.
  4. Click the Configurations tab, then click I already have my Events API token.
  5. Paste the bearer token you copied previously, then click Next.
  6. Select or deselect the event types the token has access to and choose which index to use for each event type.
  7. Click Submit, then click Finish.
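Because ingestion stops when a token is revoked, a scheduled search that reports stalled 1Password indexes helps confirm that a replacement token is working. The following is an added example, not part of the original article or the add-on; it assumes you created the three per-event-type indexes listed in the appendix, and the 7-day window and 24-hour (1440-minute) staleness threshold are assumptions to adjust for how active your account is.

```spl
| tstats latest(_time) AS last_event
    WHERE (index=onepassword_audit_events OR index=onepassword_item_usages OR index=onepassword_signin_attempts) earliest=-7d
    BY index
| append
    [| makeresults
     | eval index=split("onepassword_audit_events,onepassword_item_usages,onepassword_signin_attempts", ",")
     | mvexpand index
     | eval last_event=0
     | fields index last_event]
| stats max(last_event) AS last_event BY index
| eval minutes_since=if(last_event==0, null(), round((now()-last_event)/60))
| eval status=case(last_event==0, "no events in the last 7 days", minutes_since>1440, "stale", true(), "ok")
| where status!="ok"
| eval last_event=if(last_event==0, "never", strftime(last_event, "%Y-%m-%d %H:%M:%S"))
| table index status last_event minutes_since
```

The appended `makeresults` rows make an index appear in the results even when it has received no events at all, which is the case a plain `tstats` would silently omit.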

Get help

To change the event types a token has access to, issue a new token, then update the token in Splunk.

To get help with Events Reporting, or to share feedback, contact the 1Password Business team.
