Get started with 1Password Events Reporting and Splunk

Learn how to send your 1Password account activity to Splunk using the 1Password Events API add-on.

With 1Password Business, you can send your account activity to Splunk using the 1Password Events API add-on. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.

With 1Password Events Reporting and Splunk, you can:

  • Control your 1Password data retention
  • Build custom graphs and dashboards
  • Set up custom alerts that trigger specific actions
  • Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner, administrator, or part of a group with the View Administrative Sidebar permission.

Step 1: Set up an Events Reporting integration

To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose Splunk.

Then follow these steps to add a Splunk integration to your 1Password account and create a bearer JSON web token:

  1. Enter a name for the integration, then click Add Integration.
  2. Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
  3. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

You can now use your bearer token to authenticate the 1Password Events API add-on in Splunk.

You can issue or revoke bearer tokens at any time.

Step 2: Connect your 1Password account to Splunk

Splunk retrieves information from 1Password through requests to the Events REST API. Requests are authenticated with a bearer token. Issue a token for each application or service you use.

To connect your 1Password account to Splunk:

  1. Install the 1Password Events API add-on from Splunkbase.
  2. Open the add-on and click “Set up now”.
  3. Copy the bearer token you saved previously and paste it in the Events API Token field, then click Submit.

If you’re using forwarders in a distributed Splunk Enterprise deployment, you’ll also need to install the add-on to your forwarders.

Step 3: Set up the 1Password Events API add-on

After you’ve installed the 1Password Events API add-on in Splunk, you can create an index for each 1Password event type you plan to monitor. Then configure and turn on the scripted inputs.

Create an index for each event type

Help

If you want to index on main instead of creating an index for each event type, you can skip to the steps to turn on the scripted input.

Repeat these steps for each index you want to create:

  1. Sign in to your account on Splunk Web.
  2. Click Settings in the Splunk bar and choose Indexes.
  3. Click New Index and enter an index name. Leave the default values for all other fields and click Save.

Configure the scripted input

To map 1Password events to an index, configure the scripted input. Repeat these steps for each script you want to configure:

  1. Click Settings in the Splunk bar and choose “Data inputs”, then select Scripts from the list.
  2. Choose the script you want to configure (for example: $SPLUNK_HOME/etc/apps/onepassword_events_api/bin/item_usages), then turn on More Settings.
  3. In the Index section, select the name of the index you created from the drop-down menu, then click Save.

Turn on the scripted input

Repeat these steps for each script you want to turn on:

  1. Click Settings in the Splunk bar and choose “Data inputs”.
  2. Choose Scripts from the list of data inputs.
  3. Click Enable in the Status column for the script you want to turn on (for example: $SPLUNK_HOME/etc/apps/onepassword_events_api/bin/item_usages).

You can now use Splunk to monitor events from your 1Password account.

Appendix: Issue or revoke bearer tokens

Issue a bearer token

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to issue a token and click “Add a token”.
  3. Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
  4. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

Revoke a bearer token

Important

Splunk will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to revoke a token.
  3. Click next to the token you want to revoke, then click Revoke.

Update a bearer token in Splunk

If you issue a new bearer token in 1Password, you’ll need to update the token in Splunk. You’ll also need to turn any scripted inputs off, then back on.

  1. Sign in to your account on Splunk Web.
  2. Click Apps in the Splunk bar and choose Manage Apps.
  3. Click Setup in the Actions column for the 1Password Events API.
  4. Copy the bearer token you saved previously and paste it in the Events API Token field, then click Submit.
  5. Click Settings in the Splunk bar and choose “Data inputs”, then select Scripts from the list.
  6. Click Disable in the Status column for each script you want to turn off (for example: $SPLUNK_HOME/etc/apps/onepassword_events_api/bin/item_usages). It may take a moment.
  7. Click Enable in the Status column for each script you want to turn back on.
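
To schedule a replacement token before the current one expires, you can read the expiry from the token itself. This is an added example, not part of the original article or 1Password's own code; it assumes the bearer token carries the standard JWT exp claim (the article does not list the token's claims), and the sample token is constructed.

```python
import base64
import getpass
import json
import time

def jwt_claims(token):
    """Decode a JWT's payload segment. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def rotation_status(token, now=None, warn_days=14):
    """Return (status, days_left); status is one of
    'no-expiry', 'expired', 'rotate-soon' or 'ok'."""
    now = time.time() if now is None else now
    exp = jwt_claims(token).get("exp")  # assumption: standard RFC 7519 claim
    if exp is None:
        return "no-expiry", None
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        raise ValueError("exp claim is not a numeric timestamp")
    days_left = (exp - now) / 86400
    if days_left <= 0:
        return "expired", days_left
    if days_left <= warn_days:
        return "rotate-soon", days_left
    return "ok", days_left

def make_sample_token(claims):
    """Build a constructed, unsigned token for the demo (not a real credential)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([seg({"alg": "none", "typ": "JWT"}), seg(claims), "c2ln"])

NOW = 1_700_000_000  # constructed reference time
SAMPLE = make_sample_token({"exp": NOW + 10 * 86400})

if __name__ == "__main__":
    print("sample:", rotation_status(SAMPLE, now=NOW))
    # Read the real token without echo so it stays out of shell history.
    print("yours: ", rotation_status(getpass.getpass("Bearer token: ")))
```

A "rotate-soon" result is the cue to issue the replacement token and update it in Splunk before revoking the old one.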

Appendix: List of 1Password event types

Event type | Example index name | Description
Item usage | onepassword_item_usages | Returns information about items in shared vaults that have been modified, accessed, or used.
Sign-in attempts | onepassword_signin_attempts | Returns information about sign-in attempts (successful and failed).

Get help

To change the event types a token has access to, issue a new token.

If you’re using Splunk Cloud and self-service installation isn’t supported, contact Splunk Support to help install the 1Password Events API add-on.

To get help with Events Reporting, or to share feedback, contact the 1Password Business team.
