Tip
If you’re using Splunk Cloud Classic Experience, there’s a different way to get started with 1Password Events Reporting. If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.
With 1Password Business, you can send your account activity to Splunk using the 1Password Events Reporting for Splunk add-on. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.
With 1Password Events Reporting and Splunk, you can:
- Control your 1Password data retention
- Build custom graphs and dashboards
- Set up custom alerts that trigger specific actions
- Cross-reference 1Password events with the data from other services
You can set up Events Reporting if you’re an owner or administrator.
To get started, sign in to Splunk Web, then follow these steps.
Step 1: Create an index for each event type
Help
If you want to index on main instead of creating an index for each event type, you can skip to the steps to set up the 1Password add-on.
Create an index in Splunk Web for each event type you want to get reports for. Repeat these steps if you’re creating more than one index.
- Click Settings in the Splunk bar, then choose Indexes from the Data section.
- Click New Index and enter an index name. You can leave the default values for all other fields, or you can enter custom values as needed for Splunk Enterprise or Splunk Cloud.
- Click Save.
Step 2: Set up the 1Password add-on
Download the 1Password Events Reporting for Splunk add-on from Splunkbase. Next, install the add-on in Splunk Web. Then click “Set up now” and follow these steps:
- Click “+ Generate an Events API token”. A new browser tab or window will open.
- Sign in to your 1Password account.
- Enter a system name for the integration (or use the default suggestion), then click Add Integration.
- Enter a name for the bearer token (or use the default suggestion) and choose when it will expire.
- Select or deselect the event types the token has access to, then click Issue Token.
- Click Save in 1Password and choose which vault to save your token to. Then copy your token.
- In Splunk Web, enter the token you copied from 1Password.com, then click Next.
- Choose which index to use for each event type. Click Submit, then click Finish.
If you’re using forwarders in a distributed Splunk Enterprise deployment, you’ll also need to install the add-on to your forwarders.
Step 3: Create a search macro
Create a search macro in Splunk Web for each event type. Repeat these steps if you’re creating a search macro for more than one event type.
- Click Settings in the Splunk bar, then choose Advanced Search from the Knowledge section.
- Click “+ Add new” beside “Search macros”.
- Configure the destination app, name, and definition for the macro, then click Save.
  - Destination app: Choose onepassword_events_api from the list.
  - Name: Enter a name for the search macro. For item usage events, enter 1password_item_usages_index. For sign-in attempt events, enter 1password_signin_attempts_index.
  - Definition: Enter a definition for your index.
    - If you indexed on main, enter index=main.
    - If you created an index for each event type, enter a definition for that index. For item usage events, enter index=onepassword_item_usages. For sign-in attempt events, enter index=onepassword_signin_attempts.
- Click Permissions from the Sharing column for the search macro you created, then select “This app only (onepassword_events_api)”.
- Select the permissions for each role, then click Save.
  Read permission should be given to every role. Write permission should be given to the admin role and anyone else who needs it.
You can now use Splunk to monitor events from your 1Password account.
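On Splunk Enterprise, the macros and permissions from Step 3 end up in the app's configuration files, so they can be audited after setup. The following is an added example, not code from 1Password or the add-on: it checks macro definitions and sharing against the guidance above, and the file locations, the sample file contents and the treatment of a missing export setting as app-only are assumptions.

```python
import configparser
import re

# Constructed sample files, not shipped by the add-on. Paths are assumed:
# local/macros.conf and metadata/local.meta in the onepassword_events_api app.
MACROS_CONF = """
[1password_item_usages_index]
definition = index=onepassword_item_usages
[1password_signin_attempts_index]
definition = index=main
"""
LOCAL_META = """
[macros/1password_item_usages_index]
access = read : [ * ], write : [ admin ]
export = none
[macros/1password_signin_attempts_index]
access = read : [ * ], write : [ power ]
export = system
"""
# Macro name -> per-event-type index, as given in Step 3.
EXPECTED = {
    "1password_item_usages_index": "onepassword_item_usages",
    "1password_signin_attempts_index": "onepassword_signin_attempts",
}

def _parse(text):
    # Split only on "=" so values such as "read : [ * ]" stay intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def _roles(access, verb):
    # Pull the role list out of e.g. "read : [ * ], write : [ admin ]".
    m = re.search(verb + r"\s*:\s*\[([^\]]*)\]", access)
    return {r.strip() for r in m.group(1).split(",")} if m else set()

def audit(macros_text, meta_text):
    macros, meta, findings = _parse(macros_text), _parse(meta_text), []
    for name, index in EXPECTED.items():
        definition = macros.get(name, "definition", fallback=None)
        if definition not in ("index=" + index, "index=main"):
            findings.append(f"{name}: unexpected definition {definition!r}")
        access = meta.get("macros/" + name, "access", fallback="")
        if "*" not in _roles(access, "read"):
            findings.append(f"{name}: read not granted to every role")
        if not _roles(access, "write") & {"admin", "*"}:
            findings.append(f"{name}: admin cannot write")
        if meta.get("macros/" + name, "export", fallback="none") != "none":
            findings.append(f"{name}: shared outside this app")
    return findings
```

Calling `audit(MACROS_CONF, LOCAL_META)` on the constructed sample reports the sign-in macro twice: its write list omits admin and it is exported beyond the app.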
Appendix: Determine your Splunk Cloud Platform Experience
If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.
If you’re on the Victoria Experience, there’s a different way to get started with 1Password Events Reporting.
If you don’t see your Experience listed, check your version. If you’re on 8.1 or earlier, you’re using the Classic Experience and there’s a different way to get started with 1Password Events Reporting.
Appendix: List of 1Password event types
Event type | Index name | Description |
---|---|---|
Item usage | onepassword_item_usages | Returns information about items in shared vaults that have been modified, accessed, or used. |
Sign-in attempts | onepassword_signin_attempts | Returns information about sign-in attempts (successful and failed). |
Appendix: Issue or revoke bearer tokens
Issue a bearer token
- Sign in to your account on 1Password.com and click Integrations in the sidebar.
- Choose the Events Reporting integration where you want to issue a token and click “Add a token”.
- Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
- Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.
Revoke a bearer token
Important
Splunk will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.
- Sign in to your account on 1Password.com and click Integrations in the sidebar.
- Choose the Events Reporting integration where you want to revoke a token.
- Click next to the token you want to revoke, then click Revoke.
Update a bearer token in Splunk
If you issue a bearer token in 1Password, you’ll need to update the token in Splunk. Copy your token from 1Password, then follow these steps:
- Sign in to Splunk Web.
- Click the next to the Apps menu in the sidebar.
- Search for the 1Password Events Reporting for Splunk add-on, then click “Launch app” from the Actions column.
- Click the Configurations tab, then click “I already have my Events API token”.
- Paste the bearer token you copied previously, then click Next.
- Select or deselect the event types the token has access to and choose which index to use for each event type.
- Click Submit, then click Finish.
Get help
To change the event types a token has access to, issue a new token, then update the token in Splunk.
To get help with Events Reporting, or to share feedback, contact the 1Password Business team.