Get started with 1Password Events Reporting and Splunk Enterprise or Splunk Cloud Victoria Experience

Learn how to send your 1Password account activity to Splunk using the 1Password Events Reporting for Splunk add-on.

Tip

If you’re using Splunk Cloud Classic Experience, there’s a different way to get started with 1Password Events Reporting. If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.

With 1Password Business, you can send your account activity to Splunk using the 1Password Events Reporting for Splunk add-on. Get reports about 1Password activity like sign-in attempts and item usage while you manage all your company’s applications and services from a central location.

With 1Password Events Reporting and Splunk, you can:

  • Control your 1Password data retention
  • Build custom graphs and dashboards
  • Set up custom alerts that trigger specific actions
  • Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner or administrator.

To get started, sign in to Splunk Web, then follow these steps.

Step 1: Create an index for each event type

Help

If you want to index on main instead of creating an index for each event type, you can skip to the steps to set up the 1Password add-on.

Create an index in Splunk Web for each event type you want to get reports for. Repeat these steps if you’re creating more than one index.

  1. Click Settings in the Splunk bar, then choose Indexes from the Data section.
  2. Click New Index and enter an index name. You can leave the default values for all other fields, or you can enter custom values as needed for Splunk Enterprise or Splunk Cloud.
  3. Click Save.

Step 2: Set up the 1Password add-on

Download the 1Password Events Reporting for Splunk add-on from Splunkbase. Next, install the add-on in Splunk Web. Then click Set up now and follow these steps:

  1. Click Generate an Events API token. A new browser tab or window will open.
  2. Sign in to your 1Password account.
  3. Enter a system name for the integration (or use the default suggestion), then click Add Integration.
  4. Enter a name for the bearer token (or use the default suggestion) and choose when it will expire.
  5. Select or deselect the event types the token has access to, then click Issue Token.
  6. Click Save in 1Password and choose which vault to save your token to. Then copy your token.
  7. In Splunk Web, enter the token you copied from 1Password.com, then click Next.
  8. Choose which index to use for each event type. Click Submit, then click Finish.

If you’re using forwarders in a distributed Splunk Enterprise deployment, you’ll also need to install the add-on to your forwarders.

Step 3: Create a search macro

Create a search macro in Splunk Web for each event type. Repeat these steps if you’re creating a search macro for more than one event type.

  1. Click Settings in the Splunk bar, then choose Advanced Search from the Knowledge section.

  2. Click Add new beside “Search macros”.

  3. Configure the destination app, name, and definition for the macro, then click Save.

    Destination app: Choose onepassword_events_api from the list.

    Name: Enter a name for the search macro. For item usage events, enter 1password_item_usages_index. For sign-in attempt events, enter 1password_signin_attempts_index.

    Definition: Enter a definition for your index.

    • If you indexed on main, enter index=main.
    • If you created an index for each event type, enter a definition for that index. For item usage events, enter index=onepassword_item_usages. For sign-in attempt events, enter index=onepassword_signin_attempts.
  4. Click Permissions from the Sharing column for the search macro you created, then select This app only (onepassword_events_api).

  5. Select the permissions for each role, then click Save.

    Read permission should be given to every role. Write permission should be given to the admin role and anyone else who needs it.
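
For a self-managed Splunk Enterprise search head kept under configuration management, the macros and permissions from Step 3 can also be expressed as configuration files. This is an added example, not part of the add-on or of 1Password's documentation; it assumes the app directory is named after the app ID shown above (onepassword_events_api), that you have file system access, and that you created one index per event type.

```ini
# File (assumed path): $SPLUNK_HOME/etc/apps/onepassword_events_api/local/macros.conf
# One macro per event type. Dashboards and searches then refer to the macro,
# not to a hard-coded index, for example:
#   `1password_signin_attempts_index` | stats count

[1password_item_usages_index]
# Use "index=main" here instead if you indexed on main.
definition = index=onepassword_item_usages

[1password_signin_attempts_index]
# Use "index=main" here instead if you indexed on main.
definition = index=onepassword_signin_attempts


# File (assumed path): $SPLUNK_HOME/etc/apps/onepassword_events_api/metadata/local.meta
# export = none keeps each macro scoped to this app, which matches
# "This app only (onepassword_events_api)" in the Permissions dialog.
# access grants read to every role and write to admin only; add other
# roles to the write list only where they need to change the definition.

[macros/1password_item_usages_index]
access = read : [ * ], write : [ admin ]
export = none

[macros/1password_signin_attempts_index]
access = read : [ * ], write : [ admin ]
export = none
```

Restart Splunk or reload the configuration after editing these files. On Splunk Cloud, use the Splunk Web steps above.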

You can now use Splunk to monitor events from your 1Password account.

Appendix: Determine your Splunk Cloud Platform Experience

If you’re not sure which version of Splunk Cloud you’re using, determine your Platform Experience.

If you don’t see your Experience listed, check your version. If you’re on 8.1 or earlier, you’re using the Classic Experience and there’s a different way to get started with 1Password Events Reporting.

Appendix: List of 1Password event types

Event type | Index name | Description
Item usage | onepassword_item_usages | Returns information about items in shared vaults that have been modified, accessed, or used.
Sign-in attempts | onepassword_signin_attempts | Returns information about sign-in attempts (successful and failed).

Appendix: Issue or revoke bearer tokens

Issue a bearer token

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to issue a token and click Add a token.
  3. Enter a name for the bearer token and choose when it will expire. Select the event types the token has access to, then click Issue Token.
  4. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

Revoke a bearer token

Important

Splunk will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to revoke a token.
  3. Click next to the token you want to revoke, then click Revoke.

Update a bearer token in Splunk

If you issue a bearer token in 1Password, you’ll need to update the token in Splunk. Copy your token from 1Password, then follow these steps:

  1. Sign in to Splunk Web.
  2. Click the next to the Apps menu in the sidebar.
  3. Search for the 1Password Events Reporting for Splunk add-on, then click Launch app from the Actions column.
  4. Click the Configurations tab, then click I already have my Events API token.
  5. Paste the bearer token you copied previously, then click Next.
  6. Select or deselect the event types the token has access to and choose which index to use for each event type.
  7. Click Submit, then click Finish.

Get help

To change the event types a token has access to, issue a new token, then update the token in Splunk.

To get help with Events Reporting, or to share feedback, contact the 1Password Business team.
