Teams and Businesses

Get started with 1Password Events Reporting

Learn how to send your 1Password account activity to your security information and event management (SIEM) system using the 1Password Events API.

With 1Password Business, you can send your account activity to your security information and event management (SIEM) system using the 1Password Events API. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location.

With 1Password Events Reporting and your SIEM, you can:

  • Control your 1Password data retention
  • Build custom graphs and dashboards
  • Set up custom alerts that trigger specific actions
  • Cross-reference 1Password events with the data from other services

You can set up Events Reporting if you’re an owner or administrator.

Step 1: Set up an Events Reporting integration

To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose your SIEM:

Datadog icon Datadog

Splunk

Elastic

Sumo Logic

Panther

Other

Then follow these steps to add the integration to your 1Password account and create a bearer JSON web token:

  1. Enter a name for the integration, then click Add Integration.
  2. Enter a name for the bearer token and choose when the token will expire. Select or deselect the event types the token has access to, then click Issue Token.
  3. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

You can now use your bearer token in your SIEM applications or services to authenticate with the 1Password Events API.

You can issue or revoke bearer tokens at any time.

Step 2: Connect your 1Password account to your SIEM

SIEM applications and services collect information from 1Password through requests to the Events REST API. Requests are authenticated with a bearer token. Issue a token for each application or service you use.

User Guide

Learn how to connect your 1Password account to your SIEM applications or services:

If your SIEM isn’t listed, you can build your own client using the 1Password Events API.

Appendix: Issue or revoke bearer tokens

To issue a bearer token:

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to issue a token and click Add a token.
  3. Enter a name for the bearer token and choose when it will expire. Select or deselect the event types the token has access to, then click Issue Token.
  4. Click Save in 1Password and choose which vault to save your token to. Then click View Integration Details.

To revoke a bearer token:

  1. Sign in to your account on 1Password.com and click Integrations in the sidebar.
  2. Choose the Events Reporting integration where you want to revoke a token.
  3. Click next to the token you want to revoke, then click Revoke.

Important

Your SIEM will stop ingesting events after a token is revoked. To minimize downtime, issue a replacement token before you revoke one.

Get help

To change the event types a token has access to, issue a new token.

Integration support

Learn more

Still need help?

If this article didn't answer your question, contact 1Password Support.

Published: