1Password Events Reporting
<div class="condensed-table">
| | |
| --- | --- |
| Version | 1.31.0 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher |
| Supported Serverless project types
What’s this? | Security
Observability |
| Subscription level
What’s this? | Basic |
| Level of support
What’s this? | Partner |
</div>
With 1Password Business, you can send your account activity to your security information and event management (SIEM) system, using the 1Password Events API.
Get reports about 1Password activity, such as sign-in attempts and item usage, while you manage all your company’s applications and services from a central location.
With 1Password Events Reporting and Elastic SIEM, you can:
- Control your 1Password data retention
- Build custom graphs and dashboards
- Set up custom alerts that trigger specific actions
- Cross-reference 1Password events with the data from other services
You can set up Events Reporting if you’re an owner or administrator.
Ready to get started? Learn how to set up the Elastic Events Reporting integration.
Use the 1Password Events API to retrieve information about sign-in attempts. Events include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and – for failed attempts – the cause of the failure.
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| input.type | Input type | keyword |
| onepassword.client.app_name | The name of the 1Password app that attempted to sign in to the account | keyword |
| onepassword.client.app_version | The version number of the 1Password app | keyword |
| onepassword.client.platform_name | The name of the platform running the 1Password app | keyword |
| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
| onepassword.country | The country code of the event. Uses the ISO 3166 standard | keyword |
| onepassword.details.value | keyword | |
| onepassword.session_uuid | The UUID of the session that created the event | keyword |
| onepassword.type | Details about the sign-in attempt | keyword |
| onepassword.uuid | The UUID of the event | keyword |
**Example**
An example event for signin_attempts looks as following:
{
"@timestamp": "2021-08-11T14:28:03.000Z",
"agent": {
"ephemeral_id": "ad3b6f25-cc74-4188-90f5-5eb58cac50e6",
"id": "20d847f6-71da-42b9-88c7-07d421e00fbb",
"name": "elastic-agent-17935",
"type": "filebeat",
"version": "8.16.0"
},
"data_stream": {
"dataset": "1password.signin_attempts",
"namespace": "94013",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "20d847f6-71da-42b9-88c7-07d421e00fbb",
"snapshot": false,
"version": "8.16.0"
},
"event": {
"action": "success",
"agent_id_status": "verified",
"category": [
"authentication"
],
"created": "2024-11-22T16:13:30.707Z",
"dataset": "1password.signin_attempts",
"ingested": "2024-11-22T16:13:33Z",
"kind": "event",
"original": "{\"category\":\"success\",\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"ip_address\":\"1.1.1.1\",\"os_name\":\"Android\",\"os_version\":\"10\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\"},\"country\":\"AR\",\"details\":null,\"session_uuid\":\"UED4KFZ5BH37IQWTJ7LG4VPWK7\",\"target_user\":{\"email\":\"email@1password.com\",\"name\":\"Name\",\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\"},\"timestamp\":\"2021-08-11T14:28:03Z\",\"type\":\"credentials_ok\",\"uuid\":\"HGIF4OEWXDTVWKEQDIWTKV26HU\"}",
"outcome": "success",
"type": [
"info"
]
},
"host": {
"os": {
"name": "Android",
"version": "10"
}
},
"input": {
"type": "httpjson"
},
"onepassword": {
"client": {
"app_name": "1Password Browser Extension",
"app_version": "1109",
"platform_name": "Chrome",
"platform_version": "93.0.4577.62"
},
"country": "AR",
"session_uuid": "UED4KFZ5BH37IQWTJ7LG4VPWK7",
"type": "credentials_ok",
"uuid": "HGIF4OEWXDTVWKEQDIWTKV26HU"
},
"related": {
"ip": [
"1.1.1.1"
],
"user": [
"OJQGU46KAPROEJLCK674RHSAY5",
"email@1password.com",
"Name"
]
},
"source": {
"ip": "1.1.1.1"
},
"tags": [
"preserve_original_event",
"forwarded",
"1password-signin_attempts"
],
"user": {
"email": "email@1password.com",
"full_name": "Name",
"id": "OJQGU46KAPROEJLCK674RHSAY5",
"name": "Name"
}
}
This uses the 1Password Events API to retrieve information about items in shared vaults that have been modified, accessed, or used. Events include the name and IP address of the user who accessed the item, when it was accessed, and the vault where the item is stored.
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| input.type | Input type | keyword |
| onepassword.client.app_name | The name of the 1Password app the item was accessed from | keyword |
| onepassword.client.app_version | The version number of the 1Password app | keyword |
| onepassword.client.platform_name | The name of the platform the item was accessed from | keyword |
| onepassword.client.platform_version | The version of the browser or computer where the 1Password app is installed, or the CPU of the machine where the 1Password command-line tool is installed | keyword |
| onepassword.item_uuid | The UUID of the item that was accessed | keyword |
| onepassword.used_version | The version of the item that was accessed | integer |
| onepassword.uuid | The UUID of the event | keyword |
| onepassword.vault_uuid | The UUID of the vault the item is in | keyword |
**Example**
An example event for item_usages looks as following:
{
"@timestamp": "2021-08-30T18:57:42.484Z",
"agent": {
"ephemeral_id": "21b6cbdd-1425-431c-9084-3acfc9545ac6",
"id": "20659717-b9a7-45e9-86fe-616ccc8958c8",
"name": "elastic-agent-67856",
"type": "filebeat",
"version": "8.16.0"
},
"data_stream": {
"dataset": "1password.item_usages",
"namespace": "45938",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "20659717-b9a7-45e9-86fe-616ccc8958c8",
"snapshot": false,
"version": "8.16.0"
},
"event": {
"action": "reveal",
"agent_id_status": "verified",
"category": [
"file"
],
"created": "2024-11-22T16:12:31.651Z",
"dataset": "1password.item_usages",
"ingested": "2024-11-22T16:12:34Z",
"kind": "event",
"original": "{\"action\":\"reveal\",\"client\":{\"app_name\":\"1Password Browser Extension\",\"app_version\":\"1109\",\"ip_address\":\"1.1.1.1\",\"os_name\":\"Android\",\"os_version\":\"10\",\"platform_name\":\"Chrome\",\"platform_version\":\"93.0.4577.62\"},\"item_uuid\":\"bvwmmwxisuca7wbehrbyqhag54\",\"location\":{\"city\":\"Toronto\",\"country\":\"Canada\",\"latitude\":43.64,\"longitude\":-79.433,\"region\":\"Ontario\"},\"timestamp\":\"2021-08-30T18:57:42.484Z\",\"used_version\":1,\"user\":{\"email\":\"email@1password.com\",\"name\":\"Name\",\"uuid\":\"OJQGU46KAPROEJLCK674RHSAY5\"},\"uuid\":\"MCQODBBWJD5HISKYNP3HJPV2DV\",\"vault_uuid\":\"jaqxqf5qylslqiitnduawrndc5\"}",
"type": [
"access"
]
},
"host": {
"os": {
"name": "Android",
"version": "10"
}
},
"input": {
"type": "httpjson"
},
"onepassword": {
"client": {
"app_name": "1Password Browser Extension",
"app_version": "1109",
"platform_name": "Chrome",
"platform_version": "93.0.4577.62"
},
"item_uuid": "bvwmmwxisuca7wbehrbyqhag54",
"used_version": 1,
"uuid": "MCQODBBWJD5HISKYNP3HJPV2DV",
"vault_uuid": "jaqxqf5qylslqiitnduawrndc5"
},
"related": {
"ip": [
"1.1.1.1"
],
"user": [
"OJQGU46KAPROEJLCK674RHSAY5",
"email@1password.com",
"Name"
]
},
"source": {
"ip": "1.1.1.1"
},
"tags": [
"preserve_original_event",
"forwarded",
"1password-item_usages"
],
"user": {
"email": "email@1password.com",
"full_name": "Name",
"id": "OJQGU46KAPROEJLCK674RHSAY5",
"name": "Name"
}
}
This uses the 1Password Events API to retrieve information about audit events. Events includes information about actions performed by team members such as account updates, access and invitations, device authorization, changes to vault permissions, and more.
**Exported fields**
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| data_stream.dataset | Data stream dataset. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| input.type | Input type | keyword |
| onepassword.actor_details.email | The email of the actor. | keyword |
| onepassword.actor_details.name | The name of the actor. | keyword |
| onepassword.actor_details.uuid | The UUID of the actor. | keyword |
| onepassword.actor_uuid | The UUID of the actor. | keyword |
| onepassword.aux_details.email | The email of the aux resource. | keyword |
| onepassword.aux_details.name | The name of the aux resource. | keyword |
| onepassword.aux_details.uuid | The UUID of the aux resource. | keyword |
| onepassword.aux_id | Any auxilary id related to the event. | long |
| onepassword.aux_info | Any auxilary info related to the event. | text |
| onepassword.aux_uuid | Any auxilary uuid related to the event. | keyword |
| onepassword.object_details.email | The email of the object. | keyword |
| onepassword.object_details.name | The name of the object. | keyword |
| onepassword.object_details.uuid | The UUID of the object. | keyword |
| onepassword.object_type | The type of object changed by the event. | keyword |
| onepassword.object_uuid | The UUID of the object changed by the event. | keyword |
| onepassword.session.device_uuid | The device uuid of the session used to create the event. | keyword |
| onepassword.session.login_time | The login time of the session used to create the event. | date |
| onepassword.session.uuid | The session uuid of the session used to create the event. | keyword |
| onepassword.uuid | The UUID of the event. | keyword |
**Example**
An example event for audit_events looks as following:
{
"@timestamp": "2022-10-24T21:16:52.827Z",
"agent": {
"ephemeral_id": "995e038d-40af-4750-b916-48c4055eed99",
"id": "fe01c3ff-fdb0-4ba7-be38-980c260f9cdb",
"name": "elastic-agent-21286",
"type": "filebeat",
"version": "8.16.0"
},
"data_stream": {
"dataset": "1password.audit_events",
"namespace": "55736",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "fe01c3ff-fdb0-4ba7-be38-980c260f9cdb",
"snapshot": false,
"version": "8.16.0"
},
"event": {
"action": "suspend",
"agent_id_status": "verified",
"category": [
"configuration"
],
"created": "2024-11-22T16:09:59.842Z",
"dataset": "1password.audit_events",
"ingested": "2024-11-22T16:10:02Z",
"kind": "event",
"original": "{\"action\":\"suspend\",\"actor_uuid\":\"GLF6WUEKS5CSNDJ2OG6TCZD3M4\",\"location\":{\"city\":\"Toronto\",\"country\":\"Canada\",\"latitude\":43.64,\"longitude\":-79.433,\"region\":\"Ontario\"},\"object_type\":\"user\",\"object_uuid\":\"ZRQCUD6A65AKHFETOUFO7NL4OM\",\"session\":{\"device_uuid\":\"rqtd557fn2husnstp5nc66w2xa\",\"ip\":\"89.160.20.156\",\"login_time\":\"2022-10-24T21:07:34.703106271Z\",\"uuid\":\"ODOHXUYQCJBUJKRGZNNPBJURPE\"},\"timestamp\":\"2022-10-24T21:16:52.827288935Z\",\"uuid\":\"3UQOGUC7DVOCN4OZP2MDKHFLSG\"}",
"type": [
"access"
]
},
"input": {
"type": "httpjson"
},
"onepassword": {
"object_type": "user",
"object_uuid": "ZRQCUD6A65AKHFETOUFO7NL4OM",
"session": {
"device_uuid": "rqtd557fn2husnstp5nc66w2xa",
"login_time": "2022-10-24T21:07:34.703106271Z",
"uuid": "ODOHXUYQCJBUJKRGZNNPBJURPE"
},
"uuid": "3UQOGUC7DVOCN4OZP2MDKHFLSG"
},
"related": {
"ip": [
"89.160.20.156"
],
"user": [
"GLF6WUEKS5CSNDJ2OG6TCZD3M4",
"ZRQCUD6A65AKHFETOUFO7NL4OM"
]
},
"source": {
"as": {
"number": 29518,
"organization": {
"name": "Bredband2 AB"
}
},
"geo": {
"city_name": "Linköping",
"continent_name": "Europe",
"country_iso_code": "SE",
"country_name": "Sweden",
"location": {
"lat": 58.4167,
"lon": 15.6167
},
"region_iso_code": "SE-E",
"region_name": "Östergötland County"
},
"ip": "89.160.20.156"
},
"tags": [
"preserve_original_event",
"forwarded",
"1password-audit_events"
],
"user": {
"id": "GLF6WUEKS5CSNDJ2OG6TCZD3M4"
}
}
**Changelog**
| Version | Details | Kibana version(s) |
|---|---|---|
| 1.31.0 | pass:[] Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.30.2 | pass:[] Bug fix (View pull request) Unify the use of user.full_name and user.name in all data streams. |
8.13.0 or higher |
| 1.30.1 | pass:[] Bug fix (View pull request) Use triple-brace Mustache templating when referencing variables in ingest pipelines. |
8.13.0 or higher |
| 1.30.0 | pass:[] Enhancement (View pull request) Allow @custom pipeline access to event.original without setting preserve_original_event. |
8.13.0 or higher |
| 1.29.0 | pass:[] Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.28.0 | pass:[] Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 1.27.0 | pass:[] Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 1.26.1 | pass:[] Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.26.0 | pass:[] Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 1.25.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.24.0 | pass:[] Enhancement (View pull request) Improve event.original check to avoid errors if set. |
8.7.1 or higher |
| 1.23.1 | pass:[] Bug fix (View pull request) Fix mapping for onepassword.details field |
8.7.1 or higher |
| 1.23.0 | pass:[] Enhancement (View pull request) Set partner owner type. |
8.7.1 or higher |
| 1.22.0 | pass:[] Enhancement (View pull request) Update the package format_version to 3.0.0. |
8.7.1 or higher |
| 1.21.0 | pass:[] Bug fix (View pull request) Correct invalid ECS field usages at root-level. |
8.7.1 or higher |
| 1.20.0 | pass:[] Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 1.19.0 | pass:[] Enhancement (View pull request) Add tags.yml file so that integration’s dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.18.0 | pass:[] Enhancement (View pull request) Add user detail fields to actor, object, and aux_info. |
8.7.1 or higher |
| 1.17.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.16.0 | pass:[] Enhancement (View pull request) Document duration units. |
8.7.1 or higher |
| 1.15.0 | pass:[] Enhancement (View pull request) Convert dashboard to lens. |
8.7.1 or higher |
| 1.14.0 | pass:[] Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 1.13.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.8.0 and package-spec 2.7.0. |
8.7.1 or higher |
| 1.12.0 | pass:[] Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 1.11.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.7.0. |
8.6.1 or higher |
| 1.10.0 | pass:[] Enhancement (View pull request) Add audit events to 1Password Events Reporting |
8.6.1 or higher |
| 1.9.0 | pass:[] Enhancement (View pull request) Allow configuration of HTTP keep-alive to allow for connection reuse. |
8.6.1 or higher |
| 1.8.2 | pass:[] Enhancement (View pull request) Added categories and/or subcategories. |
8.1.0 or higher |
| 1.8.1 | pass:[] Bug fix (View pull request) Fix pagination termination when response contains has_more=false. |
8.1.0 or higher |
| 1.8.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.6.0. |
8.1.0 or higher |
| 1.7.1 | pass:[] Enhancement (View pull request) Migrate the visualizations to by value in dashboards to minimize the saved object clutter and reduce time to load |
8.1.0 or higher |
| 1.7.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.5.0. |
7.16.0 or higher 8.0.0 or higher |
| 1.6.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.4.0 |
7.16.0 or higher 8.0.0 or higher |
| 1.5.3 | pass:[] Bug fix (View pull request) Fix proxy URL documentation rendering. |
7.16.0 or higher 8.0.0 or higher |
| 1.5.2 | pass:[] Enhancement (View pull request) Update package name and description to align with standard wording |
7.16.0 or higher 8.0.0 or higher |
| 1.5.1 | pass:[] Enhancement (View pull request) Update readme to improve English |
7.16.0 or higher 8.0.0 or higher |
| 1.5.0 | pass:[] Enhancement (View pull request) Update package to ECS 8.3.0. |
7.16.0 or higher 8.0.0 or higher |
| 1.4.0 | pass:[] Enhancement (View pull request) Change name of package |
7.16.0 or higher 8.0.0 or higher |
| 1.3.0 | pass:[] Enhancement (View pull request) Update to ECS 8.2 |
7.16.0 or higher 8.0.0 or higher |
| 1.2.2 | pass:[] Bug fix (View pull request) Fix typo in config template for ignoring host enrichment |
7.16.0 or higher 8.0.0 or higher |
| 1.2.1 | pass:[] Enhancement (View pull request) Add documentation for multi-fields |
7.16.0 or higher 8.0.0 or higher |
| 1.2.0 | pass:[] Enhancement (View pull request) Add new "event.action" to item_usages events. |
7.16.0 or higher 8.0.0 or higher |
| 1.1.1 | pass:[] Bug fix (View pull request) Fix field mapping conflict for ECS event.created. |
7.16.0 or higher 8.0.0 or higher |
| 1.1.0 | pass:[] Enhancement (View pull request) Update to ECS 8.0 |
7.16.0 or higher 8.0.0 or higher |
| 1.0.0 | pass:[] Enhancement (View pull request) GA integration |
7.16.0 or higher 8.0.0 or higher |
| 0.2.2 | pass:[] Bug fix (View pull request) Regenerate test files using the new GeoIP database |
— |
| 0.2.1 | pass:[] Bug fix (View pull request) Change test public IPs to the supported subset |
— |
| 0.2.0 | pass:[] Enhancement (View pull request) Add 8.0.0 version constraint |
— |
| 0.1.1 | pass:[] Bug fix (View pull request) Update Title and Description. |
— |
| 0.1.0 | pass:[] Enhancement (View pull request) Initial draft of the package |
— |