Introducing the 1Password Events API

In addition to the events that have always been available to admins, item usage and successful and failed sign-in attempts can now be routed to third-party platforms to create dashboards, alerts, and much more.

With greater visibility, security and IT teams can now correlate 1Password events with other data sources to gain a deeper understanding of how workers are using 1Password.

We’ve built the API with SOC (Security Operations Center) and SIEM (Security Information and Event Management) tools in mind – database tools which analyze and present time series event data with alerts, dashboards, visualization, and search. In fact, we’ve already created pre-built integrations with Splunk and Elastic (more on those in a minute).

What can I do with Events API?

With Events API streaming to a third-party tool, you can:

• Take decisive action using deeper forensic analysis with data correlation and enrichment from multiple apps.
• Prevent attacks with proactive threat detection using custom, automated alerts.
• Get valuable insights into 1Password usage via data visualization.

What events does Events API include?

1Password already logs and provides access to some events: failed sign-in attempts, and the most recent instance of someone accessing each item in a vault. All that is available as reports in 1Password Business.

Events API broadens and deepens that access, providing events for both successful and failed sign-in attempts, and a historical log that details each and every time an item is used.

How does it work?

The Events API works in much the same way other 1Password integrations do. Admins and owners can access the Events API by generating an access token, either from the Integrations Hub or the command line interface (CLI). Once created, you can create your own scripts to ingest the events into a SIEM or analytics tool of your choice. Or, you can use one of our pre-built integrations with Splunk or Elastic.

Of course, all this is done the 1Password way, with security as our top priority.

Get started with 1Password for Splunk and Elastic

Right now, each event included in the Events API returns the event itself (sign-in attempts and item usage) with contextual data. Many customers have been asking for this, and those customers can put the Events API to work right now (in fact, our beta partners have been doing so for months).

But we’re not stopping there. This release is only the first step in empowering security teams with greater visibility and actionable insights – and the existing Splunk and Elastic integrations make that possible right now. As of today, you can use Splunk triggers to level up your threat detection, compliance, and breach investigation.

Here are a few examples of what you could do with Splunk triggers and the Events API:

• Receive an alert when a 1Password login exceeds set parameters
• Receive an alert when a secret is copied, shared, used on a site, or accessed on the last day of a worker’s employment
• Monitor usage of a particular item
• Automate access control monitoring and reporting
• Monitor user adoption
• Correlate 1Password events like logins and secret usage with suspicious or malicious events to aid investigation

More to come

This is just the beginning for the Events API. In the near future, we plan to include more event types like changes to owner/admin groups and vault permissions (basically: audit events). And we’ll continue to build on this foundation with your feedback.

If you build something amazing, or just want to bounce ideas off of us, we’d love to hear about it. Give us a shout on Twitter @1Password, or head over to the 1Password community to share your ideas.

You can get started today with the Splunk and Elastic integrations. Or, you can try out this small Python script to see how to make calls to the API to fetch sign-in and item usage events.

Akshay Bhargava

Chief Product Officer