1Password Content Pack

The following content pack is available for use with a Graylog Illuminate license and Graylog Enterprise or Graylog Security. Contact sales to learn more about obtaining Illuminate.

1Password is a cloud-based password management service that securely stores and manages credentials and other sensitive information for users and teams. This technology pack processes 1Password Events API logs, providing normalization and enrichment of common events such as sign-ins, item usage, and vault access.

The 1Password Spotlight comes ready to use with pre-built dashboard views including:

1Password Overview
Sign-In Attempts
Item Usages

These built-in views can serve as a starting point for creating custom dashboards.

Supported Version(s)

This Spotlight supports 1Password API version 1.4.0.

Requirements

Graylog 7.0+ with a valid Enterprise license
Sign up for 1Password Business.
Set up an Events Reporting integration in your account.
Create a bearer token and select the event features it can access.

Stream Configuration

This technology pack includes 1 stream:

"Illuminate:1Password Messages"

Hint: If this stream does not exist prior to the activation of this pack then it will be created and configured to route messages to this stream and the associated index set. There should not be any stream rules configured for this stream.

Index Set Configuration

This technology pack includes 1 index set definition:

"1Password Logs"

Hint: If this index set is already defined, then nothing will be changed. If this index set does not exist, then it will be created with retention settings of a daily rotation and 90 days of retention. These settings can be adjusted as required after installation.

Log Format Example

{"host":"1passcarla1","event_source_product":"1password","vendor_subtype":"sign_in_attempts","version":"1.2","message":"{\"uuid\":\"MKJ222LF4VFLVJ2BYI7B6NA67Q\",\"session_uuid\":\"OY224ZWDHJFRFMQJ6MJISDTKBQ\",\"timestamp\":\"2025-08-28T12:54:26.860184645Z\",\"country\":\"US\",\"category\":\"failure\",\"type\":\"credentials_ok\",\"details\":null,\"client\":{\"app_name\":\"1Password for Web\",\"app_version\":\"2070\",\"platform_name\":\"Chrome\",\"platform_version\":\"139.0.7258.155\",\"os_name\":\"Windows\",\"os_version\":\"11.0\",\"ip_address\":\"121.98.168.15\"},\"location\":{\"country\":\"US\",\"region\":\"Georgia\",\"city\":\"Atlanta\",\"latitude\":33.7485,\"longitude\":-84.3871},\"target_user\":{\"uuid\":\"UECFLYAIR5CFVMO36T2TURYOZU\",\"name\":\"Sally Flex\",\"email\":\"test@graylog.com\",\"type\":\"user\"},\"account_uuid\":\"D4V22OLZ4JDNBAM7V4AVELI7FM\"}"}

What is Provided

Parsing rules to extract, normalize, and enrich fields 1Password logs into Graylog schema compatible fields
A spotlight providing overview dashboards for 1Password events

Log Collection

1Password utilizes the 1Password Input to ingest multiple 1Password product logs in JSON format.

GIM Categorization

GIM categorization is provided for the following messages:

vendor_subtype	gim_event_type_code
sign_in_attempts	109999
audit_events	229999

Supported Version(s)

Requirements

Stream Configuration

Index Set Configuration

Log Format Example

What is Provided

Log Collection

GIM Categorization

1Password Spotlight Content Pack

Overview

Sign-In Attempts

Item Usages