1Password Content Pack
1Password is a cloud-based password management service that securely stores and manages credentials and other sensitive information for users and teams. This technology pack will process 1Password Events API logs, providing normalization and enrichment of common events such as sign-ins, item usage, and vault access.
Supported Version(s)
- 1Password API version 1.4.0
Requirements
- Graylog 7.0+ with a valid Enterprise license
- Sign up for 1Password Business.
- Set up an Events Reporting integration in your account.
- Create a bearer token and select the event features it can access.
Stream Configuration
This technology pack includes 1 stream:
- "Illuminate:1Password Messages"
Index Set Configuration
This technology pack includes 1 index set definition:
- "1Password Logs"
Log Format Example
{"host":"1passcarla1","event_source_product":"1password","vendor_subtype":"sign_in_attempts","version":"1.2","message":"{\"uuid\":\"MKJ222LF4VFLVJ2BYI7B6NA67Q\",\"session_uuid\":\"OY224ZWDHJFRFMQJ6MJISDTKBQ\",\"timestamp\":\"2025-08-28T12:54:26.860184645Z\",\"country\":\"US\",\"category\":\"failure\",\"type\":\"credentials_ok\",\"details\":null,\"client\":{\"app_name\":\"1Password for Web\",\"app_version\":\"2070\",\"platform_name\":\"Chrome\",\"platform_version\":\"139.0.7258.155\",\"os_name\":\"Windows\",\"os_version\":\"11.0\",\"ip_address\":\"121.98.168.15\"},\"location\":{\"country\":\"US\",\"region\":\"Georgia\",\"city\":\"Atlanta\",\"latitude\":33.7485,\"longitude\":-84.3871},\"target_user\":{\"uuid\":\"UECFLYAIR5CFVMO36T2TURYOZU\",\"name\":\"Sally Flex\",\"email\":\"test@graylog.com\",\"type\":\"user\"},\"account_uuid\":\"D4V22OLZ4JDNBAM7V4AVELI7FM\"}"}
What is Provided
- Parsing rules to extract, normalize, and enrich 1Password logs into Graylog schema compatible fields
- GIM event type categorization and enforcement fields for supported 1Password events
- A spotlight providing overview dashboards for 1Password events
Events Processed by This Technology Pack
The content pack supports the following 1Password event types:
- Sign-In Attempts
- Audit Events
- Item Usages
Log Collection
1Password logs are ingested in JSON format through the 1Password Input, which collects multiple 1Password log types.
GIM Categorization
GIM categorization is provided for the following event types.
| Event Type | gim_event_type_code | GIM Category | GIM Subcategory | GIM Event Type |
|---|---|---|---|---|
| Sign-in success | 100000 | authentication | authentication.logon | logon |
| Sign-in success (credential validation) | 100500 | authentication | authentication.credential validation | credential validation |
| Sign-in credentials failed | 100500 | authentication | authentication.credential validation | credential validation |
| Sign-in MFA failed | 100502 | authentication | authentication.credential validation | mfa |
| Sign-in firewall/SSO failed | 101500 | authentication | authentication.access notice | access notice |
| Sign-in version check failed | 101501 | authentication | authentication.access notice | access denied |
| Sign-in (other) | 109999 | authentication | authentication.default | authentication message |
| Audit: account created (invite) | 110000 | iam | iam.object create | account created |
| Audit: privileges assigned | 111001 | iam | iam.object modify | privileges assigned |
| Audit: password change (complete user) | 111004 | iam | iam.object modify | password change |
| Audit: group member added (join) | 111007 | iam | iam.object modify | group member added |
| Audit: account enabled (activate) | 112001 | iam | iam.object enable | account enabled |
| Audit (other) | 229999 | audit | audit.default | audit event |
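
The Log Format Example above carries the 1Password event as a JSON string inside the `message` field, so it has to be decoded twice before the sign-in rows of the table can be applied. The sketch below is an added example, not the pack's own parsing rules: the category strings used as lookup keys are assumptions taken from the 1Password Events API, and the output field names are hypothetical.

```python
import json

# GIM codes copied from the sign-in rows of the table above. The category
# strings on the left are assumptions (1Password Events API), not from this page.
SIGN_IN_GIM = {
    "success": (100000, "logon"),
    "credentials_failed": (100500, "credential validation"),
    "mfa_failed": (100502, "mfa"),
    "firewall_failed": (101500, "access notice"),
    "modern_version_failed": (101501, "access denied"),
}
SIGN_IN_OTHER = (109999, "authentication message")  # "Sign-in (other)" row

# Constructed sample: a shortened copy of the Log Format Example above.
SAMPLE = json.dumps({
    "host": "1passcarla1",
    "event_source_product": "1password",
    "vendor_subtype": "sign_in_attempts",
    "message": json.dumps({
        "timestamp": "2025-08-28T12:54:26.860184645Z",
        "category": "failure",
        "type": "credentials_ok",
        "details": None,
        "client": {"app_name": "1Password for Web", "ip_address": "121.98.168.15"},
        "target_user": {"name": "Sally Flex", "email": "test@graylog.com"},
    }),
})

def normalize_sign_in(raw: str) -> dict:
    """Decode the envelope, then the JSON string held in "message"."""
    envelope = json.loads(raw)
    if envelope.get("vendor_subtype") != "sign_in_attempts":
        raise ValueError("not a sign-in attempt event")
    event = json.loads(envelope["message"])  # second decode: message is a string
    client = event.get("client") or {}       # nested objects may be null
    user = event.get("target_user") or {}
    code, gim_type = SIGN_IN_GIM.get(event.get("category"), SIGN_IN_OTHER)
    return {
        # Output field names are hypothetical, chosen for this example.
        "timestamp": event.get("timestamp"),
        "source_ip": client.get("ip_address"),
        "user_email": user.get("email"),
        "vendor_category": event.get("category"),
        "vendor_type": event.get("type"),
        "gim_event_type_code": code,
        "gim_event_type": gim_type,
    }

if __name__ == "__main__":
    print(normalize_sign_in(SAMPLE))
```

In this sketch the sample's `category` of `failure` matches none of the assumed keys, so it falls through to the "Sign-in (other)" code.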
1Password Spotlight Content Pack
This spotlight offers a dashboard with 3 tabs:
- Overview
- Sign-In Attempts
- Item Usages
