1Password

Overview

With 1Password Business, you can send your account events to Datadog Cloud SIEM using the 1Password Events API. In addition, you can:

  • Control your 1Password data retention.
  • Build custom widgets and dashboards.
  • Set up detection rules that trigger specific actions.
  • Cross-reference 1Password events with the data from other services.

Datadog’s integration with 1Password collects logs using the 1Password Events API, which generates three types of logs:

  • Sign-in attempts: These logs include the name and IP address of the user who attempted to sign in to the account, when the attempt was made, and for failed attempts, the cause of the failure, such as an incorrect password, key, or second factor.
  • Item usage: This type of log contains actions that describe how an item—for example, a password or other credential—was used. Possible values for action include fill, enter-item-edit-mode, export, share, secure-copy, reveal, select-sso-provider, server-create, server-update, and server-fetch.
  • Audit events: These logs include actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more.

After parsing your 1Password logs, Datadog then populates the out-of-the-box 1Password overview dashboard with insights into security-related events from your 1Password values, items, and users. Widgets include toplists showing the most frequent and infrequent events, and a geolocation map that shows you the country of origin of sign-in attempts.
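
The kind of detection the item usage logs support, as an added example that is not code from Datadog or 1Password: it flags users who apply sensitive actions to several distinct items within a short window. The event field names, the sample events, the choice of sensitive actions, and the window and threshold values are assumptions made for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Actions from the item usage list above that move a secret out of the vault.
# Treating exactly these four as sensitive is a policy assumption.
SENSITIVE_ACTIONS = {"export", "share", "reveal", "secure-copy"}

# Constructed sample events, one JSON object per line. The field names
# (timestamp, action, user.email, item_uuid) are assumed for illustration.
SAMPLE_EVENTS = """
{"timestamp": "2024-05-01T09:00:00Z", "action": "fill", "user": {"email": "ana@example.com"}, "item_uuid": "item-1"}
{"timestamp": "2024-05-01T09:05:00Z", "action": "reveal", "user": {"email": "ana@example.com"}, "item_uuid": "item-1"}
{"timestamp": "2024-05-01T10:00:00Z", "action": "reveal", "user": {"email": "bob@example.com"}, "item_uuid": "item-2"}
{"timestamp": "2024-05-01T10:02:00Z", "action": "secure-copy", "user": {"email": "bob@example.com"}, "item_uuid": "item-3"}
{"timestamp": "2024-05-01T10:04:00Z", "action": "export", "user": {"email": "bob@example.com"}, "item_uuid": "item-4"}
{"timestamp": "2024-05-01T10:05:00Z", "action": "reveal", "user": {"email": "bob@example.com"}, "item_uuid": "item-2"}
{"timestamp": "2024-05-01T08:00:00Z", "action": "reveal", "user": {"email": "carl@example.com"}, "item_uuid": "item-5"}
{"timestamp": "2024-05-01T10:30:00Z", "action": "share", "user": {"email": "carl@example.com"}, "item_uuid": "item-6"}
"""

def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def flag_bursts(events, window=timedelta(minutes=10), threshold=3):
    """Map each flagged user to the most distinct items hit in any one window."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["action"] in SENSITIVE_ACTIONS:
            per_user[ev["user"]["email"]].append(ev)
    flagged = {}
    for user, evs in per_user.items():
        start = best = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window start forward in time
            best = max(best, len({e["item_uuid"] for e in evs[start:end + 1]}))
        if best >= threshold:
            flagged[user] = best
    return flagged

if __name__ == "__main__":
    print(flag_bursts(parse_events(SAMPLE_EVENTS)))
```

Counting distinct items rather than raw events keeps a user who reveals the same credential repeatedly from being flagged.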

Setup

Step 1: Generate an Access Token in 1Password

To get started, sign in to your 1Password account, click Integrations in the sidebar, and choose Datadog.

Next, add the integration to your 1Password account and create a bearer JSON web token:

  1. Enter a Name for the integration, then click Add Integration.
  2. Enter a Name for the bearer token and choose when the token will expire.
  3. Select the event types your token will have access to:
       a. Sign-in attempts
       b. Item usage events
       c. Audit events
  4. Click Issue Token to generate the access token key. For additional information on issuing or revoking 1Password bearer tokens, see 1Password’s documentation.
  5. Click Save in 1Password and choose which vault to save your token to.
  6. Click View Integration Details to view the token.

You will need this token in the next step.

Step 2: Connect your 1Password account to Datadog

To get started, copy the access token key from the previous step.

  1. Enter a Name for the account.
  2. Paste the access token key from your 1Password account into the Access Token field.
  3. Under host type, select the region & plan of your 1Password account.
  4. Optionally, you can define tags for these logs.
  5. Click Save.

Validation

Search your Datadog logs with source:1password. If you installed the integration correctly, you should be able to see 1Password events.

Data Collected

Metrics

The 1Password integration does not include any metrics.

Service Checks

The 1Password integration does not include any service checks.

Events

The 1Password integration does not include any events.

Troubleshooting

Need help from Datadog? Contact Datadog support. Alternatively, if you need help from 1Password, contact 1Password support.
