Get started with 1Password Events Reporting and Microsoft Sentinel

With 1Password Business, you can send your account activity to Microsoft Sentinel using the 1Password Events Reporting API. Get reports about 1Password activity like sign-in attempts, item usage, and audit events while you manage all your company’s applications and services from a central location.

With the 1Password for Microsoft Sentinel solution, you can:

• Get real-time alerts for login attempts and account or billing changes.
• Track item usage to gain insights into user adoption, file uploads, and item modifications.
• Identify potential security threats and attacks with actionable suggestions.
• Streamline reporting by consolidating 1Password account activity with Microsoft Sentinel.

Eventberichte einrichten, wenn du Eigentümer, Administrator oder Teil einer Gruppe mit der Berechtigung „Administrative Seitenleiste anzuzeigen“ bist.

These steps were recorded in June 2025 and may have changed since. Refer to the Microsoft Sentinel documentation  for the most up-to-date steps.

Step 1: Install the 1Password for Microsoft Sentinel solution

To get started with the 1Password for Microsoft Sentinel solution:

1. Sign in to Azure and go to the Microsoft Sentinel page.
2. In the sidebar, select Content Management > Content Hub.
3. In the search field on the Content Hub page, enter “1Password” and select it.
4. Select Install in the bottom-right corner of the page.

Step 2: Activate the 1Password serverless connector

1. In the sidebar, select Configuration > Data connectors.
2. Choose 1Password (Serverless).
3. Select Open connector page in the bottom-right corner.
4. In the Base URL field, enter your server URL. For example: https://events.1password.com.
5. In the API Token field, enter your 1Password Events API token, also known as a bearer token. You can issue or revoke bearer tokens at any time.
6. Select Connect.

After about five minutes, Microsoft Sentinel will start receiving data from the 1Password Events API, and the data connector will show as connected. You’ll begin to see events data within 10-15 minutes.

Appendix

1Password server URLs

Watchlists

Using watchlists with 1Password for Microsoft Sentinel helps you monitor activities and manage alerts.

Some analytics rules require you to specify information, like the 1Password groups or vaults that you consider privileged. We recommend using watchlists to do this because they scale efficiently, you can use the same watchlist for multiple rules, and the query for each rule is set to use the watchlist by default.

You can create a watchlist for certain objects, like group or vault UUIDs. Name the watchlist PG1PW. If you’d like to use a different name, update the query to use the preferred name.

let watchlist =
    _GetWatchlist("PG1PW")
    | project SearchKey

Alternatively, you can hard-code the objects as a dynamic list in the query itself.

let groups = dynamic ([""]);

If you prefer to hard-code the UUIDs, you can comment or uncomment the relevant lines in the query itself.

// | where object_uuid in (groups)

You can find the UUIDs for objects in a few ways:

• You can use 1Password CLI and run op vault list or op group list.
• Alternatively, you can view the group or vault in your browser and find the UUID in your address bar. For instance, in company.1password.com/vault/8DF960SQG789C7D608D60/ the UUID is 8DF960SQG789C7D608D60.

Included resources

1Password for Microsoft Sentinel includes the following resources to support your data analysis:

Azure Workbook

The Azure Workbook offers insights into how your team is using 1Password. It includes two sections: All Data and User Data.

The All Data section provides an overview of organizational usage. You’ll see graphs of frequently accessed locations, user activity, and 1Password version information.

The User Data section offers insights into individual user activity within 1Password. It includes metrics like patterns, application versions, authentication attempts, IP addresses, and more.

Analytics rules

The solution includes 18 Microsoft Sentinel analytics rules designed to detect and respond to potential security threats or suspicious activities within your organization’s 1Password environment, allowing you to monitor overall security.

Get help

If there’s no logging in the logging table

After deploying 1Password for Microsoft Sentinel, it can take up to 30 minutes for the first log events to be processed.

If you still don’t see events displayed after this time, check that the Function App is running.

If you’re only seeing healthevents

By default, the 1Password Events API doesn’t provide health information. 1Password for Microsoft Sentinel runs every 5 minutes to check for new information. If no new information is available, you’ll only see a timestamp written to the workspace.

If your API key is invalid

After retrieving the API key from Azure Key Vault , Microsoft Sentinel establishes a connection with the 1Password Events API to verify the key’s validity. To update the 1Password Events API key, you can redeploy the 1Password for Microsoft Sentinel solution with the correct key. If that doesn’t work, try manually adding a new API key in the designated field within Azure Key Vault.

If an invalid endpoint is provided during the solution setup, you may see an “API Key Invalid” message in the logs. This happens when the details in the OAuth token do not include the correct audience. To verify this, you can paste the OAuth token into the jwt.ms utility. The API Endpoint can be manually updated in the Environment Variables section of the Function App.

To get help with Events Reporting, or to share feedback, contact 1Password Support.

Learn more

• 1Password Events API-Referenz
• 1Password CLI-Referenz

Glad to hear it! If you have anything you'd like to add, feel free to contact us.

Sorry to hear that. Please contact us if you'd like to provide more details.