1Password
1Password logs allow you to view audit events in your 1Password organization, sign in attempts from users in your 1Password, and item usage attempts.
RunReveal will backfill the last 7 days of logs when setting up your source, and will poll for new logs every 60 seconds.
Setup
To setup your 1Password source you will need to create an API token in your 1Password organization.
- First you will navigate to your integrations settings in 1Password.
- Next you need to setup an integration, scroll down to Events Reporting and select the option that says other.
- Give the integration a name and click
Add Integration.
- Now setup the token that will be used by RunReveal to read your events. Give the token a name and select which event type you want RunReveal to ingest. You can select as many or few event types as you wish.
- Copy the token that is provided and save it for later.
- Navigate to RunReveal and create a new 1Password source.
- Give the source a name and add in the token saved from step 5.
- In the drop down select the type of account that you have. The account type determines where your 1Password data is stored and changes how it is accessed.
Your data should start importing within a minute.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: one_password_logs (66 columns)
one_password_logs (66 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
| Column | Type |
|---|---|
readOnly | Bool |
rawLog | String |
logType | String |
actor.uuid | String |
actor.email | String |
actor.name | Nullable(String) |
location.country | String |
location.region | String |
location.city | String |
location.latitude | Float64 |
location.longitude | Float64 |
session.uuid | Nullable(String) |
session.loginTime | Nullable(DateTime) |
session.deviceUUID | Nullable(String) |
client.appName | Nullable(String) |
client.appVersion | Nullable(String) |
client.platformName | Nullable(String) |
client.platformVersion | Nullable(String) |
client.osName | Nullable(String) |
client.osVersion | Nullable(String) |
signin.category | Nullable(String) |
signin.country | Nullable(String) |
signin.detail | Nullable(String) |
usage.vault | Nullable(String) |
usage.item | Nullable(String) |
usage.version | Nullable(String) |
audit.objectType | Nullable(String) |
audit.object | Nullable(String) |
audit.auxID | Nullable(String) |
audit.auxUUID | Nullable(String) |
audit.auxName | Nullable(String) |
audit.auxEmail | Nullable(String) |
audit.auxInfo | Nullable(String) |