Bitwarden Security Logs
Bitwarden logs provide comprehensive audit trails of password management activities, including user authentication events, password changes, vault access, and administrative actions. These logs are essential for security monitoring, compliance auditing, and detecting potential unauthorized access to sensitive credential data.
Ingest Methods
Setup the ingestion of this source using the following method:
API Polling Setup
Bitwarden integration uses OAuth2 client credentials flow with 60-second polling intervals to collect audit logs. The integration supports global, EU, or self-hosted Bitwarden domains.
Required Credentials
To connect your Bitwarden account, you’ll need to provide:
- Client ID - Your Bitwarden organization API client ID
- Client Secret - Your Bitwarden organization API client secret
- Domain - Your Bitwarden domain (global, EU, or self-hosted)
Getting Your API Credentials
- Log into your Bitwarden Admin Console
- Navigate to Settings → Organization info
- Click View API key (you’ll be prompted to re-enter your master password)
- Copy the
client_idandclient_secretvalues from your organization’s API key
Domain Configuration
Choose the appropriate domain based on your Bitwarden deployment:
- Global:
https://api.bitwarden.com(default) - EU:
https://api.bitwarden.eu - Self-hosted: Your custom Bitwarden API endpoint
Source Configuration
When setting up your Bitwarden source, provide:
- Source Name: A descriptive name for your Bitwarden source (defaults to “bitwarden”)
- Client ID: Your Bitwarden organization API client ID
- Client Secret: Your Bitwarden organization API client secret
- Domain: Your Bitwarden API domain
- Health Check Duration: Configure how often to check source health (default: 1 day)
- Notification Channels: Set up alerts for when the source stops receiving events
Verification
After entering your credentials, use the “Verify Settings” button to test the connection and ensure your organization API key has the correct permissions to access Bitwarden audit logs.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: bitwarden_logs (46 columns)
bitwarden_logs (46 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | String |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
| Column | Type |
|---|---|
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
readOnly | Bool |
rawLog | String |
eventType | UInt32 |
itemId | String |
collectionId | String |
groupId | String |
policyId | String |
memberId | String |
actingUserId | String |
device | UInt32 |
ipAddress | String |
date | DateTime |