diff --git a/Content/Content Packs/1Password.htm b/Content/Content Packs/1Password.htm new file mode 100644 index 00000000..b018b07e --- /dev/null +++ b/Content/Content Packs/1Password.htm @@ -0,0 +1,115 @@ + + +
+1Password is a cloud-based password management service that securely stores and manages credentials and other sensitive information for users and teams. This technology pack will process 1Password Events API logs, providing normalization and enrichment of common events such as sign-ins, item usage, and vault access.
+The 1Password Spotlight comes ready to use with pre-built dashboard views including:
+1Password Overview
+Sign-In Attempts
+Item Usages
+These built-in views can serve as a starting point for creating custom dashboards.
+This Spotlight supports 1Password API version 1.4.0.
+Graylog 7.0+ with a valid Enterprise license
+Sign up for 1Password Business.
+Set up an Events Reporting integration in your account.
+Create a bearer token and select the event features it can access.
+This technology pack includes 1 stream:
+
+
This technology pack includes 1 index set definition:
+
+
{"host":"1passcarla1","event_source_product":"1password","vendor_subtype":"sign_in_attempts","version":"1.2","message":"{\"uuid\":\"MKJ222LF4VFLVJ2BYI7B6NA67Q\",\"session_uuid\":\"OY224ZWDHJFRFMQJ6MJISDTKBQ\",\"timestamp\":\"2025-08-28T12:54:26.860184645Z\",\"country\":\"US\",\"category\":\"failure\",\"type\":\"credentials_ok\",\"details\":null,\"client\":{\"app_name\":\"1Password for Web\",\"app_version\":\"2070\",\"platform_name\":\"Chrome\",\"platform_version\":\"139.0.7258.155\",\"os_name\":\"Windows\",\"os_version\":\"11.0\",\"ip_address\":\"121.98.168.15\"},\"location\":{\"country\":\"US\",\"region\":\"Georgia\",\"city\":\"Atlanta\",\"latitude\":33.7485,\"longitude\":-84.3871},\"target_user\":{\"uuid\":\"UECFLYAIR5CFVMO36T2TURYOZU\",\"name\":\"Sally Flex\",\"email\":\"test@graylog.com\",\"type\":\"user\"},\"account_uuid\":\"D4V22OLZ4JDNBAM7V4AVELI7FM\"}"}
+
Parsing rules to extract, normalize, and enrich fields 1Password logs into Graylog schema compatible fields
+A spotlight providing overview dashboards for 1Password events
+1Password utilizes see [1Password input] documentation the ingest multiple 1Password product type logs in JSON format.
+GIM categorization is provided for the following messages:
+vendor_subtype | +gim_event_type_code | +
---|---|
sign_in_attempts | +109999 | +
audit_events | +229999 | +
This spotlight offers a dashboard with 3 tabs:
+
+
+
+
+
+
+
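Review bot: The sentence "1Password utilizes see [1Password input] documentation the ingest multiple 1Password product type logs in JSON format." in the pack-contents part of this new file is not parseable as written and leaves the bracketed link text unresolved. Please reword it, for example to say that the pack relies on the 1Password input to ingest the different 1Password log types as JSON, and make "[1Password input]" a real link to that documentation. Three smaller points in the same hunk: the GIM categorization table covers only sign_in_attempts and audit_events, while the introduction and the "Item Usages" dashboard view both promise item usage handling, so either add a row for item usage events or state that they are not categorized. The sample sign-in message carries a publicly routable client IP address, a named user and a full set of account, session and user UUIDs, so confirm these are synthetic and consider switching the address to a reserved documentation range. And the sample's "version":"1.2" field sits next to the statement "supports 1Password API version 1.4.0", so a short note on what that field represents would avoid readers taking it as a mismatch. The line "enrich fields 1Password logs into Graylog schema compatible fields" is also missing a "from".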