1password

Visualize 1Password audit logs, vaults, and user activities in the JupiterOne graph. Track audit events, item usage, sign-in attempts, and secrets, and map users to their associated actions and vaults. Monitor changes and unusual behavior through custom queries and alerts.

Installation

1Password Integration Installation in JupiterOne

Overview

This guide walks you through how to connect your 1Password Business or Enterprise account with JupiterOne to monitor and manage your security data.

The integration pulls data from 1Password using two components:

1. Events API – sends security-related activities (like sign-ins, item access, etc.) to JupiterOne.
2. Connect Server – allows JupiterOne to read vault and item information from your 1Password account securely.

Prerequisites:

• A 1Password Business or Enterprise account.
• Admin access in 1Password (you’ll need this to generate tokens).
• Access to JupiterOne with permission to configure integrations.

Set Up in 1Password

You will generate two tokens: one for Events API and one for Connect Server.

Generate Events API Token (for activity logs)

This token lets JupiterOne collect logs of important security events from 1Password.

Steps:

1. Log in to your 1Password account as an admin.

2. Look at the URL — it shows your account region. Example:

   • If URL is https://my.1password.com, your region is 1password.com.

3. In the left menu, click Integration.

4. Go to the Directory tab.

5. Under Events Reporting, click the monitoring service you want to connect (choose JupiterOne or similar).

6. Enter a System Name (e.g., “JupiterOne Integration”) and click Add Integration.

7. On the next screen:

   • Enter a Token Name (e.g., “J1 Events API”).

   • Choose when the token should expire.

   • Enable these event types:

     • Sign-in attempts
     • Item usage events
     • Audit events

8. Click Issue Token and copy the token — save it securely! You’ll use it in JupiterOne.

9. Based on your region, find the correct Events API Base URL:

   Region	Base URL
   1password.com	https://events.1password.com
   ent.1password.com	https://events.ent.1password.com
   1password.ca	https://events.1password.ca
   1password.eu	https://events.1password.eu

Generate Connect Server Token (for vault data)

The Connect Server lets JupiterOne access vaults and items you specify.

What is Connect Server?

A lightweight 1Password service you run yourself (usually in the cloud or internally). It gives access to vaults and items through a secure API.

Steps:

1. Go back to the 1Password admin dashboard.

2. Click Developer from the left menu.

3. Open the Connect Server tab.

4. Click New Connect Server.

5. Enter a name for your environment (e.g., “JupiterOne Env”).

6. Click Add Vaults – select the vaults this server should have access to.

7. Click Add Environment.

8. On the next screen:

   • Enter a Token Name (e.g., “J1 Connect Token”).
   • Set the token’s expiry.
   • Choose vaults that this token should access.

9. Click Issue Token and copy the token — save it securely.

10. Follow the official 1Password Connect Server deployment guide to:

    • Deploy the Connect Server (usually on a VM, container, or cloud service).
    • Get the Connect Server Base URL.

Configure Integration in JupiterOne

Now that you have both tokens and URLs, let’s connect everything in JupiterOne.

Steps:

1. In JupiterOne, go to the left navigation menu and click Integrations.

2. Scroll down and click the 1Password integration tile.

3. Click Add Configuration and fill in the fields:

   Field	What to Enter
   Reporting Event Base URL	Use the Base URL from earlier (based on your region)
   Reporting Event Access Token	Paste your Events API token here
   Connect Server Base URL	The URL where your Connect Server is running
   Connect Server Access Token	Paste your Connect Server token here
   Account Name	A friendly name (e.g., “1Password - US Region”)
   Description	Optional – notes to identify this setup
   Polling Interval	How often to collect data (or choose DISABLED to run manually)

4. Click Create Configuration to save it.

That’s it! JupiterOne will now start pulling data from 1Password based on the schedule you set.

Useful Links

• 1Password Connect Server Setup Guide: Link

Next steps

Now that your integration instance has been configured, it will begin running on the polling interval you provided, populating data within JupiterOne. Continue on to our Instance management guide to learn more about working with and editing integration instances.

Data Model

Entities

The following entities are created:

Resources	Entity _type	Entity _class
Audit Event	one_password_audit_event	Record
Audit Event Actor Details	one_password_audit_event_actor_details	User
Audit Event Aux Details	one_password_audit_event_aux_details	User
Audit Event Object Details	one_password_audit_event_object_details	User
Item Usage Event	one_password_item_usage_event	Record
Item Usage User	one_password_item_usage_user	User
Secret	one_password_secret	Secret
Signin Attempt Event	one_password_signin_attempt_event	Record
Signin Attempt Target User	one_password_signin_attempt_target_user	User
Vault	one_password_vault	Vault

Relationships

The following relationships are created:

Source Entity _type	Relationship _class	Target Entity _type
one_password_audit_event	UPDATED	one_password_audit_event_aux_details
one_password_audit_event	UPDATED	one_password_audit_event_object_details
one_password_audit_event_actor_details	PERFORMED	one_password_audit_event
one_password_audit_event_actor_details	PERFORMED	one_password_vault
one_password_item_usage_user	PERFORMED	one_password_item_usage_event
one_password_signin_attempt_target_user	PERFORMED	one_password_item_usage_event
one_password_vault	HAS	one_password_secret

Types

One Password Audit Event

one_password_audit_event inherits from Record

Property	Type	Description	Specifications
accountUUID	string
action	string
actorAccountUUID	string
actorType	string
actorUUID	string
auxId	string
auxInfo	string
auxUUID	string
city	string
country	string
latitude	number
longitude	number
objectType	string
objectUUID	string
region	string
sessionDeviceUUID	string
sessionIP	string
sessionLoginOn	string
sessionUUID	string

---

One Password Audit Event Actor Details

one_password_audit_event_actor_details inherits from User

Property	Type	Description	Specifications
mspUserAccountId	string
mspUserType	string

---

One Password Audit Event Aux Details

one_password_audit_event_aux_details inherits from User

---

One Password Audit Event Object Details

one_password_audit_event_object_details inherits from User

---

One Password Item Usage Event

one_password_item_usage_event inherits from Record

Property	Type	Description	Specifications
action	string
appName	string
appVersion	string
city	string
country	string
ipAddress	string
itemUUID	string
latitude	number
longitude	number
mspAccountUUID	string
osName	string
osVersion	string
platformName	string
platformVersion	string
region	string
usedVersion	number
userUUID	string
vaultUUID	string

---

One Password Item Usage User

one_password_item_usage_user inherits from User

---

One Password Secret

one_password_secret inherits from Secret

Property	Type	Description	Specifications
favorite	boolean
fileNames	array of strings
lastEditedBy	string
sectionLabels	array of strings
vaultId	string
vaultName	string
version	number

---

One Password Signin Attempt Event

one_password_signin_attempt_event inherits from Record

Property	Type	Description	Specifications
appName	string
appVersion	string
category	string
city	string
country	string
details	string
ipAddress	string
latitude	number
longitude	number
mspAccountUUID	string
osName	string
osVersion	string
platformName	string
platformVersion	string
region	string
sessionUUID	string
targetUserUUID	string
type	string

---

One Password Signin Attempt Target User

one_password_signin_attempt_target_user inherits from User

---

One Password Vault

one_password_vault inherits from Vault

Property	Type	Description	Specifications
attributeVersion	number
contentVersion	number
description	string
itemsCount	number
type	string

---