1Password

Integrate Query with 1Password to surface details on Audit and Authentication events

📘

TL;DR

To integrate 1Password with the Query Security Data Mesh platform:

  • Generate a Developer API bearer token.
  • Configure a 1Password Connector in the Query Security Data Mesh.
  • Use Query Search to parallelize searches and surface details about Audit and Authentication events for incident response (IR), threat hunting, investigations, and other security and observability use cases.

Overview

1Password is a secure, enterprise-grade password manager designed to centralize and protect authentication secrets, credentials, and sensitive records across teams and infrastructure. It offers capabilities for managing user access, sharing vaults securely, enforcing strong password policies, and monitoring sign-in activity through its Events API. Organizations can integrate 1Password with identity providers and security tools to ensure compliance, minimize credential sprawl, and gain visibility into account usage. Its developer-friendly APIs and event streams make it ideal for inclusion in security analytics and data mesh platforms where identity and authentication telemetry play a critical role in threat detection and auditability.

All federated searches have their searches and results expressed in the terms of the Query Data Model (QDM), which is based on the Open Cybersecurity Schema Framework (OCSF). Each API source is normalized into a specific QDM/OCSF Event Class to standardize the data for increased situational awareness, ease of aggregation and filtering, and easy pivoting.

| API Name | QDM/OCSF Event Class | Entities/Observables |
|---|---|---|
| /api/v2/auditevents | API Activity | Email Address (target_user.email); User UID (target_user.uuid); Username (target_user.name) |
| /api/v2/signinattempts | Authentication | Email Address (actor_details.email); IP Address (session.ip); Resource UID (object_uuid, session.device_uuid); User UID (actor_uuid, actor_details.uuid); Username (actor_details.name) |

Integrating 1Password into the Query Security Data Mesh enables unified visibility across authentication and account activity without centralizing sensitive data. Through federated search, all results from 1Password’s Events API are normalized into the Query Data Model (QDM), which aligns with the Open Cybersecurity Schema Framework (OCSF). This allows audit events (/api/v2/auditevents) and sign-in attempts (/api/v2/signinattempts) to be represented as API Activity and Authentication event classes respectively, making them consistent with other integrated sources. As a result, analysts can filter, correlate, and pivot across observables such as email addresses, IPs, user IDs, and device UUIDs with ease. This standardization enhances situational awareness by connecting identity-centric telemetry from 1Password to other security domains, helping teams detect anomalous logins, privilege misuse, or compromised accounts in real time.

🤓

Some details on searches

Query will paginate events 1000 results at a time with no upper limit besides normal Connector timeouts after 5 minutes. To limit requests against your API limits, use Entities or other filters and tighter time windows to fulfill your search intent instead of broad-ranged unfiltered searches.
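The pagination described above, sketched as an added example (this is not Query's Connector code). It assumes the 1Password Events API request fields limit, start_time, end_time and cursor and the response fields items, has_more and cursor; fetch_events, http_post and fake_post_factory are hypothetical names, and the fake transport is constructed so the block runs offline.

```python
import json
import time
import urllib.request

BASE_URL = "https://events.1password.com"  # default base URL named on this page
PAGE_LIMIT = 1000       # page size stated on this page
DEADLINE_SECONDS = 300  # Connector timeout (5 minutes) stated on this page


def http_post(url, token, body):
    """Real transport: POST JSON with the bearer token, return decoded JSON."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_events(path, token, start_time, end_time,
                 post=http_post, clock=time.monotonic):
    """Return (events, requests_made, timed_out) for one time window."""
    deadline = clock() + DEADLINE_SECONDS
    # First request sets the window; later requests carry only the cursor.
    body = {"limit": PAGE_LIMIT, "start_time": start_time, "end_time": end_time}
    events, requests_made = [], 0
    while True:
        if clock() >= deadline:
            return events, requests_made, True  # partial result
        page = post(BASE_URL + path, token, body)
        requests_made += 1
        events.extend(page.get("items", []))
        if not page.get("has_more"):
            return events, requests_made, False
        body = {"cursor": page["cursor"]}


def fake_post_factory(total):
    """Constructed offline stand-in for the API serving `total` events."""
    def fake_post(url, token, body):
        offset = int(body.get("cursor", 0))
        chunk = min(PAGE_LIMIT, total - offset)
        items = [{"uuid": f"evt-{offset + i}"} for i in range(chunk)]
        nxt = offset + chunk
        return {"cursor": str(nxt), "has_more": nxt < total, "items": items}
    return fake_post
```

Called with post=fake_post_factory(2500), a window holding 2,500 events costs three requests, which is why a tighter time window lowers the load on your API limits.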

Prerequisites

To connect 1Password with the Query Security Data Mesh you'll need to execute the following steps. Note that you must have a Business tier license or above to use the Developer API in 1Password.

  1. Follow the instructions in the Get Started section of the 1Password Developer documentation to generate a bearer token for API access.

To learn how to configure a 1Password Connector, proceed to the next section.

👍

On NHI security

Non-Human Identities (NHIs), such as your 1Password Developer SDK API key, are extremely sensitive. Query securely stores the Client Secret in a dedicated AWS Secrets Manager Secret per Connector per Tenant.

Setting up the 1Password Connector

Use the following steps to create a new Query Federated Search Connector for 1Password.

  1. Navigate to the Connectors page, select Add Connector, and select 1Password from the Identity and HR category as shown below (FIG. 1). You can also search for 1Password using the search bar in the Add Connector page.

    FIG. 1 - Locating the 1Password Connector in the Query Security Data Mesh platform

  2. In the Configure Connector tab, add the following details as shown below (FIG. 2):

    FIG. 2 - Setting parameters for the 1Password Connector

    1. Connector Alias Name: The human-readable name you want to give to this connector. You can provide the name of your organization, or a specific tenant if you have multiple.
    2. API Key: Your 1Password Developer API bearer token, copied in Step 1 of the Prerequisites section.
  3. Select Save to save and activate the Connector.

  4. Select Test Connection from the bottom-right of the connection pane to ensure that your bearer token is valid, that we can connect to your tenant, and at least 1 of each event is available.

You will now see 1Password added as an available Connector within the Query Search and Query Summary Insights UI.

Querying 1Password Connectors

Within the Query Search UI, all Connectors are enabled by default. To check that your specified Connector(s) for 1Password are enabled, navigate to the Identity & HR section of the Selected Connectors dropdown and ensure that your specified 1Password Connector(s) are selected (denoted by a checkbox) before running your searches as shown below (FIG. 3).

FIG. 3 - Locating the 1Password Connector in the Connectors picker menu

Resources

Troubleshooting Steps

  • Ensure that you are on at least the Business tier of 1Password.
  • By default, Query uses the https://events.1password.com base URL. If you run into connectivity issues, contact your Query Account Executive and provide a preferred URL.
  • Ensure that your bearer token is still active and valid.

If you have exhausted the above Troubleshooting list, please contact your designated Query Sales Engineer or Customer Success Manager. If you are using a free tenant, please contact Query Customer Success via the Support email in the Help section, or via Intercom within your tenant.