Skip to main content

1Password Events Reporting audit events

You can use the 1Password Events API to return audit events from the Activity Log of your 1Password Business account and send them to your security information and event management (SIEM) system. Audit event data includes actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more.

Read an event object

When you use the 1Password Events API to fetch audit events from your 1Password Business account, the API will return a JSON array of audit event objects. Event objects can include the following properties:

  • uuid: The unique identifier for the event.
  • timestamp: When the action was performed.
  • actor_uuid: The unique identifier for the team member who performed the action.
  • actor_details: The details of the team member who performed the action (including their UUID, name, and email address).
  • action: The type of action that was performed.
  • object_type: The type of object that the action was performed on.
  • object_uuid: The unique identifier for the object the action was performed on.
  • object_details: The details of the team member who is the object of the action (including their UUID, name, and email address). This property is only returned for events where the object of the action is a team member.
  • aux_id: The identifier that relates to additional information about the activity.
  • aux_uuid: The unique identifier that relates to additional information about the activity.
  • aux_details: The details of the team member who relates to the additional information about the activity (including their UUID, name, and email address). This property is only returned for events where the additional information about an activity relates to a team member.
  • aux_info: Additional information about the activity.
  • session: The information about the session, including the date and time the client signed in and started the session, the unique identifier of the device that signed into the session, and the IP address used.
  • location: The geolocation information of the client based on their IP address at the time the event was performed.

To understand the activity an audit event object is describing, look at the action, actor, and object fields, as well as any aux fields that may be included. For example:

Example audit event object

This example event shows that Jeff Shiner is the actor who performed the "join" action on a group membership (Jeff added someone to a group). And Wendy Appleseed is the team member who joined (was added to) the Administrator group as a group manager.

To get more information about an object, such as the name of a group, you can check the description of the event in the Activity Log, or use the object UUID to retrieve information about an object with 1Password CLI.

Use the audit event tables below to learn more about what the different actions and objects mean and what output is returned for each type of event. A complete list of actions and objects can be found in the appendix.

Audit events

Accounts

Actions related to updating and confirming accounts.

EventDescriptionActionObject TypeAux Info
Activate AccountThe account was activated.activateaccount
Update AccountAccount attributes, such as the name, were changed.updateaccount
Delete AccountThe account was deleted.deleteaccount
Update Account DomainThe account domain was changed.updateaccountdomain
Change Account TypeThe account type was changed.convertaccountold account type, new account type
  • I: Individual account
  • F: Family account
  • B: Business account
Enable DuoDuo was enabled for the account.enblduoaccount
Update Duo ConfigurationThe Duo configuration for the account was updated.updatduoaccount
Disable DuoDuo was disabled for the account.disblduoaccount

Delegate sessions

Actions related to delegating sessions.

EventDescriptionActionObject typeAux info
Delegate SessionA new delegated session was added.dlgsessdlgdsesssession UUID

Devices

Actions related to authorizing and removing devices.

EventDescriptionActionObject TypeAux Info
Add DeviceA device was added to the account.createdeviceuser ID, user UUID, user name, user email
Update DeviceA device was updated.updatedeviceuser ID, user UUID, user name, user email
Delete DeviceA device was deleted.deletedeviceuser ID, user UUID, user name, user email
Delete Old DevicesOld devices were deleted.deolddevuser
Delete All DevicesAll devices were deleted.dealldevuser
Reauthorize DeviceA device was reauthorized after being deauthorizedreauthdeviceuser ID, user UUID, user name, user email

Email changes

Actions related to beginning and completing email changes for team members.

EventDescriptionActionObject TypeAux Info
Begin Email ChangeAn email change was requested by a user.beginec
Complete Email ChangeA user's email was changed.completeec
Propose Email ChangeAn email change was proposed by an admin.proposeec

Family accounts

Actions related to linking and unlinking family accounts.

EventDescriptionActionObject TypeAux Info
Add Family Member AccountA team member linked their free family account.rdmchildfamchild
Remove Family Member AccountA team member unlinked their free family account.detchildfamchild

Files

Actions related to creating documents.

EventDescriptionActionObject TypeAux Info
Add FileA file was uploaded to the account.createfile

Firewall rules

Actions related to firewall settings.

EventDescriptionActionObject typeAux info
Update Firewall RulesA firewall rule was added or updated.updatfwaccount

Groups

Actions related to creating, updating, and removing groups.

EventDescriptionActionObject TypeAux Info
Create GroupA group was created.creategroupgroup name
Delete GroupA group was deleted.deletegroupgroup name
Update GroupA group was updated.updategroupgroup name
Purge Deleted GroupA group was marked to be purged.purgegroup
Update Group KeysetA group keyset was replaced.changeksgroup

Group membership

Actions related to updating team members' group membership.

EventDescriptionActionObject TypeAux Info
Join GroupA user joined a group.joingmuser ID, user UUID, user name, user email, user role
  • R: Group member
  • A: Group manager
Leave GroupA user left a group.leavegmuser ID, user UUID, user name, user email
Change Group Membership RoleA user's group membership role was changed.rolegmuser ID, user UUID, user name, user email, user role
  • R: Group member
  • A: Group manager

Group vault access

Actions related to modifying groups' access to vaults.

EventDescriptionActionObject TypeAux Info
Grant Group Vault AccessA group was granted access to a vault.grantgvagroup ID, group UUID
Revoke Group Vault AccessA group's access to a vault was revoked.revokegvagroup ID, group UUID
Update Group Vault AccessA group's vault access was updated.updategvagroup ID, group UUID, Access Control List

Invites

Actions related to inviting team members and guests.

EventDescriptionActionObjectTypeAuxInfo
Create InviteAn invite was created.createinviteThe email address the invite was sent to.
Update InviteAn invite was updated.updateinviteThe email address the invite was sent to.

Items

Actions related to creating, editing, archiving, and deleting items.

EventDescriptionActionObjectTypeAuxInfo
Patch Vault ItemsVault items were added or updated.patchitemsVault Content Version, number of items added or updated.
Delete Trashed Vault ItemsVault items in the trash were deleted.deleteitemsVault Content Version, number of items deleted.
Purge Deleted Vault ItemsDeleted vault items were marked to be purged.purgeitemsNumber of items that were marked to be purged.
Purge Vault Item HistoryArchived vault items were marked to be purged.purgeitemhistitem ID, item UUID

Item sharing

Actions related to sharing items.

EventDescriptionActionObject TypeAux Info
Share ItemAn item was shared externally.shareitemvault ID, vault UUID, shared item UUID
Delete Item ShareA shared item link was deleted.delshareitemvault ID, vault UUID, shared item UUID
Update Item Share SettingsThe account's item sharing settings were updated.uisasaccount

Multi-factor authentication

Actions related to enabling, updating, and removing multi-factor authentication.

EventDescriptionActionObject TypeAux Info
Enable Multi-Factor AuthenticationMulti-factor authentication was enabled.enblmfausermulti-factor authentication ID, multi-factor authentication type
Update Multi-Factor AuthenticationMulti-factor authentication was updated.updatmfausermulti-factor authentication ID, multi-factor authentication type
Disable Multi-Factor AuthenticationMulti-factor authentication was disabled.disblmfausermulti-factor authentication ID, multi-factor authentication type
Disable Multi-Factor Authentication For All UsersMulti-factor authentication was disabled for everyone in the account.disblmfaaccount
Disable Multi-Factor Authentication Type For All UsersMulti-factor authentication of a certain type was disabled for everyone in the account.disblmfaaccountmulti-factor authentication type

Packages

Actions related to team members sending a copy of an item within 1Password.

EventDescriptionActionObject TypeAux Info
Send PackageA user sent an item to another user.sendpkguserpackage UUID

Provisioning

Actions related to provisioning new team members.

EventDescriptionActionObject TypeAux Info
Send Provisioning EmailA provisioning email was sent.sendtsuser
Resend Provisioning EmailA provisioning email was resent.resendtsuser
Resend All Provisioning EmailsAll provisioning emails were resent.prsndallinvite

Reports

Actions related to viewing and exporting reports.

EventDescriptionActionObjectTypeAuxInfo
Export ReportA user exported a report.exportreportreport UUID, report type
View ReportA user viewed a report.viewreportreport UUID, report type

Service accounts

Actions related to adding integrations.

EventDescriptionActionObject TypeAux Info
Create IntegrationAn integration was created.createsaintegration type

Service account tokens

Actions related to registering, updating, and revoking access tokens for integrations.

EventDescriptionActionObject TypeAux Info
Create TokenAn integration token was registered.createsatokentoken name
Rename TokenAn integration token name was updated.trenamesatokentoken name
Verify TokenAn integration token signature was registered.tverifysatokentoken name
Revoke TokenAn integration token was revoked.trevokesatokentoken name

Sign-in tokens

Actions related to creating, ratcheting, and signing in with sign-in tokens for Unlock with SSO.

EventDescriptionActionObject TypeAux Info
Sign In With Sign-In TokenA sign-in token was used to log in.ssotknvssotkn

Slack app

Actions related to connecting or removing a Slack app.

EventDescriptionActionObject TypeAux Info
Enable Slack AppA Slack app was connected to the account.createslackapp
Disable Slack AppA Slack app was removed from the account.deleteslackapp
Update Slack AppA connected Slack app was updated.updateslackapp

SSO settings

Actions related to setting up Unlock with SSO.

EventDescriptionActionObject TypeAux Info
Enable SSOUnlock with SSO was enabled.enblssosso
Disable SSOUnlock with SSO was disabled.disblssosso
Change SSO Authentication PolicyThe SSO authentication policy was changed.chngpssosso
Change SSO Grace Period Authentication CountThe SSO grace period authentication count was changed.chngassosso
Change SSO Grace Period DurationThe SSO grace period duration was changed.chngdssosso
Add an SSO Group.An SSO group was added.addgssossogroup UUID
Delete an SSO Group.An SSO group was deleted.delgssossogroup UUID

Stripe cards

Actions related to creating, updating, and removing Stripe cards.

EventDescriptionActionObject TypeAux Info
Add CardA new Stripe card was created.createcardcard ID, card UID
Update CardA Stripe card was updated.updatecardcard ID, card UID
Delete CardA Stripe card was deleted.deletecardcard ID, card UID

Stripe payment methods

Actions related to adding Stripe payment methods.

EventDescriptionActionObject TypeAux Info
Add Payment MethodA new Stripe payment method was created.createpmpayment method ID, payment method UUID
Delete Payment MethodA Stripe payment method was deleted.deletepmpayment method ID, payment method UUID

Stripe subscriptions

Actions related to creating, updating, and canceling Stripe subscriptions.

EventDescriptionActionObject TypeAux Info
Create SubscriptionA new Stripe subscription was created.createsubsubscription ID, subscription UUID
Update SubscriptionA Stripe subscription was updated.updatesubsubscription ID, subscription UUID
Cancel SubscriptionA Stripe subscription was canceled.cancelsubsubscription ID, subscription UUID

Templates

Actions related to adding, updating, hiding, and deleting templates.

EventDescriptionActionObject TypeAux Info
Add TemplateA template was added.createtemplatetemplate name
Update TemplateA template was updated.updatetemplatetemplate name
Hide TemplateA template was hidden.hidetemplatetemplate name
Unhide TemplateA template was shown (after being hidden).unhidetemplatetemplate name
Delete TemplateA template was deleted.deletetemplatetemplate name

Unknown

Unknown events.

EventDescriptionActionObjectTypeAuxInfo
Unknown EventsAn unknown action occurred.unknownunknown

Users

Actions related to changes to team members' accounts attributes.

EventDescriptionActionObject TypeAux Info
Upgrade UserA guest was promoted to a family or team member.upguestuser
Change User State FromA user's state was changed.verify, join, activate, reactive, suspend, delete, or beginruser
Begin User RecoveryA user recovery was initiated.beginruser
Complete User RecoveryA user recovery was completed.completruser
Cancel User RecoveryA user recovery was canceled.cancelruser
Mark User Away For TravelA user was marked as away for travel.trvlawayuser
Mark User Back From TravelA user was marked as back from travel.trvlbackuser
Change User KeysetA user's keyset changed.changeksuser
Change 1Password Account PasswordA user changed their 1Password account password.changempuser
Change Secret KeyA user changed their Secret Key.changeskuser
Change NameA user changed their name.changenmuser
Change LanguageA user changed their preferred language.changelauser
Enroll Trusted DeviceA user set up a trusted device to unlock with SSO.tdvcssouser
Set up Single Sign-On AuthenticationA user set up their 1Password account to unlock with SSO.sdvcssouser

User migration

Actions related to migrating users.

EventDescriptionActionObject TypeAux Info
Migrating User CreatedA user migration was started.createmiguseruser email
Migrating User CompleteA user migration was marked complete.musercommiguser
Migrating User DeclinedA user migration was marked declined.muserdecmiguser

User vault access

Actions related to changes to team members' access to vaults.

EventDescriptionActionObject TypeAux Info
Grant User Vault AccessA user was granted access to a vault.grantuvauser ID, user UUID, user name, user email
Revoke User Vault AccessA user's access to a vault was revoked.revokeuvauser ID, user UUID, user name, user email
Update User Vault AccessA user's vault access was updated.updateuvauser ID, user UUID, user name, user email, Access Control List

Vaults

Actions related to creating, updating, and removing vaults.

EventDescriptionActionObject TypeAux Info
Add VaultA vault was added.createvault
Delete VaultA vault was deleted.deletevault
Mark Vault To Be PurgedA vault was marked for purging.purgevault
Update Client AccessThe client access value for a vault was updated.updatevaultThe new client access value.
Update AttributesA vault name or description was changed.updateavault
Export VaultA vault was exported.exportvault

Verified domain

Actions related to verifying domains.

EventDescriptionActionObjectTypeAuxInfo
Add Verified DomainA domain was verified.vrfydmnaccountdomain
Update Verified DomainA verified domain was updated.uvrfydmnaccountdomain
Delete Verified DomainA verified domain was removed.dvrfydmnaccountdomain

Appendix

Action values

Possible values for action include:

API outputAction
activateActivate
addgssoAdd an SSO group
beginBegin
beginrBegin recovery
cancelCancel
cancelrCancel recovery
changeksChange keyset
changelaChange language
changempChange 1Password account password
changenmChange name
changeskChange Secret Key
chngassoChange SSO grace period authentication count
chngdssoChange SSO authentication policy
chngpssoChange SSO grace period duration
completeComplete
completrComplete recovery
convertConvert
createCreate
dealldevDeauthorize all devices
deleteDelete
delgssoDelete an SSO Group
delshareDelete shared item link
deolddevDeauthorize old devices
detchildRemove family member account
disblduoDisable Duo
disblmfaDisable multi-factor authentication
disblssoDisable SSO
dlgsessDelegate a new session
dvrfydmnDelete verified domain
enblduoEnable Duo
enablmfaEnable multi-factor authentication
enblssoEnable SSO
exportExport
grantGrant
hideHide
joinJoin
leaveLeave
musercomComplete migrating user
muserdecDecline migrating user
API outputAction
patchModify or update
proposePropose
provsnProvision
prsndallResend all provisioning emails
purgePermanently delete
rdmchildAdd family member account
reactiveReactivate
reauthReauthorize
resendtsResend provisioning email
revokeRevoke
roleUpdate group membership role
sdvcssoSet up SSO authentication
sendpkgSend an item to another user
sendtsSend provisioning email
shareShare an item externally
ssotknCreate sign-in token
ssotknrRatchet sign-in token
ssotknvSign in with sign-in token
suspendSuspend
tdvcssoEnroll trusted device
trenameRename token
trevokeRevoke token
trvlawaySet as away for travel
trvlbackSet as back from travel
tverifyVerify token signature
uisasUpdate item sharing administrator settings
unhideUnhide
unknownUnknown
updatduoUpdate Duo
updateUpdate
updateaUpdate attributes
updatfwUpdate firewall rules
updatmfaUpdate multi-factor authentication
upguestUpdate guest
uvrfydmnUpdate verified domain
viewView
verifyVerify
vrfydmnAdd verified domain

Object values

Possible values for objectType include:

API outputObject
account1Password account
cardStripe card
deviceDevice
dlgdsessDelegated session
ecEmail change
famchildLinked family account
fileFile
gmGroup membership
groupGroup
gvaGroup vault access
inviteInvite
itemItem
itemhistItem history
itemsItems
miguserMigrating user
planPlan
pmStripe payment method
API outputObject
reportReport
saService account
satokenService account token
slackappSlack app
ssoSSO
ssotknSSO token
subStripe subscription
templateTemplate
userUser
uvaUser vault access
vaultVault
vaultkeyVault key

Was this page helpful?