1Password Events Reporting audit events
You can use the 1Password Events API to return audit events from the Activity Log of your 1Password Business account and send them to your security information and event management (SIEM) system. Audit event data includes actions performed by team members in a 1Password account, such as changes made to the account, vaults, groups, users, and more.
Read an event object
When you use the 1Password Events API to fetch audit events from your 1Password Business account, the API will return a JSON array of audit event objects. Event objects can include the following properties:
uuid: The unique identifier for the event.
timestamp: When the action was performed.
actor_uuid: The unique identifier for the team member who performed the action.
actor_details: The details of the team member who performed the action (including their UUID, name, and email address).
action: The type of action that was performed.
object_type: The type of object that the action was performed on.
object_uuid: The unique identifier for the object the action was performed on.
object_details: The details of the team member who is the object of the action (including their UUID, name, and email address). This property is only returned for events where the object of the action is a team member.
aux_id: The identifier that relates to additional information about the activity.
aux_uuid: The unique identifier that relates to additional information about the activity.
aux_details: The details of the team member who relates to the additional information about the activity (including their UUID, name, and email address). This property is only returned for events where the additional information about an activity relates to a team member.
aux_info: Additional information about the activity.
session: The information about the session, including the date and time the client signed in and started the session, the unique identifier of the device that signed into the session, and the IP address used.
location: The geolocation information of the client based on their IP address at the time the event was performed.
To understand the activity an audit event object is describing, look at the action, actor, and object fields, as well as any aux fields that may be included. For example:
Example audit event object
This example event shows that Jeff Shiner is the actor who performed the "join" action on a group membership (Jeff added someone to a group). And Wendy Appleseed is the team member who joined (was added to) the Administrator group as a group manager.
To get more information about an object, such as the name of a group, you can check the description of the event in the Activity Log, or use the object UUID to retrieve information about an object with 1Password CLI.
Use the audit event tables below to learn more about what the different actions and objects mean and what output is returned for each type of event. A complete list of actions and objects can be found in the appendix.
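The following Python sketch is an added example, not code from 1Password. It triages fetched audit events for a SIEM by matching on the (action, object_type) pair, because an action such as create or disblmfa appears under several object types in the tables on this page. The choice of watched pairs, the name, email, and uuid keys inside the *_details objects, and the sample events are assumptions constructed for illustration.

```python
import json

# (action, object_type) -> event name, copied from this page's audit event tables.
# Which pairs are treated as security-relevant is this example's own choice.
WATCHLIST = {
    ("disblmfa", "user"): "Disable Multi-Factor Authentication",
    ("disblmfa", "account"): "Disable Multi-Factor Authentication For All Users",
    ("disblduo", "account"): "Disable Duo",
    ("disblsso", "sso"): "Disable SSO",
    ("updatfw", "account"): "Update Firewall Rules",
    ("export", "vault"): "Export Vault",
    ("share", "item"): "Share Item",
    ("join", "gm"): "Join Group",
    ("role", "gm"): "Change Group Membership Role",
    ("grant", "uva"): "Grant User Vault Access",
    ("grant", "gva"): "Grant Group Vault Access",
    ("create", "satoken"): "Create Token",
    ("beginr", "user"): "Begin User Recovery",
}

def person(details):
    """Render an optional *_details object; the inner key names are assumed."""
    if not isinstance(details, dict):
        return None
    return details.get("email") or details.get("name") or details.get("uuid")

def triage(event):
    """Return an alert dict for a watched event, or None for anything else."""
    key = (event.get("action"), event.get("object_type"))
    name = WATCHLIST.get(key)
    if name is None:
        return None
    return {
        "event": name,
        "event_uuid": event.get("uuid"),
        "timestamp": event.get("timestamp"),
        # *_details are only returned when the party is a team member,
        # so fall back to the bare UUID fields.
        "actor": person(event.get("actor_details")) or event.get("actor_uuid"),
        "object": person(event.get("object_details")) or event.get("object_uuid"),
        "related": person(event.get("aux_details")) or event.get("aux_uuid"),
        "aux_info": event.get("aux_info"),
    }

def triage_batch(raw_json):
    """Parse the JSON array of audit events and keep only the watched ones."""
    return [alert for alert in map(triage, json.loads(raw_json)) if alert]

# Constructed sample events (placeholder UUIDs, emails and aux_info).
SAMPLE = json.dumps([
    {"uuid": "EVENT-1", "timestamp": "2024-01-01T00:00:00Z", "action": "join",
     "object_type": "gm", "object_uuid": "GROUP-UUID-PLACEHOLDER",
     "actor_uuid": "ACTOR-1",
     "actor_details": {"name": "Jeff Shiner", "email": "jeff@example.com"},
     "aux_details": {"name": "Wendy Appleseed", "email": "wendy@example.com"},
     "aux_info": "ROLE-PLACEHOLDER"},
    {"uuid": "EVENT-2", "action": "create", "object_type": "device",
     "actor_uuid": "ACTOR-2", "object_uuid": "DEVICE-1"},
    {"uuid": "EVENT-3", "action": "disblmfa", "object_type": "account",
     "actor_uuid": "ACTOR-1", "object_uuid": "ACCOUNT-1"},
])

if __name__ == "__main__":
    for alert in triage_batch(SAMPLE):
        print(json.dumps(alert))
```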
Audit events
Accounts
Actions related to updating and confirming accounts.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Activate Account | The account was activated. | activate | account | |
Update Account | Account attributes, such as the name, were changed. | update | account | |
Delete Account | The account was deleted. | delete | account | |
Update Account Domain | The account domain was changed. | update | account | domain |
Change Account Type | The account type was changed. | convert | account | old account type, new account type |
Enable Duo | Duo was enabled for the account. | enblduo | account | |
Update Duo Configuration | The Duo configuration for the account was updated. | updatduo | account | |
Disable Duo | Duo was disabled for the account. | disblduo | account | |
Delegate sessions
Actions related to delegating sessions.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Delegate Session | A new delegated session was added. | dlgsess | dlgdsess | session UUID |
Devices
Actions related to authorizing and removing devices.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Device | A device was added to the account. | create | device | user ID, user UUID, user name, user email |
Update Device | A device was updated. | update | device | user ID, user UUID, user name, user email |
Delete Device | A device was deleted. | delete | device | user ID, user UUID, user name, user email |
Delete Old Devices | Old devices were deleted. | deolddev | user | |
Delete All Devices | All devices were deleted. | dealldev | user | |
Reauthorize Device | A device was reauthorized after being deauthorized. | reauth | device | user ID, user UUID, user name, user email |
Email changes
Actions related to beginning and completing email changes for team members.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Begin Email Change | An email change was requested by a user. | begin | ec | |
Complete Email Change | A user's email was changed. | complete | ec | |
Propose Email Change | An email change was proposed by an admin. | propose | ec | |
Family accounts
Actions related to linking and unlinking family accounts.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Family Member Account | A team member linked their free family account. | rdmchild | famchild | |
Remove Family Member Account | A team member unlinked their free family account. | detchild | famchild | |
Files
Actions related to creating documents.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add File | A file was uploaded to the account. | create | file | |
Firewall rules
Actions related to firewall settings.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Update Firewall Rules | A firewall rule was added or updated. | updatfw | account | |
Groups
Actions related to creating, updating, and removing groups.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Create Group | A group was created. | create | group | group name |
Delete Group | A group was deleted. | delete | group | group name |
Update Group | A group was updated. | update | group | group name |
Purge Deleted Group | A group was marked to be purged. | purge | group | |
Update Group Keyset | A group keyset was replaced. | changeks | group | |
Group membership
Actions related to updating team members' group membership.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Join Group | A user joined a group. | join | gm | user ID, user UUID, user name, user email, user role |
Leave Group | A user left a group. | leave | gm | user ID, user UUID, user name, user email |
Change Group Membership Role | A user's group membership role was changed. | role | gm | user ID, user UUID, user name, user email, user role |
Group vault access
Actions related to modifying groups' access to vaults.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Grant Group Vault Access | A group was granted access to a vault. | grant | gva | group ID, group UUID |
Revoke Group Vault Access | A group's access to a vault was revoked. | revoke | gva | group ID, group UUID |
Update Group Vault Access | A group's vault access was updated. | update | gva | group ID, group UUID, Access Control List |
Invites
Actions related to inviting team members and guests.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Create Invite | An invite was created. | create | invite | The email address the invite was sent to. |
Update Invite | An invite was updated. | update | invite | The email address the invite was sent to. |
Items
Actions related to creating, editing, archiving, and deleting items.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Patch Vault Items | Vault items were added or updated. | patch | items | Vault Content Version, number of items added or updated. |
Delete Trashed Vault Items | Vault items in the trash were deleted. | delete | items | Vault Content Version, number of items deleted. |
Purge Deleted Vault Items | Deleted vault items were marked to be purged. | purge | items | Number of items that were marked to be purged. |
Purge Vault Item History | Archived vault items were marked to be purged. | purge | itemhist | item ID, item UUID |
Item sharing
Actions related to sharing items.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Share Item | An item was shared externally. | share | item | vault ID, vault UUID, shared item UUID |
Delete Item Share | A shared item link was deleted. | delshare | item | vault ID, vault UUID, shared item UUID |
Update Item Share Settings | The account's item sharing settings were updated. | uisas | account | |
Multi-factor authentication
Actions related to enabling, updating, and removing multi-factor authentication.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Enable Multi-Factor Authentication | Multi-factor authentication was enabled. | enblmfa | user | multi-factor authentication ID, multi-factor authentication type |
Update Multi-Factor Authentication | Multi-factor authentication was updated. | updatmfa | user | multi-factor authentication ID, multi-factor authentication type |
Disable Multi-Factor Authentication | Multi-factor authentication was disabled. | disblmfa | user | multi-factor authentication ID, multi-factor authentication type |
Disable Multi-Factor Authentication For All Users | Multi-factor authentication was disabled for everyone in the account. | disblmfa | account | |
Disable Multi-Factor Authentication Type For All Users | Multi-factor authentication of a certain type was disabled for everyone in the account. | disblmfa | account | multi-factor authentication type |
Packages
Actions related to team members sending a copy of an item within 1Password.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Send Package | A user sent an item to another user. | sendpkg | user | package UUID |
Provisioning
Actions related to provisioning new team members.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Send Provisioning Email | A provisioning email was sent. | sendts | user | |
Resend Provisioning Email | A provisioning email was resent. | resendts | user | |
Resend All Provisioning Emails | All provisioning emails were resent. | prsndall | invite | |
Reports
Actions related to viewing and exporting reports.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Export Report | A user exported a report. | export | report | report UUID, report type |
View Report | A user viewed a report. | view | report | report UUID, report type |
Service accounts
Actions related to adding integrations.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Create Integration | An integration was created. | create | sa | integration type |
Service account tokens
Actions related to registering, updating, and revoking access tokens for integrations.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Create Token | An integration token was registered. | create | satoken | token name |
Rename Token | An integration token name was updated. | trename | satoken | token name |
Verify Token | An integration token signature was registered. | tverify | satoken | token name |
Revoke Token | An integration token was revoked. | trevoke | satoken | token name |
Sign-in tokens
Actions related to creating, ratcheting, and signing in with sign-in tokens for Unlock with SSO.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Sign In With Sign-In Token | A sign-in token was used to log in. | ssotknv | ssotkn | |
Slack app
Actions related to connecting or removing a Slack app.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Enable Slack App | A Slack app was connected to the account. | create | slackapp | |
Disable Slack App | A Slack app was removed from the account. | delete | slackapp | |
Update Slack App | A connected Slack app was updated. | update | slackapp | |
SSO settings
Actions related to setting up Unlock with SSO.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Enable SSO | Unlock with SSO was enabled. | enblsso | sso | |
Disable SSO | Unlock with SSO was disabled. | disblsso | sso | |
Change SSO Authentication Policy | The SSO authentication policy was changed. | chngpsso | sso | |
Change SSO Grace Period Authentication Count | The SSO grace period authentication count was changed. | chngasso | sso | |
Change SSO Grace Period Duration | The SSO grace period duration was changed. | chngdsso | sso | |
Add an SSO Group | An SSO group was added. | addgsso | sso | group UUID |
Delete an SSO Group | An SSO group was deleted. | delgsso | sso | group UUID |
Stripe cards
Actions related to creating, updating, and removing Stripe cards.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Card | A new Stripe card was created. | create | card | card ID, card UID |
Update Card | A Stripe card was updated. | update | card | card ID, card UID |
Delete Card | A Stripe card was deleted. | delete | card | card ID, card UID |
Stripe payment methods
Actions related to adding Stripe payment methods.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Payment Method | A new Stripe payment method was created. | create | pm | payment method ID, payment method UUID |
Delete Payment Method | A Stripe payment method was deleted. | delete | pm | payment method ID, payment method UUID |
Stripe subscriptions
Actions related to creating, updating, and canceling Stripe subscriptions.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Create Subscription | A new Stripe subscription was created. | create | sub | subscription ID, subscription UUID |
Update Subscription | A Stripe subscription was updated. | update | sub | subscription ID, subscription UUID |
Cancel Subscription | A Stripe subscription was canceled. | cancel | sub | subscription ID, subscription UUID |
Templates
Actions related to adding, updating, hiding, and deleting templates.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Template | A template was added. | create | template | template name |
Update Template | A template was updated. | update | template | template name |
Hide Template | A template was hidden. | hide | template | template name |
Unhide Template | A template was shown (after being hidden). | unhide | template | template name |
Delete Template | A template was deleted. | delete | template | template name |
Unknown
Unknown events.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Unknown Events | An unknown action occurred. | unknown | unknown | |
Users
Actions related to changes to team members' account attributes.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Upgrade User | A guest was promoted to a family or team member. | upguest | user | |
Change User State From | A user's state was changed. | verify, join, activate, reactive, suspend, delete, or beginr | user | |
Begin User Recovery | A user recovery was initiated. | beginr | user | |
Complete User Recovery | A user recovery was completed. | completr | user | |
Cancel User Recovery | A user recovery was canceled. | cancelr | user | |
Mark User Away For Travel | A user was marked as away for travel. | trvlaway | user | |
Mark User Back From Travel | A user was marked as back from travel. | trvlback | user | |
Change User Keyset | A user's keyset changed. | changeks | user | |
Change 1Password Account Password | A user changed their 1Password account password. | changemp | user | |
Change Secret Key | A user changed their Secret Key. | changesk | user | |
Change Name | A user changed their name. | changenm | user | |
Change Language | A user changed their preferred language. | changela | user | |
Enroll Trusted Device | A user set up a trusted device to unlock with SSO. | tdvcsso | user | |
Set up Single Sign-On Authentication | A user set up their 1Password account to unlock with SSO. | sdvcsso | user | |
User migration
Actions related to migrating users.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Migrating User Created | A user migration was started. | create | miguser | user email |
Migrating User Complete | A user migration was marked complete. | musercom | miguser | |
Migrating User Declined | A user migration was marked declined. | muserdec | miguser | |
User vault access
Actions related to changes to team members' access to vaults.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Grant User Vault Access | A user was granted access to a vault. | grant | uva | user ID, user UUID, user name, user email |
Revoke User Vault Access | A user's access to a vault was revoked. | revoke | uva | user ID, user UUID, user name, user email |
Update User Vault Access | A user's vault access was updated. | update | uva | user ID, user UUID, user name, user email, Access Control List |
Vaults
Actions related to creating, updating, and removing vaults.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Vault | A vault was added. | create | vault | |
Delete Vault | A vault was deleted. | delete | vault | |
Mark Vault To Be Purged | A vault was marked for purging. | purge | vault | |
Update Client Access | The client access value for a vault was updated. | update | vault | The new client access value. |
Update Attributes | A vault name or description was changed. | updatea | vault | |
Export Vault | A vault was exported. | export | vault | |
Verified domain
Actions related to verifying domains.
Event | Description | Action | Object Type | Aux Info |
---|---|---|---|---|
Add Verified Domain | A domain was verified. | vrfydmn | account | domain |
Update Verified Domain | A verified domain was updated. | uvrfydmn | account | domain |
Delete Verified Domain | A verified domain was removed. | dvrfydmn | account | domain |
Appendix
Action values
Possible values for action include:
API output | Action |
---|---|
activate | Activate |
addgsso | Add an SSO group |
begin | Begin |
beginr | Begin recovery |
cancel | Cancel |
cancelr | Cancel recovery |
changeks | Change keyset |
changela | Change language |
changemp | Change 1Password account password |
changenm | Change name |
changesk | Change Secret Key |
chngasso | Change SSO grace period authentication count |
chngdsso | Change SSO authentication policy |
chngpsso | Change SSO grace period duration |
complete | Complete |
completr | Complete recovery |
convert | Convert |
create | Create |
dealldev | Deauthorize all devices |
delete | Delete |
delgsso | Delete an SSO Group |
delshare | Delete shared item link |
deolddev | Deauthorize old devices |
detchild | Remove family member account |
disblduo | Disable Duo |
disblmfa | Disable multi-factor authentication |
disblsso | Disable SSO |
dlgsess | Delegate a new session |
dvrfydmn | Delete verified domain |
enblduo | Enable Duo |
enablmfa | Enable multi-factor authentication |
enblsso | Enable SSO |
export | Export |
grant | Grant |
hide | Hide |
join | Join |
leave | Leave |
musercom | Complete migrating user |
muserdec | Decline migrating user |
patch | Modify or update |
propose | Propose |
provsn | Provision |
prsndall | Resend all provisioning emails |
purge | Permanently delete |
rdmchild | Add family member account |
reactive | Reactivate |
reauth | Reauthorize |
resendts | Resend provisioning email |
revoke | Revoke |
role | Update group membership role |
sdvcsso | Set up SSO authentication |
sendpkg | Send an item to another user |
sendts | Send provisioning email |
share | Share an item externally |
ssotkn | Create sign-in token |
ssotknr | Ratchet sign-in token |
ssotknv | Sign in with sign-in token |
suspend | Suspend |
tdvcsso | Enroll trusted device |
trename | Rename token |
trevoke | Revoke token |
trvlaway | Set as away for travel |
trvlback | Set as back from travel |
tverify | Verify token signature |
uisas | Update item sharing administrator settings |
unhide | Unhide |
unknown | Unknown |
updatduo | Update Duo |
update | Update |
updatea | Update attributes |
updatfw | Update firewall rules |
updatmfa | Update multi-factor authentication |
upguest | Update guest |
uvrfydmn | Update verified domain |
view | View |
verify | Verify |
vrfydmn | Add verified domain |
Object values
Possible values for objectType include:
API output | Object |
---|---|
account | 1Password account |
card | Stripe card |
device | Device |
dlgdsess | Delegated session |
ec | Email change |
famchild | Linked family account |
file | File |
gm | Group membership |
group | Group |
gva | Group vault access |
invite | Invite |
item | Item |
itemhist | Item history |
items | Items |
miguser | Migrating user |
plan | Plan |
pm | Stripe payment method |
report | Report |
sa | Service account |
satoken | Service account token |
slackapp | Slack app |
sso | SSO |
ssotkn | SSO token |
sub | Stripe subscription |
template | Template |
user | User |
uva | User vault access |
vault | Vault |
vaultkey | Vault key |