1Password

Important

Some information in this article relates to a prerelease product that may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Note

This article contains information about third-party plugins. This guidance is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.

The 1Password plugin for Microsoft Copilot for Security leverages audit data collected by Microsoft Sentinel to provide security teams with insights into 1Password usage, potential security events, and anomalous behaviors. This plugin does not retrieve secrets or credentials from 1Password, but rather analyzes the audit logs and events to enhance security monitoring and incident response capabilities.

Prerequisites

  • 1Password Business or Enterprise subscription with audit logging capability.
  • Microsoft Sentinel deployed and configured in your Azure environment.
  • 1Password Events Reporting integration set up to send audit logs to Microsoft Sentinel.
  • Microsoft Sentinel 1Password data connector configured and actively ingesting 1Password audit data.
  • Administrative access to Microsoft Security Copilot.
  • Linked Microsoft Sentinel workspace in Security Copilot.
  • Familiarity with Kusto Query Language (KQL) for custom queries.

Know before you begin

Integration with Microsoft Security Copilot works by connecting to your Microsoft Sentinel workspace where 1Password events are stored.

You'll need to take the following steps before using the plugin.

Step 1: Configure 1Password Audit Logging

To enable audit logging in 1Password, follow the Events Reporting documentation or complete these steps:

  1. Sign in to 1Password.com as an owner or administrator.
  2. Click Integrations in the sidebar.
  3. Click Directory at the top of the page.
  4. Find the Microsoft Sentinel integration and select Set Up.
  5. Enter a name for your integration (for example, "Microsoft Sentinel Connector").
  6. Choose between:
    • Send events from all vaults to report events for your entire account.
    • Choose vaults to select specific vaults for event reporting.
  7. Select Add Integration.
  8. Save the bearer token that's displayed. You'll need it to configure the Microsoft Sentinel connector.
  9. Follow the 1Password Sentinel integration guide to activate the serverless connector.
  10. Configure the appropriate log retention policies.
  11. Verify that user activities, authentication events, and admin actions are being logged.

For detailed configuration options and troubleshooting, refer to the Events Reporting setup guide.

Step 2: Set up Microsoft Sentinel Connector for 1Password

  1. Access your Microsoft Sentinel workspace.
  2. Navigate to the Data Connectors section.
  3. Locate and select the 1Password data connector.
  4. Follow the configuration wizard to connect to your 1Password environment.
  5. Validate that audit logs are being successfully ingested into Microsoft Sentinel.

Step 3: Install and configure the plugin

  1. Sign in to Microsoft Security Copilot.
  2. Access Manage Plugins by selecting the Sources button from the prompt bar.
  3. Next to 1Password, select Set up.
  4. Upload the 1Password plugin package or specify its repository location.
  5. Configure the plugin to connect to your Microsoft Sentinel workspace.

Configuration guide

Required parameters

Configure the following parameters for the plugin to function correctly:

  1. Microsoft Entra Tenant ID

    • The unique identifier of your Microsoft Entra environment
    • Format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  2. Subscription ID

    • The unique identifier of the Azure Subscription of Microsoft Sentinel
    • Format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  3. ResourceGroup Name

    • The name of the resource group that Security Copilot uses for Microsoft Sentinel.
  4. Workspace Name

    • The name of the workspace that Security Copilot uses for Microsoft Sentinel.

Configuration methods

  1. Plugin Configuration Portal
    • Configure settings directly in the Microsoft Copilot for Security plugin interface
    • Specify workspace connection parameters
    • Test connectivity before saving

Sample 1Password prompts

The following section provides example prompts to try.

1. Natural Language Queries

Use conversational language to analyze 1Password audit data:

  • "Show me all failed login attempts in 1Password over the past week"
  • "Who accessed sensitive vaults in 1Password outside of business hours?"
  • "Has anyone created new shared vaults in the last month?"

2. Structured Commands

For more precise control, use structured command syntax:

  • analyze-events -type:"item.view" -timeframe:"last 7 days" -user:"admin"
  • detect-anomalies -dataset:"authentication" -baseline:"30 days"
  • report-activity -vault:"Finance" -action:"create,delete,modify"

3. Workflow Integration

Include 1Password audit analysis as part of larger security workflows:

  • "Investigate this user account and check for unusual 1Password activity"
  • "Analyze login patterns across our SSO providers including 1Password"
  • "Generate a compliance report showing all access to regulated data in 1Password"

Response Formatting

The plugin formats responses to provide clear security insights:

  • Event Timelines: Chronological view of related security events
  • User Activity Profiles: Aggregated view of user behaviors
  • Anomaly Highlighting: Clear identification of outlier events
  • Visual Analytics: Charts and graphs for pattern recognition

Advanced usage

Security Incident Investigation

The plugin enables advanced investigation of security incidents involving 1Password usage:

Example Investigation Workflow

  1. Receive alert about suspicious access to sensitive vault
  2. Query 1Password audit logs for all actions by the flagged user
  3. Analyze access patterns and compare to historical baseline
  4. Correlate with other security telemetry (network logs, endpoint data)
  5. Generate comprehensive incident timeline and recommended actions
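
Steps 2 and 3 of the workflow above, sketched in KQL as an added example (not part of the original article or the plugin). It runs against an inline datatable of constructed rows; the column names, user names and dates are assumptions, so substitute the table and fields that your 1Password data connector actually writes.

```kql
// Constructed sample rows standing in for ingested 1Password audit events.
// Column names are hypothetical: map them to the schema your connector writes.
let Events = datatable(TimeGenerated:datetime, UserEmail:string, Action:string, Vault:string, Country:string)
[
    datetime(2024-05-06 09:12:00), "alex@example.com", "item.view", "Engineering", "US",
    datetime(2024-05-13 10:40:00), "alex@example.com", "item.view", "Engineering", "US",
    datetime(2024-05-20 14:05:00), "alex@example.com", "modify",    "Engineering", "US",
    datetime(2024-05-27 11:30:00), "alex@example.com", "item.view", "Engineering", "US",
    datetime(2024-05-31 02:14:00), "alex@example.com", "item.view", "Finance",     "US",
    datetime(2024-05-31 02:16:00), "alex@example.com", "item.view", "Finance",     "RO",
    datetime(2024-05-31 02:19:00), "alex@example.com", "delete",    "Finance",     "RO",
    datetime(2024-05-31 09:03:00), "alex@example.com", "item.view", "Engineering", "US",
    datetime(2024-05-31 09:20:00), "sam@example.com",  "create",    "Finance",     "US"
];
let flaggedUser = "alex@example.com";      // user named in the alert
let windowEnd   = datetime(2024-06-01);    // use now() against live data
let recent      = 1d;                      // period under investigation
let baseline    = 30d;                     // history to compare against
// Step 2: every action by the flagged user, bounded by an explicit time filter.
let UserEvents = Events
    | where TimeGenerated between ((windowEnd - recent - baseline) .. windowEnd)
    | where UserEmail == flaggedUser;
// Step 3: which vault/country combinations are normal for this user.
let Baseline = UserEvents
    | where TimeGenerated < windowEnd - recent
    | summarize BaselineCount = count() by Vault, Country;
// Recent activity, flagged when the combination never appears in the baseline.
UserEvents
| where TimeGenerated >= windowEnd - recent
| summarize RecentCount = count(), FirstSeen = min(TimeGenerated), Actions = make_set(Action) by Vault, Country
| join kind=leftouter Baseline on Vault, Country
| extend NewForUser = isnull(BaselineCount)
| project Vault, Country, RecentCount, BaselineCount, NewForUser, FirstSeen, Actions
| order by NewForUser desc, RecentCount desc
```

Rows with NewForUser set to true are vault and country combinations the user has not touched during the baseline period, which makes them the first candidates for correlation with other telemetry in step 4.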

Troubleshoot the 1Password plugin

Errors occur

If you encounter errors such as "Couldn't complete your request" or "An unknown error occurred", make sure the plugin is turned on. These errors may also occur if the lookback period is too long, causing the query to attempt to retrieve an excessive amount of data. If the issue persists, sign out of Copilot for Security, and then sign back in.

Data Ingestion Issues

| Issue | Possible Causes | Resolution Steps |
|---|---|---|
| Missing Audit Data | Connector misconfiguration, Ingestion pipeline issues | 1. Verify Microsoft Sentinel connector status 2. Check 1Password audit logging settings 3. Review data connector logs 4. Validate Log Analytics agent functionality |
| Data Delay | Ingestion latency, High data volume, Processing bottlenecks | 1. Check ingestion pipeline status 2. Review Microsoft Sentinel health metrics 3. Optimize data collection rules 4. Consider dedicated capacity for critical data |

Query Issues

| Issue | Possible Causes | Resolution Steps |
|---|---|---|
| Query Timeout | Complex queries, Large data volume, Resource constraints | 1. Optimize query complexity 2. Add appropriate filters 3. Use time-based partitioning 4. Consider materialized views |
| Schema Mismatch | Custom field mappings, Schema evolution, Parser errors | 1. Review schema definitions 2. Update field mappings 3. Check for data format changes 4. Update custom parsers if needed |

Plugin Access Issues

| Feature | Common Problems | Troubleshooting Steps |
|---|---|---|
| Workspace Access | Permission issues, Misconfigured workspace ID | 1. Verify workspace access permissions 2. Check workspace connection string 3. Review Microsoft Copilot for Security configuration 4. Validate Microsoft Entra ID permissions |
| KQL Functions | Function registration failure, Syntax errors, Execution timeout | 1. Check function registration status 2. Validate KQL syntax 3. Review function permissions 4. Optimize function logic |

Performance Optimization

  • Use efficient KQL patterns and avoid cross-joins on large datasets
  • Implement appropriate time filters to limit data processing
  • Consider materialized views for frequently run analytical queries
  • Monitor query performance and optimize resource-intensive operations

Prompts aren't invoking the correct capabilities

If prompts aren't invoking the correct capabilities, or prompts are invoking some other capability set, you might have custom plugins or other plugins that have similar functionality as the capability set you want to use.

Provide feedback

To provide feedback, contact https://support.1password.com/.

See also

  • Other plugins for Microsoft Copilot for Security
  • Manage plugins in Microsoft Copilot for Security