Ingest Events API logs in AWS and forward to a 3rd party SIEM
Hello!
I am trying to ingest events from the Events Reporting API into our SIEM (Datadog), which isn't a supported integration yet. My environment is in AWS (which I am an absolute beginner on), and the main problem I'm having is: How do I monitor the 1Password Events API endpoint in AWS, so that I can forward those events to a 3rd party?
My first thought was to create a scheduled lambda that does a REST API call to fetch events and dump them into an S3 bucket. Datadog has a pre-built AWS log forwarder which can trigger on any changes made to an S3 bucket, so that sounds like it will work.
However, after some more searching I discovered the AWS EventBridge feature, which is 90% of what I want to do, except it still can't listen to a 3rd party API endpoint to trigger events. AWS makes it fairly straightforward to become an EventBridge partner app though, which would eliminate most of the duct-tape-and-glue that I would need to deploy to do this. As far as feature requests go, this is a much lighter lift than asking for a full integration with Datadog, and I have already met with a 1Password solutions architect to make my case for this.
There are no other posts specifically about this, so I'm hoping it will spark a conversation and provide a gauge on how much general interest there is for getting 1Password events into AWS.
- Is anyone else already doing this?
- Is 1Password open to providing a general solution for ingesting event logs in AWS and forwarding to a 3rd party?
Cheers!
1Password Version: 8.9.13
Extension Version: 2.5.1
OS Version: Not Provided
Browser: Chrome
Referrer: forum-search:Events API
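The scheduled-Lambda idea from the post above, sketched as an added example (not code from the poster or from 1Password). The endpoint URL and the `limit`, `cursor`, `has_more` and `items` fields are assumed from 1Password's Events API documentation rather than this thread; `http_fetch`, `drain`, the S3 key prefix and the three callables are hypothetical names.

```python
import hashlib
import json
import urllib.request

# Assumed from 1Password's Events API documentation, not from this thread:
# cursor-paginated POST with a bearer token; the host varies by account region.
EVENTS_URL = "https://events.1password.com/api/v1/signinattempts"


def http_fetch(token, body, url=EVENTS_URL):
    """POST one request body and return the decoded JSON page."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def drain(fetch, put_object, save_cursor, cursor=None, limit=100, max_pages=50):
    """Pull pages until has_more is false; store each page as one NDJSON object.

    Hypothetical hooks: fetch(body) returns a page dict, put_object(key, data)
    writes to S3, save_cursor(cursor) persists the checkpoint between runs.
    Returns the number of events stored in this invocation.
    """
    body = {"cursor": cursor} if cursor else {"limit": limit}
    stored = 0
    for _ in range(max_pages):  # bound the work of one scheduled invocation
        page = fetch(body)
        items = page.get("items", [])
        if items:
            data = "\n".join(json.dumps(i, sort_keys=True) for i in items).encode()
            # Content-addressed key: re-fetching the same page overwrites it.
            digest = hashlib.sha256(data).hexdigest()
            put_object(f"1password/signinattempts/{digest}.ndjson", data)
            stored += len(items)
        # Checkpoint only after the page is stored, so a failed write is
        # retried from the previous cursor on the next run instead of skipped.
        cursor = page["cursor"]
        save_cursor(cursor)
        if not page.get("has_more"):
            break
        body = {"cursor": cursor}
    return stored
```

In a Lambda handler, `fetch` would wrap `http_fetch` with a token read from a secret store rather than from code, and `save_cursor` would write to durable storage so the next scheduled run resumes where this one stopped.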
Comments
-
Hiya @cybertom
Thanks for posting your current approach and for sharing it with the broader community! I've added you to the existing request for a Datadog integration and created a new request to explore the possibility of becoming an AWS EventBridge SaaS partner. Not able to make any promises on either of those, but we're glad for the requests.
In the meantime, the Events API is documented here (which, of course, you already know, but for the benefit of other readers...) for anyone using a SIEM for which we do not yet have an integration and wants to deploy the duct tape and glue to build their own integration.
Thanks again for starting this discussion, @cybertom, and we've got the requests noted!
Cheers,
Scott
0 -
@Scott_1P please log another vote for Datadog SIEM integration from me!
0 -
please log another vote for Datadog SIEM integration from me!
Thanks @mattmattmattmatt
0 -
It's a 1Password Scott Tag Team Extravaganza.
Thanks @mattmattmattmatt for your added request, and thanks @ScottS1P for getting the request logged! :)
0 -
+1 for Datadog please
0 -
Any update on 1Password activity log reporting to Datadog? Are there any early signups available?
0 -
Datadog SIEM already has integrations and opinionated rules for Okta, OneLogin & Auth0, so I'd prefer to have a direct integration which can be 1st party supported rather than use EventBridge.
0 -
Hi @anthonyangel,
Thanks for adding your voice to the conversation. I can see why using default rules provided by an existing integration would be an easier option to help get started with 1Password's Events API.
Cheers,
Scott Swezey
Customer Support Specialist @ 1Password
0 -
I don't know how I missed this, but the 1Password integration is published in Datadog! (The 1Password events reporting page now has instructions for Datadog as well).
Big thanks to the integrations team!
0