1Password vault export attempt by user

Set up the 1password integration.


Detect possible exfiltration attempts from 1Password through a vault export.


This rule monitors 1Password audit logs to determine when the export item usage action occurs on a vault. This could indicate exfiltration attempts from 1Password by downloading or exporting items within a vault.

Triage & response

  1. Investigate the {{@usr.email}} attempting to download or export vault {{@vault_uuid}}.
  2. If this action was unintended by the user:
    • Rotate the user’s 1Password master password
    • Identify all the items within the vault that were exported and rotate the necessary authentication credentials