---
title: Unusual 1Password item usage action observed from user
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Unusual 1Password item usage action
  observed from user
---

# Unusual 1Password item usage action observed from user
Classification:attackTactic:[TA0006-credential-access](https://attack.mitre.org/tactics/TA0006)Technique:[T1555-credentials-from-password-stores](https://attack.mitre.org/techniques/T1555) 
## Goal{% #goal %}

Detect when 1Password item usage activity is observed.

## Strategy{% #strategy %}

This rule monitors 1Password audit logs for the following item usage actions

- [enter-item-edit-mode](https://developer.1password.com/docs/events-api/item-usage-actions/#enter-item-edit-mode)
- [export](https://developer.1password.com/docs/events-api/item-usage-actions/#export)
- [fill](https://developer.1password.com/docs/events-api/item-usage-actions/#fill)
- [reveal](https://developer.1password.com/docs/events-api/item-usage-actions/#reveal)
- [select-sso-provider](https://developer.1password.com/docs/events-api/item-usage-actions/#select-sso-provider)
- [secure-copy](https://developer.1password.com/docs/events-api/item-usage-actions/#secure-copy)
- [server-create](https://developer.1password.com/docs/events-api/item-usage-actions/#server-create)
- [server-fetch](https://developer.1password.com/docs/events-api/item-usage-actions/#server-fetch)
- [server-update](https://developer.1password.com/docs/events-api/item-usage-actions/#server-update)
- [share](https://developer.1password.com/docs/events-api/item-usage-actions/#share)

**Note:** This rule uses the `New Value` detection method, to determine when a previously unseen item usage action is observed.

## Triage & response{% #triage--response %}

Investigate `{{@usr.email}}` attempting an item usage action: `{{@evt.name}}` that they haven't performed recently with item `{{@item_uuid}}` within vault `{{@vault_uuid}}`.