The community project that lets you analyze 1Password data using Microsoft Security Copilot
Most IT and security teams don’t lack data. They lack time – and a quick way to get meaningful insights out of SIEM logs to identify, understand, and act on potential security threats.
This challenge was the motivation behind a new 1Password community project developed by Rogier Dijkman (a Microsoft Security MVP) and Stefan Smit. The Microsoft Security Copilot plugin for 1Password Enterprise Password Manager (EPM) enables security teams to leverage 1Password audit data that’s been collected in Microsoft Sentinel, and query that data via Microsoft Security Copilot. You can ask Copilot questions related to your organization’s logs in plain language, and get actionable insights in response. For example, you could ask Microsoft Security Copilot to generate an executive compliance report for your 1Password audit events.
SIEM (security information and event management) tools like Microsoft Sentinel allow IT and security teams to monitor and detect security threats across their tool stack, including information available through 1Password EPM.
With 1Password’s new Microsoft Security Copilot plugin, monitoring and analyzing EPM SIEM data has never been easier. In this article, you'll learn how the project came together, and how you can start using the plugin to get insights into 1Password usage, potential security events, and anomalous behaviors.
Creating the building blocks for the Microsoft Security Copilot plugin
The road to building the Microsoft Security Copilot plugin had two main phases: integrating 1Password EPM with Microsoft Sentinel, and then extending that foundation to connect Microsoft Security Copilot.
Rogier and Stefan – both cloud security consultants at Rubicon, a Microsoft security service provider in the Netherlands – already knew and loved 1Password EPM before they started this project. Initially, the pair were tasked with advising their employer at the time on which password manager to adopt. After a thorough assessment, they landed on 1Password EPM.
But introducing 1Password to the team wasn’t enough. Rogier and Stefan wanted to integrate the password manager with a SIEM tool to more easily track and monitor 1Password interactions. For example, they wanted a fast, streamlined way to identify and internally flag unauthorized sign-in attempts. Rogier and Stefan knew Microsoft Sentinel could handle this piece, but that created a new challenge: how to connect the SIEM platform to 1Password EPM.
In true developer fashion, they built an integration in their free time to enable Microsoft Sentinel to ingest and monitor 1Password Business event data. They launched the Microsoft Sentinel Event Reporting integration in the 1Password Marketplace in 2024, allowing other security professionals with similar tooling to detect, investigate, and respond to potential threats faster.
Extending the 1Password Microsoft Sentinel integration to use Microsoft Security Copilot
After their success with the Microsoft Sentinel integration, Rogier and Stefan saw a new opportunity.
They had both been part of a preview program for Microsoft Security Copilot – a generative AI-powered security assistant that can summarize Microsoft Sentinel incidents in natural language. And they had already established a relationship with 1Password’s team through the first integration.
They asked themselves: could they build on their existing project and bring 1Password EPM event data into the Microsoft Security Copilot workflow?
Rogier and Stefan defined the scope for the Microsoft Security Copilot plugin, pitched it to the 1Password team, and set themselves a two-month deadline to deliver an MVP that could demonstrate the concept’s utility.
The security consultants got started by diving into 1Password’s developer docs. “Understanding the API [is] always the most important starting point when you want to do anything from an automation point of view,” Rogier shared, adding that 1Password’s developer docs were one of the biggest advantages for hitting their deadline. “What I really loved is that 1Password’s one of the few products that has an awesome community, and very good and extensive documentation about how the solution works, how the API works, and what information is available.”
How 1Password’s Microsoft Security Copilot plugin works
So how is it possible to have a conversation with Microsoft Security Copilot about your 1Password data?
First, your company’s 1Password Business audit events, sign-in activity, and shared item usage are securely shared with Microsoft Sentinel via the 1Password Events API. That data is ingested by Microsoft Sentinel, which the Microsoft Security Copilot plugin can then query whenever you ask a question about your 1Password Business account activity. Rogier shares that a key factor in getting the most value out of the plugin is creating a specific enough prompt for the information you need: “The model is smart enough to answer your questions, but you need to ask it the right ones.”
Stefan and Rogier’s biggest challenge was one that anyone with a side project will be familiar with: time. In an ideal world, where Rogier and Stefan hadn’t been working to a short deadline in their spare time, they would have connected the 1Password Events API directly to Microsoft Security Copilot. But with a “make it work first” approach, they completed the plugin so it could be shared with the 1Password community.
This is only the start for Rogier and Stefan, who have many more ideas for how to continue building on this foundation. The pair’s dream roadmap includes integrating additional security tools and building out agentic AI security features to make smart detections based on multiple inputs.
Next steps and how to get involved
To try it out, head over to the Microsoft Security Copilot plugin for 1Password documentation and follow its comprehensive instructions to get 1Password Business account insights via Microsoft Security Copilot.
Rogier and Stefan say they’re most interested in getting community feedback on how to further expand the plugin. To share your experiences with the Microsoft Security Copilot plugin, connect with the 1Password team in 1Password Community.
Have your own integration ideas? Rogier and Stefan’s advice is to get started and try to build it. “Failing isn’t a bad thing,” Stefan assures. “Just try. Try and get better over time.” Reach out in the 1Password Community if you would like support from our team on any of your own 1Password projects.
Further reading
To learn more about the 1Password Events API, Microsoft Sentinel, and the integrations discussed above, check out:
- Microsoft Security Copilot: 1Password plugin documentation
- Available on the 1Password Marketplace: Microsoft Security Copilot Plugin for 1Password
- 1Password Developer docs: Audit events | 1Password Developer
- More information on Microsoft Security Copilot
- Rogier and Stefan’s first 1Password integration: Microsoft Sentinel Event Reporting | 1Password Marketplace
- A 1Password blog post on their first integration: New 1Password SIEM integration with Microsoft Sentinel now generally available
