This article helps you connect 1Password to Workbench.

Before you start

Step 1: Create the 1Password token

Step 2: Configure the technology in Workbench

Viewing security device details

You must have admin permissions in 1Password.

Step 1: Create the 1Password token


Expel secures all login information our SOC analysts need about your devices in an MFA password product. Access to this login information is protected using our internal MFA processes. To learn more about the IP addresses all Expel traffic comes from, go here.

  1. In 1Password, log into the web dashboard and open the Integrations tab on the right panel.

  2. Locate the Events Reporting tab and click Other.

  3. Name the integration Expel. Set the Expires After field to Never.

  4. In the Events to Report area, select:

    • Audit events

    • Items usage events

    • Sign-in attempts

  5. Click Issue Token. Save the token for later use.

Step 2: Configure the technology in Workbench

  1. Log into The Add Security device screen for 1Password appears.

  2. Fill out the fields like this:

    • Name: Expel.

    • Location: the location of your server.

    • API token: the token created in Step 1.

    • Server address: select your server URL from the list.

  3. Your device is now connected. To check device health, follow the Viewing security device details instructions below.

Viewing security device details

After your devices are connected to Workbench, you can view details about them. To open the device details, click Organization Settings > Security Devices. Locate the device you want more details for. Click the arrow next to the name and click View details.


The side panel that appears looks like this:


The side panel contains the following sections:

  • Device Health: you see an Alerts Analysis dashboard snapshot for the selected device along with the device’s health status, connection, data, and alerts data. This at-a-glance information let's you stay on top of the device and what it's doing.


    If you have a AWS CloudTrail device, you also see a Last data received time stamp that shows you when we last polled for log data. You also see a Last successful poll time stamp. These help you know if your AWS CloudTrail device is communicating with Workbench, even if alerts aren't being generated. We're working on deploying the last data received capability to other devices.

    If you have a AWS CloudTrail, you also see View Inaccessible Accounts. Clicking this button shows you the AWS accounts that are inaccessible to Workbench. This can highlight gaps in service delivery for AWS CloudTrail. To provide access, login to your AWS environment associated with the device and grant permission.

  • Information: you see general device data, including the device name, location, GUID, and so on. These are the data points associated with creating or editing a device.

  • History: you see the history of changes in health status or edits made by a Workbench user. You know what changed, who made the change, and when.

In these sections you can click buttons to copy information or go directly to other areas in Workbench. Additionally, we include tool tips to help you understand what you're seeing.

In the side panel, you can edit the selected device by clicking Edit Device. You can also navigate to the previous or next device in the list by clicking the arrows.



This article was accurate at the time of writing, but changes happen. If you find the instructions are outdated, leave a description in the comment field below and let us know!