Monitoring Event Logs
Event monitoring with SIEM (system information and event management) integration is an important tool for monitoring your organization to maintain best security practices and ensure compliance. The following sections highlight several monitoring reference points that will provide increased observability of your Bitwarden solutions. This monitoring includes enabling insights into user actions in the vault, and providing examples of targets for automated alerting.
These events have been selected from the Bitwarden Event logs. By configuring a combination of instant alerts with alerting-over-time against the events that matter to your business, you will be able to audit your organization's use of Bitwarden in accordance with your unique security landscape.
Understanding Logs
Various SIEM platforms integrate with Bitwarden to review critical information on day-to-day vault usage.

SIEM event monitoring platforms will provide specific fields which should be monitored to maintain high security standards:
| Value | Description |
|---|---|
| | The email of the user performing the action. |
| | Unique ID of the user performing the action. |
| | Name of the user performing the action. |
| | Organization collection ID. |
| | Numerical ID of the device. Exact mapping can be located here. |
| | The IP address that performed the event. |
| | Vault item (cipher, secure note, etc.) of the organization vault. |
| | Organization policy update. See organization events here. |
Concerning trends
Tracking Bitwarden usage trends can identify questionable activity, or potential security threats:
Abnormal rate of failed login attempts
Failed login attempts
| Event code | Description |
|---|---|
| 1005 | Login attempt failed with incorrect password |
| 1006 | Login attempt failed with incorrect two step login. |
Abnormal rate of viewing sensitive or hidden fields
Viewing item
| Event code | Description |
|---|---|
| 1107 | Viewed item item-identifier |
| 1108 | Viewed password for item item-identifier |
| 1109 | Viewed hidden field for item item-identifier |
| 1110 | Viewed security code for item item-identifier |
Copying item fields
| Event code | Description |
|---|---|
| 1111 | Copied password for item item-identifier |
| 1112 | Copied security code for item item-identifier |
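Both trends above reduce to the same check: count events with the listed codes per user (or per IP address) inside a sliding time window and alert when a threshold is reached. The following Python is an added example, not Bitwarden code; the record field names (`type`, `actingUserId`, `ipAddress`, `date`), the thresholds and the sample events are assumptions constructed for illustration, so map them to the fields your SIEM exposes.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event codes taken from the tables above.
FAILED_LOGIN = {1005, 1006}
SENSITIVE_FIELD_ACCESS = set(range(1107, 1113))  # 1107-1112: view/copy events

def rate_alerts(events, codes, threshold, window, key="actingUserId"):
    """Return (key value, time, count) for each burst of `threshold`
    matching events that falls inside a sliding `window` for one key."""
    recent = defaultdict(deque)  # key value -> timestamps still in window
    alerts = []
    # Sort on parsed time: SIEM exports are not always delivered in order.
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["date"])):
        if ev["type"] not in codes:
            continue
        ts = datetime.fromisoformat(ev["date"])
        seen = recent[ev[key]]
        seen.append(ts)
        while ts - seen[0] > window:  # drop events older than the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.append((ev[key], ts, len(seen)))
            seen.clear()  # one alert per burst, not one per extra event
    return alerts

def _ev(code, user, ip, minute, second=0):
    # Constructed record; the field names are assumptions for this example.
    return {"type": code, "actingUserId": user, "ipAddress": ip,
            "date": f"2024-05-01T09:{minute:02d}:{second:02d}+00:00"}

# Constructed sample data (documentation IP ranges, made-up user ids).
SAMPLE_EVENTS = (
    [_ev(1005, "u-alice", "203.0.113.7", 0, s) for s in (0, 10, 20, 30, 40)]
    + [_ev(1000, "u-alice", "203.0.113.7", 1)]
    + [_ev(1005, "u-bob", "198.51.100.4", 2), _ev(1006, "u-bob", "198.51.100.4", 30)]
    + [_ev(1108, "u-alice", "203.0.113.7", 3, s) for s in (0, 5, 10, 15)]
)

if __name__ == "__main__":
    for name, codes, n, mins in (("failed logins", FAILED_LOGIN, 5, 5),
                                 ("sensitive field access", SENSITIVE_FIELD_ACCESS, 4, 1)):
        for who, when, count in rate_alerts(SAMPLE_EVENTS, codes, n, timedelta(minutes=mins)):
            print(f"ALERT {name}: {who} reached {count} events by {when.isoformat()}")
```

Passing `key="ipAddress"` groups the same events by source address instead of by user, which catches failed logins spread across several accounts from one host.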
Usage trends
Monitor usage trends to identify users engaging with Bitwarden and maintaining security practices:
Monitor user frequency
Vault usage
| Event code | Description |
|---|---|
| 1000 | Logged in |
| 1010 | User requested device approval |
Critical vault actions
Specific events may be monitored in order to track critical actions made by high-level users, or changes made to critical vault items:
Super-user activities
Individual account activity
| Event code | Description |
|---|---|
| 1000 | Logged in |
| 1001 | Changed account password |
| 1002 | Enabled/updated two-step login |
| 1003 | Disabled two-step login |
| 1007 | User exported their individual vault items |
| 1603 | Organization vault access by a managing provider |
Organization activities
| Event code | Description |
|---|---|
| 1500 | Invited user user-identifier |
| 1501 | Confirmed user user-identifier |
| 1502 | Edited user user-identifier |
| 1504 | Edited groups for user user-identifier |
| 1511 | Revoked organization access for user user-identifier |
| 1512 | Restored organization access for user-identifier |
| 1513 | Approved device for user-identifier |
| 1600 | Edited organization settings |
| 1609 | Modified collection management setting |
| 1700 | Modified policy policy-identifier |
| 2001 | Removed domain domain-name |
Exporting organization vault information
| Event code | Description |
|---|---|
| 1602 | Exported organization vault |
Critical item activities
Changes made to items that have been identified as critical:
| Event code | Description |
|---|---|
| 1101 | Edited item item-identifier |
| 1105 | Moved item item-identifier to an organization |
| 1106 | Edited collections for item item-identifier |
| 1107 | Viewed item item-identifier |
| 1108 | Viewed password for item item-identifier |
| 1109 | Viewed hidden field for item item-identifier |
| 1110 | Viewed security code for item item-identifier |
| 1111 | Copied password for item item-identifier |
| 1112 | Copied hidden field for item item-identifier |
| 1113 | Copied security code for item item-identifier |
| 1114 | Autofilled item item-identifier |
| 1117 | Viewed card number for item item-identifier |