What Changed

All three RestApiPoller connectors in the 1Password CCF solution (signinattempts, auditevents, itemusages) were switched from time-window paging (pagingType: NextPageToken with start_time/end_time bounds in queryParametersTemplate) to cursor-persistent polling (pagingType: PersistentToken).

Key config changes across 1Password_PollingConfig.json and azuredeploy_1Password_poller_connector.json:

  • pagingType: NextPageToken -> PersistentToken
  • queryParametersTemplate: time-windowed JSON body -> {}
  • Added pagingInfoPlacement: RequestBody so the cursor token is sent in the POST body
  • Removed queryTimeFormat (no longer needed)

Solution bumped from 3.0.2 -> 3.0.3; data connector version 1.0.0 -> 1.0.1.

Security Impact (Visibility & Fidelity)

Deployments running the 1Password connector at v3.0.2 or earlier have been silently dropping item usage events – specifically reveal and secure-copy actions – whenever a 1Password client sync was delayed by approximately 10 minutes or more.

The root cause: 1Password item usage events are generated client-side and carry the original event timestamp, but only appear in the Events API when the client syncs. With time-window polling, the CCF query window (start_time/end_time) advances on each poll cycle. When a client synced late, its events carried timestamps already behind the advancing window and were filtered out permanently – never ingested into OnePasswordEventLogs_CL.

Impact: SOC teams relying on this connector for credential access monitoring (vault item reveals, secure-copy of secrets) have an unquantified historical gap proportional to how frequently their users experience delayed client syncs. The itemusages poller had a 1-minute queryWindowInMin – any sync delay beyond 1 minute was sufficient to drop events from that cycle.

PersistentToken polling persists the 1Password API cursor across poll cycles. Because the cursor is arrival-ordered rather than timestamp-filtered, late-synced events are returned on the next continuation request rather than silently dropped.

To confirm historical gap and validate the fix:

OnePasswordEventLogs_CL
| where log_source == "itemusages"
| where action_type in ("reveal", "secure-copy")
| sort by timestamp_t desc

Affected Files

Solutions/1Password/Data Connectors/1Password_ccpv2/1Password_PollingConfig.json
Solutions/1Password/Data Connectors/1Password_ccpv2/azuredeploy_1Password_poller_connector.json
(packaging artefacts: 3.0.3.zip, ReleaseNotes.md, Solution_1Password.json, createUiDefinition.json, mainTemplate.json)