Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
bitwarden-members | ✅ | bitwarden_members | Json | S3 list / API | |||
bitwarden-events | ✅ | bitwarden_events | Json | S3 list / API | |||
bitwarden-groups | ✅ | bitwarden_groups | Json | S3 list / API |
Overview
Bitwarden is a popular open-source password management solution designed to securely store and manage credentials across personal and organizational environments. Ingesting Events, Members, and Groups data from Bitwarden into Hunters’ SIEM platform allows organizations to centralize visibility over access and usage patterns. By monitoring events such as logins, vault access, member changes, and group modifications, security teams can detect suspicious behavior, enforce compliance requirements, and quickly respond to potential insider threats or unauthorized access. This integration enhances the overall security posture by correlating Bitwarden activities with other data sources in the Hunters SIEM, providing a more comprehensive picture of identity and access management risks.
Supported data types
Bitwarden Members
Table name: bitwarden_members
Member logs in Bitwarden represent the directory of all users within an organization, detailing each member’s identity, access level, and permissions. These records include attributes such as user status, two-factor authentication status, collection memberships, and administrative capabilities. They are critical for managing access control, conducting privilege audits, and correlating user identities to specific security events captured in the event logs.
Bitwarden Events
Table name: bitwarden_events
Bitwarden events provide a detailed audit trail of all actions performed within the Bitwarden environment, including user logins, vault item changes, policy updates, and administrative operations. These logs capture key contextual information - such as the acting user, affected object, timestamp, device, and IP address - allowing organizations to monitor user activity, investigate incidents, and maintain compliance through precise activity tracking.
Bitwarden Groups
Table name: bitwarden_groups
Bitwarden group logs define role-based access structures used to organize users and streamline permission management. Each group record includes the group’s name, associated collections, and permission settings for read, write, or management access. These logs are essential for enforcing consistent access policies, simplifying user provisioning, and ensuring least-privilege principles across organizational vault collections.
Send data to Hunters
Hunters supports the ingestion of Bitwarden logs using an S3 bucket.
To send data to Hunters:
Contact Bitwarden support to learn how to route your Security logs to S3.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
Expected format
Hunters expects Bitwarden logs to be in JSON format. The following are examples of a typical log line for each data type:
Bitwarden-Members
{"type": 0, "accessAll": true, "externalId": "external_id_123456", "resetPasswordEnrolled": true, "permissions": {"accessEventLogs": true, "accessImportExport": true, "accessReports": true, "createNewCollections": true, "editAnyCollection": true, "deleteAnyCollection": true, "manageGroups": true, "managePolicies": true, "manageSso": true, "manageUsers": true, "manageResetPassword": true, "manageScim": true}, "object": "member", "id": "539a36c5-e0d2-4cf9-979e-51ecf5cf6593", "userId": "48b47ee1-493e-4c67-aef7-014996c40eca", "name": "John Smith", "email": "jsmith@example.com", "twoFactorEnabled": true, "status": 0, "collections": [{"id": "bfbc8338-e329-4dc0-b0c9-317c2ebf1a09", "readOnly": true, "hidePasswords": true, "manage": true}], "ssoExternalId": "sso_external_id_123456"}
Bitwarden-Events
{"object": "event", "type": 1107, "itemId": "11111111-aaaa-bbbb-cccc-000000000001", "collectionId": null, "groupId": null, "policyId": null, "memberId": null, "actingUserId": "22222222-aaaa-bbbb-cccc-000000000002", "installationId": null, "date": "2023-01-01T12:00:00.000Z", "device": 6, "ipAddress": "2001:0db8:85a3:0000:0000:8a2e:0370:7334", "secretId": null, "serviceAccountId": null}
Bitwarden-Groups
{"object": "group", "id": "11111111-aaaa-bbbb-cccc-000000000001", "collections": [{"id": "22222222-aaaa-bbbb-cccc-000000000002", "readOnly": false, "hidePasswords": false, "manage": false}, {"id": "33333333-aaaa-bbbb-cccc-000000000003", "readOnly": false, "hidePasswords": false, "manage": false}], "name": "Group Name", "externalId": null}
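To check an export against the expected format above before it is collected to S3, the following added example (not Hunters or Bitwarden code) verifies that every line is a standalone JSON object and sorts it into one of the three data types. Routing on the `object` field and the required-key sets are assumptions drawn from the sample lines on this page, not a published schema; `check_line`, `check_export` and `SAMPLE` are hypothetical names.

```python
import json

# Assumption: lines are routed by their "object" field, and the required keys are a
# subset of the fields in this page's sample lines (not an official schema).
REQUIRED = {
    "member": ("bitwarden-members", {"id", "userId", "email", "status", "twoFactorEnabled", "permissions"}),
    "event": ("bitwarden-events", {"type", "date", "actingUserId", "ipAddress", "device"}),
    "group": ("bitwarden-groups", {"id", "name", "collections"}),
}

def check_line(line):
    """Return (data_type, None) for a usable log line, else (None, reason)."""
    try:
        record = json.loads(line)
    except json.JSONDecodeError as exc:
        return None, f"not a single JSON document: {exc.msg}"
    if not isinstance(record, dict):
        return None, "top-level value is not a JSON object"
    kind = record.get("object")
    spec = REQUIRED.get(kind) if isinstance(kind, str) else None
    if spec is None:
        return None, f"unknown object type: {kind!r}"
    data_type, keys = spec
    missing = sorted(keys.difference(record))
    if missing:
        return None, "missing keys: " + ", ".join(missing)
    return data_type, None

def check_export(text):
    """Check every non-empty line; return per-type counts and rejected lines."""
    counts, rejected = {}, []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        data_type, reason = check_line(line)
        if reason:
            rejected.append((number, reason))
        else:
            counts[data_type] = counts.get(data_type, 0) + 1
    return counts, rejected

# Constructed sample export: two valid lines, one truncated line, one unknown type.
SAMPLE = "\n".join([
    '{"object": "event", "type": 1107, "actingUserId": "22222222-aaaa-bbbb-cccc-000000000002", "date": "2023-01-01T12:00:00.000Z", "device": 6, "ipAddress": "2001:db8::1"}',
    '{"object": "group", "id": "11111111-aaaa-bbbb-cccc-000000000001", "name": "Group Name", "collections": []}',
    '{"object": "member", "id": "539a36c5-e0d2-4cf9-979e-51ecf5cf6593", "email": "jsmith@example.com"',
    '{"object": "policy", "id": "33333333-aaaa-bbbb-cccc-000000000003"}',
])
```

Calling `check_export(SAMPLE)` accepts the event and group lines and rejects lines 3 and 4 with a reason each. A pretty-printed export that spreads one record over several lines is rejected line by line, which is the usual sign that the file is not one record per line.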