1Password

Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

  • Click Create New Source.

  • Click Select a Source Type.

  • Choose 1Password.

  • Choose the specific 1Password log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

  • Select API Pull.

  • Then, choose a Destination: Select Scanner.

Click Next.

Step 2: Configure the Source

Set a Display Name, such as my-1password-logs.

Click Next.

Step 3: Authenticate with 1Password

  • If you’ve previously created an 1Password connection, select it from the list.

  • Otherwise, select New 1Password Connection and fill in the required fields:

    • Connection Name: Give the connection a recognizable name.

    • Base URL: eg. https://events.1password.com/

    • Token: Generate this from your 1Password admin console.

For help finding these values:

Click Next.

Step 4: Configure the Destination

  • Choose the S3 Bucket where the raw 1Password logs should be stored.

  • (Optional) Enter a Key Prefix to organize the data path in your bucket.

  • Choose the Scanner Index where logs will be made searchable.

  • Leave the Source Label as 1password:<log_type>.

Click Next.

Step 5: Transform and Enrich

  • (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

Step 6: Timestamp Extraction

Leave the default setting: Extract timestamp from field timestamp.

This field is included in every 1Password event and reflects when the event occurred.

Click Next.

Step 7: Review and Create

  • Review all configuration settings.

  • Click Create Source.

What Happens Next

Once created:

  • Scanner will poll the 1Password Events API every 5 minutes.

  • New events will be written to your S3 bucket, under the specified key prefix.

  • Logs will then be indexed for search and detections using your selected Scanner index.

PreviousSourcesNextAuth0

Last updated

Was this helpful?