# 1Password

### Step 1: Create a New Source

In the Scanner UI, go to the Collect tab.

* From the Overview page, click the '+' icon in the upper right corner.
* Select the option to create a new **Collect Rule**.
* Click **Select a Source Type**.
* Choose **1Password**.
* Choose the specific 1Password log type (the instructions below apply to all log types).

You’ll be prompted to choose an Ingest Method:

* Select **API Pull**.
* Then, choose a Destination: Select **Scanner**.

Click Next.

### Step 2: Configure the Source

Set a Display Name, such as `my-1password-logs`.

Click Next.

### Step 3: Authenticate with 1Password

* If you’ve previously created a 1Password connection, select it from the list.
* Otherwise, select **New 1Password Connection** and fill in the required fields:
  * Connection Name: Give the connection a recognizable name.
  * Base URL: e.g. `https://events.1password.com/`
  * Token: Generate this from your 1Password admin console.

For help finding these values:

* [Find your 1Password base URL](https://developer.1password.com/docs/events-api/servers)
* [Create a 1Password API Token](https://developer.1password.com/docs/events-api/authorization#issue-a-bearer-token)
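
Before saving the connection, you can confirm that the token is valid for your base URL and scoped to the log type you selected. The script below is an added example, not part of Scanner or 1Password tooling. It assumes the Events API introspection endpoint `/api/v2/auth/introspect` and its `features` field; the environment variable names and the sample response are constructed for illustration.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

# Scope names reported by the Events API (one per 1Password log type).
KNOWN_FEATURES = {"signinattempts", "itemusages", "auditevents"}


def introspect_url(base_url):
    """Build the introspection URL; accept only a bare https origin."""
    parts = urlsplit(base_url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("Base URL must look like https://<host>/")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("Base URL must not carry credentials, query or fragment")
    if parts.path not in ("", "/"):
        raise ValueError("Base URL must not include a path")
    return f"https://{parts.netloc}/api/v2/auth/introspect"


def check_scope(introspection, wanted):
    """Return (missing, extra) features relative to what this source needs."""
    wanted = set(wanted)
    if wanted - KNOWN_FEATURES:
        raise ValueError(f"unknown feature(s): {sorted(wanted - KNOWN_FEATURES)}")
    granted = set(introspection.get("features", []))
    return sorted(wanted - granted), sorted(granted - wanted)


def fetch_introspection(base_url, token):
    """Ask the Events API what the bearer token is allowed to read."""
    req = urllib.request.Request(
        introspect_url(base_url), headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample response, used when no token is supplied.
SAMPLE = {"uuid": "EXAMPLE-TOKEN-UUID", "issued_at": "2024-01-01T00:00:00Z",
          "features": ["signinattempts", "itemusages"]}

if __name__ == "__main__":
    token = os.environ.get("OP_EVENTS_TOKEN")  # hypothetical variable name
    base = os.environ.get("OP_EVENTS_BASE_URL", "https://events.1password.com/")
    info = fetch_introspection(base, token) if token else SAMPLE
    missing, extra = check_scope(info, ["signinattempts"])
    print("missing scopes:", missing or "none")
    print("scopes beyond this source:", extra or "none")
```

A non-empty "missing" list means the source will not be able to pull that log type; a non-empty "extra" list means the token grants more than this source needs, so a narrower token would limit exposure if the connection secret leaks.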

Click Next.

### Step 4: Configure the Destination

* Choose the S3 Bucket where the raw 1Password logs should be stored.
* (Optional) Enter a Key Prefix to organize the data path in your bucket.
* Choose the Scanner Index where logs will be made searchable.
* Leave the Source Label as `1password:<log_type>`.

Click Next.

### Step 5: Transform and Enrich

* (Optional) Add additional transformation or enrichment steps if needed.

Click Next.

### Step 6: Timestamp Extraction

Leave the default setting: Extract timestamp from field `timestamp`.

This field is included in every 1Password event and reflects when the event occurred.

Click Next.

### Step 7: Review and Create

* Review all configuration settings.
* Click **Create Source**.

### What Happens Next

Once created:

* Scanner will poll the 1Password Events API every **5 minutes**.
* New events will be written to your S3 bucket, under the specified key prefix.
* Logs will then be indexed for search and detections using your selected Scanner index.
