Intake (Machine Reports)
Intake groups receive machine-generated reports — vulnerability scans, billing summaries, DMARC reports, compliance feeds, and vendor status updates. They’re designed for archiving and periodic human review, not real-time action.
Pattern
prv-{owner}-intake-{source}[-{topic}]@{domain}
Flavors
| Flavor | Sender | Volume | Moderation |
|---|---|---|---|
| Vendor feed | SaaS/vendor system | Scheduled (daily/weekly) | Allowlisted senders |
| Audit log | Internal systems | Continuous/batched | Allowlisted senders |
| Compliance | Scanners, GRC tools | Periodic | Allowlisted + moderated |
Common Intake Lists
| List | Purpose |
|---|---|
| prv-sec-intake-wks-dlp | Workspace DLP scan results |
| prv-sec-intake-dmarc | DMARC aggregate reports |
| prv-plt-intake-aws-billing | AWS billing/cost reports |
| prv-plt-intake-wks-admin | Workspace admin notifications |
| prv-sec-intake-op-events | 1Password audit events |
| prv-ops-intake-vendor-status | Vendor status page updates |
Settings
- Who can post: Anyone + MODERATE_ALL_MESSAGES + allowlisted senders
- Members: Minimal (often archive-only with no human subscribers)
- External posting: ON (senders are external systems)
- External members: ON (for sender allowlisting, not actual membership)
- Archive: ON (always — intake archives are audit records)
- Security label: OFF
- Subject prefix: Recommended (e.g., [DLP], [DMARC], [BILLING])
Wiring Pattern
Intake groups are often the first hop in a processing chain:
Vendor system → Intake (archive + classify)
                  ↓
                Digest script → Mail (humans review weekly)
For urgent items that come through intake but need escalation:
Intake → Filter/classifier → Alerts (on-call)
Lifecycle
Create
- Identify the source system and expected sender addresses/domains.
- Set email/name/description.
- Labels: Mailing=ON, Security=OFF.
- Set MODERATE_ALL_MESSAGES + seed allowlisted senders.
- Add minimum 2 owners (PLT + relevant team).
- Add subject prefix.
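A pre-creation check for the naming pattern, Settings and Create steps above, as an added example that is not part of the original page. The dictionary keys (`moderation`, `allowlisted_senders` and so on) are hypothetical, not a real admin API's field names, and splitting source from topic at the first hyphen is an assumption.

```python
import re

# Page pattern: prv-{owner}-intake-{source}[-{topic}]@{domain}
# Assumption: placeholders are lowercase alphanumerics; the first token after
# "intake-" is the source and anything after it is the topic.
ADDRESS_RE = re.compile(
    r"^prv-(?P<owner>[a-z0-9]+)-intake-(?P<source>[a-z0-9]+)"
    r"(?:-(?P<topic>[a-z0-9]+(?:-[a-z0-9]+)*))?@(?P<domain>[a-z0-9.-]+)$"
)

def parse_address(email):
    """Split an intake address into its parts, or return None if it is off-pattern."""
    m = ADDRESS_RE.match(email)
    return m.groupdict() if m else None

def lint_intake_group(group):
    """Return findings for one group definition; an empty list means it conforms."""
    findings = []
    if parse_address(group["email"]) is None:
        findings.append("name is off-pattern")
    if group.get("moderation") != "MODERATE_ALL_MESSAGES":
        findings.append("moderation is not MODERATE_ALL_MESSAGES")
    if not group.get("allowlisted_senders"):
        findings.append("no allowlisted senders")
    if not group.get("external_posting"):
        findings.append("external posting is off")
    if not group.get("archive"):
        findings.append("archive is off")
    if group.get("security_label"):
        findings.append("security label is on")
    if len(group.get("owners", [])) < 2:
        findings.append("fewer than 2 owners")
    if not group.get("subject_prefix"):
        findings.append("no subject prefix")
    return findings

# Constructed sample definitions; example.com addresses are placeholders.
GOOD = {
    "email": "prv-sec-intake-dmarc@example.com",
    "moderation": "MODERATE_ALL_MESSAGES",
    "allowlisted_senders": ["reports@vendor.example"],
    "external_posting": True, "archive": True, "security_label": False,
    "owners": ["plt-owner@example.com", "sec-owner@example.com"],
    "subject_prefix": "[DMARC]",
}
BAD = dict(GOOD, email="sec-dmarc-reports@example.com",
           allowlisted_senders=[], archive=False, owners=["sec-owner@example.com"])

if __name__ == "__main__":
    for g in (GOOD, BAD):
        print(g["email"], lint_intake_group(g) or "OK")
```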
Operate
- Monitor: blocked/quarantined messages (new sender not yet allowlisted).
- Quarterly: review allowlist, add/remove senders as vendor landscape changes.
- Archive maintenance: ensure retention policy matches compliance needs.
Retire
- Disable external posting. Export archive per policy. Delete after hold.
Anti-Patterns
- Humans subscribing to high-volume intake lists (noise exhaustion)
- Using intake groups on ACLs
- Skipping allowlisting (spam floods the archive)
- Mixing intake and alerts in one group (different urgency models)
Metrics
| Metric | Target |
|---|---|
| Blocked/quarantined messages (allowlist gap) | < 5% of volume |
| Archive completeness (no gaps in feed) | 100% |
| Allowlist review cadence | Quarterly |