1Password - Non-privileged vault user permission change

Back


Id	327e0579-7c03-4ec7-acf5-a29dcc4a12b6
Rulename	1Password - Non-privileged vault user permission change
Description	This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	1Password
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml
Version	1.0.0
Arm template	327e0579-7c03-4ec7-acf5-a29dcc4a12b6.json

KQL

let watchlist =
    _GetWatchlist("PV1PW")
    | project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("grant", "revoke", "update")
| where object_type == "uva"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid !in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid !in (vaults)
| extend
    TargetUsername = aux_details.email
    , ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml
query: |-
  let watchlist =
      _GetWatchlist("PV1PW")
      | project SearchKey
  ;
  // Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
  let vaults = dynamic([""]);
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action has_any("grant", "revoke", "update")
  | where object_type == "uva"
  | where tostring(actor_details.email) != tostring(aux_details.email)
  // Enable the line below when using the "Privileged Vaults - 1PW" watchlist
  | where object_uuid !in (watchlist)
  // Enable the line below when using the dynamic vaults list within the analytics rule itself
  // | where object_uuid !in (vaults)
  | extend
      TargetUsername = aux_details.email
      , ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
description: |-
  This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
severity: Medium
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
incidentConfiguration:
  groupingConfiguration:
    lookbackDuration: 1h
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities
  createIncident: true
eventGroupingSettings:
  aggregationKind: SingleAlert
name: 1Password - Non-privileged vault user permission change
triggerThreshold: 0
suppressionDuration: 5h
tactics:
- Persistence
version: 1.0.0
relevantTechniques:
- T1098
triggerOperator: gt
kind: Scheduled
id: 327e0579-7c03-4ec7-acf5-a29dcc4a12b6
suppressionEnabled: false
queryFrequency: 5m
queryPeriod: 5m

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
      "properties": {
        "alertRuleTemplateName": "327e0579-7c03-4ec7-acf5-a29dcc4a12b6",
        "customDetails": null,
        "description": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
        "displayName": "1Password - Non-privileged vault user permission change",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml",
        "query": "let watchlist =\n    _GetWatchlist(\"PV1PW\")\n    | project SearchKey\n;\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\nlet vaults = dynamic([\"\"]);\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action has_any(\"grant\", \"revoke\", \"update\")\n| where object_type == \"uva\"\n| where tostring(actor_details.email) != tostring(aux_details.email)\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\n| where object_uuid !in (watchlist)\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\n// | where object_uuid !in (vaults)\n| extend\n    TargetUsername = aux_details.email\n    , ActorUsername = actor_details.email\n    , SrcIpAddr = session.ip",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}