1Password - Non-privileged vault user permission change
Id | 327e0579-7c03-4ec7-acf5-a29dcc4a12b6 |
Rulename | 1Password - Non-privileged vault user permission change |
Description | This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
Severity | Medium |
Tactics | Persistence |
Techniques | T1098 |
Required data connectors | 1Password |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml |
Version | 1.0.0 |
Arm template | 327e0579-7c03-4ec7-acf5-a29dcc4a12b6.json |
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("grant", "revoke", "update")
| where object_type == "uva"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid !in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid !in (vaults)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
kind: Scheduled
suppressionEnabled: false
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ActorUsername
identifier: FullName
- entityType: Account
fieldMappings:
- columnName: TargetUsername
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
query: |-
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("grant", "revoke", "update")
| where object_type == "uva"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid !in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid !in (vaults)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
relevantTechniques:
- T1098
suppressionDuration: 5h
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 5m
tactics:
- Persistence
id: 327e0579-7c03-4ec7-acf5-a29dcc4a12b6
requiredDataConnectors:
- dataTypes:
- OnePasswordEventLogs_CL
connectorId: 1Password
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml
description: |-
This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
queryFrequency: 5m
name: 1Password - Non-privileged vault user permission change
severity: Medium
version: 1.0.0
eventGroupingSettings:
aggregationKind: SingleAlert
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
"properties": {
"alertRuleTemplateName": "327e0579-7c03-4ec7-acf5-a29dcc4a12b6",
"customDetails": null,
"description": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"displayName": "1Password - Non-privileged vault user permission change",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Non-privileged vault user permission change.yaml",
"query": "let watchlist =\n _GetWatchlist(\"PV1PW\")\n | project SearchKey\n;\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\nlet vaults = dynamic([\"\"]);\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action has_any(\"grant\", \"revoke\", \"update\")\n| where object_type == \"uva\"\n| where tostring(actor_details.email) != tostring(aux_details.email)\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\n| where object_uuid !in (watchlist)\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\n// | where object_uuid !in (vaults)\n| extend\n TargetUsername = aux_details.email\n , ActorUsername = actor_details.email\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}