1Password - User account MFA settings changed
| Id | 3c8140eb-e946-4bf2-8c61-03e4df56d400 |
| Rulename | 1Password - User account MFA settings changed |
| Description | This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
| Severity | Medium |
| Tactics | Persistence DefenseEvasion |
| Techniques | T1556 |
| Required data connectors | 1Password |
| Kind | Scheduled |
| Query frequency | 30m |
| Query period | 30m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User account MFA settings changed.yaml |
| Version | 1.0.0 |
| Arm template | 3c8140eb-e946-4bf2-8c61-03e4df56d400.json |
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblmfa", "updatmfa", "disblmfa")
| where object_type == "user"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
kind: Scheduled
incidentConfiguration:
groupingConfiguration:
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
createIncident: true
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
relevantTechniques:
- T1556
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblmfa", "updatmfa", "disblmfa")
| where object_type == "user"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User account MFA settings changed.yaml
suppressionEnabled: false
queryPeriod: 30m
tactics:
- Persistence
- DefenseEvasion
name: 1Password - User account MFA settings changed
eventGroupingSettings:
aggregationKind: SingleAlert
description: |-
This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
id: 3c8140eb-e946-4bf2-8c61-03e4df56d400
version: 1.0.0
triggerOperator: gt
queryFrequency: 30m
severity: Medium
suppressionDuration: 5h