1Password - User account MFA settings changed

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblmfa", "updatmfa", "disblmfa")
| where object_type == "user"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

suppressionEnabled: false
relevantTechniques:
- T1556
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 1h
  createIncident: true
version: 1.0.0
suppressionDuration: 5h
id: 3c8140eb-e946-4bf2-8c61-03e4df56d400
description: |-
  This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User account MFA settings changed.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
queryFrequency: 30m
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action has_any("enblmfa", "updatmfa", "disblmfa")
  | where object_type == "user"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
severity: Medium
queryPeriod: 30m
name: 1Password - User account MFA settings changed
tactics:
- Persistence
- DefenseEvasion
kind: Scheduled