Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

1Password - Changes to firewall rules

Back
Id54e6bb8e-2935-422f-9387-dba1961abfd7
Rulename1Password - Changes to firewall rules
DescriptionThis will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.



Ref: https://1password.com/

Ref: https://github.com/securehats/
SeverityMedium
TacticsDefenseEvasion
TechniquesT1562
Required data connectors1Password
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
Version1.0.0
Arm template54e6bb8e-2935-422f-9387-dba1961abfd7.json
Deploy To Azure
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip
description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
queryPeriod: 5m
suppressionDuration: 5h
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
kind: Scheduled
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
tactics:
- DefenseEvasion
severity: Medium
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
subTechniques:
- T1562.007
version: 1.0.0
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1h
    enabled: true
  createIncident: true
queryFrequency: 5m
suppressionEnabled: false
relevantTechniques:
- T1562
name: 1Password - Changes to firewall rules
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
      "properties": {
        "alertRuleTemplateName": "54e6bb8e-2935-422f-9387-dba1961abfd7",
        "customDetails": null,
        "description": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
        "displayName": "1Password - Changes to firewall rules",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml",
        "query": "OnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action == \"updatfw\"\n| where object_type == \"account\"\n| extend\n    ActorUsername = actor_details.email\n    , SrcIpAddr = session.ip",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}