1Password - Changes to firewall rules

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

suppressionEnabled: false
relevantTechniques:
- T1562
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    enabled: true
    lookbackDuration: 1h
  createIncident: true
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
suppressionDuration: 5h
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
triggerThreshold: 0
subTechniques:
- T1562.007
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
queryFrequency: 5m
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
severity: Medium
queryPeriod: 5m
name: 1Password - Changes to firewall rules
tactics:
- DefenseEvasion
kind: Scheduled