1Password - Changes to firewall rules

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

relevantTechniques:
- T1562
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
suppressionDuration: 5h
description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
tactics:
- DefenseEvasion
severity: Medium
kind: Scheduled
triggerThreshold: 0
queryFrequency: 5m
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
suppressionEnabled: false
subTechniques:
- T1562.007
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
name: 1Password - Changes to firewall rules