1Password - Changes to firewall rules

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
tactics:
- DefenseEvasion
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: 1h
    reopenClosedIncident: false
    matchingMethod: AllEntities
  createIncident: true
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
severity: Medium
subTechniques:
- T1562.007
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
kind: Scheduled
queryPeriod: 5m
eventGroupingSettings:
  aggregationKind: SingleAlert
name: 1Password - Changes to firewall rules
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1562
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
triggerOperator: gt