1Password - Changes to firewall rules

Back


Id	54e6bb8e-2935-422f-9387-dba1961abfd7
Rulename	1Password - Changes to firewall rules
Description	This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1562
Required data connectors	1Password
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
Version	1.0.0
Arm template	54e6bb8e-2935-422f-9387-dba1961abfd7.json

KQL

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

YAML

requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
subTechniques:
- T1562.007
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
triggerOperator: gt
queryPeriod: 5m
triggerThreshold: 0
kind: Scheduled
suppressionEnabled: false
relevantTechniques:
- T1562
name: 1Password - Changes to firewall rules
description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
severity: Medium
version: 1.0.0
tactics:
- DefenseEvasion
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1h
    enabled: true
  createIncident: true
suppressionDuration: 5h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
queryFrequency: 5m
eventGroupingSettings:
  aggregationKind: SingleAlert
id: 54e6bb8e-2935-422f-9387-dba1961abfd7

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
      "properties": {
        "alertRuleTemplateName": "54e6bb8e-2935-422f-9387-dba1961abfd7",
        "customDetails": null,
        "description": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
        "displayName": "1Password - Changes to firewall rules",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT1H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml",
        "query": "OnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action == \"updatfw\"\n| where object_type == \"account\"\n| extend\n    ActorUsername = actor_details.email\n    , SrcIpAddr = session.ip",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1562"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}