1Password - Changes to firewall rules

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

relevantTechniques:
- T1562
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
suppressionDuration: 5h
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
suppressionEnabled: false
severity: Medium
kind: Scheduled
queryFrequency: 5m
description: |-
  This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
subTechniques:
- T1562.007
triggerOperator: gt
name: 1Password - Changes to firewall rules
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to firewall rules.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "updatfw"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities