1Password - Privileged vault permission change
| Id | 76e386eb-f51a-4600-97d1-f0db3b7e41f1 |
| Rulename | 1Password - Privileged vault permission change |
| Description | This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
| Severity | High |
| Tactics | Persistence |
| Techniques | T1098 |
| Required data connectors | 1Password |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Privileged vault permission change.yaml |
| Version | 1.0.0 |
| Arm template | 76e386eb-f51a-4600-97d1-f0db3b7e41f1.json |
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where
(action has_any("grant", "revoke", "update") and object_type == "uva") or
(action has_any("grant", "revoke", "update") and object_type == "gva")
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid in (vaults)
| extend
TargetUsername = case(isnotempty(aux_details), aux_details.email, "")
, TargetGroupUUID = case(isempty(aux_details), aux_uuid, "")
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
description: |-
This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: false
lookbackDuration: 1h
enabled: true
matchingMethod: AllEntities
createIncident: true
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Privileged vault permission change.yaml
severity: High
name: 1Password - Privileged vault permission change
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
queryPeriod: 5m
query: |-
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where
(action has_any("grant", "revoke", "update") and object_type == "uva") or
(action has_any("grant", "revoke", "update") and object_type == "gva")
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid in (vaults)
| extend
TargetUsername = case(isnotempty(aux_details), aux_details.email, "")
, TargetGroupUUID = case(isempty(aux_details), aux_uuid, "")
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
relevantTechniques:
- T1098
id: 76e386eb-f51a-4600-97d1-f0db3b7e41f1
queryFrequency: 5m
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ActorUsername
identifier: FullName
- entityType: Account
fieldMappings:
- columnName: TargetUsername
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
triggerOperator: gt
version: 1.0.0