Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. 1Password - User added to privileged group

1Password - User added to privileged group

Back
Id849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
Rulename1Password - User added to privileged group
DescriptionThis will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.



Ref: https://1password.com/

Ref: https://github.com/securehats/
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectors1Password
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
Version1.0.0
Arm template849ea271-cd9c-4afe-a13b-ddbbac5fc6d3.json
Deploy To Azure
let watchlist =
    _GetWatchlist("PG1PW")
    | project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
    TargetUsername = aux_details.email
    , ActorUsername = actor_details.email
    , SrcIpAddr = session.ip
    , GroupRole = case(
        aux_info == "R", "Group member"
        , aux_info == "A", "Group manager"
        , aux_info
    )

triggerOperator: gt
triggerThreshold: 0
name: 1Password - User added to privileged group
suppressionEnabled: false
queryFrequency: 5m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
queryPeriod: 5m
severity: Medium
eventGroupingSettings:
  aggregationKind: SingleAlert
suppressionDuration: 5h
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
tactics:
- Persistence
relevantTechniques:
- T1098
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
    lookbackDuration: 30m
  createIncident: true
description: |-
  This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
query: |-
  let watchlist =
      _GetWatchlist("PG1PW")
      | project SearchKey
  ;
  let groups = dynamic([""]);
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "join"
  | where object_type == "gm"
  | where tostring(actor_details.email) != tostring(aux_details.email)
  // Enable the line below when using the "Privileged Groups - 1PW" watchlist
  | where object_uuid in (watchlist)
  // Enable the line below when using the dynamic groups list within the analytics rule itself
  // | where object_uuid in (groups)
  | extend
      TargetUsername = aux_details.email
      , ActorUsername = actor_details.email
      , SrcIpAddr = session.ip
      , GroupRole = case(
          aux_info == "R", "Group member"
          , aux_info == "A", "Group manager"
          , aux_info
      )  
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
version: 1.0.0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
      "properties": {
        "alertRuleTemplateName": "849ea271-cd9c-4afe-a13b-ddbbac5fc6d3",
        "customDetails": null,
        "description": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
        "displayName": "1Password - User added to privileged group",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT30M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml",
        "query": "let watchlist =\n    _GetWatchlist(\"PG1PW\")\n    | project SearchKey\n;\nlet groups = dynamic([\"\"]);\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action == \"join\"\n| where object_type == \"gm\"\n| where tostring(actor_details.email) != tostring(aux_details.email)\n// Enable the line below when using the \"Privileged Groups - 1PW\" watchlist\n| where object_uuid in (watchlist)\n// Enable the line below when using the dynamic groups list within the analytics rule itself\n// | where object_uuid in (groups)\n| extend\n    TargetUsername = aux_details.email\n    , ActorUsername = actor_details.email\n    , SrcIpAddr = session.ip\n    , GroupRole = case(\n        aux_info == \"R\", \"Group member\"\n        , aux_info == \"A\", \"Group manager\"\n        , aux_info\n    )",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}