1Password - User added to privileged group

Back


Id	849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
Rulename	1Password - User added to privileged group
Description	This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/
Severity	Medium
Tactics	Persistence
Techniques	T1098
Required data connectors	1Password
Kind	Scheduled
Query frequency	5m
Query period	5m
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
Version	1.0.0
Arm template	849ea271-cd9c-4afe-a13b-ddbbac5fc6d3.json

KQL

let watchlist =
    _GetWatchlist("PG1PW")
    | project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
    TargetUsername = aux_details.email
    , ActorUsername = actor_details.email
    , SrcIpAddr = session.ip
    , GroupRole = case(
        aux_info == "R", "Group member"
        , aux_info == "A", "Group manager"
        , aux_info
    )

YAML

tactics:
- Persistence
suppressionDuration: 5h
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
severity: Medium
queryFrequency: 5m
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
relevantTechniques:
- T1098
queryPeriod: 5m
name: 1Password - User added to privileged group
kind: Scheduled
suppressionEnabled: false
triggerThreshold: 0
triggerOperator: gt
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: Account
  fieldMappings:
  - columnName: TargetUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
eventGroupingSettings:
  aggregationKind: SingleAlert
description: |-
  This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
query: |-
  let watchlist =
      _GetWatchlist("PG1PW")
      | project SearchKey
  ;
  let groups = dynamic([""]);
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "join"
  | where object_type == "gm"
  | where tostring(actor_details.email) != tostring(aux_details.email)
  // Enable the line below when using the "Privileged Groups - 1PW" watchlist
  | where object_uuid in (watchlist)
  // Enable the line below when using the dynamic groups list within the analytics rule itself
  // | where object_uuid in (groups)
  | extend
      TargetUsername = aux_details.email
      , ActorUsername = actor_details.email
      , SrcIpAddr = session.ip
      , GroupRole = case(
          aux_info == "R", "Group member"
          , aux_info == "A", "Group manager"
          , aux_info
      )  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 30m
    reopenClosedIncident: false
    enabled: true
    matchingMethod: AllEntities

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
      "properties": {
        "alertRuleTemplateName": "849ea271-cd9c-4afe-a13b-ddbbac5fc6d3",
        "customDetails": null,
        "description": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
        "displayName": "1Password - User added to privileged group",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "ActorUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUsername",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "lookbackDuration": "PT30M",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml",
        "query": "let watchlist =\n    _GetWatchlist(\"PG1PW\")\n    | project SearchKey\n;\nlet groups = dynamic([\"\"]);\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action == \"join\"\n| where object_type == \"gm\"\n| where tostring(actor_details.email) != tostring(aux_details.email)\n// Enable the line below when using the \"Privileged Groups - 1PW\" watchlist\n| where object_uuid in (watchlist)\n// Enable the line below when using the dynamic groups list within the analytics rule itself\n// | where object_uuid in (groups)\n| extend\n    TargetUsername = aux_details.email\n    , ActorUsername = actor_details.email\n    , SrcIpAddr = session.ip\n    , GroupRole = case(\n        aux_info == \"R\", \"Group member\"\n        , aux_info == \"A\", \"Group manager\"\n        , aux_info\n    )",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}