1Password - User added to privileged group
| Id | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3 |
| Rulename | 1Password - User added to privileged group |
| Description | This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1098 |
| Required data connectors | 1Password |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml |
| Version | 1.0.0 |
| Arm template | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3.json |
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
entityMappings:
- fieldMappings:
- columnName: ActorUsername
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: TargetUsername
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
triggerOperator: gt
tactics:
- Persistence
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: 30m
enabled: true
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
severity: Medium
triggerThreshold: 0
relevantTechniques:
- T1098
queryPeriod: 5m
query: |-
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
version: 1.0.0
kind: Scheduled
name: 1Password - User added to privileged group
queryFrequency: 5m
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
description: |-
This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
suppressionEnabled: false
requiredDataConnectors:
- dataTypes:
- OnePasswordEventLogs_CL
connectorId: 1Password