1Password - User added to privileged group
Id | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3 |
Rulename | 1Password - User added to privileged group |
Description | This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
Severity | Medium |
Tactics | Persistence |
Techniques | T1098 |
Required data connectors | 1Password |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml |
Version | 1.0.0 |
Arm template | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3.json |
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
name: 1Password - User added to privileged group
severity: Medium
queryFrequency: 5m
query: |-
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
relevantTechniques:
- T1098
version: 1.0.0
description: |-
This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: ActorUsername
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: TargetUsername
entityType: Account
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
triggerOperator: gt
queryPeriod: 5m
tactics:
- Persistence
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 30m
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
kind: Scheduled
eventGroupingSettings:
aggregationKind: SingleAlert
triggerThreshold: 0
suppressionDuration: 5h
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
"properties": {
"alertRuleTemplateName": "849ea271-cd9c-4afe-a13b-ddbbac5fc6d3",
"customDetails": null,
"description": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"displayName": "1Password - User added to privileged group",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT30M",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml",
"query": "let watchlist =\n _GetWatchlist(\"PG1PW\")\n | project SearchKey\n;\nlet groups = dynamic([\"\"]);\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action == \"join\"\n| where object_type == \"gm\"\n| where tostring(actor_details.email) != tostring(aux_details.email)\n// Enable the line below when using the \"Privileged Groups - 1PW\" watchlist\n| where object_uuid in (watchlist)\n// Enable the line below when using the dynamic groups list within the analytics rule itself\n// | where object_uuid in (groups)\n| extend\n TargetUsername = aux_details.email\n , ActorUsername = actor_details.email\n , SrcIpAddr = session.ip\n , GroupRole = case(\n aux_info == \"R\", \"Group member\"\n , aux_info == \"A\", \"Group manager\"\n , aux_info\n )",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}