1Password - User added to privileged group
| Id | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3 |
| Rulename | 1Password - User added to privileged group |
| Description | This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1098 |
| Required data connectors | 1Password |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml |
| Version | 1.0.0 |
| Arm template | 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3.json |
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
description: |-
This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
tactics:
- Persistence
suppressionEnabled: false
suppressionDuration: 5h
requiredDataConnectors:
- dataTypes:
- OnePasswordEventLogs_CL
connectorId: 1Password
incidentConfiguration:
groupingConfiguration:
enabled: true
lookbackDuration: 30m
reopenClosedIncident: false
matchingMethod: AllEntities
createIncident: true
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
severity: Medium
eventGroupingSettings:
aggregationKind: SingleAlert
query: |-
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - User added to privileged group.yaml
kind: Scheduled
queryPeriod: 5m
name: 1Password - User added to privileged group
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1098
version: 1.0.0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
triggerOperator: gt