1Password - Disable MFA factor or type for all user accounts

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "disblmfa"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: 1h
    reopenClosedIncident: false
    enabled: true
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
relevantTechniques:
- T1556
triggerOperator: gt
version: 1.0.0
queryFrequency: 5m
severity: High
description: |-
  This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
triggerThreshold: 0
suppressionDuration: 5h
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
name: 1Password - Disable MFA factor or type for all user accounts
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "disblmfa"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
tactics:
- DefenseEvasion
queryPeriod: 5m
kind: Scheduled
id: 92ab0938-1e7c-4671-9810-392e8b9714da
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml
eventGroupingSettings:
  aggregationKind: SingleAlert