1Password - Disable MFA factor or type for all user accounts

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "disblmfa"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml
kind: Scheduled
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    matchingMethod: AllEntities
    reopenClosedIncident: false
tactics:
- DefenseEvasion
suppressionDuration: 5h
suppressionEnabled: false
triggerThreshold: 0
version: 1.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
eventGroupingSettings:
  aggregationKind: SingleAlert
queryFrequency: 5m
name: 1Password - Disable MFA factor or type for all user accounts
description: |-
  This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "disblmfa"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
queryPeriod: 5m
triggerOperator: gt
id: 92ab0938-1e7c-4671-9810-392e8b9714da
relevantTechniques:
- T1556
severity: High
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password