1Password - Disable MFA factor or type for all user accounts
| Id | 92ab0938-1e7c-4671-9810-392e8b9714da |
| Rulename | 1Password - Disable MFA factor or type for all user accounts |
| Description | Alerts when the MFA factor or type is disabled for all user accounts. Once this analytics rule is triggered, it groups all related future alerts for up to an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
| Severity | High |
| Tactics | DefenseEvasion |
| Techniques | T1556 |
| Required data connectors | 1Password |
| Kind | Scheduled |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml |
| Version | 1.0.0 |
| Arm template | 92ab0938-1e7c-4671-9810-392e8b9714da.json |
```kusto
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "disblmfa"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip
```
```yaml
relevantTechniques:
- T1556
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
suppressionDuration: 5h
id: 92ab0938-1e7c-4671-9810-392e8b9714da
suppressionEnabled: false
severity: High
kind: Scheduled
queryFrequency: 5m
description: |-
  This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
  Ref: https://1password.com/
  Ref: https://github.com/securehats/
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
triggerOperator: gt
name: 1Password - Disable MFA factor or type for all user accounts
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml
triggerThreshold: 0
queryPeriod: 5m
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "disblmfa"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
```