1Password - Disable MFA factor or type for all user accounts

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "disblmfa"
| where object_type == "account"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

relevantTechniques:
- T1556
queryPeriod: 5m
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: SingleAlert
version: 1.0.0
suppressionDuration: 5h
description: |-
  This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
tactics:
- DefenseEvasion
severity: High
kind: Scheduled
triggerThreshold: 0
queryFrequency: 5m
requiredDataConnectors:
- dataTypes:
  - OnePasswordEventLogs_CL
  connectorId: 1Password
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    reopenClosedIncident: false
    matchingMethod: AllEntities
    lookbackDuration: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml
suppressionEnabled: false
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: ActorUsername
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
id: 92ab0938-1e7c-4671-9810-392e8b9714da
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action == "disblmfa"
  | where object_type == "account"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
name: 1Password - Disable MFA factor or type for all user accounts