1Password - Changes to SSO configuration
Id | 9406f5ab-1197-4db9-8042-9f3345be061c |
Rulename | 1Password - Changes to SSO configuration |
Description | This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
Severity | Medium |
Tactics | Persistence |
Techniques | T1556 |
Required data connectors | 1Password |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to SSO configuration.yaml |
Version | 1.0.1 |
Arm template | 9406f5ab-1197-4db9-8042-9f3345be061c.json |
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdsso", "addgsso", "delgsso")
| where object_type == "sso"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
id: 9406f5ab-1197-4db9-8042-9f3345be061c
triggerThreshold: 0
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 1h
matchingMethod: AllEntities
enabled: true
reopenClosedIncident: false
suppressionDuration: 5h
version: 1.0.1
queryPeriod: 5m
eventGroupingSettings:
aggregationKind: SingleAlert
name: 1Password - Changes to SSO configuration
suppressionEnabled: false
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
alertDetailsOverride:
alertDynamicProperties: []
triggerOperator: gt
relevantTechniques:
- T1556
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdsso", "addgsso", "delgsso")
| where object_type == "sso"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
queryFrequency: 5m
description: |-
This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
entityMappings:
- entityType: Account
fieldMappings:
- columnName: ActorUsername
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to SSO configuration.yaml
kind: Scheduled
severity: Medium
tactics:
- Persistence
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9406f5ab-1197-4db9-8042-9f3345be061c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9406f5ab-1197-4db9-8042-9f3345be061c')]",
"properties": {
"alertDetailsOverride": {
"alertDynamicProperties": []
},
"alertRuleTemplateName": "9406f5ab-1197-4db9-8042-9f3345be061c",
"customDetails": null,
"description": "This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"displayName": "1Password - Changes to SSO configuration",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to SSO configuration.yaml",
"query": "OnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action has_any(\"enblsso\", \"disblsso\", \"chngpsso\", \"chngasso\", \"chngdsso\", \"addgsso\", \"delgsso\")\n| where object_type == \"sso\"\n| extend\n ActorUsername = actor_details.email\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1556"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}