1Password - Changes to SSO configuration

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdsso", "addgsso", "delgsso")
| where object_type == "sso"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

eventGroupingSettings:
  aggregationKind: SingleAlert
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Changes to SSO configuration.yaml
triggerThreshold: 0
description: |-
  This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
relevantTechniques:
- T1556
queryPeriod: 5m
name: 1Password - Changes to SSO configuration
suppressionEnabled: false
alertDetailsOverride:
  alertDynamicProperties: []
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: AllEntities
    lookbackDuration: 1h
    enabled: true
    reopenClosedIncident: false
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
queryFrequency: 5m
triggerOperator: gt
kind: Scheduled
tactics:
- Persistence
severity: Medium
version: 1.0.1
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdsso", "addgsso", "delgsso")
  | where object_type == "sso"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
id: 9406f5ab-1197-4db9-8042-9f3345be061c