1Password - Successful anomalous sign-in

let rulefrequency = 1h;
let lookback = 14d;
let onePasswordSigninBaseline =
    OnePasswordEventLogs_CL
    | where TimeGenerated between (ago(lookback) .. now())
    | where log_source == "signinattempts"
    | where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
    | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)
    | extend identifier = strcat(target_user_uuid, client_ip_address)
    | summarize make_list(identifier)
;
OnePasswordEventLogs_CL
| where TimeGenerated between (ago(rulefrequency) .. now())
| where log_source == "signinattempts"
| where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
// limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins
// | where country !in~ ("CA", "US")
| extend identifier = strcat(target_user.uuid, client.ip_address)
| where identifier !in (onePasswordSigninBaseline)
| extend
    TargetUsername = target_user.email
    , SrcIpAddr = client.ip_address

triggerThreshold: 0
query: |-
  let rulefrequency = 1h;
  let lookback = 14d;
  let onePasswordSigninBaseline =
      OnePasswordEventLogs_CL
      | where TimeGenerated between (ago(lookback) .. now())
      | where log_source == "signinattempts"
      | where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
      | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)
      | extend identifier = strcat(target_user_uuid, client_ip_address)
      | summarize make_list(identifier)
  ;
  OnePasswordEventLogs_CL
  | where TimeGenerated between (ago(rulefrequency) .. now())
  | where log_source == "signinattempts"
  | where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
  // limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins
  // | where country !in~ ("CA", "US")
  | extend identifier = strcat(target_user.uuid, client.ip_address)
  | where identifier !in (onePasswordSigninBaseline)
  | extend
      TargetUsername = target_user.email
      , SrcIpAddr = client.ip_address  
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: Scheduled
id: ceb20a5c-adce-4eba-9728-541361d47d87
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
suppressionDuration: 1h
alertDetailsOverride:
  alertDynamicProperties: []
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: TargetUsername
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
queryPeriod: 14d
severity: Low
queryFrequency: 1h
triggerOperator: gt
name: 1Password - Successful anomalous sign-in
relevantTechniques:
- T1078
tactics:
- InitialAccess
description: |-
  This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.
  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    reopenClosedIncident: false
    enabled: false
    lookbackDuration: 1h
  createIncident: true
suppressionEnabled: false
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Successful anomalous sign-in.yaml
version: 1.0.0