1Password - Service account integration token adjustment
Id | d54a3cf9-6169-449c-83f1-e7def3359702 |
Rulename | 1Password - Service account integration token adjustment |
Description | This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
Severity | Medium |
Tactics | DefenseEvasion |
Techniques | T1134 |
Required data connectors | 1Password |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml |
Version | 1.0.0 |
Arm template | d54a3cf9-6169-449c-83f1-e7def3359702.json |
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
entityMappings:
- fieldMappings:
- columnName: ActorUsername
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
triggerThreshold: 0
severity: Medium
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 1h
enabled: true
matchingMethod: AllEntities
reopenClosedIncident: false
queryFrequency: 5m
queryPeriod: 5m
suppressionEnabled: false
relevantTechniques:
- T1134
triggerOperator: gt
id: d54a3cf9-6169-449c-83f1-e7def3359702
subTechniques:
- T1134.003
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
version: 1.0.0
name: 1Password - Service account integration token adjustment
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
description: |-
This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
tactics:
- DefenseEvasion
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"properties": {
"alertRuleTemplateName": "d54a3cf9-6169-449c-83f1-e7def3359702",
"customDetails": null,
"description": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"displayName": "1Password - Service account integration token adjustment",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml",
"query": "OnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action has_any(\"create\", \"trename\", \"tverify\", \"trevoke\")\n| where object_type == \"satoken\"\n| extend\n ActorUsername = actor_details.email\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}