1Password - Service account integration token adjustment

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action has_any("create", "trename", "tverify", "trevoke")
  | where object_type == "satoken"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
- entityType: IP
  fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
triggerThreshold: 0
name: 1Password - Service account integration token adjustment
severity: Medium
relevantTechniques:
- T1134
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    lookbackDuration: 1h
    matchingMethod: AllEntities
    enabled: true
    reopenClosedIncident: false
queryPeriod: 5m
tactics:
- DefenseEvasion
kind: Scheduled
queryFrequency: 5m
version: 1.0.0
suppressionEnabled: false
subTechniques:
- T1134.003
id: d54a3cf9-6169-449c-83f1-e7def3359702
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
description: |-
  This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml
suppressionDuration: 5h
triggerOperator: gt