1Password - Service account integration token adjustment
Id | d54a3cf9-6169-449c-83f1-e7def3359702 |
Rulename | 1Password - Service account integration token adjustment |
Description | This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same. Ref: https://1password.com/ Ref: https://github.com/securehats/ |
Severity | Medium |
Tactics | DefenseEvasion |
Techniques | T1134 |
Required data connectors | 1Password |
Kind | Scheduled |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml |
Version | 1.0.0 |
Arm template | d54a3cf9-6169-449c-83f1-e7def3359702.json |
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
incidentConfiguration:
groupingConfiguration:
enabled: true
reopenClosedIncident: false
matchingMethod: AllEntities
lookbackDuration: 1h
createIncident: true
id: d54a3cf9-6169-449c-83f1-e7def3359702
eventGroupingSettings:
aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml
version: 1.0.0
suppressionDuration: 5h
triggerOperator: gt
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
severity: Medium
triggerThreshold: 0
name: 1Password - Service account integration token adjustment
subTechniques:
- T1134.003
tactics:
- DefenseEvasion
description: |-
This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
queryPeriod: 5m
kind: Scheduled
relevantTechniques:
- T1134
queryFrequency: 5m
suppressionEnabled: false
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: ActorUsername
entityType: Account
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"properties": {
"alertRuleTemplateName": "d54a3cf9-6169-449c-83f1-e7def3359702",
"customDetails": null,
"description": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"displayName": "1Password - Service account integration token adjustment",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "ActorUsername",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"reopenClosedIncident": false
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml",
"query": "OnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where action has_any(\"create\", \"trename\", \"tverify\", \"trevoke\")\n| where object_type == \"satoken\"\n| extend\n ActorUsername = actor_details.email\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}