1Password - Service account integration token adjustment

OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
    ActorUsername = actor_details.email
    , SrcIpAddr = session.ip

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/1Password/Analytics Rules/1Password - Service account integration token adjustment.yaml
suppressionEnabled: false
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    matchingMethod: AllEntities
    lookbackDuration: 1h
    reopenClosedIncident: false
  createIncident: true
suppressionDuration: 5h
queryPeriod: 5m
name: 1Password - Service account integration token adjustment
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
- fieldMappings:
  - columnName: ActorUsername
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: SrcIpAddr
    identifier: Address
  entityType: IP
version: 1.0.0
description: |-
  This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.

  Ref: https://1password.com/
  Ref: https://github.com/securehats/  
severity: Medium
id: d54a3cf9-6169-449c-83f1-e7def3359702
tactics:
- DefenseEvasion
requiredDataConnectors:
- connectorId: 1Password
  dataTypes:
  - OnePasswordEventLogs_CL
queryFrequency: 5m
triggerThreshold: 0
subTechniques:
- T1134.003
query: |-
  OnePasswordEventLogs_CL
  | where log_source == "auditevents"
  | where action has_any("create", "trename", "tverify", "trevoke")
  | where object_type == "satoken"
  | extend
      ActorUsername = actor_details.email
      , SrcIpAddr = session.ip  
relevantTechniques:
- T1134
kind: Scheduled
triggerOperator: gt