unable to pull latest commits
This commit is contained in:
PrasadBoke 2024-04-25 14:37:38 +05:30
Parent 9aaeda5b94
Commit 31e6792484
51 changed files: 4223 additions and 407 deletions


@ -0,0 +1,53 @@
id: 9406f5ab-1197-4db9-8042-9f3345be061c
name: 1Password - Changes to SSO configuration
version: 1.0.0
kind: Scheduled
description: |-
This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1556
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdssoo", "addgsso", "delgsso")
| where object_type == "sso"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
alertDetailsOverride:
alertDynamicProperties: []
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
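Review bot: `chngdssoo` in `| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdssoo", "addgsso", "delgsso")` breaks the pattern of the other `*sso` codes (single trailing `o`); check it against 1Password's audit event action list before merging, because a misspelt code silently drops that event type from the detection with no query error. The same string is embedded in the `query` of the ARM template for this rule later in this commit, so the YAML and JSON copies must be corrected together. Also consider `ActorUsername = tostring(actor_details.email)` and `SrcIpAddr = tostring(session.ip)`: both fields are dynamic and are handed straight to the Account and IP entity mappings, and the other rules in this commit already apply `tostring()` to these fields when comparing them.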


@ -0,0 +1,53 @@
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
name: 1Password - Changes to firewall rules
version: 1.0.0
kind: Scheduled
description: |-
This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "updatfw"
| where object_type == "account"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
subTechniques:
- T1562.007
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
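Review bot: `subTechniques:` with `T1562.007` is placed between `query:` and `suppressionEnabled:`, where it reads as part of the query block, rather than next to `relevantTechniques:` which it refines; YAML ordering does not matter, but moving it directly under `relevantTechniques` keeps the ATT&CK mapping together and makes the rule files in this commit easier to scan side by side. The filter `action == "updatfw"` with `object_type == "account"` is otherwise consistent with the other audit rules.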


@ -0,0 +1,51 @@
id: 92ab0938-1e7c-4671-9810-392e8b9714da
name: 1Password - Disable MFA factor or type for all user accounts
version: 1.0.0
kind: Scheduled
description: |-
This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: High
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1556
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "disblmfa"
| where object_type == "account"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
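Review bot: This rule and "1Password - User account MFA settings changed" (also in this commit) both match `action == "disblmfa"`; the only discriminator is `object_type == "account"` here versus `"user"` there. The description should state that this is the account-wide MFA policy being disabled (hence High) so the two alerts are not confused in triage, and a comment on the `object_type` line would stop the next maintainer from "deduplicating" the two rules. Unlike most other rules in this commit, no `subTechniques` entry refines T1556 here.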


@ -0,0 +1,42 @@
id: bf9132c7-9d4d-4244-98c7-7d994703c208
name: 1Password - Log Ingestion Failure
version: 1.0.0
kind: Scheduled
description: |-
This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.
Log ingestion troubleshooting:
<insert URL>
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: Equal
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1562
query: |-
OnePasswordEventLogs_CL
| where log_source == "healthevents"
subTechniques:
- T1562.008
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
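Review bot: `triggerOperator: Equal` is the ARM-style value, while every other rule in this commit uses the YAML short form (`gt`); use `eq` here so the file follows the same convention and the YAML-to-ARM conversion does not need a special case. The description still contains the `<insert URL>` placeholder for the troubleshooting link, which has to be filled in or removed before merge. Note that the query (`OnePasswordEventLogs_CL | where log_source == "healthevents"`) only proves that health events stopped arriving; it does not tell an analyst whether audit, sign-in or item-usage events are still flowing, and mapping an ingestion outage to DefenseEvasion/T1562.008 puts an operational failure into the same incident queue as tampering. Consider a lower severity or a sentence in the description that this is a pipeline health check.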


@ -0,0 +1,57 @@
id: 9a264487-bcb8-4c7f-a461-b289a46377b8
name: 1Password - Manual account creation
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.
Ref: https://support.1password.com/scim/
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1136
query: |-
OnePasswordEventLogs_CL
| where action == "create"
| where object_type == "invite"
| where actor_details.email !endswith "@1passwordserviceaccounts.com"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, TargetUsername = aux_info
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AnyAlert
suppressionDuration: 1h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
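Review bot: `| where actor_details.email !endswith "@1passwordserviceaccounts.com"` applies a string operator to a dynamic field; write `tostring(actor_details.email) !endswith ...`, as the later rules in this commit do for comparisons. The rule also has no `| where log_source == "auditevents"` filter, which every other audit-based rule in this commit applies; add it for consistency so a `create`/`invite` pair from another log source cannot match. Finally, `TargetUsername = aux_info` is mapped to an Account entity; confirm that `aux_info` holds the invited user's address for `object_type == "invite"` events, and state in the description that the SCIM bridge identity is expected to come from `@1passwordserviceaccounts.com`, since that suffix is the whole basis of the exclusion.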


@ -0,0 +1,53 @@
id: 26daed54-cea5-469c-9b6e-0d85a40dc463
name: 1Password - New service account integration created
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1136
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "create"
| where object_type == "sa"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
subTechniques:
- T1136.003
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
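Review bot: The description says "a new integration has been created" while the name and the filter `object_type == "sa"` are about service accounts; align the description with the query so the incident text tells the analyst that a service account was created. T1136.003 is a reasonable mapping for that.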


@ -0,0 +1,67 @@
id: 327e0579-7c03-4ec7-acf5-a29dcc4a12b6
name: 1Password - Non-privileged vault user permission change
version: 1.0.0
kind: Scheduled
description: |-
This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1098
query: |-
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("grant", "revoke", "update")
| where object_type == "uva"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid !in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid !in (vaults)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
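Review bot: The two comments `// Enable the line below when using the "Privileged Vaults - 1PW" watchlist` and `// Enable the line below when using the dynamic vaults list ...` precede one active line and one commented line, so "enable" is misleading for the first; reword to say that exactly one of `| where object_uuid !in (watchlist)` and `// | where object_uuid !in (vaults)` must be active. Note also that `_GetWatchlist("PV1PW")` is evaluated even when the dynamic list is the intended mechanism, so a workspace without that watchlist gets a failing rule rather than a fallback; state the watchlist prerequisite in the description. The placeholder `let vaults = dynamic([""]);` is fine, but its empty-string element means an event with an empty `object_uuid` would be excluded by `!in (vaults)` once that line is enabled.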


@ -0,0 +1,64 @@
id: 398a1cf1-f56f-4700-912c-9bf4c8409ebc
name: 1Password - Potential insider privilege escalation via group
version: 1.0.0
kind: Scheduled
description: |-
This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("join", "role")
| where object_type == "gm"
| where tostring(actor_details.email) == tostring(aux_details.email)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
subTechniques:
- T1078.004
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
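Review bot: `GroupRole` is computed by the `case()` but never surfaced: it is not in `entityMappings`, and the rule has no `customDetails`. Add a `customDetails` entry (for example `GroupRole: GroupRole`) so the analyst sees "Group member" versus "Group manager" in the incident without re-running the query, since self-promotion to manager is the interesting case. Also confirm that `"role"` in `action has_any("join", "role")` is the complete action code: `has_any` matches whole terms, so if the real code is a longer token this clause will never fire.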


@ -0,0 +1,59 @@
id: a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed
name: 1Password - Potential insider privilege escalation via vault
version: 1.0.0
kind: Scheduled
description: |-
This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1078
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("grant", "update")
| where object_type == "uva"
| where tostring(actor_details.email) == tostring(aux_details.email)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
subTechniques:
- T1078.004
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
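Review bot: `action has_any("grant", "update")` deliberately omits `"revoke"`, which the two vault-permission-change rules in this commit include; add a one-line comment saying that self-revocation is out of scope here, otherwise the next maintainer will "fix" the list for consistency. The self-change condition `tostring(actor_details.email) == tostring(aux_details.email)` is correct and the mapped columns are named consistently with the group variant.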


@ -0,0 +1,68 @@
id: 76e386eb-f51a-4600-97d1-f0db3b7e41f1
name: 1Password - Privileged vault permission change
version: 1.0.0
kind: Scheduled
description: |-
This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: High
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1098
query: |-
let watchlist =
_GetWatchlist("PV1PW")
| project SearchKey
;
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
let vaults = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where
(action has_any("grant", "revoke", "update") and object_type == "uva") or
(action has_any("grant", "revoke", "update") and object_type == "gva")
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic vaults list within the analytics rule itself
// | where object_uuid in (vaults)
| extend
TargetUsername = case(isnotempty(aux_details), aux_details.email, "")
, TargetGroupUUID = case(isempty(aux_details), aux_uuid, "")
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
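Review bot: The predicate `(action has_any("grant", "revoke", "update") and object_type == "uva") or (action has_any("grant", "revoke", "update") and object_type == "gva")` repeats the action test; `action has_any("grant", "revoke", "update") and object_type in ("uva", "gva")` is equivalent and easier to keep in sync. `TargetGroupUUID` is extended but is neither entity-mapped nor in `customDetails`, so group-level (`gva`) changes reach the analyst with an empty `TargetUsername` and no indication of which group was affected; add it to `customDetails`. In `TargetUsername = case(isnotempty(aux_details), aux_details.email, "")` the then-branch is dynamic and the else-branch is a string literal; `tostring(aux_details.email)` avoids the mixed-type `case()` and gives the entity mapping a string column.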


@ -1,13 +1,16 @@
id: 395db1d2-fb5a-44a8-9f8c-bf539d4d26ce
id: 6711b747-16d7-4df4-9f61-8633617f45d7
name: 1Password - Secret extraction post vault access change by administrator
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: High
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 1h
triggerOperator: gt
@ -17,11 +20,10 @@ tactics:
relevantTechniques:
- T1555
query: |-
let ruleFrequency = 5m;
let lookback = 1h;
let secretExtractionActivity =
OnePasswordEventLogs_CL
| where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))
| where TimeGenerated between (ago(lookback) .. now())
| where log_source == "itemusages"
| where action has_any("server-fetch", "reveal", "secure-copy")
;
@ -62,9 +64,7 @@ incidentConfiguration:
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
suppressionDuration: 1h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
@ -76,5 +76,4 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
suppressionDuration: 5h
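Review bot: The rule `id` changes from `395db1d2-...` to `6711b747-...`; because the ARM resource name is built from this id (`/alertRules/<id>`, as in the templates later in this commit), this deploys a second rule and leaves the old one orphaned in workspaces that already have it. If the intent is to replace the rule, say so in the commit and remove the old one. In the query, the window becomes `ago(lookback) .. now()`, which no longer references `ruleFrequency`; make sure `let ruleFrequency = 5m;` is dropped with it (the hunk counts `-17,11 +20,10` suggest it was) so no dead binding remains. `suppressionDuration` moving from `5h` to `1h` matches `lookbackDuration: 1h`, which is sensible for a correlation rule.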


@ -0,0 +1,53 @@
id: d54a3cf9-6169-449c-83f1-e7def3359702
name: 1Password - Service account integration token adjustment
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1134
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("create", "trename", "tverify", "trevoke")
| where object_type == "satoken"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
subTechniques:
- T1134.003
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
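Review bot: The mapping DefenseEvasion/T1134.003 (access token manipulation) is a stretch for service-account token lifecycle events; T1098 (account manipulation), which this commit already uses for the vault and group permission rules, describes creating, renaming or revoking credentials for an account more closely. Also confirm `"create"` in `action has_any("create", "trename", "tverify", "trevoke")` for `object_type == "satoken"`: the other three codes carry a `t` prefix, so a `t`-prefixed create code would not be matched by the current list.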


@ -0,0 +1,67 @@
id: ceb20a5c-adce-4eba-9728-541361d47d87
name: 1Password - Successful anomalous sign-in
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Low
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
query: |-
let rulefrequency = 1h;
let lookback = 14d;
let onePasswordSigninBaseline =
OnePasswordEventLogs_CL
| where TimeGenerated between (ago(lookback) .. now())
| where log_source == "signinattempts"
| where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
| summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)
| extend identifier = strcat(target_user_uuid, client_ip_address)
| summarize make_list(identifier)
;
OnePasswordEventLogs_CL
| where TimeGenerated between (ago(rulefrequency) .. now())
| where log_source == "signinattempts"
| where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
// limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins
// | where country !in~ ("CA", "US")
| extend identifier = strcat(target_user.uuid, client.ip_address)
| where identifier !in (onePasswordSigninBaseline)
| extend
TargetUsername = target_user.email
, SrcIpAddr = client.ip_address
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 1h
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDynamicProperties: []
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
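Review bot: Two logic problems make this rule either always fire or never fire. First, the baseline ends with `| summarize make_list(identifier)`, which produces a single row whose one column is an array; `| where identifier !in (onePasswordSigninBaseline)` then compares each string to that array value rather than to its elements, so nothing ever matches and every successful sign-in in the last hour alerts. Replace the `make_list` line with `| distinct identifier` so the let returns a one-column table of strings. Second, once that is fixed, the baseline window `ago(lookback) .. now()` includes the current hour, so every event the detection window sees is also in the baseline and the rule never fires; end the baseline at `ago(rulefrequency)`, which is presumably why that variable is declared. Two smaller points: the commented exclusion `// | where country !in~ ("CA", "US")` references a `country` column that does not exist at that point (the field is `location.country`), so enabling it as written errors; and the first `summarize count() by ... tostring(location.country)` includes country in the key but not in `identifier`, which is harmless but misleading.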


@ -0,0 +1,52 @@
id: 3c8140eb-e946-4bf2-8c61-03e4df56d400
name: 1Password - User account MFA settings changed
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
- DefenseEvasion
relevantTechniques:
- T1556
query: |-
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action has_any("enblmfa", "updatmfa", "disblmfa")
| where object_type == "user"
| extend
ActorUsername = actor_details.email
, SrcIpAddr = session.ip
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
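Review bot: `queryFrequency: 30m` / `queryPeriod: 30m` is the only 30-minute cadence in this commit; the sibling rule "Disable MFA factor or type for all user accounts" runs every 5 minutes for the same `disblmfa` action. Unless the slower cadence is intentional (say so in the description), use 5m so an MFA downgrade on a single user is seen as quickly as the account-wide one. The rule also lists two tactics but no `subTechniques`, unlike most rules in this commit.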


@ -0,0 +1,70 @@
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
name: 1Password - User added to privileged group
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
relevantTechniques:
- T1098
query: |-
let watchlist =
_GetWatchlist("PG1PW")
| project SearchKey
;
let groups = dynamic([""]);
OnePasswordEventLogs_CL
| where log_source == "auditevents"
| where action == "join"
| where object_type == "gm"
| where tostring(actor_details.email) != tostring(aux_details.email)
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
| where object_uuid in (watchlist)
// Enable the line below when using the dynamic groups list within the analytics rule itself
// | where object_uuid in (groups)
| extend
TargetUsername = aux_details.email
, ActorUsername = actor_details.email
, SrcIpAddr = session.ip
, GroupRole = case(
aux_info == "R", "Group member"
, aux_info == "A", "Group manager"
, aux_info
)
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 30m
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: ActorUsername
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
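Review bot: `let groups = dynamic([""]);` lacks the explanatory comment that the vault rules in this commit carry above their `let vaults = dynamic([""]);` line; add the same "Insert the group UUIDs below ..." note, since otherwise the placeholder looks like a finished list. `GroupRole` is computed by the `case()` but is not surfaced in `customDetails`, so whether the target became a member or a manager is lost in the incident; add it. The watchlist name in `_GetWatchlist("PG1PW")` is a hard prerequisite that should appear in the description, because the query fails rather than falls back when the watchlist is absent.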


@ -1,4 +1,4 @@
id: 969e2e5c-9cc6-423c-a3de-514f7ad75fe7
id: 969e2e5c-9cc6-423c-a3de-514f7ad75fe7
name: 1Password - Vault export post account creation
version: 1.0.0
kind: Scheduled
@ -8,6 +8,10 @@ description: |-
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@ -38,19 +42,6 @@ query: |-
| extend
TargetUsername = object_details1.email
, SrcIpAddr = session1.ip_address
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
@ -60,5 +51,15 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
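Review bot: The `id` line appears as both old and new with identical text (`969e2e5c-...`), which points to a whitespace or line-ending change; the ARM templates in this commit embed `\r\n` in their query strings, so the repository is mixing CRLF and LF. Normalise line endings (for example with a `.gitattributes` rule) so future diffs show only real changes. The rest of the hunk moves `incidentConfiguration` below `entityMappings`, drops the empty `groupByEntities`/`groupByAlertDetails`/`groupByCustomDetails` lists and adds `suppressionDuration: 5h`; that is a reorder with no behavioural change apart from the added suppression, which deserves a word in the commit message.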


@ -1,13 +1,16 @@
id: cb23d6cb-4b2e-44a7-b48e-040dd043147b
id: dae4c601-51c9-47f5-83d3-e6eaef929cf6
name: 1Password - Vault export
version: 1.0.0
kind: Scheduled
description: |-
This will alert when a successful vault export has occurred within 1Password.
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Low
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
@ -18,7 +21,8 @@ relevantTechniques:
- T1555
query: |-
OnePasswordEventLogs_CL
| where action == "export" and object_type == "vault"
| where action == "export"
| where object_type == "vault"
| extend
TargetUsername = actor_details.email
, SrcIpAddr = session.ip
@ -26,13 +30,11 @@ suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
enabled: true
reopenClosedIncident: false
lookbackDuration: 5h
lookbackDuration: 1h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
suppressionDuration: 1h
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
@ -44,5 +46,4 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
suppressionDuration: 5h
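Review bot: The `id` changes from `cb23d6cb-...` to `dae4c601-...`, which deploys a new rule and orphans the old one in any workspace that already has it (the ARM resource name is derived from this id); confirm this is intended and remove the old rule. In the query, `TargetUsername = actor_details.email` names the exporter as the target while every other rule in this commit maps `actor_details.email` to `ActorUsername`; use `ActorUsername` here too so the Account entity means the same thing across rules. The grouping change (`enabled: true`, `lookbackDuration: 1h`, `suppressionDuration: 1h`) is consistent with the other rules.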


@ -1,4 +1,4 @@
id: 51617533-cf51-4415-9020-b15bd47d69d2
id: 51617533-cf51-4415-9020-b15bd47d69d2
name: 1Password - Vault export prior to account suspension or deletion
version: 1.0.0
kind: Scheduled
@ -8,6 +8,10 @@ description: |-
Ref: https://1password.com/
Ref: https://github.com/securehats/
severity: Medium
requiredDataConnectors:
- connectorId: 1Password
dataTypes:
- OnePasswordEventLogs_CL
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
@ -46,19 +50,6 @@ query: |-
, exported_vault = object_details
, TargetUsername
, SrcIpAddr
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
entityMappings:
- entityType: Account
fieldMappings:
@ -68,5 +59,15 @@ entityMappings:
fieldMappings:
- identifier: Address
columnName: SrcIpAddr
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 1h
matchingMethod: AllEntities
suppressionDuration: 5h
eventGroupingSettings:
aggregationKind: SingleAlert
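Review bot: The `id` line shows as changed with identical content (`51617533-...`), which is a line-ending or trailing-whitespace change rather than a real edit; normalise line endings so diffs stay meaningful. `exported_vault = object_details` is projected in the query but is not in `customDetails`, so the vault that was exported does not appear in the incident; add it, since that is the first thing an analyst will ask for when an export precedes a suspension or deletion. The moved `incidentConfiguration` block is otherwise a reorder plus the new `suppressionDuration: 5h`.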


@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9406f5ab-1197-4db9-8042-9f3345be061c')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9406f5ab-1197-4db9-8042-9f3345be061c')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Changes to SSO configuration",
"description": "This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"enblsso\", \"disblsso\", \"chngpsso\", \"chngasso\", \"chngdssoo\", \"addgsso\", \"delgsso\")\r\n| where object_type == \"sso\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence"
],
"techniques": [
"T1556"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": {
"alertDynamicProperties": []
},
"customDetails": {},
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
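Review bot: This template duplicates the YAML rule by hand (the `query` string carries the same `chngdssoo` code as the YAML file, and the description is copied verbatim), so every fix has to be made twice; if the JSON is generated from the YAML, commit the generator invocation or a note saying so, and if it is not, consider generating it. `"subTechniques": []`, `"alertDetailsOverride": {"alertDynamicProperties": []}` and `"customDetails": {}` are empty values here but `null` in the next template of this commit; pick one shape for all templates so they can be diffed against each other. `"apiVersion": "2023-12-01-preview"` is a preview API version; note whether a stable version is acceptable for the properties used here.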


@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Changes to firewall rules",
"description": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"updatfw\"\r\n| where object_type == \"account\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1562"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1562.007"
]
}
}
]
}
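Review bot: the `extend` in the `"query"` line leaves `ActorUsername = actor_details.email` and `SrcIpAddr = session.ip` as dynamic-typed properties, yet both are mapped to the Account and IP entities further down; cast them as `tostring(actor_details.email)` and `tostring(session.ip)` so the mapped columns are plain strings, which is what the "Secret extraction" rule in this same commit already does with `tostring(client1.ip_address)`. The description also reads "upto an hour"; "up to" is the intended wording, and the same typo is repeated in the other new rule descriptions in this commit.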

View file

@ -0,0 +1,79 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/92ab0938-1e7c-4671-9810-392e8b9714da')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/92ab0938-1e7c-4671-9810-392e8b9714da')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Disable MFA factor or type for all user accounts",
"description": "This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "High",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"disblmfa\"\r\n| where object_type == \"account\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1556"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
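Review bot: `subTechniques` is left empty although T1556 has a sub-technique for multi-factor authentication, T1556.006, which is exactly the behaviour this rule matches with `action == "disblmfa"`; set `"subTechniques": ["T1556.006"]`. Note also that the same `disblmfa` action is matched by the "User account MFA settings changed" rule in this commit with `object_type == "user"`, so the `object_type == "account"` filter here is the only thing keeping the two rules from firing on the same event; that distinction (account-wide versus single user) deserves a sentence in the description.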

View file

@ -0,0 +1,62 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf9132c7-9d4d-4244-98c7-7d994703c208')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf9132c7-9d4d-4244-98c7-7d994703c208')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Log Ingestion Failure",
"description": "This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.\n\nLog ingestion troubleshooting:\n<insert URL>\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"healthevents\"",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "Equal",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1562"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": null,
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1562.008"
]
}
}
]
}
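Review bot: the description still carries the `<insert URL>` placeholder under "Log ingestion troubleshooting:"; fill it in or drop that line before this ships, since the text is rendered verbatim in every incident. Separately, with `queryFrequency` and `queryPeriod` both PT1H and `triggerOperator` Equal / `triggerThreshold` 0, the rule fires only when an entire one-hour run window contains zero health events; an outage that straddles two consecutive windows (35 minutes at the end of one and 35 minutes at the start of the next) leaves a non-zero count in both and never alerts, even though ingestion was down longer than the hour the description promises. A shorter frequency with the same period, or a `summarize max(TimeGenerated)` compared against `ago(1h)`, avoids that gap.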

View file

@ -8,22 +8,22 @@
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef8a4e9-1d08-4743-939f-c995c795c5e8')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef8a4e9-1d08-4743-939f-c995c795c5e8')]",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a264487-bcb8-4c7f-a461-b289a46377b8')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a264487-bcb8-4c7f-a461-b289a46377b8')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Manual account creation",
"description": "This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where actor_details.email !endswith \"@1passwordserviceaccounts.com\"\r\n| where action == \"create\"\r\n and object_type == \"invite\"\r\n| extend\r\n TargetUsername = target_user.email\r\n , SrcIpAddr = client.ip_address",
"query": "OnePasswordEventLogs_CL\n| where action == \"create\"\n| where object_type == \"invite\"\n| where actor_details.email !endswith \"@1passwordserviceaccounts.com\"\n| extend\n ActorUsername = actor_details.email\n , SrcIpAddr = session.ip\n , TargetUsername = aux_info",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
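Review bot: the rewritten `"query"` line has no `log_source` filter, whereas every other auditevents rule in this commit starts with `| where log_source == "auditevents"`; add the same filter so the `action == "create"` / `object_type == "invite"` test is not evaluated against itemusages and signinattempts rows as well. The target account also moves from `target_user.email` in the old query to `TargetUsername = aux_info`; if `aux_info` holds the invitee's address for invite events that is fine, but it is a free-form field and should be cast with `tostring()` before being mapped as an Account entity. Finally, `suppressionDuration` changes from PT5H to PT1H while `suppressionEnabled` stays false, so that edit has no effect either way.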
@ -32,14 +32,14 @@
"techniques": [
"T1136"
],
"alertRuleTemplateName": null,
"alertRuleTemplateName": "4ef8a4e9-1d08-4743-939f-c995c795c5e8",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5M",
"matchingMethod": "AllEntities",
"lookbackDuration": "PT1H",
"matchingMethod": "AnyAlert",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
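Review bot: `matchingMethod` changes from `AllEntities` to `AnyAlert` together with a PT1H `lookbackDuration`, which folds every alert this rule raises within an hour into one incident regardless of which actor created the invite or from which IP; manual invites by two unrelated administrators would share an incident. If the goal is less incident noise, `AllEntities` (as the sibling rules keep) or `Selected` with `groupByEntities` set to the Account entity keeps unrelated actors apart. `alertRuleTemplateName` now points at `4ef8a4e9-1d08-4743-939f-c995c795c5e8`, the GUID that the `id`/`name` lines in the first hunk were changed away from; that is consistent with turning the old rule into the template for the new one, but worth confirming it is deliberate.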
@ -56,7 +56,7 @@
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
"columnName": "ActorUsername"
}
]
},
@ -68,10 +68,20 @@
"columnName": "SrcIpAddr"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
"templateVersion": "1.0.0",
"subTechniques": []
}
}
]
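Review bot: `subTechniques` is added as an empty list although the "New service account integration created" rule in this same commit maps the same technique, T1136, to `T1136.003` (Cloud Account); a manually created 1Password account is the same sub-technique, so set `"subTechniques": ["T1136.003"]` here too. The new second Account mapping (`TargetUsername`) is placed after the IP mapping while the other multi-account rules in this commit list both Account mappings before the IP mapping; functionally harmless, but reordering keeps the templates uniform.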

View file

@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26daed54-cea5-469c-9b6e-0d85a40dc463')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26daed54-cea5-469c-9b6e-0d85a40dc463')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - New service account integration created",
"description": "This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"create\"\r\n| where object_type == \"sa\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence"
],
"techniques": [
"T1136"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1136.003"
]
}
}
]
}
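Review bot: `queryFrequency` and `queryPeriod` are both PT5M, so each run evaluates only the five minutes since the previous run; an audit event that reaches `OnePasswordEventLogs_CL` a few minutes after it occurred (connector polling plus ingestion latency) can fall between two windows and is never evaluated. The pattern Microsoft documents for this is a `queryPeriod` longer than the frequency (PT1H, say) combined with `| where ingestion_time() > ago(5m)` in the query, so late-arriving rows are still caught exactly once instead of being missed or re-alerted on every overlapping run. The same PT5M/PT5M pairing is used by most of the new rules in this commit.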

View file

@ -0,0 +1,88 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Non-privileged vault user permission change",
"description": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "let watchlist =\r\n _GetWatchlist(\"PV1PW\")\r\n | project SearchKey\r\n;\r\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\r\nlet vaults = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"grant\", \"revoke\", \"update\")\r\n| where object_type == \"uva\"\r\n| where tostring(actor_details.email) != tostring(aux_details.email)\r\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\r\n| where object_uuid !in (watchlist)\r\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\r\n// | where object_uuid !in (vaults)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
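Review bot: the query comment `// Enable the line below when using the "Privileged Vaults - 1PW" watchlist` precedes `| where object_uuid !in (watchlist)`, which is already active, so as committed the rule hard-depends on a watchlist with alias `PV1PW` existing in the workspace and fails on every run where it does not; either comment that line out like its `vaults` counterpart so the rule works out of the box, or state the watchlist prerequisite in the description. The `let vaults = dynamic([""])` fallback also starts with an empty-string element, so anyone switching to it must replace that element rather than append to the list.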

View file

@ -0,0 +1,90 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/398a1cf1-f56f-4700-912c-9bf4c8409ebc')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/398a1cf1-f56f-4700-912c-9bf4c8409ebc')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Potential insider privilege escalation via group",
"description": "This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"join\", \"role\")\r\n| where object_type == \"gm\"\r\n| where tostring(actor_details.email) == tostring(aux_details.email)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip\r\n , GroupRole = case(\r\n aux_info == \"R\", \"Group member\"\r\n , aux_info == \"A\", \"Group manager\"\r\n , aux_info\r\n )",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1078.004"
]
}
}
]
}
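Review bot: `GroupRole` is computed in the query (mapping `aux_info` "R"/"A" to "Group member"/"Group manager") but `customDetails` is `null` and no entity uses it, so the value never reaches the alert; add `"customDetails": {"GroupRole": "GroupRole"}` so analysts see whether the self-granted role was membership or management without opening the raw event. The actor and target mappings are both Account/FullName for the same person here (the query requires `actor_details.email == aux_details.email`), so the second Account entity adds no information; keeping only `ActorUsername` would be enough.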

View file

@ -0,0 +1,90 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Potential insider privilege escalation via vault",
"description": "This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"grant\", \"update\")\r\n| where object_type == \"uva\"\r\n| where tostring(actor_details.email) == tostring(aux_details.email)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1078.004"
]
}
}
]
}
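Review bot: this rule and the "Privileged vault permission change" rule in the same commit overlap: both match `action has_any("grant", "update")` on `object_type == "uva"`, and this one has no watchlist exclusion, so a self-grant inside a vault listed in `PV1PW` raises a Medium alert here and a High alert there for the same event. Either add `| where object_uuid !in (watchlist)` here, as the non-privileged rule does, or state in the description that the two are expected to co-fire.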

View file

@ -0,0 +1,88 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/76e386eb-f51a-4600-97d1-f0db3b7e41f1')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/76e386eb-f51a-4600-97d1-f0db3b7e41f1')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Privileged vault permission change",
"description": "This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "High",
"enabled": true,
"query": "let watchlist =\r\n _GetWatchlist(\"PV1PW\")\r\n | project SearchKey\r\n;\r\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\r\nlet vaults = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where\r\n (action has_any(\"grant\", \"revoke\", \"update\") and object_type == \"uva\") or\r\n (action has_any(\"grant\", \"revoke\", \"update\") and object_type == \"gva\")\r\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\r\n| where object_uuid in (watchlist)\r\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\r\n// | where object_uuid in (vaults)\r\n| extend\r\n TargetUsername = case(isnotempty(aux_details), aux_details.email, \"\")\r\n , TargetGroupUUID = case(isempty(aux_details), aux_uuid, \"\")\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
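Review bot: the `where` in the `"query"` line repeats the same `action has_any("grant", "revoke", "update")` test on both sides of the `or`; `| where action has_any("grant", "revoke", "update") and object_type in ("uva", "gva")` says the same thing once. `TargetGroupUUID` is extended for the `gva` case but is neither mapped to an entity nor exposed via `customDetails` (which is `null`), so group-level permission changes surface with an empty `TargetUsername` and no indication of which group changed; add it to `customDetails` at least. Same remark as for the non-privileged rule: the "Enable the line below" comment sits above a watchlist line that is already enabled.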

View file

@ -8,22 +8,22 @@
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/395db1d2-fb5a-44a8-9f8c-bf539d4d26ce')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/395db1d2-fb5a-44a8-9f8c-bf539d4d26ce')]",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6711b747-16d7-4df4-9f61-8633617f45d7')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6711b747-16d7-4df4-9f61-8633617f45d7')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Secret extraction post vault access change by administrator",
"description": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"description": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "High",
"enabled": true,
"query": "let ruleFrequency = 5m;\r\nlet lookback = 1h;\r\nlet secretExtractionActivity =\r\n OnePasswordEventLogs_CL\r\n | where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))\r\n | where log_source == \"itemusages\"\r\n | where action has_any(\"server-fetch\", \"reveal\", \"secure-copy\")\r\n;\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where (action == \"grant\" and object_type == \"uva\") or (action == \"update\" and object_type == \"uva\")\r\n| where tostring(actor_details.uuid) == tostring(aux_details.uuid)\r\n| extend\r\n userUuid = tostring(actor_details.uuid)\r\n , vaultUuid = tostring(object_uuid)\r\n| join (\r\n secretExtractionActivity\r\n | extend\r\n userUuid = tostring(user.uuid)\r\n , vaultUuid = tostring(vault_uuid)\r\n )\r\n on $left.userUuid == $right.userUuid and $left.vaultUuid == $right.vaultUuid\r\n| extend\r\n auditevents = bag_pack(\"action\", action, \"object_type\", object_type)\r\n , itemusages = bag_pack(\"action\", action1, \"object_type\", object_type1)\r\n , vault_details = bag_pack(\"vault_uuid\", vault_uuid1, \"item_uuid\", item_uuid1)\r\n| project\r\n TimeGenerated\r\n , actor_details\r\n , target_details = aux_details\r\n , location_details = location\r\n , client_details = client1\r\n , auditevents\r\n , itemusages\r\n , vault_details\r\n , TargetUsername = tostring(user1.email)\r\n , SrcIpAddr = tostring(client1.ip_address)",
"query": "let lookback = 1h;\nlet secretExtractionActivity =\n OnePasswordEventLogs_CL\n | where TimeGenerated between (ago(lookback) .. now())\n | where log_source == \"itemusages\"\n | where action has_any(\"server-fetch\", \"reveal\", \"secure-copy\")\n;\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where (action == \"grant\" and object_type == \"uva\") or (action == \"update\" and object_type == \"uva\")\n| where tostring(actor_details.uuid) == tostring(aux_details.uuid)\n| extend\n userUuid = tostring(actor_details.uuid)\n , vaultUuid = tostring(object_uuid)\n| join (\n secretExtractionActivity\n | extend\n userUuid = tostring(user.uuid)\n , vaultUuid = tostring(vault_uuid)\n )\n on $left.userUuid == $right.userUuid and $left.vaultUuid == $right.vaultUuid\n| extend\n auditevents = bag_pack(\"action\", action, \"object_type\", object_type)\n , itemusages = bag_pack(\"action\", action1, \"object_type\", object_type1)\n , vault_details = bag_pack(\"vault_uuid\", vault_uuid1, \"item_uuid\", item_uuid1)\n| project\n TimeGenerated\n , actor_details\n , target_details = aux_details\n , location_details = location\n , client_details = client1\n , auditevents\n , itemusages\n , vault_details\n , TargetUsername = tostring(user1.email)\n , SrcIpAddr = tostring(client1.ip_address)",
"queryFrequency": "PT5M",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
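Review bot: the join in the new `"query"` line matches on `userUuid` and `vaultUuid` only; there is no comparison between the auditevents row's `TimeGenerated` and the itemusages row's `TimeGenerated1`, so an item reveal that happened before the administrator changed their own access still satisfies the join, contrary to the "after" in the description. Add `| where TimeGenerated1 >= TimeGenerated` after the join. The rewrite also replaces the old `between (ago(lookback) .. ago(now() - ago(ruleFrequency)))` with `between (ago(lookback) .. now())`, which is the right window for the extraction side, but the auditevents side now carries no time filter at all and relies solely on `queryPeriod` PT1H.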
@ -32,7 +32,7 @@
"techniques": [
"T1555"
],
"alertRuleTemplateName": null,
"alertRuleTemplateName": "395db1d2-fb5a-44a8-9f8c-bf539d4d26ce",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
@ -71,7 +71,8 @@
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
"templateVersion": "1.0.0",
"subTechniques": []
}
}
]
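Review bot: `subTechniques` is set to an empty list while the technique is T1555 (Credentials from Password Stores), whose sub-technique T1555.005 is Password Managers, which is exactly what 1Password item reveals and secure-copies are; set `"subTechniques": ["T1555.005"]`.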

View file

@ -0,0 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d54a3cf9-6169-449c-83f1-e7def3359702')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Service account integration token adjustment",
"description": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"create\", \"trename\", \"tverify\", \"trevoke\")\r\n| where object_type == \"satoken\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1134"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": [
"T1134.003"
]
}
}
]
}
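Review bot: the technique mapping is T1134 with sub-technique T1134.003, which in ATT&CK describes manipulating Windows process access tokens (Make and Impersonate Token), not creating or revoking an API token for a service account; `satoken` create/rename/verify/revoke is closer to T1098 Account Manipulation (the technique the vault permission rules in this commit use), specifically its Additional Cloud Credentials sub-technique T1098.001, or to T1136.003 as used by the service account creation rule. The tactic would then be Persistence rather than DefenseEvasion.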

View file

@ -8,22 +8,22 @@
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ac54655-e213-424f-a676-c90cfe59e927')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ac54655-e213-424f-a676-c90cfe59e927')]",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb20a5c-adce-4eba-9728-541361d47d87')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb20a5c-adce-4eba-9728-541361d47d87')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Successful anomalous sign-in",
"description": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"description": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Low",
"enabled": true,
"query": "let ruleFrequency = 1h;\r\nlet lookback = 14d;\r\nlet onePasswordSigninBaseline =\r\n OnePasswordEventLogs_CL\r\n | where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))\r\n | where log_source == \"signinattempts\"\r\n | where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\r\n | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)\r\n | extend identifier = strcat(target_user_uuid, client_ip_address)\r\n | summarize make_list(identifier)\r\n;\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"signinattempts\"\r\n| where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\r\n| extend identifier = strcat(target_user.uuid, client.ip_address)\r\n| where identifier !in (onePasswordSigninBaseline)\r\n| extend\r\n TargetUsername = target_user.email\r\n , SrcIpAddr = client.ip_address",
"query": "let rulefrequency = 1h;\nlet lookback = 14d;\nlet onePasswordSigninBaseline =\n OnePasswordEventLogs_CL\n | where TimeGenerated between (ago(lookback) .. now())\n | where log_source == \"signinattempts\"\n | where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\n | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)\n | extend identifier = strcat(target_user_uuid, client_ip_address)\n | summarize make_list(identifier)\n;\nOnePasswordEventLogs_CL\n| where TimeGenerated between (ago(rulefrequency) .. now())\n| where log_source == \"signinattempts\"\n| where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\n// limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins\n// | where country !in~ (\"CA\", \"US\")\n| extend identifier = strcat(target_user.uuid, client.ip_address)\n| where identifier !in (onePasswordSigninBaseline)\n| extend\n TargetUsername = target_user.email\n , SrcIpAddr = client.ip_address",
"queryFrequency": "PT1H",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
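Review bot: two logic problems in the rewritten `query`. First, the baseline window is now `between (ago(lookback) .. now())` while the detection window is `between (ago(rulefrequency) .. now())`, so every sign-in evaluated in the current run is also inside `onePasswordSigninBaseline`; the old `ago(now() - ago(ruleFrequency))` was a roundabout spelling of `ago(ruleFrequency)` that excluded the current run, and that exclusion should be kept by ending the baseline at `ago(rulefrequency)` instead of `now()`. Second, `| summarize make_list(identifier)` leaves the baseline as a single row holding one dynamic array, so `| where identifier !in (onePasswordSigninBaseline)` compares a string against an array rather than against the set of identifiers; drop the `make_list` step (or use `| distinct identifier`) so the `in` operator sees a single-column list of strings. Smaller: the commented filter `// | where country !in~ ("CA", "US")` references a column `country` that does not exist in this query (the field is `location.country`, used as `tostring(location.country)` in the baseline), so it fails the moment someone enables it; and `ruleFrequency` became `rulefrequency` while the other identifiers stay camelCase.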
@ -32,11 +32,11 @@
"techniques": [
"T1078"
],
"alertRuleTemplateName": null,
"alertRuleTemplateName": "6ac54655-e213-424f-a676-c90cfe59e927",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
@ -51,7 +51,7 @@
"alertDetailsOverride": {
"alertDynamicProperties": []
},
"customDetails": {},
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
@ -73,7 +73,8 @@
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
"templateVersion": "1.0.0",
"subTechniques": []
}
}
]


@ -0,0 +1,80 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c8140eb-e946-4bf2-8c61-03e4df56d400')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c8140eb-e946-4bf2-8c61-03e4df56d400')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - User account MFA settings changed",
"description": "This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"enblmfa\", \"updatmfa\", \"disblmfa\")\r\n| where object_type == \"user\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"queryFrequency": "PT30M",
"queryPeriod": "PT30M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence",
"DefenseEvasion"
],
"techniques": [
"T1556"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
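Review bot: `"alertRuleTemplateName": null` and `"templateVersion": null` leave this new rule unlinked to its template, while the other rule templates touched in this commit set both (a GUID and `"1.0.0"`); set them here as well so all rules in the solution are versioned the same way. `"alertDetailsOverride": null` also differs from the `{ "alertDynamicProperties": [] }` form used in the other rules. In the `description`, "upto an hour" should read "up to an hour".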


@ -0,0 +1,88 @@
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - User added to privileged group",
"description": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Medium",
"enabled": true,
"query": "let watchlist =\r\n _GetWatchlist(\"PG1PW\")\r\n | project SearchKey\r\n;\r\nlet groups = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"join\"\r\n| where object_type == \"gm\"\r\n| where tostring(actor_details.email) != tostring(aux_details.email)\r\n// Enable the line below when using the \"Privileged Groups - 1PW\" watchlist\r\n| where object_uuid in (watchlist)\r\n// Enable the line below when using the dynamic groups list within the analytics rule itself\r\n// | where object_uuid in (groups)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip\r\n , GroupRole = case(\r\n aux_info == \"R\", \"Group member\"\r\n , aux_info == \"A\", \"Group manager\"\r\n , aux_info\r\n )",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"alertRuleTemplateName": null,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT30M",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
},
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"alertDetailsOverride": null,
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "ActorUsername"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "TargetUsername"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "SrcIpAddr"
}
]
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null,
"subTechniques": []
}
}
]
}
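Review bot: `_GetWatchlist("PG1PW")` is evaluated on every run because `| where object_uuid in (watchlist)` is enabled by default, so this rule fails outright in any workspace where that watchlist alias does not exist; the query comment calls it the "Privileged Groups - 1PW" watchlist, but the alias the query actually needs is `PG1PW`, and the `description` does not mention that the watchlist (with group UUIDs in `SearchKey`) is a prerequisite. Either document the prerequisite or ship with the `groups` branch active and the watchlist line commented. `let groups = dynamic([""]);` is a live placeholder containing an empty string; `dynamic([])` is the safer default. `alertRuleTemplateName` and `templateVersion` are `null` here too, unlike the other rules in this commit.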


@ -8,22 +8,22 @@
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb23d6cb-4b2e-44a7-b48e-040dd043147b')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb23d6cb-4b2e-44a7-b48e-040dd043147b')]",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dae4c601-51c9-47f5-83d3-e6eaef929cf6')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dae4c601-51c9-47f5-83d3-e6eaef929cf6')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"apiVersion": "2023-12-01-preview",
"properties": {
"displayName": "1Password - Vault export",
"description": "This will alert when a successful vault export has occurred within 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"description": "This will alert when a successful vault export has occurred within 1Password.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
"severity": "Low",
"enabled": true,
"query": "OnePasswordEventLogs_CL\r\n| where action == \"export\" and object_type == \"vault\"\r\n| extend\r\n TargetUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
"query": "OnePasswordEventLogs_CL\n| where action == \"export\"\n| where object_type == \"vault\"\n| extend\n TargetUsername = actor_details.email\n , SrcIpAddr = session.ip",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5H",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"startTimeUtc": null,
"tactics": [
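Review bot: changing the rule resource GUID in both the `id` and `name` lines (`cb23d6cb-...` to `dae4c601-...`) means a redeploy creates a second alert rule instead of updating the existing one; the old rule keeps running until someone removes it, so the PR should say whether that is intended. In the `query`, `TargetUsername = actor_details.email` maps the account that performed the export, whereas the other rules in this commit map `actor_details.email` to `ActorUsername`; align it so the Account entity means the same thing across rules. The `description` edit also drops the blank line before the `Ref:` lines (`\n\n` to `\n`) that the other rule descriptions keep.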
@ -32,13 +32,13 @@
"techniques": [
"T1555"
],
"alertRuleTemplateName": null,
"alertRuleTemplateName": "cb23d6cb-4b2e-44a7-b48e-040dd043147b",
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"lookbackDuration": "PT1H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
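Review bot: `"alertRuleTemplateName": "cb23d6cb-4b2e-44a7-b48e-040dd043147b"` reuses the GUID that was this rule's own resource id before this commit; that only works if the solution ships a template with exactly that `id`, so confirm it against the YAML template rather than assuming. Turning grouping on (`"enabled": true`) with `lookbackDuration` cut from `PT5H` to `PT1H` is a behavioural change the `description` of this rule does not mention, while the other rule descriptions in this commit spell out their grouping window.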
@ -71,7 +71,8 @@
}
],
"sentinelEntitiesMappings": null,
"templateVersion": null
"templateVersion": "1.0.0",
"subTechniques": []
}
}
]


@ -64,9 +64,6 @@
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs from Azure. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias 1PasswordLogs and load the function code or click [here](https://github.com/azurekid/Azure-Sentinel/blob/cc33169df91a14cfcd860db33033d2146415d084/Solutions/1Password/Parsers/1Password.yaml), The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
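Review bot: removing the parser note is right only if the solution no longer ships a `1PasswordLogs` Kusto function; every analytics rule in this commit queries `OnePasswordEventLogs_CL` directly, which supports the removal, but the connector metadata added later in this commit still carries `additionalRequirementBanner: "These queries are dependent on a parser based on a Kusto Function deployed as part of the solution."`, so one of the two statements is wrong and they should be reconciled.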
@ -77,7 +74,7 @@
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
},
{
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
}
]
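Review bot: the new Deploy to Azure URL resolves the template from `master` of `Azure/Azure-Sentinel`, so the button only works once this change is merged and the files exist at that path; until then it 404s, which is worth stating in the PR. Text carried over unchanged in this line should be fixed while it is being edited: "ARM Tempate" (Template), "**Workspace Name**, **Workspace Name**" listed twice in step 3, and the missing spaces around the inline code in "use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema".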


@ -96,7 +96,7 @@
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
},
{
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Azure Resource Manager (ARM) Template"
}
]
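Review bot: this copy of the deployment step diverges from the same step in the other connector definitions in this commit: the URL here has no `/createUIDefinitionUri/...` segment, so the portal shows the generic parameter form instead of the custom wizard. If both files are kept, the URLs should be identical, and the "Tempate" and duplicated "**Workspace Name**" typos are present here too.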


@ -35,7 +35,7 @@
"metadata": {
"description": "Specifies the URI of the arifacts on GitHub"
},
"defaultValue": "https://raw.githubusercontent.com/azurekid/Azure-Sentinel/feature/1password/Solutions/1Password/Data%20Connectors/1Password/deployment/"
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/1Password/Data%20Connectors/1Password/deployment/"
}
},
"resources": [
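Review bot: the context line `"description": "Specifies the URI of the arifacts on GitHub"` has a typo ("artifacts"); since the `defaultValue` beneath it is being changed anyway, fix it in the same hunk. Pointing the default at `master` also means nested templates are fetched from whatever is on the branch at deploy time rather than from a fixed revision.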


@ -87,9 +87,6 @@
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias 1PasswordLogs and load the function code or click [here](https://github.com/azurekid/Azure-Sentinel/blob/cc33169df91a14cfcd860db33033d2146415d084/Solutions/1Password/Parsers/1Password.yaml), The function usually takes 10-15 minutes to activate after solution installation/update."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
@ -100,7 +97,7 @@
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
},
{
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
}
]


@ -43,7 +43,7 @@
"metadata": {
"description": "Specifies the URI to the package to deploy"
},
"defaultValue": "https://github.com/azurekid/Azure-Sentinel/raw/feature/1password/Solutions/1Password/Data%20Connectors/1Password/function.zip"
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/1Password/Data%20Connectors/1Password/function.zip"
}
},
"variables": {
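Review bot: the package `defaultValue` now fetches `function.zip` from a mutable branch (`/Azure/Azure-Sentinel/master/...`), and this value feeds `WEBSITE_RUN_FROM_PACKAGE`, so whatever is on `master` at deploy time runs inside the Function App holding the 1Password Events API token. Pin the package to a release tag or commit SHA, or host it in a storage account the solution controls, so that a later push to `master` cannot silently change what the function executes.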
@ -319,7 +319,7 @@
"FUNCTIONS_WORKER_RUNTIME": "powershell",
"FUNCTIONS_WORKER_RUNTIME_VERSION": "7.2",
"APPINSIGHTS_CONNECTION_STRING": "[reference(concat('microsoft.insights/components/', variables('functionName')), '2015-05-01').ConnectionString]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[NF.secretName(variables('functionName'), 'AzureWebJobsStorage')]",
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[NF.StorageConnectionString(variables('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]",
"WEBSITE_CONTENTSHARE": "[toLower(variables('FunctionName'))]",
"WEBSITE_RUN_FROM_PACKAGE": "1",
"AzureWebJobsStorage": "[NF.secretName(variables('functionName'), 'AzureWebJobsStorage')]",


@ -1,77 +1,81 @@
{
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": true,
"basics": {
"description": "<img src=\"https://lever-client-logos.s3.us-west-2.amazonaws.com/f2192f1c-fc87-4e38-9764-293c0eb616a2-1682022825728.png\">\n\n**1Password Solution** deployment, more information about this project [here](https://github.com/azurekid/Azure-Sentinel/).\n\n_**Information:** The 1Password solution for Microsoft Sentinel is in active development. This feature is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities._\n\nThe 1Password Microsoft Sentinel Solution provides a consolidated way to provision Azure Sentinel with content like a Data Connector, Workbooks and Analytics rules in your workspace with a single deployment step.\n\nInitially it takes around 15 minutes to see the first data to appear in Log Analytics.\n\n"
}
},
"basics": [],
"steps": [
{
"name": "Sentinel",
"label": "Microsoft Sentinel",
"$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
"handler": "Microsoft.Azure.CreateUIDef",
"version": "0.1.2-preview",
"parameters": {
"config": {
"isWizard": true,
"basics": {
"description": "<img src=\"https://lever-client-logos.s3.us-west-2.amazonaws.com/f2192f1c-fc87-4e38-9764-293c0eb616a2-1682022825728.png\">\n\n**1Password Solution** deployment, more information about this project [here](https://github.com/azurekid/Azure-Sentinel/).\n\n_**Information:** The 1Password solution for Microsoft Sentinel is in active development. This feature is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities._\n\nThe 1Password Microsoft Sentinel Solution provides a consolidated way to provision Azure Sentinel with content like a Data Connector, Workbooks and Analytics rules in your workspace with a single deployment step.\n\nInitially it takes around 15 minutes to see the first data to appear in Log Analytics.\n\n",
"location": {
"metadata": {
"hidden": "Hiding location, we get it from the log analytics workspace"
},
"visible": false
},
"resourceGroup": {
"allowExisting": true
}
}
},
"basics": [
{
"name": "getLAWorkspace",
"type": "Microsoft.Solutions.ArmApiControl",
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
"condition": "[greater(length(resourceGroup().name),0)]",
"request": {
"method": "GET",
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
}
},
{
"name": "workspace",
"type": "Microsoft.Common.DropDown",
"label": "Workspace",
"placeholder": "Select a workspace",
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
"constraints": {
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
"required": true
},
"visible": true
}
],
"steps": [
{
"name": "1Password",
"label": "1Password",
"elements": [
{
"name": "text1",
"type": "Microsoft.Common.InfoBox",
"name": "textBlock1",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"icon": "warning",
"text": "The Sentinel Workspace must be located in the same resource group as the deployment",
"uri": "https://www.microsoft.com"
"text": "Provide the 1Password API key",
"link": {
"label": "Learn more on how to create a API key for 1Password",
"uri": "https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens"
}
}
},
{
"name": "workspaceSelector",
"type": "Microsoft.Solutions.ResourceSelector",
"label": "Select an existing workspace",
"resourceType": "Microsoft.OperationalInsights/workspaces",
"name": "password",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "1Password API Key"
},
"toolTip": "",
"constraints": {
"required": true,
"regex": "",
"validationMessage": ""
},
"options": {
"filter": {
"subscription": "onBasics",
"location": "onBasics"
}
}
}
]
},
{
"name": "1Password",
"label": "1Password",
"elements": [
{
"name": "textBlock1",
"type": "Microsoft.Common.TextBlock",
"visible": true,
"options": {
"text": "Provide the 1Password API key",
"link": {
"label": "Learn more on how to create a API key for 1Password",
"uri": "https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens"
}
}
},
{
"name": "password",
"type": "Microsoft.Common.PasswordBox",
"label": {
"password": "1Password API Key"
},
"toolTip": "",
"constraints": {
"required": true,
"regex": "",
"validationMessage": ""
},
"options": {
"hideConfirmation": true
},
"visible": true
},
"hideConfirmation": true
},
"visible": true
},
{
"name": "apiEndpoint",
"type": "Microsoft.Common.DropDown",
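Review bot: the workspace dropdown filter `contains(toLower(filter.id), toLower(resourceGroup().name))` is a substring match on the full resource id, so a workspace in a resource group whose name merely contains the selected group's name (for example `rg-sentinel-prod` when `rg-sentinel` is selected) is listed and can be chosen as the deployment target; compare the resource-group segment of the id for equality instead. The intro `description` still links to `https://github.com/azurekid/Azure-Sentinel/` while every other URL in this commit moved to `Azure/Azure-Sentinel`, and the logo is loaded from a third-party bucket (`lever-client-logos.s3.us-west-2.amazonaws.com`) the solution does not control. The API key `PasswordBox` ships `"regex": ""` and `"validationMessage": ""`; if no format check is intended, drop those keys rather than leave empty validators.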
@ -102,13 +106,14 @@
},
"visible": true
}
]
]
}
],
"outputs": {
"workspaceName": "[steps('Sentinel').workspaceSelector.name]",
"apiToken": "[steps('1Password').password]",
"outputs": {
"workspaceName": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.name))]",
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
"apiToken": "[steps('1Password').password]",
"apiEndpoint": "[steps('1Password').apiEndpoint]"
}
}
}
}
}

Binary file not shown.


@ -7,7 +7,7 @@ $currentUTCtime = (Get-Date).ToUniversalTime()
# Write an information log with the current time.
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
$currentStartTime = (Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$global:currentStartTime = (Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
try {
Get-Variables
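Review bot: promoting `$currentStartTime` to `$global:currentStartTime` presumably makes it visible inside `Get-AuditLogs`, but in the PowerShell Functions worker the global scope is shared across invocations served by the same host, so a value set by one run can leak into the next; passing it explicitly as a parameter (the later call `Get-AuditLogs -lastRunTime $currentStartTime -api $api` already does this) avoids the global entirely. A comment explaining why a 30-day initial window was chosen would also help, since it determines how much history is pulled on first run.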
@ -24,7 +24,7 @@ foreach ($api in $endpoints) {
try {
# continue if the cursor does not exist and proceed with the lastRunTime
$cursor = Get-Cursor @storagePayload -cursor $api -ErrorAction SilentlyContinue
if ($cursor) {
if ($cursor -and $cursor -ne "none") {
$results += Get-AuditLogs -cursor $cursor -api $api
} else {
$results += Get-AuditLogs -lastRunTime $currentStartTime -api $api
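Review bot: `"none"` in `if ($cursor -and $cursor -ne "none")` is a string sentinel whose origin is not visible in this file; if `Get-Cursor` stores the literal `none` when no cursor exists, document that contract next to the call, or have `Get-Cursor` return `$null` so the original `if ($cursor)` check is sufficient. Note also that the fallback branch uses `$currentStartTime`, which is 30 days back, so every time the cursor is missing or reads `none` the function re-pulls up to 30 days of events for that endpoint.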
@ -34,6 +34,14 @@ foreach ($api in $endpoints) {
}
}
Write-Output $results
$results += @{
"log_source" = "healthevents"
}
Write-Output $results
if ($results.count -gt 0) {
Write-Host "Sending $($results.count) new records"
Send-Data -body ($results | ConvertTo-Json -AsArray)
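Review bot: appending `@{ "log_source" = "healthevents" }` to `$results` on every run means `$results.count -gt 0` is always true, so `Send-Data` is now called on every invocation and the "Sending $($results.count) new records" message overcounts by one. If this is an intentional heartbeat record, label it as such in a comment and give it a timestamp field; otherwise it is a near-empty row in the custom table that every analytics rule filtering on `log_source` has to ignore. `Write-Output $results` now runs twice, before and after the append, which writes the whole result set to the function log twice.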


@ -0,0 +1,81 @@
{
"id": "1Password",
"title": "1Password",
"publisher": "1Password",
"descriptionMarkdown": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "1Password",
"baseQuery": "OnePasswordEventLogsDev_CL"
}
],
"sampleQueries": [
{
"description" : "Top 10 Users",
"query": "OnePasswordEventLogs_CL\n | summarize count() by tostring(target_user.name) \n | top 10 by count_"
}
],
"dataTypes": [
{
"name": "OnePasswordEventLogs_CL",
"lastDataReceivedQuery": "OnePasswordEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"OnePasswordEventLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
]
}
],
"availability": {
"status": 1,
"isPreview": true
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions on the workspace are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
}
],
"customs": [
{
"name": "Microsoft.Web/sites permissions",
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
},
{
"name": "1Password Events API Token",
"description": "A 1Password Events API Token is required. [See the documentation to learn more about the 1Password API](https://developer.1password.com/docs/events-api/reference). \n\n**Note:** A 1Password Business account is required"
}
]
},
"instructionSteps": [
{
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs from Azure. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
},
{
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
},
{
"description": "**STEP 1 - Configuration steps for the 1Password Events Reporting API**\n\n [Follow these instructions](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) provided by 1Password to obtain an Events Reporting API Token. **Note:** A 1Password Business account is required"
},
{
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
},
{
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
"title": "Option 1 - Azure Resource Manager (ARM) Template"
}
]
}
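Review bot: the `baseQuery` of the "Total data received" graph entry points at `OnePasswordEventLogsDev_CL`, while `sampleQueries`, `dataTypes` and `connectivityCriterias` in the same block all query `OnePasswordEventLogs_CL`; unless a Dev table is deliberately shipped, the connector's data graph will stay empty for customers. Change it to `"baseQuery": "OnePasswordEventLogs_CL"`. Two smaller points in the Option 1 instruction text: step 3 asks for the **Workspace Name** twice (one of the two should be whichever other parameter the template actually expects), and "ARM Tempate" is a typo for "ARM Template".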

View file

@ -1,6 +1,6 @@
{
"Name": "1Password",
"Author": "1Password",
"Author": "Rogier Dijkman (SecureHats)",
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
"Description": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and creating rich visual reports within the Azure portal. They allow you to combine one or more data sources from Microsoft Sentinel into unified interactive experience.",
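Review bot: the `Author` field now names an individual ("Rogier Dijkman (SecureHats)") while `Name` stays "1Password" and the `Logo` is still the generic `Azure_Sentinel.svg`; since the author shown in the content hub is who customers will contact for support, confirm which party is the supported publisher and, if it is 1Password, keep their name and logo here.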
@ -12,12 +12,24 @@
],
"Parsers": [],
"Analytic Rules": [
"Analytics Rules/1Password - Manually invited user.yaml",
"Analytics Rules/1Password - Secret Extraction Post Vault Access Change By Administrator.yaml",
"Analytics Rules/1Password - Successful Anomalous SignIn.yaml",
"Analytics Rules/1Password - Vault Export Post Account Creation.yaml",
"Analytics Rules/1Password - Changes to firewall rules.yaml",
"Analytics Rules/1Password - Changes to SSO configuration.yaml",
"Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml",
"Analytics Rules/1Password - Log Ingestion Failure.yaml",
"Analytics Rules/1Password - Manual account creation.yaml",
"Analytics Rules/1Password - New service account integration created.yaml",
"Analytics Rules/1Password - Non-privileged vault user permission change.yaml",
"Analytics Rules/1Password - Potential insider privilege escalation via group.yaml",
"Analytics Rules/1Password - Potential insider privilege escalation via vault.yaml",
"Analytics Rules/1Password - Privileged vault permission change.yaml",
"Analytics Rules/1Password - Secret extraction post vault access change by administrator.yaml",
"Analytics Rules/1Password - Service account integration token adjustment.yaml",
"Analytics Rules/1Password - Successful anomalous sign-in.yaml",
"Analytics Rules/1Password - User account MFA settings changed.yaml",
"Analytics Rules/1Password - User added to privileged group.yaml",
"Analytics Rules/1Password - Vault export post account creation.yaml",
"Analytics Rules/1Password - Vault export prior to account suspension or deletion.yaml",
"Analytics Rules/1Password - Vault Export.yaml"
"Analytics Rules/1Password - Vault export.yaml"
],
"BasePath": "C:\\1Password",
"Version": "1.0.0",
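Review bot: several entries in the `Analytic Rules` list are case-only renames of existing files (`Secret Extraction Post Vault Access Change By Administrator.yaml` to `Secret extraction post vault access change by administrator.yaml`, `Successful Anomalous SignIn.yaml` to `Successful anomalous sign-in.yaml`, `Vault Export.yaml` to `Vault export.yaml`). With `BasePath` set to `C:\\1Password` the files are being edited on a case-insensitive filesystem, so verify that git actually recorded the renames and that the on-disk names match this list exactly, otherwise packaging will not find the rule files. Also, `Version` is still `1.0.0` here while the package committed alongside is `3.0.0.zip`; bump the version or the package name so they agree.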

Binary data
Solutions/1Password/Package/3.0.0.zip

Binary file not shown.

View file

@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest 1Password logs and events into Microsoft Sentinel. The connector provides visibility into 1Password Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/1Password/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 18\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
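Review bot: the new "Note" bullets in the description are formatted inconsistently: the first is `\n\n• Review the solution ...` but the second is `\n\n • There may be ...` with a stray leading space before the bullet, which renders as an indented line in the wizard. Drop the space. The updated count (**Analytic Rules:** 18) matches the eighteen rule files listed in the solution data file in this commit.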
@ -60,7 +60,7 @@
"name": "dataconnectors1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Solution installs the data connector for the 1Password Events Reporting API, allowing you to ingest log data from your 1Password Business account to your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
"text": "This Solution installs the data connector for 1Password. You can get 1Password custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
}
},
{
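Review bot: the replacement text is vaguer than what it replaces: "You can get 1Password custom log data in your Microsoft Sentinel workspace" drops the mention of the 1Password Events Reporting API and the Business account that the old sentence carried, and that information is what tells an installer whether the connector applies to them. Consider keeping the previous wording for the first sentence.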
@ -88,7 +88,7 @@
"name": "workbooks-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and creating rich visual reports within the Azure portal. They allow you to combine one or more data sources from Microsoft Sentinel into unified interactive experience."
}
},
{
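Review bot: the new wording "combine one or more data sources from Microsoft Sentinel into unified interactive experience" is missing a plural; the previous text had "experiences". Change to "into unified interactive experiences".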
@ -104,10 +104,14 @@
{
"name": "workbook1",
"type": "Microsoft.Common.Section",
"label": "1Password",
"elements": [
{
"name": "workbook1-text",
"type": "Microsoft.Common.TextBlock"
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "1Password workbook provides insights into the 1Password events and activities. It includes visualizations for sign-in attempts, item usage, and audit events from your 1Password Business account."
}
}
]
}
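Review bot: the added workbook text should start with an article ("The 1Password workbook provides insights ..."); otherwise the description reads well and matches the sign-in, item usage and audit event sources the connector ingests.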
@ -142,13 +146,13 @@
{
"name": "analytic1",
"type": "Microsoft.Common.Section",
"label": "1Password - Manually invited user",
"label": "1Password - Changes to firewall rules",
"elements": [
{
"name": "analytic1-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when when someone is manually invited to join your 1Password account, rather than provisioned via SCIM from your identity provider. This should only be used when using Automated User Provisioning via 1Password SCIM Bridge.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/"
"text": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
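Review bot: "upto an hour" in the new analytic1 text should be "up to an hour". The same sentence ("it will group all related future alerts for upto an hour when all related entities are the same") is repeated in nearly every rule description in this file and comes from the rule YAMLs, so fix it at the source rather than only here.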
@ -156,11 +160,137 @@
{
"name": "analytic2",
"type": "Microsoft.Common.Section",
"label": "1Password - Secret extraction post vault access change by administrator",
"label": "1Password - Changes to SSO configuration",
"elements": [
{
"name": "analytic2-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic3",
"type": "Microsoft.Common.Section",
"label": "1Password - Disable MFA factor or type for all user accounts",
"elements": [
{
"name": "analytic3-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic4",
"type": "Microsoft.Common.Section",
"label": "1Password - Log Ingestion Failure",
"elements": [
{
"name": "analytic4-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.\n\nLog ingestion troubleshooting:\n<insert URL>\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic5",
"type": "Microsoft.Common.Section",
"label": "1Password - Manual account creation",
"elements": [
{
"name": "analytic5-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic6",
"type": "Microsoft.Common.Section",
"label": "1Password - New service account integration created",
"elements": [
{
"name": "analytic6-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic7",
"type": "Microsoft.Common.Section",
"label": "1Password - Non-privileged vault user permission change",
"elements": [
{
"name": "analytic7-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic8",
"type": "Microsoft.Common.Section",
"label": "1Password - Potential insider privilege escalation via group",
"elements": [
{
"name": "analytic8-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic9",
"type": "Microsoft.Common.Section",
"label": "1Password - Potential insider privilege escalation via vault",
"elements": [
{
"name": "analytic9-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic10",
"type": "Microsoft.Common.Section",
"label": "1Password - Privileged vault permission change",
"elements": [
{
"name": "analytic10-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic11",
"type": "Microsoft.Common.Section",
"label": "1Password - Secret extraction post vault access change by administrator",
"elements": [
{
"name": "analytic11-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
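Review bot: the analytic4 ("Log Ingestion Failure") text contains the unfilled placeholder `<insert URL>` under "Log ingestion troubleshooting:"; this is customer-facing text in the install wizard, so either add the troubleshooting link or remove that line before merging. The "upto" typo also recurs in analytic2, analytic3, analytic6, analytic7, analytic8, analytic9 and analytic10 in this hunk.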
@ -168,12 +298,26 @@
]
},
{
"name": "analytic3",
"name": "analytic12",
"type": "Microsoft.Common.Section",
"label": "1Password - Service account integration token adjustment",
"elements": [
{
"name": "analytic12-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic13",
"type": "Microsoft.Common.Section",
"label": "1Password - Successful anomalous sign-in",
"elements": [
{
"name": "analytic3-text",
"name": "analytic13-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
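Review bot: the analytic13 text separates the description from the references with a single `\nRef:` while the other sections added in this commit use `\n\nRef:`; use the blank line here too so the references render as a separate paragraph. "upto" in the analytic12 text should be "up to".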
@ -182,43 +326,71 @@
]
},
{
"name": "analytic4",
"name": "analytic14",
"type": "Microsoft.Common.Section",
"label": "1Password - User account MFA settings changed",
"elements": [
{
"name": "analytic14-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic15",
"type": "Microsoft.Common.Section",
"label": "1Password - User added to privileged group",
"elements": [
{
"name": "analytic15-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic16",
"type": "Microsoft.Common.Section",
"label": "1Password - Vault export post account creation",
"elements": [
{
"name": "analytic4-text",
"name": "analytic16-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a successful vault export was performed by someone within 14 days them joining your 1Password account.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
"text": "This will alert when a successful vault export has occurred within 14 days of a new account being created within 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic5",
"name": "analytic17",
"type": "Microsoft.Common.Section",
"label": "1Password - Vault export prior to account suspension or deletion",
"elements": [
{
"name": "analytic5-text",
"name": "analytic17-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a successful vault export was performed by a member of your 1Password account within the 14 days prior their 1Password account being suspended or deleted.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
"text": "This will alert when a successful vault export has occurred within the last 14 days prior to an account being suspended or deleted from 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
},
{
"name": "analytic6",
"name": "analytic18",
"type": "Microsoft.Common.Section",
"label": "1Password - Vault export",
"elements": [
{
"name": "analytic6-text",
"name": "analytic18-text",
"type": "Microsoft.Common.TextBlock",
"options": {
"text": "This will alert when a member of your 1Password account successfully exports vault data from your 1Password account.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
"text": "This will alert when a successful vault export has occurred within 1Password.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
}
}
]
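Review bot: analytic15 ("User added to privileged group") says related alerts are grouped "for upto 30 minutes" while every other description in this file says an hour; confirm that the `lookbackDuration` in that rule's YAML really is 30 minutes and that the text is not a copy-paste remnant. In analytic17, "within the last 14 days prior to an account being suspended" is redundant; "within the 14 days prior to" reads better. The analytic18 text still uses a single `\nRef:` where the others use `\n\nRef:`.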

File diff suppressed because one or more lines are too long

View file

@ -0,0 +1,32 @@
{
"location": {
"type": "string",
"minLength": 1,
"defaultValue": "[resourceGroup().location]",
"metadata": {
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
}
},
"workspace-location": {
"type": "string",
"defaultValue": "",
"metadata": {
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
}
},
"workspace": {
"defaultValue": "",
"type": "string",
"metadata": {
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
}
},
"workbook1-name": {
"type": "string",
"defaultValue": null,
"minLength": 1,
"metadata": {
"description": "Name for the workbook"
}
}
}
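Review bot: `workbook1-name` combines `"defaultValue": null` with `"minLength": 1`, so a deployment that does not explicitly pass the parameter fails validation on an empty value; either give it the workbook's actual name as the default or remove `defaultValue` so the parameter is clearly required. The `[concat(...)]` expression in the `workspace-location` description is the pattern the other solution test-parameter files use, so that part is fine.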

View file

@ -21,7 +21,7 @@ The key function of this Solution is to retrieve sign-in attempts, item usage, a
Installing the 1Password Solution for Microsoft Sentinel is easy and can be completed in only a few minutes.
Just click the button below to get started with the deployment wizard. <br>
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%2520Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%2520Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)
> NOTE: To deploy the solution, the Azure user account executing the deployment needs to have `Owner` permissions on the Microsoft Sentinel `Resource Group` in Azure.<br>
> This is required to assign the correct RBAC role to the managed identity of the FunctionApp!
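Review bot: the Deploy To Azure button now points at a personal fork and feature branch (`azurekid/Azure-Sentinel`, `feature/1password`) instead of `Azure/Azure-Sentinel` `master`, and the space in `Data Connectors` is double-encoded (`%2520`, which decodes to a literal `%20` rather than a space). Anyone clicking the README button would deploy whatever that branch contains at the time. Revert to the upstream `master` URL with `%20` before merging.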

View file

@ -1,6 +1,6 @@
{
"publisherId": "1password",
"offerId": "1password_mss",
"publisherId": "1password1617200969773",
"offerId": "1password",
"firstPublishDate": "2023-12-01",
"providers": ["1password"],
"categories": {
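Review bot: `publisherId` and `offerId` both changed while `firstPublishDate` stayed at 2023-12-01; confirm the new pair matches the Partner Center listing, since a mismatch here breaks the content hub mapping for an already published solution.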

View file

@ -22,7 +22,7 @@
"name": "Subscription",
"type": 6,
"isRequired": true,
"value": "/subscriptions/ba161e49-a831-48e5-a0b2-e9c6d7a310e3",
"value": "/subscriptions/7570c6f7-9ca9-409b-aeaf-cb0f5ac1ad50",
"typeSettings": {
"additionalResourceOptions": [],
"includeAll": false
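Review bot: the Subscription parameter still ships with a hard-coded subscription GUID as its default (`/subscriptions/7570c6f7-...`), just a different one than before; every customer importing the workbook gets a default pointing at a subscription they do not own, and the author's subscription id is published with the solution. Set `"value": ""` (as the Workspace parameter does in the next hunk) or drop the `value` key so the picker starts empty.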
@ -47,7 +47,8 @@
},
"queryType": 1,
"resourceType": "microsoft.resourcegraph/resources",
"label": "🗂️ Workspace"
"label": "🗂️ Workspace",
"value": ""
},
{
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
@ -205,14 +206,14 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OnePasswordEventLogs_CL\r\n| summarize count() by bin (TimeGenerated, 1d), log_source",
"query": "OnePasswordEventLogs_CL\r\n| summarize count() by bin (timestamp, 1d), log_source",
"size": 1,
"timeContextFromParameter": "TimeRange",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
"chartSettings": {
"xAxis": "TimeGenerated"
"xAxis": "timestamp"
}
},
"name": "query - 7"
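Review bot: switching the bin and the x-axis from `TimeGenerated` to `timestamp` assumes a `timestamp` column exists in `OnePasswordEventLogs_CL`, but the connector definition in this same commit (`lastDataReceivedQuery`, `connectivityCriterias`) and the per-user map query later in this file still use `TimeGenerated`. If `timestamp` is the event time from 1Password it is a reasonable x-axis, but the `timeContextFromParameter` range filter applies to `TimeGenerated`, so the chart window and the bins will not line up; pick one column and use it consistently across the workbook and connector.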
@ -221,7 +222,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring((geo_info_from_ip_address (tostring(client.ip_address))).region)\r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring((geo_info_from_ip_address (tostring(client.ip_address))).region)\r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by timestamp asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(timestamp, {TimeRange:grain}),\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by timestamp asc, visitedInThisOrder asc",
"size": 0,
"title": "User Locations",
"timeContextFromParameter": "TimeRange",
@ -253,7 +254,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "let data = \r\nOnePasswordEventLogs_CL\r\n| where log_source == 'signinattempts'\r\n and tostring(target_user.name) notcontains 'Provisioning';\r\ndata\r\n| summarize count() by tostring(target_user.name), bin (TimeGenerated, 1d)",
"query": "let data = \r\nOnePasswordEventLogs_CL\r\n| where log_source == 'signinattempts'\r\n and tostring(target_user.name) notcontains 'Provisioning';\r\ndata\r\n| summarize count() by tostring(target_user.name), bin (timestamp, 1d)",
"size": 1,
"title": "User Sign-ins",
"timeContextFromParameter": "TimeRange",
@ -399,7 +400,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend applicationName_ = tostring(client.app_name)\r\n| where applicationName_ notcontains \"SCIM\"\r\n| order by TimeGenerated asc , applicationName_\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}),\r\n ApplicationName=applicationName_ \r\n| order by count_ desc",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend applicationName_ = tostring(client.app_name)\r\n| where applicationName_ notcontains \"SCIM\"\r\n| order by timestamp asc , applicationName_\r\n| summarize count() by bin(timestamp, {TimeRange:grain}),\r\n ApplicationName=applicationName_ \r\n| order by count_ desc",
"size": 1,
"showAnalytics": true,
"title": "All Users : Used Application by most frequent",
@ -601,11 +602,11 @@
"name": "SelectUserName",
"type": 2,
"isRequired": true,
"query": "OnePasswordEventLogs_CL\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where TimeGenerated {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
"query": "OnePasswordEventLogs_CL\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where timestamp {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
"crossComponentResources": [
"{Workspace}"
],
"value": "1Password Test Account",
"value": "Rogier Dijkman",
"typeSettings": {
"additionalResourceOptions": []
},
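Review bot: the default `value` for `SelectUserName` is now a personal name ("Rogier Dijkman"); a shipped workbook should not default a user picker to a specific person. Use `"value": ""` so the dropdown starts unselected. The exclusion of "On-Premises Directory Synchronization Service Account" in the query is an Entra ID artifact rather than anything 1Password emits; it is harmless but worth dropping.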
@ -866,7 +867,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring(location.region) \r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring(location.region) \r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 0,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType, 2)), \"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
"size": 0,
"showAnalytics": true,
"title": "Map showing locations for user: '{SelectUser}'",
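Review bot: changing `row_number() > 1` to `row_number() > 0` makes the `iif` condition always true (after `serialize`, `row_number()` starts at 1), so the `"FirstLocation"` branch is dead code: the first row's `prev(latitude_, 1)` and `prev(longitude_, 1)` are null, `geo_distance_2points` returns null, and `distance_in` becomes an empty string that the `!= "0.0"` filter then lets through. Keep `> 1`, as the "User Locations" query earlier in this file still does. This query also still orders and bins on `TimeGenerated` while the other queries in this commit were moved to `timestamp`.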
@ -991,6 +992,11 @@
"colorSettings": null,
"hivesMargin": 5
},
"chartSettings": {
"yAxis": [
"City"
]
},
"mapSettings": {
"locInfo": "LatLong",
"latitude": "latitude_",
@ -1236,7 +1242,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/Microsoft.aadiam/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version=2021-09-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\",\"columns\":[]}}]}",
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/Microsoft.aadiam/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version=2021-09-01-preview\",\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\"}}]}",
"size": 4,
"title": "🖧 Lookup IP Address: {ipAddress} from Microsoft geoLocation api",
"queryType": 12,