Родитель
9aaeda5b94
Коммит
31e6792484
|
@ -0,0 +1,53 @@
|
|||
id: 9406f5ab-1197-4db9-8042-9f3345be061c
|
||||
name: 1Password - Changes to SSO configuration
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1556
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdssoo", "addgsso", "delgsso")
|
||||
| where object_type == "sso"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
alertDetailsOverride:
|
||||
alertDynamicProperties: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
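Review bot: The token `chngdssoo` in `| where action has_any("enblsso", "disblsso", "chngpsso", "chngasso", "chngdssoo", "addgsso", "delgsso")` breaks the `chng?sso` pattern of its neighbours and reads like a typo that would silently drop that event type; verify it against the 1Password audit-event action list. `has_any` is term matching rather than equality, so `| where action in ("enblsso", ...)` is the tighter filter for fixed action codes. Both entity columns are projected straight from dynamic properties, and Sentinel entity mapping expects string columns, so `ActorUsername = tostring(actor_details.email)` and `SrcIpAddr = tostring(session.ip)` avoid incidents with no mapped entities. With `queryPeriod: 5m` equal to `queryFrequency: 5m` there is no overlap to absorb ingestion lag; if the DCR maps the 1Password event timestamp to TimeGenerated, records arriving late are never evaluated.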
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
id: 54e6bb8e-2935-422f-9387-dba1961abfd7
|
||||
name: 1Password - Changes to firewall rules
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1562
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action == "updatfw"
|
||||
| where object_type == "account"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
subTechniques:
|
||||
- T1562.007
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
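Review bot: The rule fires on every `updatfw` event but projects only the actor and source IP, so the incident says nothing about what the firewall rule set was changed to; if the record carries the new rules (presumably in `object_details` or `aux_details` — confirm against a sample event), project them into a custom detail so the analyst can triage without opening the 1Password console. The entity columns should be `ActorUsername = tostring(actor_details.email)` and `SrcIpAddr = tostring(session.ip)`, since entity mappings on dynamic-typed columns are not reliably populated. `queryPeriod` equal to `queryFrequency` leaves no overlap window, so an event that is ingested more than five minutes after its TimeGenerated is missed if TimeGenerated is taken from the event rather than ingestion.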
|
||||
|
|
@ -0,0 +1,51 @@
|
|||
id: 92ab0938-1e7c-4671-9810-392e8b9714da
|
||||
name: 1Password - Disable MFA factor or type for all user accounts
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1556
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action == "disblmfa"
|
||||
| where object_type == "account"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
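Review bot: For a High-severity rule, `queryPeriod: 5m` with `queryFrequency: 5m` gives no overlap, so a `disblmfa` record that lands late (Events API polling delay plus DCR processing) is never evaluated if TimeGenerated reflects the event time; `queryPeriod: 10m` with the existing grouping would cover this without duplicating incidents. `ActorUsername = actor_details.email` and `SrcIpAddr = session.ip` are dynamic values, so wrap them in `tostring()` for the entity mappings to resolve. The description claims MFA is disabled "for all user accounts"; that is inferred from `object_type == "account"` rather than from any field in the event, so a one-line comment in the query stating that assumption would help whoever tunes this later.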
|
||||
|
|
@ -0,0 +1,42 @@
|
|||
id: bf9132c7-9d4d-4244-98c7-7d994703c208
|
||||
name: 1Password - Log Ingestion Failure
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.
|
||||
|
||||
Log ingestion troubleshooting:
|
||||
<insert URL>
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: Equal
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1562
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "healthevents"
|
||||
subTechniques:
|
||||
- T1562.008
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: false
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 5h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
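Review bot: `triggerOperator: Equal` is written differently from every other rule in this commit, which use the short form `gt`; the Sentinel YAML template convention is `eq`, and a deployment script that maps one spelling may reject the other, so use `triggerOperator: eq`. The description still contains the `<insert URL>` placeholder for the troubleshooting link. With grouping disabled and `suppressionEnabled: false`, a prolonged ingestion outage opens a fresh incident every hour; `suppressionEnabled: true` with the existing `suppressionDuration: 5h` keeps that to one incident per working shift. Note also that if `OnePasswordEventLogs_CL` has not been created yet (connector never delivered a record), the query fails rather than returning zero rows, so this rule does not detect a connector that never started.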
|
||||
|
|
@ -0,0 +1,57 @@
|
|||
id: 9a264487-bcb8-4c7f-a461-b289a46377b8
|
||||
name: 1Password - Manual account creation
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.
|
||||
|
||||
Ref: https://support.1password.com/scim/
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1136
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where action == "create"
|
||||
| where object_type == "invite"
|
||||
| where actor_details.email !endswith "@1passwordserviceaccounts.com"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
, TargetUsername = aux_info
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AnyAlert
|
||||
suppressionDuration: 1h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
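Review bot: This is the only audit-event rule in the commit without `| where log_source == "auditevents"`, so a `create` action on an `invite` object from any other log source would also match; add the filter for consistency. `actor_details.email !endswith "@1passwordserviceaccounts.com"` operates on a dynamic value, and how a null actor email behaves here needs confirming — `tostring(actor_details.email) !endswith "@1passwordserviceaccounts.com"` makes the comparison explicit, and the three entity columns should likewise be wrapped in `tostring()`. `matchingMethod: AnyAlert` with a 1h lookback merges every manual invite by any administrator into one incident, unlike the `AllEntities` grouping every other rule uses; that looks unintentional. `TargetUsername = aux_info` assumes aux_info holds the invitee's address, which nothing in the query establishes — worth a comment stating that.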
|
||||
|
|
@ -0,0 +1,53 @@
|
|||
id: 26daed54-cea5-469c-9b6e-0d85a40dc463
|
||||
name: 1Password - New service account integration created
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1136
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action == "create"
|
||||
| where object_type == "sa"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
subTechniques:
|
||||
- T1136.003
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
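Review bot: The alert carries nothing that identifies the service account that was created; if the event's `object_details` or `aux_info` holds the account name (the invite rule in this commit assumes `aux_info` carries the target), project it as a custom detail so the incident is actionable without a console lookup. `ActorUsername = actor_details.email` and `SrcIpAddr = session.ip` are dynamic columns; use `tostring()` on both so the Account and IP entities map. `queryPeriod: 5m` equal to `queryFrequency: 5m` leaves no overlap for late-arriving records.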
|
||||
|
|
@ -0,0 +1,67 @@
|
|||
id: 327e0579-7c03-4ec7-acf5-a29dcc4a12b6
|
||||
name: 1Password - Non-privileged vault user permission change
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
query: |-
|
||||
let watchlist =
|
||||
_GetWatchlist("PV1PW")
|
||||
| project SearchKey
|
||||
;
|
||||
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
|
||||
let vaults = dynamic([""]);
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("grant", "revoke", "update")
|
||||
| where object_type == "uva"
|
||||
| where tostring(actor_details.email) != tostring(aux_details.email)
|
||||
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
|
||||
| where object_uuid !in (watchlist)
|
||||
// Enable the line below when using the dynamic vaults list within the analytics rule itself
|
||||
// | where object_uuid !in (vaults)
|
||||
| extend
|
||||
TargetUsername = aux_details.email
|
||||
, ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
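Review bot: The comment `// Enable the line below when using the "Privileged Vaults - 1PW" watchlist` sits above `| where object_uuid !in (watchlist)`, which is already enabled, while the `vaults` alternative is the one commented out; as written the rule hard-depends on the `PV1PW` watchlist, and `_GetWatchlist` fails the whole query when it does not exist. Either comment the watchlist line out to match the comment or state in the comment that the watchlist is the default. `let vaults = dynamic([""])` is a list containing one empty-string UUID rather than an empty list; `dynamic([])` is what the comment describes. `tostring(actor_details.email) != tostring(aux_details.email)` is case-sensitive, so `!~` is safer for e-mail addresses, and the three entity columns should be wrapped in `tostring()` so the Account and IP entities map.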
|
||||
|
|
@ -0,0 +1,64 @@
|
|||
id: 398a1cf1-f56f-4700-912c-9bf4c8409ebc
|
||||
name: 1Password - Potential insider privilege escalation via group
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("join", "role")
|
||||
| where object_type == "gm"
|
||||
| where tostring(actor_details.email) == tostring(aux_details.email)
|
||||
| extend
|
||||
TargetUsername = aux_details.email
|
||||
, ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
, GroupRole = case(
|
||||
aux_info == "R", "Group member"
|
||||
, aux_info == "A", "Group manager"
|
||||
, aux_info
|
||||
)
|
||||
subTechniques:
|
||||
- T1078.004
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
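Review bot: `| where tostring(actor_details.email) == tostring(aux_details.email)` is also true when both values are empty, so any `gm` join/role event whose actor and target carry no e-mail (system or service-account actors) is reported as self-escalation; add `| where isnotempty(actor_details.email)` before the comparison, and use `=~` so differing case does not hide a real match. `action has_any("join", "role")` with `aux_info == "R"` also matches a user joining a group as a plain member; whether a self-join is an escalation depends on the group, so the `GroupRole` column is worth surfacing as a custom detail rather than only computing it. The entity columns `TargetUsername`, `ActorUsername` and `SrcIpAddr` are dynamic and should be wrapped in `tostring()`.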
|
||||
|
|
@ -0,0 +1,59 @@
|
|||
id: a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed
|
||||
name: 1Password - Potential insider privilege escalation via vault
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("grant", "update")
|
||||
| where object_type == "uva"
|
||||
| where tostring(actor_details.email) == tostring(aux_details.email)
|
||||
| extend
|
||||
TargetUsername = aux_details.email
|
||||
, ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
subTechniques:
|
||||
- T1078.004
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
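Review bot: As in the group rule, `| where tostring(actor_details.email) == tostring(aux_details.email)` matches when both e-mails are empty, so a `uva` grant/update with no actor e-mail is flagged as a self-grant; guard with `| where isnotempty(actor_details.email)` and compare with `=~`. The query does not surface which vault was affected — `object_uuid` is the vault identifier used by the privileged-vault rules in this commit, so projecting it as a custom detail makes the incident triageable. The `TargetUsername`, `ActorUsername` and `SrcIpAddr` columns are dynamic and should be wrapped in `tostring()` for the entity mappings.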
|
||||
|
|
@ -0,0 +1,68 @@
|
|||
id: 76e386eb-f51a-4600-97d1-f0db3b7e41f1
|
||||
name: 1Password - Privileged vault permission change
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
query: |-
|
||||
let watchlist =
|
||||
_GetWatchlist("PV1PW")
|
||||
| project SearchKey
|
||||
;
|
||||
// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself
|
||||
let vaults = dynamic([""]);
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where
|
||||
(action has_any("grant", "revoke", "update") and object_type == "uva") or
|
||||
(action has_any("grant", "revoke", "update") and object_type == "gva")
|
||||
// Enable the line below when using the "Privileged Vaults - 1PW" watchlist
|
||||
| where object_uuid in (watchlist)
|
||||
// Enable the line below when using the dynamic vaults list within the analytics rule itself
|
||||
// | where object_uuid in (vaults)
|
||||
| extend
|
||||
TargetUsername = case(isnotempty(aux_details), aux_details.email, "")
|
||||
, TargetGroupUUID = case(isempty(aux_details), aux_uuid, "")
|
||||
, ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
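Review bot: `TargetUsername = case(isnotempty(aux_details), aux_details.email, "")` mixes a dynamic result with a string literal; KQL `case()` requires every result expression to share one type, so write `case(isnotempty(aux_details), tostring(aux_details.email), "")` and `case(isempty(aux_details), tostring(aux_uuid), "")`. The two `or` branches differ only in object type; `| where action has_any("grant", "revoke", "update") and object_type in ("uva", "gva")` is the same filter without the duplication. The `PV1PW` watchlist is the active branch: a missing watchlist errors the query, and an empty one makes `object_uuid in (watchlist)` match nothing, so this High-severity rule silently never fires — that failure mode deserves a comment, or a companion check. `TargetGroupUUID` is computed but mapped to no entity, so group-based grants produce an incident whose only account entity is empty; at least surface it as a custom detail.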
|
||||
|
|
@ -1,13 +1,16 @@
|
|||
id: 395db1d2-fb5a-44a8-9f8c-bf539d4d26ce
|
||||
id: 6711b747-16d7-4df4-9f61-8633617f45d7
|
||||
name: 1Password - Secret extraction post vault access change by administrator
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -17,11 +20,10 @@ tactics:
|
|||
relevantTechniques:
|
||||
- T1555
|
||||
query: |-
|
||||
let ruleFrequency = 5m;
|
||||
let lookback = 1h;
|
||||
let secretExtractionActivity =
|
||||
OnePasswordEventLogs_CL
|
||||
| where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))
|
||||
| where TimeGenerated between (ago(lookback) .. now())
|
||||
| where log_source == "itemusages"
|
||||
| where action has_any("server-fetch", "reveal", "secure-copy")
|
||||
;
|
||||
|
@ -62,9 +64,7 @@ incidentConfiguration:
|
|||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
groupByEntities: []
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
suppressionDuration: 1h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
|
@ -76,5 +76,4 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
suppressionDuration: 5h
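Review bot: Widening the extraction window to `| where TimeGenerated between (ago(lookback) .. now())` while `queryFrequency` stays 5m and `queryPeriod` 1h means every run re-evaluates the full hour of itemusages, so one extraction is re-alerted on up to twelve consecutive runs unless the join outside this hunk dedupes it; only the preceding vault-access change needs the 1h lookback, the extraction side should be bounded to the last run interval, e.g. `| where TimeGenerated between (ago(5m) .. now())`. The rule id changes from `395db1d2-…` to `6711b747-…`, which deploys as a new rule beside the existing one rather than updating it — confirm that is intended. `let lookback = 1h;` duplicates `queryPeriod` and can drift from it if one is tuned without the other. The query continues outside the hunk.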
|
||||
|
||||
|
|
|
@ -0,0 +1,53 @@
|
|||
id: d54a3cf9-6169-449c-83f1-e7def3359702
|
||||
name: 1Password - Service account integration token adjustment
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1134
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("create", "trename", "tverify", "trevoke")
|
||||
| where object_type == "satoken"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
subTechniques:
|
||||
- T1134.003
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
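Review bot: `action has_any("create", "trename", "tverify", "trevoke")` raises the same Medium incident for a token verification as for a token creation or revocation; if `tverify` is a read-only check (confirm against the audit-event reference) it dilutes the signal, so either drop it or project `action` as a custom detail so the incident states which operation occurred. T1134.003 (Make and Impersonate Token) is a Windows access-token technique; credential lifecycle for a cloud service account sits closer to T1098 Account Manipulation — worth reconsidering the mapping. `ActorUsername = actor_details.email` and `SrcIpAddr = session.ip` should be wrapped in `tostring()` so the entity mappings resolve.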
|
||||
|
|
@ -0,0 +1,67 @@
|
|||
id: ceb20a5c-adce-4eba-9728-541361d47d87
|
||||
name: 1Password - Successful anomalous sign-in
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Low
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |-
|
||||
let rulefrequency = 1h;
|
||||
let lookback = 14d;
|
||||
let onePasswordSigninBaseline =
|
||||
OnePasswordEventLogs_CL
|
||||
| where TimeGenerated between (ago(lookback) .. now())
|
||||
| where log_source == "signinattempts"
|
||||
| where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
|
||||
| summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)
|
||||
| extend identifier = strcat(target_user_uuid, client_ip_address)
|
||||
| summarize make_list(identifier)
|
||||
;
|
||||
OnePasswordEventLogs_CL
|
||||
| where TimeGenerated between (ago(rulefrequency) .. now())
|
||||
| where log_source == "signinattempts"
|
||||
| where (category == "success" and action_type == "mfa_ok") or (category == "success" and action_type == "credentials_ok")
|
||||
// limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins
|
||||
// | where country !in~ ("CA", "US")
|
||||
| extend identifier = strcat(target_user.uuid, client.ip_address)
|
||||
| where identifier !in (onePasswordSigninBaseline)
|
||||
| extend
|
||||
TargetUsername = target_user.email
|
||||
, SrcIpAddr = client.ip_address
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: false
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 1h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
alertDetailsOverride:
|
||||
alertDynamicProperties: []
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
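Review bot: The baseline at `| where TimeGenerated between (ago(lookback) .. now())` includes the current hour, so every identifier seen in the detection window is also in the baseline and `| where identifier !in (onePasswordSigninBaseline)` can never be true; bound the baseline with `| where TimeGenerated between (ago(lookback) .. ago(rulefrequency))`. The baseline also ends in `| summarize make_list(identifier)`, which yields a single row holding a dynamic array rather than one identifier per row, so the `!in` comparison is against an array value, not the identifiers — replace it with `| distinct identifier`. The commented tuning line `// | where country !in~ ("CA", "US")` references a `country` column that does not exist at that point; it is `tostring(location.country)`. The description says "MFA confirmed sign-in" but `action_type == "credentials_ok"` successes are included as well; align one with the other.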
|
||||
|
|
@ -0,0 +1,52 @@
|
|||
id: 3c8140eb-e946-4bf2-8c61-03e4df56d400
|
||||
name: 1Password - User account MFA settings changed
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 30m
|
||||
queryPeriod: 30m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1556
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action has_any("enblmfa", "updatmfa", "disblmfa")
|
||||
| where object_type == "user"
|
||||
| extend
|
||||
ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
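Review bot: The alert identifies only the actor, so an administrator disabling MFA for another user and a user changing their own settings look identical; the `user` object of the event is not surfaced. If the record carries the target in `object_details` (the vault-export-post-account-creation rule in this commit reads `object_details1.email`, which suggests it does), add `TargetUsername = tostring(object_details.email)` and map it as a second Account entity, and wrap the existing `actor_details.email` and `session.ip` in `tostring()`. `queryPeriod: 30m` equal to `queryFrequency: 30m` leaves no overlap for late-arriving records.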
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
id: 849ea271-cd9c-4afe-a13b-ddbbac5fc6d3
|
||||
name: 1Password - User added to privileged group
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 5m
|
||||
queryPeriod: 5m
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
query: |-
|
||||
let watchlist =
|
||||
_GetWatchlist("PG1PW")
|
||||
| project SearchKey
|
||||
;
|
||||
let groups = dynamic([""]);
|
||||
OnePasswordEventLogs_CL
|
||||
| where log_source == "auditevents"
|
||||
| where action == "join"
|
||||
| where object_type == "gm"
|
||||
| where tostring(actor_details.email) != tostring(aux_details.email)
|
||||
// Enable the line below when using the "Privileged Groups - 1PW" watchlist
|
||||
| where object_uuid in (watchlist)
|
||||
// Enable the line below when using the dynamic groups list within the analytics rule itself
|
||||
// | where object_uuid in (groups)
|
||||
| extend
|
||||
TargetUsername = aux_details.email
|
||||
, ActorUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
, GroupRole = case(
|
||||
aux_info == "R", "Group member"
|
||||
, aux_info == "A", "Group manager"
|
||||
, aux_info
|
||||
)
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 30m
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: ActorUsername
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
- identifier: FullName
|
||||
columnName: TargetUsername
|
||||
- entityType: IP
|
||||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
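Review bot: `let groups = dynamic([""]);` is declared but never used while the `PG1PW` watchlist branch is active, and as with the vault rules an absent watchlist errors the query while an empty one makes `object_uuid in (watchlist)` match nothing, so the rule silently never fires. `action == "join"` does not cover role changes — the self-escalation rule matches `has_any("join", "role")` — so promoting an existing member of a privileged group to group manager is not alerted here; `action has_any("join", "role")` closes that gap. `tostring(actor_details.email) != tostring(aux_details.email)` is case-sensitive; use `!~`, and wrap the three entity columns in `tostring()`.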
|
|
@ -1,4 +1,4 @@
|
|||
id: 969e2e5c-9cc6-423c-a3de-514f7ad75fe7
|
||||
id: 969e2e5c-9cc6-423c-a3de-514f7ad75fe7
|
||||
name: 1Password - Vault export post account creation
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
|
@ -8,6 +8,10 @@ description: |-
|
|||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
|
@ -38,19 +42,6 @@ query: |-
|
|||
| extend
|
||||
TargetUsername = object_details1.email
|
||||
, SrcIpAddr = session1.ip_address
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
groupByEntities: []
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
@ -60,5 +51,15 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
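Review bot: `SrcIpAddr = session1.ip_address` reads a field name that no other audit-event rule in this commit uses — they all project `session.ip`; if the `1` suffix comes from a join outside this hunk, the right-hand session object would still be expected to carry `ip`, so confirm the field or every incident from this rule gets an empty IP entity. Both entity columns are dynamic and should be wrapped in `tostring()`. The hunk itself only moves the incident configuration below `entityMappings`, drops the empty `groupBy*` lists and adds `suppressionDuration: 5h`, but with `queryPeriod: 14d` and `queryFrequency: 1h` the same export is re-evaluated every hour for two weeks unless the join dedupes on time, and suppression stays disabled.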
|
||||
|
||||
|
|
|
@ -1,13 +1,16 @@
|
|||
id: cb23d6cb-4b2e-44a7-b48e-040dd043147b
|
||||
id: dae4c601-51c9-47f5-83d3-e6eaef929cf6
|
||||
name: 1Password - Vault export
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
description: |-
|
||||
This will alert when a successful vault export has occurred within 1Password.
|
||||
|
||||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Low
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 1h
|
||||
triggerOperator: gt
|
||||
|
@ -18,7 +21,8 @@ relevantTechniques:
|
|||
- T1555
|
||||
query: |-
|
||||
OnePasswordEventLogs_CL
|
||||
| where action == "export" and object_type == "vault"
|
||||
| where action == "export"
|
||||
| where object_type == "vault"
|
||||
| extend
|
||||
TargetUsername = actor_details.email
|
||||
, SrcIpAddr = session.ip
|
||||
|
@ -26,13 +30,11 @@ suppressionEnabled: false
|
|||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: false
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 5h
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
groupByEntities: []
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
suppressionDuration: 1h
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
|
@ -44,5 +46,4 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
suppressionDuration: 5h
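Review bot: The account that performs the export is bound to `TargetUsername` (`TargetUsername = actor_details.email`), while every other rule in this commit exposes that same field as `ActorUsername`; an export has no separate target user, so the Account entity ends up carrying the actor under a misleading name. Suggest `ActorUsername = actor_details.email` and updating the Account entity mapping to match (that mapping line sits outside these hunks). The query also lacks the `| where log_source == "auditevents"` filter the sibling rules apply, so any non-audit record with action `export` and object_type `vault` would match if such records exist. Note too that the rule `id` changed (cb23d6cb… → dae4c601…); the ARM templates in this commit build the alert-rule resource name from that GUID, so a redeploy creates a second rule instead of updating the existing one.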
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 51617533-cf51-4415-9020-b15bd47d69d2
|
||||
id: 51617533-cf51-4415-9020-b15bd47d69d2
|
||||
name: 1Password - Vault export prior to account suspension or deletion
|
||||
version: 1.0.0
|
||||
kind: Scheduled
|
||||
|
@ -8,6 +8,10 @@ description: |-
|
|||
Ref: https://1password.com/
|
||||
Ref: https://github.com/securehats/
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: 1Password
|
||||
dataTypes:
|
||||
- OnePasswordEventLogs_CL
|
||||
queryFrequency: 1h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
|
@ -46,19 +50,6 @@ query: |-
|
|||
, exported_vault = object_details
|
||||
, TargetUsername
|
||||
, SrcIpAddr
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
groupByEntities: []
|
||||
groupByAlertDetails: []
|
||||
groupByCustomDetails: []
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
entityMappings:
|
||||
- entityType: Account
|
||||
fieldMappings:
|
||||
|
@ -68,5 +59,15 @@ entityMappings:
|
|||
fieldMappings:
|
||||
- identifier: Address
|
||||
columnName: SrcIpAddr
|
||||
suppressionEnabled: false
|
||||
incidentConfiguration:
|
||||
createIncident: true
|
||||
groupingConfiguration:
|
||||
enabled: true
|
||||
reopenClosedIncident: false
|
||||
lookbackDuration: 1h
|
||||
matchingMethod: AllEntities
|
||||
suppressionDuration: 5h
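Review bot: `queryPeriod: 14d` combined with `queryFrequency: 1h` means every hourly run re-evaluates the full 14-day window, so one export-then-suspension pair will re-alert every hour for up to two weeks unless the query itself bounds the suspension event to the last run interval; the query body is outside these hunks, so this needs confirming. Incident grouping with `lookbackDuration: 1h` only folds alerts raised in the previous hour, and `suppressionEnabled: false` leaves the repeats unsuppressed. If the long lookback is only needed to find the earlier export, constrain the suspension/deletion side with something like `| where TimeGenerated > ago(1h)` before the join, or enable suppression for the window.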
|
||||
eventGroupingSettings:
|
||||
aggregationKind: SingleAlert
|
||||
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9406f5ab-1197-4db9-8042-9f3345be061c')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9406f5ab-1197-4db9-8042-9f3345be061c')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Changes to SSO configuration",
|
||||
"description": "This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"enblsso\", \"disblsso\", \"chngpsso\", \"chngasso\", \"chngdssoo\", \"addgsso\", \"delgsso\")\r\n| where object_type == \"sso\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"techniques": [
|
||||
"T1556"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": {
|
||||
"alertDynamicProperties": []
|
||||
},
|
||||
"customDetails": {},
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
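Review bot: `chngdssoo` in the `has_any` list on the query line breaks the pattern of the other six action codes (`enblsso`, `disblsso`, `chngpsso`, `chngasso`, `addgsso`, `delgsso`), which looks like a doubled `o`; if the real code is `chngdsso`, changes to that SSO setting would be silently missed, so verify it against the 1Password audit-event action list. Since `action` holds a single code, `action in (...)` is the exact match and avoids `has_any` term semantics. `disblsso` removes the identity-provider dependency for sign-in, which arguably warrants `High` rather than the uniform `Medium`. The description also carries the typo `upto`, repeated in the other new rules.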
|
|
@ -0,0 +1,81 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/54e6bb8e-2935-422f-9387-dba1961abfd7')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Changes to firewall rules",
|
||||
"description": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"updatfw\"\r\n| where object_type == \"account\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"DefenseEvasion"
|
||||
],
|
||||
"techniques": [
|
||||
"T1562"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1562.007"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
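Review bot: The alert carries only the actor and source IP; nothing about what changed is projected and `customDetails` is `null`, so an analyst cannot tell from the incident whether a firewall rule was loosened or tightened. The sibling rules in this commit read change payloads from `aux_details`/`object_details`; if the `updatfw` event carries the rule in one of those fields (not visible here), extend with e.g. `, FirewallChange = tostring(aux_details)` and surface it via `"customDetails": {"FirewallChange": "FirewallChange"}`. The description also contains the typo `upto`.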
|
|
@ -0,0 +1,79 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/92ab0938-1e7c-4671-9810-392e8b9714da')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/92ab0938-1e7c-4671-9810-392e8b9714da')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Disable MFA factor or type for all user accounts",
|
||||
"description": "This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "High",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"disblmfa\"\r\n| where object_type == \"account\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"DefenseEvasion"
|
||||
],
|
||||
"techniques": [
|
||||
"T1556"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
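Review bot: `subTechniques` is left empty although the matching sub-technique exists — ATT&CK T1556.006 (Modify Authentication Process: Multi-Factor Authentication); the firewall and service-account rules in this commit do populate `subTechniques`, so `"subTechniques": ["T1556.006"]` keeps the mapping consistent. The query matches only `disblmfa`; if 1Password emits a distinct action when a single MFA type is removed rather than the whole factor disabled, the display name ("factor or type") promises more coverage than the filter delivers, so confirm against the action list.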
|
|
@ -0,0 +1,62 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bf9132c7-9d4d-4244-98c7-7d994703c208')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bf9132c7-9d4d-4244-98c7-7d994703c208')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Log Ingestion Failure",
|
||||
"description": "This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.\n\nLog ingestion troubleshooting:\n<insert URL>\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"healthevents\"",
|
||||
"queryFrequency": "PT1H",
|
||||
"queryPeriod": "PT1H",
|
||||
"triggerOperator": "Equal",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"DefenseEvasion"
|
||||
],
|
||||
"techniques": [
|
||||
"T1562"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": false,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT5H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": null,
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1562.008"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
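Review bot: The description ships with the placeholder `<insert URL>` under "Log ingestion troubleshooting", which will appear verbatim in every incident; either fill it in or drop those two lines. With `triggerOperator` `Equal` 0 on an hourly run, an outage longer than an hour raises a fresh incident every hour because `suppressionEnabled` is `false` and grouping is disabled — enabling suppression (the `PT5H` duration is already set) or grouping on `AnyAlert` would keep one incident per outage. The check also only proves health events arrive; if audit events stop while the health stream continues, this rule stays silent, so consider a second count on `log_source == "auditevents"` if that stream is expected to be continuous.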
|
|
@ -8,22 +8,22 @@
|
|||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/4ef8a4e9-1d08-4743-939f-c995c795c5e8')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/4ef8a4e9-1d08-4743-939f-c995c795c5e8')]",
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/9a264487-bcb8-4c7f-a461-b289a46377b8')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/9a264487-bcb8-4c7f-a461-b289a46377b8')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2022-11-01-preview",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Manual account creation",
|
||||
"description": "This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where actor_details.email !endswith \"@1passwordserviceaccounts.com\"\r\n| where action == \"create\"\r\n and object_type == \"invite\"\r\n| extend\r\n TargetUsername = target_user.email\r\n , SrcIpAddr = client.ip_address",
|
||||
"query": "OnePasswordEventLogs_CL\n| where action == \"create\"\n| where object_type == \"invite\"\n| where actor_details.email !endswith \"@1passwordserviceaccounts.com\"\n| extend\n ActorUsername = actor_details.email\n , SrcIpAddr = session.ip\n , TargetUsername = aux_info",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
|
@ -32,14 +32,14 @@
|
|||
"techniques": [
|
||||
"T1136"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"alertRuleTemplateName": "4ef8a4e9-1d08-4743-939f-c995c795c5e8",
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT5M",
|
||||
"matchingMethod": "AllEntities",
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AnyAlert",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
|
@ -56,7 +56,7 @@
|
|||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
|
@ -68,10 +68,20 @@
|
|||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null
|
||||
"templateVersion": "1.0.0",
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
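Review bot: `matchingMethod` changed from `AllEntities` to `AnyAlert` with `lookbackDuration` raised to `PT1H`, so any two manual invitations within an hour — different admins, different targets, different source IPs — are folded into one incident; every other rule in this commit keeps `AllEntities`, and nothing in the change explains the exception. Mapping `aux_info` to an Account `FullName` entity as `TargetUsername` also assumes that field holds the invitee's email for `invite` events; the group rule in this commit treats `aux_info` as a role code (`R`/`A`), so confirm the field semantics for `object_type == "invite"` before relying on it. Switching `SrcIpAddr` from `client.ip_address` to `session.ip` does align this rule with the new ones.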
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/26daed54-cea5-469c-9b6e-0d85a40dc463')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/26daed54-cea5-469c-9b6e-0d85a40dc463')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - New service account integration created",
|
||||
"description": "This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"create\"\r\n| where object_type == \"sa\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"techniques": [
|
||||
"T1136"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1136.003"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
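Review bot: The rule fires on any `create` of `object_type == "sa"` but projects nothing identifying the service account, so the incident shows only who created it; adding `, ServiceAccountUUID = object_uuid` (the field the vault rules already use) and exposing it through `customDetails` would let analysts locate the account and its vault grants. The description says "a new integration has been created" while the display name and filter are about service accounts — align the wording so triage notes match the query. Severity is `Medium`; a service account is a durable, non-interactive credential with vault access, so `High` may be justified depending on the environment.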
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/327e0579-7c03-4ec7-acf5-a29dcc4a12b6')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Non-privileged vault user permission change",
|
||||
"description": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "let watchlist =\r\n _GetWatchlist(\"PV1PW\")\r\n | project SearchKey\r\n;\r\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\r\nlet vaults = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"grant\", \"revoke\", \"update\")\r\n| where object_type == \"uva\"\r\n| where tostring(actor_details.email) != tostring(aux_details.email)\r\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\r\n| where object_uuid !in (watchlist)\r\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\r\n// | where object_uuid !in (vaults)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"techniques": [
|
||||
"T1098"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
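Review bot: The `_GetWatchlist("PV1PW")` lookup is evaluated unconditionally and the `| where object_uuid !in (watchlist)` line is enabled by default, so in a workspace where the `PV1PW` watchlist has not been created the query errors on every run and the rule silently produces nothing; the comment presents the line as optional, but the code makes the watchlist a hard prerequisite. Either document the watchlist as required in the description or default to the inline `vaults` list and leave the watchlist lines commented. The exclusion also assumes `object_uuid` is the vault UUID for `uva` events; that is not visible here, so confirm it against a sample event. Same `upto` typo in the description.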
|
|
@ -0,0 +1,90 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/398a1cf1-f56f-4700-912c-9bf4c8409ebc')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/398a1cf1-f56f-4700-912c-9bf4c8409ebc')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Potential insider privilege escalation via group",
|
||||
"description": "This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"join\", \"role\")\r\n| where object_type == \"gm\"\r\n| where tostring(actor_details.email) == tostring(aux_details.email)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip\r\n , GroupRole = case(\r\n aux_info == \"R\", \"Group member\"\r\n , aux_info == \"A\", \"Group manager\"\r\n , aux_info\r\n )",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"PrivilegeEscalation"
|
||||
],
|
||||
"techniques": [
|
||||
"T1078"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1078.004"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
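Review bot: `GroupRole` is computed in the final `extend` but `customDetails` is `null` and it is not an entity, so the value never reaches the incident; `"customDetails": {"GroupRole": "GroupRole"}` would surface whether the actor made themselves a group manager. The self-modification check `tostring(actor_details.email) == tostring(aux_details.email)` is also satisfied when both sides are absent (`tostring` of a missing field yields `""`), so a `gm` event without `aux_details` would trigger the rule; the privileged-vault rule in this commit guards for an empty `aux_details` on vault events, so the case is at least plausible. Guard with `| where isnotempty(actor_details.email)` ahead of the comparison.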
|
|
@ -0,0 +1,90 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a00ffbd8-1d1c-47a3-b0a6-7d70bd8017ed')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Potential insider privilege escalation via vault",
|
||||
"description": "This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"grant\", \"update\")\r\n| where object_type == \"uva\"\r\n| where tostring(actor_details.email) == tostring(aux_details.email)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"PrivilegeEscalation"
|
||||
],
|
||||
"techniques": [
|
||||
"T1078"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1078.004"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
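Review bot: The equality `tostring(actor_details.email) == tostring(aux_details.email)` holds when both values are missing, because `tostring` of an absent dynamic field returns `""`, so any `uva` grant/update lacking `aux_details` fires as a self-grant; the privileged-vault rule in this commit explicitly handles an empty `aux_details`, so the case is plausible. Add `| where isnotempty(actor_details.email)` before the comparison. `revoke` is excluded here while the non-privileged rule includes it; if that is intended (self-revocation is not escalation), a one-line comment in the query would stop someone "fixing" it later.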
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/76e386eb-f51a-4600-97d1-f0db3b7e41f1')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/76e386eb-f51a-4600-97d1-f0db3b7e41f1')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Privileged vault permission change",
|
||||
"description": "This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "High",
|
||||
"enabled": true,
|
||||
"query": "let watchlist =\r\n _GetWatchlist(\"PV1PW\")\r\n | project SearchKey\r\n;\r\n// Insert the vault UUIDs below when using the dynamic vaults list within the analytics rule itself\r\nlet vaults = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where\r\n (action has_any(\"grant\", \"revoke\", \"update\") and object_type == \"uva\") or\r\n (action has_any(\"grant\", \"revoke\", \"update\") and object_type == \"gva\")\r\n// Enable the line below when using the \"Privileged Vaults - 1PW\" watchlist\r\n| where object_uuid in (watchlist)\r\n// Enable the line below when using the dynamic vaults list within the analytics rule itself\r\n// | where object_uuid in (vaults)\r\n| extend\r\n TargetUsername = case(isnotempty(aux_details), aux_details.email, \"\")\r\n , TargetGroupUUID = case(isempty(aux_details), aux_uuid, \"\")\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"techniques": [
|
||||
"T1098"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
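Review bot: In the `query` of the new privileged-vault rule, `TargetGroupUUID` is computed but never surfaced — `customDetails` is null and no entity mapping references it — so when the changed grant is a group vault access (`object_type == "gva"`) the analyst gets an empty `TargetUsername` and no indication which group was affected; `"customDetails": { "TargetGroupUUID": "TargetGroupUUID", "VaultUUID": "object_uuid" }` would carry that context into the alert. The rule also hard-depends on the `PV1PW` watchlist: `_GetWatchlist("PV1PW")` is the active filter, so on a workspace without that watchlist the rule errors rather than degrading, which the `description` should state (the same applies to the `PG1PW` watchlist in the new user-added-to-privileged-group rule further down). `let vaults = dynamic([""])` is only a placeholder for the alternative filter; if that line is enabled with the empty default it silently matches nothing, so the comment should say the placeholder must be replaced first.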
|
|
@ -8,22 +8,22 @@
|
|||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/395db1d2-fb5a-44a8-9f8c-bf539d4d26ce')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/395db1d2-fb5a-44a8-9f8c-bf539d4d26ce')]",
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6711b747-16d7-4df4-9f61-8633617f45d7')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6711b747-16d7-4df4-9f61-8633617f45d7')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2022-11-01-preview",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Secret extraction post vault access change by administrator",
|
||||
"description": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"description": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "High",
|
||||
"enabled": true,
|
||||
"query": "let ruleFrequency = 5m;\r\nlet lookback = 1h;\r\nlet secretExtractionActivity =\r\n OnePasswordEventLogs_CL\r\n | where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))\r\n | where log_source == \"itemusages\"\r\n | where action has_any(\"server-fetch\", \"reveal\", \"secure-copy\")\r\n;\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where (action == \"grant\" and object_type == \"uva\") or (action == \"update\" and object_type == \"uva\")\r\n| where tostring(actor_details.uuid) == tostring(aux_details.uuid)\r\n| extend\r\n userUuid = tostring(actor_details.uuid)\r\n , vaultUuid = tostring(object_uuid)\r\n| join (\r\n secretExtractionActivity\r\n | extend\r\n userUuid = tostring(user.uuid)\r\n , vaultUuid = tostring(vault_uuid)\r\n )\r\n on $left.userUuid == $right.userUuid and $left.vaultUuid == $right.vaultUuid\r\n| extend\r\n auditevents = bag_pack(\"action\", action, \"object_type\", object_type)\r\n , itemusages = bag_pack(\"action\", action1, \"object_type\", object_type1)\r\n , vault_details = bag_pack(\"vault_uuid\", vault_uuid1, \"item_uuid\", item_uuid1)\r\n| project\r\n TimeGenerated\r\n , actor_details\r\n , target_details = aux_details\r\n , location_details = location\r\n , client_details = client1\r\n , auditevents\r\n , itemusages\r\n , vault_details\r\n , TargetUsername = tostring(user1.email)\r\n , SrcIpAddr = tostring(client1.ip_address)",
|
||||
"query": "let lookback = 1h;\nlet secretExtractionActivity =\n OnePasswordEventLogs_CL\n | where TimeGenerated between (ago(lookback) .. now())\n | where log_source == \"itemusages\"\n | where action has_any(\"server-fetch\", \"reveal\", \"secure-copy\")\n;\nOnePasswordEventLogs_CL\n| where log_source == \"auditevents\"\n| where (action == \"grant\" and object_type == \"uva\") or (action == \"update\" and object_type == \"uva\")\n| where tostring(actor_details.uuid) == tostring(aux_details.uuid)\n| extend\n userUuid = tostring(actor_details.uuid)\n , vaultUuid = tostring(object_uuid)\n| join (\n secretExtractionActivity\n | extend\n userUuid = tostring(user.uuid)\n , vaultUuid = tostring(vault_uuid)\n )\n on $left.userUuid == $right.userUuid and $left.vaultUuid == $right.vaultUuid\n| extend\n auditevents = bag_pack(\"action\", action, \"object_type\", object_type)\n , itemusages = bag_pack(\"action\", action1, \"object_type\", object_type1)\n , vault_details = bag_pack(\"vault_uuid\", vault_uuid1, \"item_uuid\", item_uuid1)\n| project\n TimeGenerated\n , actor_details\n , target_details = aux_details\n , location_details = location\n , client_details = client1\n , auditevents\n , itemusages\n , vault_details\n , TargetUsername = tostring(user1.email)\n , SrcIpAddr = tostring(client1.ip_address)",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT1H",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
|
@ -32,7 +32,7 @@
|
|||
"techniques": [
|
||||
"T1555"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"alertRuleTemplateName": "395db1d2-fb5a-44a8-9f8c-bf539d4d26ce",
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
|
@ -71,7 +71,8 @@
|
|||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null
|
||||
"templateVersion": "1.0.0",
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
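Review bot: The rewritten `query` still joins the vault-permission change and the secret extraction on user and vault only, without ordering them in time, although the `description` says the extraction must occur after the access change; with both sides now scanned over the same `lookback` window (`ago(lookback) .. now()`), an extraction that preceded the grant also matches. After the `join` add `| where TimeGenerated1 > TimeGenerated` (the right-hand row's timestamp is renamed `TimeGenerated1` by the join) before the final `extend`. The join also uses the default `innerunique` kind, which keeps only one left-hand row per key, so repeated grants on the same user/vault within the hour collapse into one; `join kind=inner` is likely the intended semantics for a detection, worth confirming. With `queryFrequency` PT5M and `queryPeriod` PT1H the same pair re-fires on every run for up to an hour while `suppressionEnabled` is false, so changing `suppressionDuration` to PT1H has no effect; the grouping configuration in the later hunk is what prevents duplicate incidents, and the enclosing object continues outside these hunks.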
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d54a3cf9-6169-449c-83f1-e7def3359702')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d54a3cf9-6169-449c-83f1-e7def3359702')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Service account integration token adjustment",
|
||||
"description": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"create\", \"trename\", \"tverify\", \"trevoke\")\r\n| where object_type == \"satoken\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"DefenseEvasion"
|
||||
],
|
||||
"techniques": [
|
||||
"T1134"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": [
|
||||
"T1134.003"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
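Review bot: The `tactics`/`techniques` metadata of the new service-account token rule maps to DefenseEvasion / T1134 with sub-technique T1134.003 (Make and Impersonate Token), which describes manipulation of OS access tokens; a 1Password service-account integration token being created, renamed, verified or revoked is an API-credential lifecycle event, so Persistence / T1098 (Account Manipulation) — the mapping this commit uses for the privileged-vault and privileged-group rules — looks like the closer fit, worth confirming against how the rest of the solution classifies credential changes. Also `ActorUsername = actor_details.email` and `SrcIpAddr = session.ip` are left dynamic here while the modified secret-extraction rule in this commit wraps the same kind of fields in `tostring()`; `ActorUsername = tostring(actor_details.email)` and `SrcIpAddr = tostring(session.ip)` would keep the columns fed to the `FullName` and `Address` entity mappings consistent across rules.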
|
|
@ -8,22 +8,22 @@
|
|||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ac54655-e213-424f-a676-c90cfe59e927')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ac54655-e213-424f-a676-c90cfe59e927')]",
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ceb20a5c-adce-4eba-9728-541361d47d87')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ceb20a5c-adce-4eba-9728-541361d47d87')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2022-11-01-preview",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Successful anomalous sign-in",
|
||||
"description": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"description": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Low",
|
||||
"enabled": true,
|
||||
"query": "let ruleFrequency = 1h;\r\nlet lookback = 14d;\r\nlet onePasswordSigninBaseline =\r\n OnePasswordEventLogs_CL\r\n | where TimeGenerated between (ago(lookback) .. ago(now() - ago(ruleFrequency)))\r\n | where log_source == \"signinattempts\"\r\n | where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\r\n | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)\r\n | extend identifier = strcat(target_user_uuid, client_ip_address)\r\n | summarize make_list(identifier)\r\n;\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"signinattempts\"\r\n| where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\r\n| extend identifier = strcat(target_user.uuid, client.ip_address)\r\n| where identifier !in (onePasswordSigninBaseline)\r\n| extend\r\n TargetUsername = target_user.email\r\n , SrcIpAddr = client.ip_address",
|
||||
"query": "let rulefrequency = 1h;\nlet lookback = 14d;\nlet onePasswordSigninBaseline =\n OnePasswordEventLogs_CL\n | where TimeGenerated between (ago(lookback) .. now())\n | where log_source == \"signinattempts\"\n | where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\n | summarize count() by tostring(target_user.uuid), tostring(target_user.email), tostring(client.ip_address), tostring(location.country)\n | extend identifier = strcat(target_user_uuid, client_ip_address)\n | summarize make_list(identifier)\n;\nOnePasswordEventLogs_CL\n| where TimeGenerated between (ago(rulefrequency) .. now())\n| where log_source == \"signinattempts\"\n| where (category == \"success\" and action_type == \"mfa_ok\") or (category == \"success\" and action_type == \"credentials_ok\")\n// limit the amount of incident triggers by enabling and adjusting the following in order to exclude country specific sign-ins\n// | where country !in~ (\"CA\", \"US\")\n| extend identifier = strcat(target_user.uuid, client.ip_address)\n| where identifier !in (onePasswordSigninBaseline)\n| extend\n TargetUsername = target_user.email\n , SrcIpAddr = client.ip_address",
|
||||
"queryFrequency": "PT1H",
|
||||
"queryPeriod": "P14D",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
|
@ -32,11 +32,11 @@
|
|||
"techniques": [
|
||||
"T1078"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"alertRuleTemplateName": "6ac54655-e213-424f-a676-c90cfe59e927",
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"enabled": false,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
|
@ -51,7 +51,7 @@
|
|||
"alertDetailsOverride": {
|
||||
"alertDynamicProperties": []
|
||||
},
|
||||
"customDetails": {},
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
|
@ -73,7 +73,8 @@
|
|||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null
|
||||
"templateVersion": "1.0.0",
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
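Review bot: The rewritten sign-in `query` builds `onePasswordSigninBaseline` over `ago(lookback) .. now()` and then tests identifiers from `ago(rulefrequency) .. now()` against it, so every sign-in in the current window is also in its own baseline and `identifier !in (onePasswordSigninBaseline)` can never hold for a genuinely new location; the old query excluded the most recent `ruleFrequency` from the baseline, which is what the description ("not seen within the last 14 days") requires. Change the baseline bound to `| where TimeGenerated between (ago(lookback) .. ago(rulefrequency))` so the two windows no longer overlap; this is needed regardless of how the `!in` against the single `make_list` row resolves. The commented-out country exclusion references `country`, but the table only exposes `location.country` (as the `summarize` above shows), so enabling it as written would fail on an unknown column — `// | where tostring(location.country) !in~ ("CA", "US")` is the form that would work. The enclosing `properties` object continues outside these hunks.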
|
||||
|
|
|
@ -0,0 +1,80 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3c8140eb-e946-4bf2-8c61-03e4df56d400')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3c8140eb-e946-4bf2-8c61-03e4df56d400')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - User account MFA settings changed",
|
||||
"description": "This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action has_any(\"enblmfa\", \"updatmfa\", \"disblmfa\")\r\n| where object_type == \"user\"\r\n| extend\r\n ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT30M",
|
||||
"queryPeriod": "PT30M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence",
|
||||
"DefenseEvasion"
|
||||
],
|
||||
"techniques": [
|
||||
"T1556"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
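Review bot: The new MFA-settings rule leaves `subTechniques` empty although ATT&CK has an exact match for an MFA configuration change, T1556.006 (Modify Authentication Process: Multi-Factor Authentication); `"subTechniques": ["T1556.006"]` would align it with the other rules in this commit that do populate sub-techniques. The `query` exposes only the actor (`ActorUsername = actor_details.email`), so when an administrator disables MFA for another user the affected account is not mapped; if the audit event carries the affected user in `aux_details` as the vault and group rules in this commit assume, `TargetUsername = aux_details.email` plus a second `Account` entity mapping would let the analyst distinguish a self-service change from an admin weakening someone else's account. A `disblmfa` on another user's account is arguably a higher-severity event than a self-service update, which the flat `Medium` severity does not reflect.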
|
|
@ -0,0 +1,88 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"workspace": {
|
||||
"type": "String"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/849ea271-cd9c-4afe-a13b-ddbbac5fc6d3')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - User added to privileged group",
|
||||
"description": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Medium",
|
||||
"enabled": true,
|
||||
"query": "let watchlist =\r\n _GetWatchlist(\"PG1PW\")\r\n | project SearchKey\r\n;\r\nlet groups = dynamic([\"\"]);\r\nOnePasswordEventLogs_CL\r\n| where log_source == \"auditevents\"\r\n| where action == \"join\"\r\n| where object_type == \"gm\"\r\n| where tostring(actor_details.email) != tostring(aux_details.email)\r\n// Enable the line below when using the \"Privileged Groups - 1PW\" watchlist\r\n| where object_uuid in (watchlist)\r\n// Enable the line below when using the dynamic groups list within the analytics rule itself\r\n// | where object_uuid in (groups)\r\n| extend\r\n TargetUsername = aux_details.email\r\n , ActorUsername = actor_details.email\r\n , SrcIpAddr = session.ip\r\n , GroupRole = case(\r\n aux_info == \"R\", \"Group member\"\r\n , aux_info == \"A\", \"Group manager\"\r\n , aux_info\r\n )",
|
||||
"queryFrequency": "PT5M",
|
||||
"queryPeriod": "PT5M",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
"Persistence"
|
||||
],
|
||||
"techniques": [
|
||||
"T1098"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT30M",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
"groupByCustomDetails": []
|
||||
}
|
||||
},
|
||||
"eventGroupingSettings": {
|
||||
"aggregationKind": "SingleAlert"
|
||||
},
|
||||
"alertDetailsOverride": null,
|
||||
"customDetails": null,
|
||||
"entityMappings": [
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "ActorUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "Account",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "FullName",
|
||||
"columnName": "TargetUsername"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"entityType": "IP",
|
||||
"fieldMappings": [
|
||||
{
|
||||
"identifier": "Address",
|
||||
"columnName": "SrcIpAddr"
|
||||
}
|
||||
]
|
||||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null,
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
|
||||
}
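Review bot: `GroupRole` and `object_uuid` are computed in the `query` of the privileged-group rule but `customDetails` is null and no entity mapping uses them, so the alert tells the analyst that a user joined a privileged group without saying which group or with what role; `"customDetails": { "GroupRole": "GroupRole", "GroupUUID": "object_uuid" }` would surface both. The filter `tostring(actor_details.email) != tostring(aux_details.email)` deliberately drops self-additions, so an administrator adding their own account to a privileged group will not trigger here; the `description` states that scope, but it is worth confirming a sibling rule covers the self-add case the way the self-granted vault access rule at the top of this commit does for vaults. `action == "join"` may also miss role promotions of existing members (a member becoming a manager) if those are logged under a different action — worth checking against the 1Password audit event reference before relying on the `aux_info` case for manager detection.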
|
|
@ -8,22 +8,22 @@
|
|||
},
|
||||
"resources": [
|
||||
{
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/cb23d6cb-4b2e-44a7-b48e-040dd043147b')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/cb23d6cb-4b2e-44a7-b48e-040dd043147b')]",
|
||||
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/dae4c601-51c9-47f5-83d3-e6eaef929cf6')]",
|
||||
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/dae4c601-51c9-47f5-83d3-e6eaef929cf6')]",
|
||||
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
|
||||
"kind": "Scheduled",
|
||||
"apiVersion": "2022-11-01-preview",
|
||||
"apiVersion": "2023-12-01-preview",
|
||||
"properties": {
|
||||
"displayName": "1Password - Vault export",
|
||||
"description": "This will alert when a successful vault export has occurred within 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"description": "This will alert when a successful vault export has occurred within 1Password.\nRef: https://1password.com/\nRef: https://github.com/securehats/",
|
||||
"severity": "Low",
|
||||
"enabled": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where action == \"export\" and object_type == \"vault\"\r\n| extend\r\n TargetUsername = actor_details.email\r\n , SrcIpAddr = session.ip",
|
||||
"query": "OnePasswordEventLogs_CL\n| where action == \"export\"\n| where object_type == \"vault\"\n| extend\n TargetUsername = actor_details.email\n , SrcIpAddr = session.ip",
|
||||
"queryFrequency": "PT1H",
|
||||
"queryPeriod": "PT1H",
|
||||
"triggerOperator": "GreaterThan",
|
||||
"triggerThreshold": 0,
|
||||
"suppressionDuration": "PT5H",
|
||||
"suppressionDuration": "PT1H",
|
||||
"suppressionEnabled": false,
|
||||
"startTimeUtc": null,
|
||||
"tactics": [
|
||||
|
@ -32,13 +32,13 @@
|
|||
"techniques": [
|
||||
"T1555"
|
||||
],
|
||||
"alertRuleTemplateName": null,
|
||||
"alertRuleTemplateName": "cb23d6cb-4b2e-44a7-b48e-040dd043147b",
|
||||
"incidentConfiguration": {
|
||||
"createIncident": true,
|
||||
"groupingConfiguration": {
|
||||
"enabled": false,
|
||||
"enabled": true,
|
||||
"reopenClosedIncident": false,
|
||||
"lookbackDuration": "PT5H",
|
||||
"lookbackDuration": "PT1H",
|
||||
"matchingMethod": "AllEntities",
|
||||
"groupByEntities": [],
|
||||
"groupByAlertDetails": [],
|
||||
|
@ -71,7 +71,8 @@
|
|||
}
|
||||
],
|
||||
"sentinelEntitiesMappings": null,
|
||||
"templateVersion": null
|
||||
"templateVersion": "1.0.0",
|
||||
"subTechniques": []
|
||||
}
|
||||
}
|
||||
]
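Review bot: The rewritten vault-export `query` still names the exporting account `TargetUsername = actor_details.email`, whereas every other rule in this commit maps `actor_details.email` to `ActorUsername` and reserves `TargetUsername` for `aux_details` / `target_user`; an analyst correlating across these rules will read the exporter as a victim. Renaming to `ActorUsername = actor_details.email` (and the matching `columnName` in the entity mapping, which lies outside this hunk) keeps the field semantics uniform. The rule also drops the `log_source == "auditevents"` scoping the other audit rules apply; `action == "export"` with `object_type == "vault"` is probably unique to that source, but the explicit filter is cheap and matches the rest of the set. Finally `subTechniques` stays empty while T1555.005 (Credentials from Password Stores: Password Managers) is the exact sub-technique for a vault export, and a successful bulk export of a vault is arguably more than `Low` severity.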
|
||||
|
|
|
@ -64,9 +64,6 @@
|
|||
{
|
||||
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs from Azure. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
|
||||
},
|
||||
{
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias 1PasswordLogs and load the function code or click [here](https://github.com/azurekid/Azure-Sentinel/blob/cc33169df91a14cfcd860db33033d2146415d084/Solutions/1Password/Parsers/1Password.yaml), The function usually takes 10-15 minutes to activate after solution installation/update."
|
||||
},
|
||||
{
|
||||
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
|
||||
},
|
||||
|
@ -77,7 +74,7 @@
|
|||
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
|
||||
},
|
||||
{
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"title": "Option 1 - Azure Resource Manager (ARM) Template"
|
||||
}
|
||||
]
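Review bot: The rewritten Option 1 `description` in the `@ -77,7 +74,7 @@` hunk fixes the Deploy-to-Azure URI but carries two pre-existing text defects on the same line: `ARM Tempate` should read `ARM Template`, and step 3 asks for `**Workspace Name**, **Workspace Name**` twice — one of the two is presumably meant to be the Workspace ID, which the function app needs alongside the name, so the step should name it. The same line in the last hunk of this page (`@ -96,7 +96,7 @@`) has both defects and is outside this section. The first hunk (`@ -64,9 +64,6 @@`) removes three lines, but the rendered view does not show which of the three notes was dropped; if it is the Kusto-parser note, the remaining text should still tell operators where the parser ships, since the analytics rules depend on the `OnePasswordEventLogs_CL` table it normalises.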
|
||||
|
|
|
@ -96,7 +96,7 @@
|
|||
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
|
||||
},
|
||||
{
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"title": "Azure Resource Manager (ARM) Template"
|
||||
}
|
||||
]
|
||||
|
|
|
@ -35,7 +35,7 @@
|
|||
"metadata": {
|
||||
"description": "Specifies the URI of the arifacts on GitHub"
|
||||
},
|
||||
"defaultValue": "https://raw.githubusercontent.com/azurekid/Azure-Sentinel/feature/1password/Solutions/1Password/Data%20Connectors/1Password/deployment/"
|
||||
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/1Password/Data%20Connectors/1Password/deployment/"
|
||||
}
|
||||
},
|
||||
"resources": [
|
||||
|
|
|
@ -87,9 +87,6 @@
|
|||
{
|
||||
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
|
||||
},
|
||||
{
|
||||
"description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias 1PasswordLogs and load the function code or click [here](https://github.com/azurekid/Azure-Sentinel/blob/cc33169df91a14cfcd860db33033d2146415d084/Solutions/1Password/Parsers/1Password.yaml), The function usually takes 10-15 minutes to activate after solution installation/update."
|
||||
},
|
||||
{
|
||||
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
|
||||
},
|
||||
|
@ -100,7 +97,7 @@
|
|||
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
|
||||
},
|
||||
{
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **API Key**, and **URI**.\n - The default **Time Interval** is set to pull the last five (5) minutes of data. If the time interval needs to be modified, it is recommended to change the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"title": "Option 1 - Azure Resource Manager (ARM) Template"
|
||||
}
|
||||
]
|
||||
|
|
|
@ -43,7 +43,7 @@
|
|||
"metadata": {
|
||||
"description": "Specifies the URI to the package to deploy"
|
||||
},
|
||||
"defaultValue": "https://github.com/azurekid/Azure-Sentinel/raw/feature/1password/Solutions/1Password/Data%20Connectors/1Password/function.zip"
|
||||
"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/1Password/Data%20Connectors/1Password/function.zip"
|
||||
}
|
||||
},
|
||||
"variables": {
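Review bot: The new `packageUri` default pulls `function.zip` from the unpinned `master` branch of Azure/Azure-Sentinel at deployment time, so the code that ends up running in the Function App is whatever is on that branch at the moment someone clicks Deploy, and nothing in this hunk (or in the `artifactsUri` change to `master` in the earlier hunk) verifies the archive it downloads. Pinning to a commit SHA or release tag, e.g. `"defaultValue": "https://raw.githubusercontent.com/Azure/Azure-Sentinel/<commit-sha>/Solutions/1Password/Data%20Connectors/1Password/function.zip"`, and publishing the zip's SHA-256 in the release notes would give deployers something to check against. Since ARM JSON cannot carry comments, the `metadata.description` of this parameter is the place to state that the value should be pinned in production deployments. The enclosing parameter definition starts before the hunk.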
|
||||
|
@ -319,7 +319,7 @@
|
|||
"FUNCTIONS_WORKER_RUNTIME": "powershell",
|
||||
"FUNCTIONS_WORKER_RUNTIME_VERSION": "7.2",
|
||||
"APPINSIGHTS_CONNECTION_STRING": "[reference(concat('microsoft.insights/components/', variables('functionName')), '2015-05-01').ConnectionString]",
|
||||
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[NF.secretName(variables('functionName'), 'AzureWebJobsStorage')]",
|
||||
"WEBSITE_CONTENTAZUREFILECONNECTIONSTRING": "[NF.StorageConnectionString(variables('storageAccountName'), listKeys(resourceId('Microsoft.Storage/storageAccounts', variables('storageAccountName')), '2019-06-01').keys[0].value)]",
|
||||
"WEBSITE_CONTENTSHARE": "[toLower(variables('FunctionName'))]",
|
||||
"WEBSITE_RUN_FROM_PACKAGE": "1",
|
||||
"AzureWebJobsStorage": "[NF.secretName(variables('functionName'), 'AzureWebJobsStorage')]",
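Review bot: The storage account key now lands in clear text in the `WEBSITE_CONTENTAZUREFILECONNECTIONSTRING` app setting via `listKeys(...).keys[0].value`, while `AzureWebJobsStorage` two lines below still resolves through `NF.secretName(...)`, so the same key is simultaneously kept behind whatever secretName produces (presumably a Key Vault reference) and readable by anyone who can list the site's configuration, which largely defeats the vault. A key baked in from `listKeys` at deploy time also means rotating the storage key requires redeploying the template. If this is a workaround for the content-share setting failing to resolve a Key Vault reference, Azure documents conditions under which that setting does accept references (a system-assigned identity plus `WEBSITE_SKIP_CONTENTSHARE_VALIDATION` set to `1`); if those cannot be met here, the trade-off deserves a note in the variable's metadata since the template cannot carry comments. The enclosing appSettings object starts and ends outside the hunk.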
|
||||
|
|
|
@ -6,39 +6,43 @@
|
|||
"config": {
|
||||
"isWizard": true,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://lever-client-logos.s3.us-west-2.amazonaws.com/f2192f1c-fc87-4e38-9764-293c0eb616a2-1682022825728.png\">\n\n**1Password Solution** deployment, more information about this project [here](https://github.com/azurekid/Azure-Sentinel/).\n\n_**Information:** The 1Password solution for Microsoft Sentinel is in active development. This feature is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities._\n\nThe 1Password Microsoft Sentinel Solution provides a consolidated way to provision Azure Sentinel with content like a Data Connector, Workbooks and Analytics rules in your workspace with a single deployment step.\n\nInitially it takes around 15 minutes to see the first data to appear in Log Analytics.\n\n"
|
||||
"description": "<img src=\"https://lever-client-logos.s3.us-west-2.amazonaws.com/f2192f1c-fc87-4e38-9764-293c0eb616a2-1682022825728.png\">\n\n**1Password Solution** deployment, more information about this project [here](https://github.com/azurekid/Azure-Sentinel/).\n\n_**Information:** The 1Password solution for Microsoft Sentinel is in active development. This feature is provided without a service level agreement. Certain features might not be supported or might have constrained capabilities._\n\nThe 1Password Microsoft Sentinel Solution provides a consolidated way to provision Azure Sentinel with content like a Data Connector, Workbooks and Analytics rules in your workspace with a single deployment step.\n\nInitially it takes around 15 minutes to see the first data to appear in Log Analytics.\n\n",
|
||||
"location": {
|
||||
"metadata": {
|
||||
"hidden": "Hiding location, we get it from the log analytics workspace"
|
||||
},
|
||||
"visible": false
|
||||
},
|
||||
"resourceGroup": {
|
||||
"allowExisting": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"basics": [],
|
||||
"basics": [
|
||||
{
|
||||
"name": "getLAWorkspace",
|
||||
"type": "Microsoft.Solutions.ArmApiControl",
|
||||
"toolTip": "This filters by workspaces that exist in the Resource Group selected",
|
||||
"condition": "[greater(length(resourceGroup().name),0)]",
|
||||
"request": {
|
||||
"method": "GET",
|
||||
"path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspace",
|
||||
"type": "Microsoft.Common.DropDown",
|
||||
"label": "Workspace",
|
||||
"placeholder": "Select a workspace",
|
||||
"toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
|
||||
"constraints": {
|
||||
"allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
|
||||
"required": true
|
||||
},
|
||||
"visible": true
|
||||
}
|
||||
],
|
||||
"steps": [
|
||||
{
|
||||
"name": "Sentinel",
|
||||
"label": "Microsoft Sentinel",
|
||||
"elements": [
|
||||
{
|
||||
"name": "text1",
|
||||
"type": "Microsoft.Common.InfoBox",
|
||||
"visible": true,
|
||||
"options": {
|
||||
"icon": "warning",
|
||||
"text": "The Sentinel Workspace must be located in the same resource group as the deployment",
|
||||
"uri": "https://www.microsoft.com"
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "workspaceSelector",
|
||||
"type": "Microsoft.Solutions.ResourceSelector",
|
||||
"label": "Select an existing workspace",
|
||||
"resourceType": "Microsoft.OperationalInsights/workspaces",
|
||||
"options": {
|
||||
"filter": {
|
||||
"subscription": "onBasics",
|
||||
"location": "onBasics"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "1Password",
|
||||
"label": "1Password",
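Review bot: The workspace filter `contains(toLower(filter.id), toLower(resourceGroup().name))` in the dropdown's `allowedValues` is a substring match against the whole resource ID, so a resource group named `sec` also matches workspaces living in `sec-old` or `mysec`, and the `first(map(filter(...)))` expressions in the outputs hunk below would then silently settle on whichever workspace matched first. Matching the path segment avoids that: `contains(toLower(filter.id), concat('/resourcegroups/', toLower(resourceGroup().name), '/'))`, applied in the dropdown and in both outputs. The `parse(concat('{\"label\":\"', item.name, ...))` idiom builds JSON by string concatenation from workspace names; that is safe today only because the service restricts workspace names to letters, digits and hyphens, which is worth stating in the element's `toolTip`. The ArmApiControl request at the top of the hunk also lists workspaces across the whole subscription, so the client-side filter is the only thing scoping the result.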
|
||||
|
@ -106,7 +110,8 @@
|
|||
}
|
||||
],
|
||||
"outputs": {
|
||||
"workspaceName": "[steps('Sentinel').workspaceSelector.name]",
|
||||
"workspaceName": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.name))]",
|
||||
"workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
|
||||
"apiToken": "[steps('1Password').password]",
|
||||
"apiEndpoint": "[steps('1Password').apiEndpoint]"
|
||||
}
|
||||
|
|
Двоичные данные
Solutions/1Password/Data Connectors/1Password/function.zip
Двоичные данные
Solutions/1Password/Data Connectors/1Password/function.zip
|
@ -7,7 +7,7 @@ $currentUTCtime = (Get-Date).ToUniversalTime()
|
|||
# Write an information log with the current time.
|
||||
Write-Host "PowerShell timer trigger function ran! TIME: $currentUTCtime"
|
||||
|
||||
$currentStartTime = (Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
|
||||
$global:currentStartTime = (Get-Date).AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
|
||||
|
||||
try {
|
||||
Get-Variables
|
||||
|
@ -24,7 +24,7 @@ foreach ($api in $endpoints) {
|
|||
try {
|
||||
# continue if the cursor does not exist and proceed with the lastRunTime
|
||||
$cursor = Get-Cursor @storagePayload -cursor $api -ErrorAction SilentlyContinue
|
||||
if ($cursor) {
|
||||
if ($cursor -and $cursor -ne "none") {
|
||||
$results += Get-AuditLogs -cursor $cursor -api $api
|
||||
} else {
|
||||
$results += Get-AuditLogs -lastRunTime $currentStartTime -api $api
|
||||
|
@ -34,6 +34,14 @@ foreach ($api in $endpoints) {
|
|||
}
|
||||
}
|
||||
|
||||
Write-Output $results
|
||||
|
||||
$results += @{
|
||||
"log_source" = "healthevents"
|
||||
}
|
||||
|
||||
Write-Output $results
|
||||
|
||||
if ($results.count -gt 0) {
|
||||
Write-Host "Sending $($results.count) new records"
|
||||
Send-Data -body ($results | ConvertTo-Json -AsArray)
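Review bot: The `Write-Output $results` that this hunk keeps (and now places after the healthevents record is appended) writes every fetched 1Password record — sign-in attempts, item usage and audit events with actor e-mail and source IP — into the function's invocation log, which in an Azure Function means a second copy of that data in Application Insights, with different retention and access control than the Sentinel workspace. The count is already logged by `Write-Host "Sending $($results.count) new records"`, so the dump can simply be dropped, or reduced to `Write-Host "Fetched $($results.count) records"` if a pre-send trace is wanted. Appending `@{ "log_source" = "healthevents" }` unconditionally also makes `$results.count -gt 0` always true, so `Send-Data` now runs on every invocation; that appears intended as the heartbeat for the "Log Ingestion Failure" rule but deserves a one-line comment, e.g. `# always emit a health record so the ingestion-failure rule can detect a silent pipeline`. The enclosing script continues outside the hunk.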
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
{
|
||||
"id": "1Password",
|
||||
"title": "1Password",
|
||||
"publisher": "1Password",
|
||||
"descriptionMarkdown": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
|
||||
"additionalRequirementBanner":"These queries are dependent on a parser based on a Kusto Function deployed as part of the solution.",
|
||||
"graphQueries": [
|
||||
{
|
||||
"metricName": "Total data received",
|
||||
"legend": "1Password",
|
||||
"baseQuery": "OnePasswordEventLogsDev_CL"
|
||||
}
|
||||
],
|
||||
"sampleQueries": [
|
||||
{
|
||||
"description" : "Top 10 Users",
|
||||
"query": "OnePasswordEventLogs_CL\n | summarize count() by tostring(target_user.name) \n | top 10 by count_"
|
||||
}
|
||||
],
|
||||
"dataTypes": [
|
||||
{
|
||||
"name": "OnePasswordEventLogs_CL",
|
||||
"lastDataReceivedQuery": "OnePasswordEventLogs_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
|
||||
}
|
||||
],
|
||||
"connectivityCriterias": [
|
||||
{
|
||||
"type": "IsConnectedQuery",
|
||||
"value": [
|
||||
"OnePasswordEventLogs_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(7d)"
|
||||
]
|
||||
}
|
||||
],
|
||||
"availability": {
|
||||
"status": 1,
|
||||
"isPreview": true
|
||||
},
|
||||
"permissions": {
|
||||
"resourceProvider": [
|
||||
{
|
||||
"provider": "Microsoft.OperationalInsights/workspaces",
|
||||
"permissionsDisplayText": "read and write permissions on the workspace are required.",
|
||||
"providerDisplayName": "Workspace",
|
||||
"scope": "Workspace",
|
||||
"requiredPermissions": {
|
||||
"write": true,
|
||||
"read": true,
|
||||
"delete": true
|
||||
}
|
||||
}
|
||||
],
|
||||
"customs": [
|
||||
{
|
||||
"name": "Microsoft.Web/sites permissions",
|
||||
"description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)."
|
||||
},
|
||||
{
|
||||
"name": "1Password Events API Token",
|
||||
"description": "A 1Password Events API Token is required. [See the documentation to learn more about the 1Password API](https://developer.1password.com/docs/events-api/reference). \n\n**Note:** A 1Password Business account is required"
|
||||
}
|
||||
]
|
||||
},
|
||||
"instructionSteps": [
|
||||
{
|
||||
"description": ">**NOTE:** This connector uses Azure Functions to connect to 1Password to pull logs into Microsoft Sentinel. This might result in additional data ingestion costs from Azure. Check the [Azure Functions pricing page](https://azure.microsoft.com/pricing/details/functions/) for details."
|
||||
},
|
||||
{
|
||||
"description": ">**(Optional Step)** Securely store workspace and API authorization key(s) or token(s) in Azure Key Vault. Azure Key Vault provides a secure mechanism to store and retrieve key values. [Follow these instructions](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) to use Azure Key Vault with an Azure Function App."
|
||||
},
|
||||
{
|
||||
"description": "**STEP 1 - Configuration steps for the 1Password Events Reporting API**\n\n [Follow these instructions](https://support.1password.com/events-reporting/#appendix-issue-or-revoke-bearer-tokens) provided by 1Password to obtain an Events Reporting API Token. **Note:** A 1Password Business account is required"
|
||||
},
|
||||
{
|
||||
"description": "**STEP 2 - Deploy the functionApp using DeployToAzure button to create the table, dcr and the associated Azure Function**\n\n>**IMPORTANT:** Before deploying the 1Password connector, a custom table needs to be created."
|
||||
},
|
||||
{
|
||||
"description": "This method provides an automated deployment of the 1Password connector using an ARM Tempate.\n\n1. Click the **Deploy to Azure** button below. \n\n\t[![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)\n2. Select the preferred **Subscription**, **Resource Group** and **Location**. \n3. Enter the **Workspace Name**, **Workspace Name**, **1Password Events API Key**, and **URI**.\n - The default **Time Interval** is set to five (5) minutes. If you'd like to modify the interval, you can adjust the Function App Timer Trigger accordingly (in the function.json file, post deployment) to prevent overlapping data ingestion.\n - Note: If using Azure Key Vault secrets for any of the values above, use the`@Microsoft.KeyVault(SecretUri={Security Identifier})`schema in place of the string values. Refer to [Key Vault references documentation](https://docs.microsoft.com/azure/app-service/app-service-key-vault-references) for further details. \n4. Mark the checkbox labeled **I agree to the terms and conditions stated above**. \n5. Click **Purchase** to deploy.",
|
||||
"title": "Option 1 - Azure Resource Manager (ARM) Template"
|
||||
}
|
||||
]
|
||||
}
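Review bot: The connector's `graphQueries.baseQuery` points at `OnePasswordEventLogsDev_CL` while every other query in this file (`sampleQueries`, `dataTypes.lastDataReceivedQuery`, `connectivityCriterias`) and the `requiredDataConnectors` in the analytics rules use `OnePasswordEventLogs_CL`, so the "Total data received" graph on the connector page will query a table that a production deployment never creates and show no data; change it to `"baseQuery": "OnePasswordEventLogs_CL"`. The ARM deployment step text also lists `**Workspace Name**` twice, misspells "Template" as "Tempate", and its STEP 2 heading says the deployment creates the table while the IMPORTANT note below it says the table must exist before deploying — one of those statements should go. Since this is strict JSON the fixes belong in the description strings themselves rather than in comments.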
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"Name": "1Password",
|
||||
"Author": "1Password",
|
||||
"Author": "Rogier Dijkman (SecureHats)",
|
||||
"Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">",
|
||||
"Description": "The [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)",
|
||||
"WorkbookBladeDescription": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and creating rich visual reports within the Azure portal. They allow you to combine one or more data sources from Microsoft Sentinel into unified interactive experience.",
|
||||
|
@ -12,12 +12,24 @@
|
|||
],
|
||||
"Parsers": [],
|
||||
"Analytic Rules": [
|
||||
"Analytics Rules/1Password - Manually invited user.yaml",
|
||||
"Analytics Rules/1Password - Secret Extraction Post Vault Access Change By Administrator.yaml",
|
||||
"Analytics Rules/1Password - Successful Anomalous SignIn.yaml",
|
||||
"Analytics Rules/1Password - Vault Export Post Account Creation.yaml",
|
||||
"Analytics Rules/1Password - Changes to firewall rules.yaml",
|
||||
"Analytics Rules/1Password - Changes to SSO configuration.yaml",
|
||||
"Analytics Rules/1Password - Disable MFA factor or type for all user accounts.yaml",
|
||||
"Analytics Rules/1Password - Log Ingestion Failure.yaml",
|
||||
"Analytics Rules/1Password - Manual account creation.yaml",
|
||||
"Analytics Rules/1Password - New service account integration created.yaml",
|
||||
"Analytics Rules/1Password - Non-privileged vault user permission change.yaml",
|
||||
"Analytics Rules/1Password - Potential insider privilege escalation via group.yaml",
|
||||
"Analytics Rules/1Password - Potential insider privilege escalation via vault.yaml",
|
||||
"Analytics Rules/1Password - Privileged vault permission change.yaml",
|
||||
"Analytics Rules/1Password - Secret extraction post vault access change by administrator.yaml",
|
||||
"Analytics Rules/1Password - Service account integration token adjustment.yaml",
|
||||
"Analytics Rules/1Password - Successful anomalous sign-in.yaml",
|
||||
"Analytics Rules/1Password - User account MFA settings changed.yaml",
|
||||
"Analytics Rules/1Password - User added to privileged group.yaml",
|
||||
"Analytics Rules/1Password - Vault export post account creation.yaml",
|
||||
"Analytics Rules/1Password - Vault export prior to account suspension or deletion.yaml",
|
||||
"Analytics Rules/1Password - Vault Export.yaml"
|
||||
"Analytics Rules/1Password - Vault export.yaml"
|
||||
],
|
||||
"BasePath": "C:\\1Password",
|
||||
"Version": "1.0.0",
|
||||
|
|
Двоичные данные
Solutions/1Password/Package/3.0.0.zip
Двоичные данные
Solutions/1Password/Package/3.0.0.zip
|
@ -6,7 +6,7 @@
|
|||
"config": {
|
||||
"isWizard": false,
|
||||
"basics": {
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest 1Password logs and events into Microsoft Sentinel. The connector provides visibility into 1Password Events and Alerts in Microsoft Sentinel to improve monitoring and investigation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/1Password/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [1Password](https://www.1password.com) solution for Microsoft Sentinel enables you to ingest sign-in attempts, item usage, and audit events from your 1Password Business account using the [1Password Events Reporting API](https://developer.1password.com/docs/events-api). This allows you to monitor and investigate events in 1Password in Microsoft Sentinel along with the other applications and services your organization uses.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution depends on the following technologies, and some of which may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or may incur additional ingestion or operational costs:\n\n- [Azure Functions](https://azure.microsoft.com/services/functions/#overview)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 18\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
|
||||
"subscription": {
|
||||
"resourceProviders": [
|
||||
"Microsoft.OperationsManagement/solutions",
|
||||
|
@ -60,7 +60,7 @@
|
|||
"name": "dataconnectors1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Solution installs the data connector for the 1Password Events Reporting API, allowing you to ingest log data from your 1Password Business account to your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
"text": "This Solution installs the data connector for 1Password. You can get 1Password custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -88,7 +88,7 @@
|
|||
"name": "workbooks-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and the creation of rich visual reports within the Azure portal. They allow you to tap into one or many data sources from Microsoft Sentinel and combine them into unified interactive experiences."
|
||||
"text": "This Microsoft Sentinel Solution installs workbooks. Workbooks provide a flexible canvas for data monitoring, analysis, and creating rich visual reports within the Azure portal. They allow you to combine one or more data sources from Microsoft Sentinel into unified interactive experience."
|
||||
}
|
||||
},
|
||||
{
|
||||
|
@ -104,10 +104,14 @@
|
|||
{
|
||||
"name": "workbook1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password",
|
||||
"elements": [
|
||||
{
|
||||
"name": "workbook1-text",
|
||||
"type": "Microsoft.Common.TextBlock"
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "1Password workbook provides insights into the 1Password events and activities. It includes visualizations for sign-in attempts, item usage, and audit events from your 1Password Business account."
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
|
@ -142,13 +146,13 @@
|
|||
{
|
||||
"name": "analytic1",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Manually invited user",
|
||||
"label": "1Password - Changes to firewall rules",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic1-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when when someone is manually invited to join your 1Password account, rather than provisioned via SCIM from your identity provider. This should only be used when using Automated User Provisioning via 1Password SCIM Bridge.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
"text": "This will alert when changes have been made to the firewall rules. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
@ -156,11 +160,137 @@
|
|||
{
|
||||
"name": "analytic2",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Secret extraction post vault access change by administrator",
|
||||
"label": "1Password - Changes to SSO configuration",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic2-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when changes have been made to the SSO configuration. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic3",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Disable MFA factor or type for all user accounts",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic3-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when the MFA factor or type for all user accounts are disabled. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic4",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Log Ingestion Failure",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic4-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when the log ingestion for the OnePasswordEventLogs_CL logs is failing. The alert is based on the healthevents that are created every 5 minutes and will trigger if no logs have been received for 1 hour.\n\nLog ingestion troubleshooting:\n<insert URL>\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic5",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Manual account creation",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic5-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a new account was created manually within 1Password. This should only be used when a 1Password integration via a SCIM Bridge has been implemented.\n\nRef: https://support.1password.com/scim/\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic6",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - New service account integration created",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic6-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a new integration has been created. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic7",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Non-privileged vault user permission change",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic7-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when user permissions have changed within a non-privileged vault which have been implemented by an actor that was not the target user account. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic8",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Potential insider privilege escalation via group",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic8-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when an actor grants, or updates their own permissions via a group. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic9",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Potential insider privilege escalation via vault",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic9-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when an actor grants, or updates their own permissions via a vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic10",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Privileged vault permission change",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic10-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when permissions have changed within a privileged vault. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic11",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Secret extraction post vault access change by administrator",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic11-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a secret extraction has occurred after an administrator has changed their own vault access permissions within that same vault.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
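Review bot: The analytic4 text block ("1Password - Log Ingestion Failure") still carries the placeholder `<insert URL>` after "Log ingestion troubleshooting:", so every installer will see that literal in the portal. Either put the real troubleshooting link there or drop the two fragments `\n\nLog ingestion troubleshooting:\n<insert URL>` from the string until one exists. The new user-facing texts for analytic1, analytic2, analytic3, analytic6–10, 12, 14 and 15 also repeat "upto" where "up to" is meant; worth fixing in one pass since they ship in the UI. The analytic11 section element is cut at the end of this hunk and closes in the next one.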
|
||||
|
@ -168,12 +298,26 @@
|
|||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic3",
|
||||
"name": "analytic12",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Service account integration token adjustment",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic12-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a service account integration token has been created, renamed, verified, or revoked. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic13",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Successful anomalous sign-in",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic3-text",
|
||||
"name": "analytic13-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a new successful MFA confirmed sign-in has occurred from a location that was not seen within the last 14 days.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
|
@ -182,43 +326,71 @@
|
|||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic4",
|
||||
"name": "analytic14",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - User account MFA settings changed",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic14-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a user creates, updates, or disables the user account MFA settings. Once this analytics rule is triggered it will group all related future alerts for upto an hour when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic15",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - User added to privileged group",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic15-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a user is added to a privileged group which has been implemented by an actor that was not the target user account. Once the analytics rule is triggered it will group all related future alerts for upto 30 minutes when all related entities are the same.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic16",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Vault export post account creation",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic4-text",
|
||||
"name": "analytic16-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a successful vault export was performed by someone within 14 days them joining your 1Password account.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
"text": "This will alert when a successful vault export has occurred within 14 days of a new account being created within 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic5",
|
||||
"name": "analytic17",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Vault export prior to account suspension or deletion",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic5-text",
|
||||
"name": "analytic17-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a successful vault export was performed by a member of your 1Password account within the 14 days prior their 1Password account being suspended or deleted.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
"text": "This will alert when a successful vault export has occurred within the last 14 days prior to an account being suspended or deleted from 1Password.\n\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "analytic6",
|
||||
"name": "analytic18",
|
||||
"type": "Microsoft.Common.Section",
|
||||
"label": "1Password - Vault export",
|
||||
"elements": [
|
||||
{
|
||||
"name": "analytic6-text",
|
||||
"name": "analytic18-text",
|
||||
"type": "Microsoft.Common.TextBlock",
|
||||
"options": {
|
||||
"text": "This will alert when a member of your 1Password account successfully exports vault data from your 1Password account.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
"text": "This will alert when a successful vault export has occurred within 1Password.\nRef: https://1password.com/\nRef: https://github.com/securehats/"
|
||||
}
|
||||
}
|
||||
]
|
||||
|
|
|
@ -0,0 +1,32 @@
|
|||
{
|
||||
"location": {
|
||||
"type": "string",
|
||||
"minLength": 1,
|
||||
"defaultValue": "[resourceGroup().location]",
|
||||
"metadata": {
|
||||
"description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
|
||||
}
|
||||
},
|
||||
"workspace-location": {
|
||||
"type": "string",
|
||||
"defaultValue": "",
|
||||
"metadata": {
|
||||
"description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
|
||||
}
|
||||
},
|
||||
"workspace": {
|
||||
"defaultValue": "",
|
||||
"type": "string",
|
||||
"metadata": {
|
||||
"description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
|
||||
}
|
||||
},
|
||||
"workbook1-name": {
|
||||
"type": "string",
|
||||
"defaultValue": null,
|
||||
"minLength": 1,
|
||||
"metadata": {
|
||||
"description": "Name for the workbook"
|
||||
}
|
||||
}
|
||||
}
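Review bot: The `workbook1-name` parameter declares `"defaultValue": null` next to `"minLength": 1`, which contradict each other: a null default can never satisfy the length constraint, so a deployment that does not override this parameter will presumably fail validation rather than fall back. If the parameter is meant to be mandatory, drop the `"defaultValue": null,` line so it is simply required; if a default is wanted, give it a non-empty string. The file header is not visible here, so this assumes the file is consumed as an ARM/UI-definition parameter set, as the `arm-ttk` mention in the `location` description suggests.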
|
|
@ -21,7 +21,7 @@ The key function of this Solution is to retrieve sign-in attempts, item usage, a
|
|||
Installing the 1Password Solution for Microsoft Sentinel is easy and can be completed in only a few minutes.
|
||||
Just click the button below to get started with the deployment wizard. <br>
|
||||
|
||||
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2F1Password%2FData%20Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)
|
||||
[![Deploy To Azure](https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazure.svg?sanitize=true)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%2520Connectors%2F1Password%2Fazuredeploy_1Password_API_FunctionApp.json/createUIDefinitionUri/https%3A%2F%2Fraw.githubusercontent.com%2Fazurekid%2FAzure-Sentinel%2Ffeature%2F1password%2FSolutions%2F1Password%2FData%2520Connectors%2F1Password%2Fdeployment%2FUiDefinition.json)
|
||||
|
||||
> NOTE: To deploy the solution, the Azure user account executing the deployment needs to have `Owner` permissions on the Microsoft Sentinel `Resource Group` in Azure.<br>
|
||||
> This is required to assign the correct RBAC role to the managed identity of the FunctionApp!
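Review bot: The Deploy To Azure button now resolves both the template URI and the `createUIDefinitionUri` to `azurekid/Azure-Sentinel` on the `feature/1password` branch instead of `Azure/Azure-Sentinel` `master`. Anyone who clicks it deploys whatever that fork branch contains at click time, which sits outside the upstream review process, and the link breaks as soon as the branch is removed after merge. If the fork paths are only for pre-merge testing, switch them back to the upstream `master` paths before release; if a fixed reference is the goal, point at a tag or commit SHA rather than a moving branch.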
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
{
|
||||
"publisherId": "1password",
|
||||
"offerId": "1password_mss",
|
||||
"publisherId": "1password1617200969773",
|
||||
"offerId": "1password",
|
||||
"firstPublishDate": "2023-12-01",
|
||||
"providers": ["1password"],
|
||||
"categories": {
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
"name": "Subscription",
|
||||
"type": 6,
|
||||
"isRequired": true,
|
||||
"value": "/subscriptions/ba161e49-a831-48e5-a0b2-e9c6d7a310e3",
|
||||
"value": "/subscriptions/7570c6f7-9ca9-409b-aeaf-cb0f5ac1ad50",
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": [],
|
||||
"includeAll": false
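Review bot: The `Subscription` parameter ships with a hard-coded `"value": "/subscriptions/7570c6f7-9ca9-409b-aeaf-cb0f5ac1ad50"`, so the published workbook carries an author's subscription ID and preselects it for every installer; the commit replaces one such ID with another rather than removing it. The same pattern appears in the later `@ -601` hunk, where `"value": "Rogier Dijkman"` replaces the previous test-account default for `SelectUserName`. Both should be cleared to `"value": ""`, as the `Workspace` parameter in the next hunk now is, so the user's own selection drives the workbook and no environment-specific identifiers are committed.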
|
||||
|
@ -47,7 +47,8 @@
|
|||
},
|
||||
"queryType": 1,
|
||||
"resourceType": "microsoft.resourcegraph/resources",
|
||||
"label": "🗂️ Workspace"
|
||||
"label": "🗂️ Workspace",
|
||||
"value": ""
|
||||
},
|
||||
{
|
||||
"id": "c4b69c01-2263-4ada-8d9c-43433b739ff3",
|
||||
|
@ -205,14 +206,14 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| summarize count() by bin (TimeGenerated, 1d), log_source",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| summarize count() by bin (timestamp, 1d), log_source",
|
||||
"size": 1,
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
"queryType": 0,
|
||||
"resourceType": "microsoft.operationalinsights/workspaces",
|
||||
"visualization": "areachart",
|
||||
"chartSettings": {
|
||||
"xAxis": "TimeGenerated"
|
||||
"xAxis": "timestamp"
|
||||
}
|
||||
},
|
||||
"name": "query - 7"
|
||||
|
@ -221,7 +222,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring((geo_info_from_ip_address (tostring(client.ip_address))).region)\r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring((geo_info_from_ip_address (tostring(client.ip_address))).region)\r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by timestamp asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(timestamp, {TimeRange:grain}),\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by timestamp asc, visitedInThisOrder asc",
|
||||
"size": 0,
|
||||
"title": "User Locations",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -253,7 +254,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "let data = \r\nOnePasswordEventLogs_CL\r\n| where log_source == 'signinattempts'\r\n and tostring(target_user.name) notcontains 'Provisioning';\r\ndata\r\n| summarize count() by tostring(target_user.name), bin (TimeGenerated, 1d)",
|
||||
"query": "let data = \r\nOnePasswordEventLogs_CL\r\n| where log_source == 'signinattempts'\r\n and tostring(target_user.name) notcontains 'Provisioning';\r\ndata\r\n| summarize count() by tostring(target_user.name), bin (timestamp, 1d)",
|
||||
"size": 1,
|
||||
"title": "User Sign-ins",
|
||||
"timeContextFromParameter": "TimeRange",
|
||||
|
@ -399,7 +400,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend applicationName_ = tostring(client.app_name)\r\n| where applicationName_ notcontains \"SCIM\"\r\n| order by TimeGenerated asc , applicationName_\r\n| summarize count() by bin(TimeGenerated, {TimeRange:grain}),\r\n ApplicationName=applicationName_ \r\n| order by count_ desc",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend applicationName_ = tostring(client.app_name)\r\n| where applicationName_ notcontains \"SCIM\"\r\n| order by timestamp asc , applicationName_\r\n| summarize count() by bin(timestamp, {TimeRange:grain}),\r\n ApplicationName=applicationName_ \r\n| order by count_ desc",
|
||||
"size": 1,
|
||||
"showAnalytics": true,
|
||||
"title": "All Users : Used Application by most frequent",
|
||||
|
@ -601,11 +602,11 @@
|
|||
"name": "SelectUserName",
|
||||
"type": 2,
|
||||
"isRequired": true,
|
||||
"query": "OnePasswordEventLogs_CL\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where TimeGenerated {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where timestamp {TimeRange:query}\r\n| where isnotempty(UserDisplayName) and UserDisplayName !=\"On-Premises Directory Synchronization Service Account\"\r\n| summarize Count = count() by UserDisplayName\r\n| order by Count desc, UserDisplayName asc\r\n| project Value = UserDisplayName, Label = strcat(UserDisplayName, ' - ', Count, ' sign-ins'), Selected = false\r\n",
|
||||
"crossComponentResources": [
|
||||
"{Workspace}"
|
||||
],
|
||||
"value": "1Password Test Account",
|
||||
"value": "Rogier Dijkman",
|
||||
"typeSettings": {
|
||||
"additionalResourceOptions": []
|
||||
},
|
||||
|
@ -866,7 +867,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring(location.region) \r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 1,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType ,2)),\"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
||||
"query": "OnePasswordEventLogs_CL\r\n| where log_source contains \"signinattempts\"\r\n| extend UserDisplayName = tostring(target_user.name)\r\n| where UserDisplayName == '{SelectUser}'\r\n| extend city_ = tostring(location.city) \r\n| extend state_ = tostring(location.state) \r\n| extend countryOrRegion_ = tostring(location.region) \r\n| extend latitude_ = tostring(location.latitude)\r\n| extend longitude_ = tostring(location.longitude) \r\n| order by TimeGenerated asc, city_ asc\r\n| serialize \r\n| extend pLat = prev(latitude_, 1)\r\n| extend pLon = prev(longitude_, 1)\r\n| extend distanceType = iif('{Measurement}' == \"KM\", todouble(1000), todouble(1609.344))\r\n| extend distance_in = iif(row_number() > 0,tostring(round(geo_distance_2points(todouble(longitude_), todouble(latitude_), todouble(pLon), todouble(pLat))/distanceType, 2)), \"FirstLocation\")\r\n| where distance_in !=\"0.0\"\r\n| summarize by bin(TimeGenerated, {TimeRange:grain}),\r\n UserDisplayName,\r\n City=city_ ,\r\n CountryorRegion=countryOrRegion_, \r\n visitedInThisOrder = row_number(),\r\n distanceTravelled = distance_in,\r\n distanceTravelled2 = strcat(distance_in,' ','{Measurement}'),\r\n latitude_,\r\n longitude_\r\n| order by TimeGenerated asc, visitedInThisOrder asc",
|
||||
"size": 0,
|
||||
"showAnalytics": true,
|
||||
"title": "Map showing locations for user: '{SelectUser}'",
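Review bot: The changed condition `row_number() > 0` is always true, since KQL's `row_number()` starts at 1 by default, so the `"FirstLocation"` branch of the `iif` can no longer be taken. On the first row `prev()` yields null, the distance expression appears to collapse to an empty string, and that row then passes `where distance_in != "0.0"` unlabelled instead of being marked as the starting point; keep `row_number() > 1` unless a different intent is behind the change. Separately, this query still orders and bins on `TimeGenerated` while the `@ -205`, `@ -221`, `@ -253`, `@ -399` and `@ -601` hunks were moved to `timestamp`; if the table's time column was renamed, this query needs the same change or it will fail at run time. The enclosing KqlItem continues outside the hunk.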
|
||||
|
@ -991,6 +992,11 @@
|
|||
"colorSettings": null,
|
||||
"hivesMargin": 5
|
||||
},
|
||||
"chartSettings": {
|
||||
"yAxis": [
|
||||
"City"
|
||||
]
|
||||
},
|
||||
"mapSettings": {
|
||||
"locInfo": "LatLong",
|
||||
"latitude": "latitude_",
|
||||
|
@ -1236,7 +1242,7 @@
|
|||
"type": 3,
|
||||
"content": {
|
||||
"version": "KqlItem/1.0",
|
||||
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"headers\":[],\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/Microsoft.aadiam/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version=2021-09-01-preview\",\"urlParams\":[],\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\",\"columns\":[]}}]}",
|
||||
"query": "{\"version\":\"ARMEndpoint/1.0\",\"data\":null,\"method\":\"GET\",\"path\":\"/subscriptions/{Workspace:subscriptionid}/resourceGroups/Microsoft.aadiam/providers/Microsoft.SecurityInsights/enrichment/ip/geodata/?ipaddress={ipAddress}&api-version=2021-09-01-preview\",\"batchDisabled\":false,\"transformers\":[{\"type\":\"jsonpath\",\"settings\":{\"tablePath\":\"$\"}}]}",
|
||||
"size": 4,
|
||||
"title": "🖧 Lookup IP Address: {ipAddress} from Microsoft geoLocation api",
|
||||
"queryType": 12,
|
||||
|
|