1Password activity observed from Tor client IP

1password

Classification:

attack

Set up the 1password integration.


Goal

Detect when 1Password activity is observed from a Tor exit node.

Strategy

This rule monitors 1Password logs for activity that originated from a Tor client. Datadog enriches all ingested logs in real time with expert-curated threat intelligence; the rule matches when that enrichment tags the client IP with the Tor category (@threat_intel.results.category:tor). An attacker may route traffic through Tor to anonymize their true origin.
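The following is an added example, not Datadog's rule engine or any 1Password code: it evaluates the rule's match condition (@threat_intel.results.category:tor) over a few constructed 1Password log events shaped like Datadog's enriched attributes, and returns the fields the triage steps reference (usr.email, network.client.ip, evt.name). The e-mail addresses, IPs and event names are made up, and the exact shape of a real threat_intel.results entry beyond the category and subcategory keys named on this page is an assumption.

```python
"""Added example: evaluate this detection rule's condition over constructed events.

Not Datadog's own rule engine. Attribute paths mirror the rule query and its
message template: threat_intel.results[].category, usr.email,
network.client.ip and evt.name. Everything else here is constructed.
"""

from typing import Any, Dict, List, Optional

# Constructed sample events. Emails, IPs and event names are illustrative only.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {   # matches: threat intel tagged the client IP with category "tor"
        "usr": {"email": "alice@example.com"},
        "network": {"client": {"ip": "198.51.100.23"}},
        "evt": {"name": "user.signin"},
        "threat_intel": {"results": [{"category": "tor"}]},
    },
    {   # does not match: a threat intel hit, but not in the Tor category
        "usr": {"email": "bob@example.com"},
        "network": {"client": {"ip": "203.0.113.8"}},
        "evt": {"name": "item.usage"},
        "threat_intel": {"results": [{"category": "scanner"}]},
    },
    {   # does not match: no enrichment results on the event at all
        "usr": {"email": "carol@example.com"},
        "network": {"client": {"ip": "192.0.2.77"}},
        "evt": {"name": "user.signin"},
    },
    {   # does not match under the current query: only the pre-17-Aug-2023
        # attribute (subcategory) says "tor"; the rule now keys on category
        "usr": {"email": "dave@example.com"},
        "network": {"client": {"ip": "198.51.100.99"}},
        "evt": {"name": "user.signin"},
        "threat_intel": {"results": [{"subcategory": "tor"}]},
    },
]


def _get(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted attribute path (e.g. "network.client.ip"); None if absent."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches_tor_rule(event: Dict[str, Any]) -> bool:
    """True when any threat_intel result carries category == "tor".

    This is the current rule query, @threat_intel.results.category:tor.
    A result that only sets subcategory (the old query) does not match.
    """
    results = _get(event, "threat_intel.results") or []
    return any(isinstance(r, dict) and r.get("category") == "tor" for r in results)


def triage_summary(event: Dict[str, Any]) -> Dict[str, Optional[str]]:
    """The three fields the triage steps ask the analyst to check."""
    return {
        "usr.email": _get(event, "usr.email"),
        "network.client.ip": _get(event, "network.client.ip"),
        "evt.name": _get(event, "evt.name"),
    }


def run_rule(events: List[Dict[str, Any]]) -> List[Dict[str, Optional[str]]]:
    """Apply the rule to a batch of events and return one summary per match."""
    return [triage_summary(e) for e in events if matches_tor_rule(e)]


if __name__ == "__main__":
    for signal in run_rule(SAMPLE_EVENTS):
        print(
            f"Tor activity: {signal['usr.email']} from {signal['network.client.ip']} "
            f"made the {signal['evt.name']} API call"
        )
```

Running the block prints one line, for alice@example.com. The fourth event is there to show why the 17 August 2023 changelog entry matters: an enrichment result that only sets subcategory no longer satisfies the rule, so anyone keeping a local copy of the old query should update it.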

Triage and response

  1. Determine whether {{@usr.email}} from IP address {{@network.client.ip}} should have made the {{@evt.name}} API call.
  2. If triage indicates that an attacker took the action, begin your company's incident response process and an investigation.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.