API

Anomalous amount of failed sign-in attempts by 1Password user

Docs > Datadog Security > OOTB Rules > Anomalous amount of failed sign-in attempts by 1Password user

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the 1password integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect failed sign-in attempts from a 1Password user.

Strategy

This rule monitors 1Password logs to identify when an user generates an anomalous amount of failed sign-in events.

Triage and response

Investigate and determine if user {{@usr.email}} with failed sign-in events {{@evt.outcome}}, attempting to authenticate from IP address {{@network.client.ip}} should have access.

Changelog

Updated query by replacing @evt.category:*failed* with @evt.outcome:*failed*.