Attempt to modify a 1Password item by user

1password

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1555-credentials-from-password-stores

Set up the 1password integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a 1Password user attempts to modify an item.

Strategy

This rule monitors 1Password audit logs to determine when the the enter-item-edit-mode item usage action occurs. This could indicate an attempt to modify an item.

Triage & response

  1. Investigate the {{@usr.email}} attempting to modify item {{@item_uuid}} within vault {{@vault_uuid}}.
  2. If this action was unintend by the user:
    • Rotate the user’s 1Password master password
    • Identify all the items that were modified and rotate the necessary authentication credentials