Unusual 1Password device authorization activity

1password

Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1098-account-manipulation

Set up the 1password integration.

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a 1Password device authorization action is observed.

Strategy

This rule monitors 1Password audit logs for device authorization action that may allow an attacker to maintain persistence within a 1Password tenant.

Note: This rule uses the New Value detection method to determine when a previously unseen device authorization action is observed.

Triage & response

Investigate user {{@usr.email}} attempting an unfamiliar {{@evt.name}} device authorization action on {{@session.device_uuid}} from {{@network.client.ip}}.