Anomalous amount of failed sign-in attempts by 1Password user

Set up the 1Password integration.


Goal

Detect failed sign-in attempts from a 1Password user.

Strategy

This rule monitors 1Password logs to identify when a user generates an anomalous number of failed sign-in events.
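
The strategy above, sketched as an added example; this is not the rule's own implementation. It assumes a per-user hourly baseline of median plus a multiple of the median absolute deviation as a stand-in for the platform's anomaly model. The helper names, the integer `hour` bucket and the sample events are constructed for illustration.

```python
import fnmatch
from collections import Counter, defaultdict
from statistics import median

def is_failed(event):
    # Same wildcard match as the rule's filter @evt.outcome:*failed*
    return fnmatch.fnmatch(event.get("evt.outcome", "").lower(), "*failed*")

def hourly_failures(events):
    """Return {user: Counter({hour: failed sign-in count})}."""
    buckets = defaultdict(Counter)
    for e in events:
        if is_failed(e):
            buckets[e["usr.email"]][e["hour"]] += 1
    return buckets

def anomalous_users(events, current_hour, history_hours=24, k=3.0, floor=5):
    """Flag users whose failures in current_hour exceed their own baseline.

    Baseline is median + k * MAD over the previous history_hours (assumed
    stand-in for the platform's anomaly model); floor suppresses tiny counts.
    """
    alerts = []
    for user, counts in hourly_failures(events).items():
        history = [counts.get(h, 0) for h in range(current_hour - history_hours, current_hour)]
        base = median(history)
        mad = median(abs(c - base) for c in history)
        threshold = max(base + k * max(mad, 1.0), floor)
        current = counts.get(current_hour, 0)
        if current > threshold:
            ips = sorted({e["network.client.ip"] for e in events if is_failed(e)
                          and e["usr.email"] == user and e["hour"] == current_hour})
            alerts.append({"user": user, "failed": current, "ips": ips})
    return alerts

def _ev(user, hour, outcome, ip):
    return {"usr.email": user, "hour": hour, "evt.outcome": outcome, "network.client.ip": ip}

# Constructed sample events (hour = integer bucket index, addresses from documentation ranges).
SAMPLE = (
    [_ev("alice@example.com", h, "credentials_failed", "198.51.100.7") for h in range(0, 24, 6)]
    + [_ev("alice@example.com", 24, "credentials_failed", "203.0.113.9") for _ in range(12)]
    + [_ev("bob@example.com", h, "mfa_failed", "198.51.100.20") for h in range(0, 25, 2)]
    + [_ev("bob@example.com", 24, "success", "198.51.100.20")]
)

if __name__ == "__main__":
    for alert in anomalous_users(SAMPLE, current_hour=24):
        print(alert)
```

A user with a steady low rate of failures stays below their own baseline, while a burst from a previously quiet user is flagged together with the source IPs needed for triage.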

Triage and response

Investigate and determine whether user {{@usr.email}}, with failed sign-in events {{@evt.outcome}} while attempting to authenticate from IP address {{@network.client.ip}}, should have access.

Changelog

Updated query by replacing @evt.category:*failed* with @evt.outcome:*failed*.