Attempt to modify a 1Password item by user

1password

Classification:

attack

Set up the 1password integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a 1Password user attempts to modify an item.

Strategy

This rule monitors 1Password audit logs to determine when the the enter-item-edit-mode item usage action occurs. This could indicate an attempt to modify an item.

Triage & response

  1. Investigate the {{@usr.email}} attempting to modify item {{@item_uuid}} within vault {{@vault_uuid}}.
  2. If this action was unintend by the user:
    • Rotate the user’s 1Password master password
    • Identify all the items that were modified and rotate the necessary authentication credentials