---
title: Unusual 1Password device authorization activity
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Unusual 1Password device authorization
  activity
---

# Unusual 1Password device authorization activity
Classification:attackTactic:[TA0003-persistence](https://attack.mitre.org/tactics/TA0003)Technique:[T1098-account-manipulation](https://attack.mitre.org/techniques/T1098) 
## Goal{% #goal %}

Detect when a 1Password device authorization action is observed.

## Strategy{% #strategy %}

This rule monitors 1Password audit logs for device authorization action that may allow an attacker to maintain persistence within a 1Password tenant.

**Note:** This rule uses the `New Value` detection method to determine when a previously unseen device authorization action is observed.

## Triage & response{% #triage--response %}

Investigate user `{{@usr.email}}` attempting an unfamiliar `{{@evt.name}}` device authorization action on `{{@session.device_uuid}}` from `{{@network.client.ip}}`.