
Quick Start Security for 1Password

1Password

Coralogix Extension For 1Password Includes:

Dashboards - 1

Gain instantaneous visualization of all your 1Password data.

1Password - Overview

Alerts - 10

Stay on top of 1Password key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

Multiple users failed login from single IP address

This alert detects login attempts by multiple different users from a single IP address within a specific time frame. It should be fine-tuned according to user alerting needs and organizational policy.

Impact: Multiple login attempts by different users from the same IP address might indicate malicious activity by an attacker.

Mitigation: Validate that there are no successful login attempts from those users. If a compromised user (or users) is suspected, temporarily suspend the relevant user until further investigation is conducted.

MITRE Tactic: TA0001
MITRE Technique: T1078

SSO Disabled

This alert will trigger when SSO is disabled.

Impact: Disabling SSO can result in a less secure authentication environment. It may lead to weaker password practices, an increased likelihood of credential reuse, and a higher chance of successful phishing attacks.

Mitigation: Verify from the logs whether the action was legitimate.

MITRE Tactic: TA0001
MITRE Technique: T1566

MFA disabled on User/Account

This alert will trigger when MFA (Multi-Factor Authentication) is disabled on a user or account. MFA adds a layer of protection beyond passwords, so disabling it poses a substantial security risk: the account becomes more vulnerable to unauthorized access, and attackers have a higher chance of exploiting compromised credentials or conducting successful phishing attacks.

Impact: Disabling MFA increases the risk of unauthorized account access, potential data breaches, and compromise of sensitive information stored in 1Password.

Mitigation: Verify from the logs whether the change to the user or account was legitimate, and investigate the user's other activity to confirm there was no malicious intent behind the change.

MITRE Tactic: TA0001
MITRE Technique: T1566

DUO was disabled for the account

This alert will trigger when DUO MFA is disabled on an account. DUO provides an additional layer of authentication, and its deactivation increases the vulnerability of the account to unauthorized access. An attacker who has already compromised credentials could exploit this weakness to gain unauthorized entry and potentially compromise sensitive data stored in 1Password.

Impact: Without the protection of DUO, the account becomes more susceptible to attacks, including those exploiting compromised credentials or successful phishing attempts.

Mitigation: Verify from the logs whether the change to the user or account was legitimate, and investigate the user's other activity to confirm there was no malicious intent behind the change.

MITRE Tactic: TA0001
MITRE Technique: T1566

A Vault was exported

This alert will trigger when a vault is exported in 1Password. Exporting a vault introduces a significant security risk, as it allows a user to move sensitive credentials and data outside the secure management environment, where the exported data may be mishandled, shared with unauthorized individuals, or otherwise exposed. This threatens the confidentiality of stored passwords and other secure information.

Impact: The impact of exporting a vault can be severe, leading to unauthorized access to sensitive information, potential data breaches, and compromise of confidential credentials. If the exported data falls into the wrong hands, it can be exploited for malicious purposes, such as unauthorized access to accounts and systems.

Mitigation: Verify that the action was legitimate and originated from an authorized user, and determine the intention behind the user's action.

MITRE Tactic: TA0009
MITRE Technique: T1213

A Vault was created

This alert will trigger when a vault is created in 1Password. A user creating a vault can pose a security concern, as it introduces the potential for unauthorized or unregulated storage of sensitive information. Users might inadvertently create vaults that are not subject to organizational security policies, leading to a lack of control and visibility over stored credentials and data.

Impact: Users creating unauthorized vaults can result in a fragmented security landscape. It may lead to the inadvertent sharing of sensitive information, the circumvention of established security policies, and difficulties in enforcing consistent security practices across the organization.

Mitigation: Verify that the action was legitimate and originated from an authorized user, and determine the intention behind the user's action.

MITRE Tactic: TA0009
MITRE Technique: T1213

A user was removed from a Vault

This alert will trigger when a user is removed from a vault. Removing a user from a vault in 1Password introduces a security concern, as it may lead to unauthorized access or to denial of access to critical information. Removal from a vault can disrupt normal workflows, hinder collaboration, and potentially lead to data loss or compromise if not managed appropriately.

Impact: The impact of removing a user from a vault can be significant. It may result in a loss of access to essential credentials, potential disruptions to collaborative efforts, and a risk of data inconsistency if the user is no longer part of the necessary sharing arrangements.

Mitigation: Verify that the action was legitimate and originated from an authorized user, and determine the intention behind the user's action.

MITRE Tactic: TA0005
MITRE Technique: T1556

User granted access to a Vault

This alert will trigger when a user is granted access to a vault. Granting a user access to a vault in 1Password introduces a security concern, as unauthorized access to sensitive information may occur. Granting access improperly can expose confidential credentials and compromise the security of the stored data.

Impact: The impact of granting unauthorized access to a vault can be severe. It may result in the unauthorized viewing, modification, or sharing of sensitive credentials, which can lead to data breaches, loss of confidentiality, and compromise of critical systems or accounts.

Mitigation: Verify that the action was legitimate and originated from an authorized user, and determine the intention behind the user's action.

MITRE Tactic: TA0005
MITRE Technique: T1556

A Vault was deleted

This alert will trigger when a vault is deleted in 1Password. Deleting a vault poses a serious security threat, as it can result in the loss of critical data and disrupt normal operations. The deletion may lead to data loss, compromise of sensitive information, and hindered collaboration if essential credentials are no longer accessible.

Impact: The impact of a deleted vault can be severe, potentially resulting in the loss of access to crucial credentials, data inconsistencies, and disruption of collaborative workflows. It may also lead to the compromise of sensitive information stored in the vault, affecting the confidentiality and integrity of stored data.

Mitigation: Verify that the action was legitimate and originated from an authorized user, and determine the intention behind the user's action.

MITRE Tactic: TA0040
MITRE Technique: T1485

User connected from multiple IP addresses

This alert detects login attempts by a single user from multiple different IP addresses within a specific time frame (3 IPs in 2 hours in this alert). It can be fine-tuned according to user alerting needs and organizational policy.

Impact: Login attempts from multiple different IPs might indicate malicious activity by an attacker connecting in parallel with the legitimate user from a different location.

Mitigation: Inspect the IP ranges and locations of the different IPs and validate with the user whether they are actually connecting in parallel. Advanced users might use VPNs or connect to their account from cloud machines, so this needs to be considered while investigating. If the user does not recognize the second connection, investigate further, as it might indicate malicious activity.

MITRE Tactic: TA0001
MITRE Technique: T1078
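The two IP-based alerts above (multiple users failing from one IP, and one user seen from 3 IPs in 2 hours) are the same sliding-window rule with the grouping key and counted value swapped. The following is an added Python example, not Coralogix's or 1Password's code; the event field names, the 30-minute window and the three-user threshold of the first rule are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta, timezone

def ev(ts, user, ip, category="success"):
    # Constructed sign-in record; the field layout is an assumption loosely modelled
    # on 1Password sign-in attempt events, not real 1Password data.
    return {"timestamp": ts, "category": category,
            "target_user": {"email": user}, "client": {"ip_address": ip}}

# Constructed sample log: one IP failing against three users within minutes, then one
# user appearing from three IPs within two hours.
EVENTS = [
    ev("2024-05-01T10:00:00Z", "alice@example.com", "203.0.113.7", "credentials_failed"),
    ev("2024-05-01T10:05:00Z", "bob@example.com", "203.0.113.7", "credentials_failed"),
    ev("2024-05-01T10:09:00Z", "carol@example.com", "203.0.113.7", "credentials_failed"),
    ev("2024-05-01T10:10:00Z", "dave@example.com", "198.51.100.4", "credentials_failed"),
    ev("2024-05-01T11:00:00Z", "alice@example.com", "203.0.113.7"),
    ev("2024-05-01T11:30:00Z", "alice@example.com", "198.51.100.9"),
    ev("2024-05-01T12:40:00Z", "alice@example.com", "192.0.2.33"),
    ev("2024-05-01T14:00:00Z", "bob@example.com", "198.51.100.4"),
]

def _ts(e):
    return datetime.strptime(e["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def distinct_in_window(events, group_by, value_of, window, threshold, only=lambda e: True):
    """Sliding-window rule: per group (an IP, a user, ...) keep the events of the last
    `window` and report the group once it shows >= `threshold` distinct values."""
    per_group, hits = {}, {}
    for e in sorted(filter(only, events), key=_ts):
        g = group_by(e)
        dq = per_group.setdefault(g, deque())
        dq.append((_ts(e), value_of(e)))
        while _ts(e) - dq[0][0] > window:  # drop events older than the window
            dq.popleft()
        values = {v for _, v in dq}
        if len(values) >= threshold:
            hits.setdefault(g, set()).update(values)
    return hits

def multiple_users_failed_from_single_ip(events, window=timedelta(minutes=30), min_users=3):
    """Rule 'Multiple users failed login from single IP address' (window/threshold assumed)."""
    return distinct_in_window(events, lambda e: e["client"]["ip_address"],
                              lambda e: e["target_user"]["email"], window, min_users,
                              only=lambda e: e["category"] != "success")

def user_connected_from_multiple_ips(events, window=timedelta(hours=2), min_ips=3):
    """Rule 'User connected from multiple IP addresses' (3 IPs in 2 hours, the page's default)."""
    return distinct_in_window(events, lambda e: e["target_user"]["email"],
                              lambda e: e["client"]["ip_address"], window, min_ips)
```

On the sample log the first rule flags only 203.0.113.7 (three different users failing within nine minutes) and the second flags only alice (three IPs between 11:00 and 12:40), while the successful sign-ins are ignored by the first rule and bob's two IPs, hours apart, trigger nothing.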

Integration

Learn more about Coralogix's out-of-the-box integration with 1Password in our documentation.
