Feature/1password #9980

Merged
merged 229 commits into from
Jun 12, 2024

Conversation

Contributor

@azurekid azurekid commented Feb 19, 2024

Change(s):

  • Added the following artifacts:

Alert Rules

- 1Password - Changes to firewall rules.yaml
- 1Password - Changes to SSO configuration.yaml
- 1Password - Disable MFA factor or type for all user accounts.yaml
- 1Password - Log Ingestion Failure.yaml
- 1Password - Manual account creation.yaml
- 1Password - New service account integration created.yaml
- 1Password - Non-privileged vault user permission change.yaml
- 1Password - Potential insider privilege escalation via group.yaml
- 1Password - Potential insider privilege escalation via vault.yaml
- 1Password - Privileged vault permission change.yaml
- 1Password - Secret extraction post vault access change by administrator.yaml
- 1Password - Service account integration token adjustment.yaml
- 1Password - Successful anomalous sign-in.yaml
- 1Password - User account MFA settings changed.yaml
- 1Password - User added to privileged group.yaml
- 1Password - Vault export post account creation.yaml
- 1Password - Vault export prior to account suspension or deletion.yaml
- 1Password - Vault export.yaml

Data Connector

  • 1Password_API_FunctionApp.json

Workbooks

  • 1Password.json

Reason for Change(s):

  • New feature for Microsoft Sentinel Content Hub

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • In Progress

@azurekid
Contributor Author

azurekid commented May 16, 2024

Hello @azurekid, I'm trying to resolve the KQL validation issue. It is for the data connector. I've raised a draft PR where I'm working on it.
I can give you access to my environment if you want to test it against 1Password data where I have the solution running.

#10475

Okay cool!
When running the queries in the LA, it comes back with results.
Also, when using the data connector, valid results are shown in the MS Sentinel data connector.

@v-prasadboke
Contributor

Hello @azurekid, on my test branch I was looking for the cause of the validation failure.
As per my analysis and investigation, I've come to know that the issue causing the validation failure is not about the code in the file.

I even tried to replace the code in the data connector with another data connector.

We can skip this validation failure, but we need to discuss within the team whether the validation failure is legit or not, or whether it can be skipped.

Thanks and sorry for the delay in response.

@azurekid
Contributor Author

Hello @azurekid, on my test branch I was looking for the cause of the validation failure. As per my analysis and investigation, I've come to know that the issue causing the validation failure is not about the code in the file.

I even tried to replace the code in the data connector with another data connector.

We can skip this validation failure, but we need to discuss within the team whether the validation failure is legit or not, or whether it can be skipped.

Thanks and sorry for the delay in response.

Thanks! I am glad we came to the same conclusion regarding this.
We wanted to go live around RSA with this solution as a lot of customers are waiting for a supported integration between 1Password and Microsoft Sentinel.

Would love to see how we can put a bit more pressure on it so organizations can start to test the preview version and provide us with valuable feedback.

@scottisloud for visibility

@v-prasadboke
Contributor

Hello @azurekid, on my test branch I was looking for the cause of the validation failure. As per my analysis and investigation, I've come to know that the issue causing the validation failure is not about the code in the file.
I even tried to replace the code in the data connector with another data connector.
We can skip this validation failure, but we need to discuss within the team whether the validation failure is legit or not, or whether it can be skipped.
Thanks and sorry for the delay in response.

Thanks! I am glad we came to the same conclusion regarding this. We wanted to go live around RSA with this solution as a lot of customers are waiting for a supported integration between 1Password and Microsoft Sentinel.

Would love to see how we can put a bit more pressure on it so organizations can start to test the preview version and provide us with valuable feedback.

@scottisloud for visibility

Noted @azurekid, will get this completed soonest.

@scottisloud
Contributor

Thanks @azurekid and @v-prasadboke for all of your hard work to help bring this solution across the finish line.

@v-atulyadav v-atulyadav mentioned this pull request May 29, 2024
@azurekid
Contributor Author

azurekid commented Jun 3, 2024

Hello @azurekid, on my test branch I was looking for the cause of the validation failure. As per my analysis and investigation, I've come to know that the issue causing the validation failure is not about the code in the file.
I even tried to replace the code in the data connector with another data connector.
We can skip this validation failure, but we need to discuss within the team whether the validation failure is legit or not, or whether it can be skipped.
Thanks and sorry for the delay in response.

Thanks! I am glad we came to the same conclusion regarding this. We wanted to go live around RSA with this solution as a lot of customers are waiting for a supported integration between 1Password and Microsoft Sentinel.

Would love to see how we can put a bit more pressure on it so organizations can start to test the preview version and provide us with valuable feedback.

@scottisloud for visibility

Noted @azurekid, will get this completed soonest.

Hey, the blog post has been published on Medium, LinkedIn, and a few security communities. People are excited to start testing, but the link in the articles still directs to my personal GitHub.

It's been 10 days now, and I think it's time to move forward. Can we escalate this PR? It's been open for months.

@v-prasadboke
Contributor

v-prasadboke commented Jun 4, 2024

Hello, @azurekid & @scottisloud.

You know I have been working on this PR; there is a KQL validation that's throwing an error for a null value.

But while investigating the error, I did not notice any missing or null values.

I submitted a test PR and have been working on it: #10536
And as you said, the data connector is working and ingests logs, but I don't want this KQL validation error to be a part of any trouble in the future even if we skip it.

I'm in contact with internal resources regarding this KQL failure.

I apologize @azurekid and @scottisloud for the inconvenience and delay with this PR.

@scottisloud
Contributor

scottisloud commented Jun 6, 2024

Hi @v-prasadboke thanks for the update. I see it's been about a week since #10536 had commits and two days since your post above.

We agree we'd prefer to not have a validation error cause trouble in the future, however the ongoing delays here are holding up our ability to deliver a feature to our mutual customers.

Do we know the validation failures flagged by your GH workflow are meaningful failures? In our testing we've seen no actual impacts to the behaviour of the solution, despite the errors your workflow flags.

We have had to reschedule formal release and marketing a couple times already, and we'd like to avoid further last-minute delays. To that end, is there a chance you could provide us with an approximate ETA for a resolution to the GH workflow issues? That would allow us to anticipate and schedule the release in a way that accommodates your ongoing efforts here.

This is not a request to expedite this (though we'd welcome that too), but rather a request for an ETA (regardless of what the ETA is) so we can plan around that ETA.

@v-prasadboke
Contributor

Hello @azurekid & @azurekid, the KQL validation is resolved. The function app is new to me. Can we get on a call tomorrow so that I can get an understanding of this function app's working and get this PR merged by tomorrow EOD?

I work in IST time zone and my mail id is [email protected]
You can ping me on Teams so that we can schedule the same.

@azurekid
Contributor Author

Thank you very much!
I have sent a Teams invite for tomorrow 👍

@v-prasadboke
Contributor

Hello @azurekid, please follow these guidelines for offerid:
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/README.md

@azurekid
Contributor Author

Hello @azurekid, please follow these guidelines for offerid: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/README.md

Just pushed the change to the solutionMetadata file.

@v-prasadboke
Contributor

@azurekid maybe you missed committing the change requested for OfferID. Can you confirm this once?

@azurekid
Contributor Author

@azurekid maybe you missed committing the change requested for OfferID. Can you confirm this once?

Sorry, pushed it to the wrong branch.
Updated the code in the correct branch now.

@v-atulyadav v-atulyadav merged commit 69a1031 into Azure:master Jun 12, 2024
31 checks passed
Labels
Solution Solution specialty review needed