1Password activity observed from Tor client IP

1password

Classification:

attack

Set up the 1password integration.

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when 1Password activity is observed from a Tor exit node.

Strategy

This rule monitors 1Password logs to determine when an activity originated from a Tor client. Datadog enriches all ingested logs with expert-curated threat intelligence in real-time. An attacker may use a Tor client to anonymize their true origin.

Triage and response

  1. Determine if {{@usr.email}} from IP address {{@network.client.ip}} should have made the {{@evt.name}} API call.
  2. If the results of the triage indicate that an attacker has taken the action, begin your company’s incident response process and an investigation.

Changelog

  • 17 August 2023 - Updated query to replace attribute @threat_intel.results.subcategory:tor with @threat_intel.results.category:tor.
PREVIEWING: antoine.dussault/service-representation-ga-docs-us1