Ping Federate - New user SSO success login
| Id | 05282c91-7aaf-4d76-9a19-6dc582e6a411 |
| Rulename | Ping Federate - New user SSO success login |
| Description | Detects new user SSO success login. |
| Severity | Low |
| Tactics | InitialAccess Persistence |
| Techniques | T1078 T1136 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml |
| Version | 1.0.3 |
| Arm template | 05282c91-7aaf-4d76-9a19-6dc582e6a411.json |
let known_usrs =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DstUserName)
| summarize makeset(DstUserName);
PingFederateEvent
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName
relevantTechniques:
- T1078
- T1136
entityMappings:
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
triggerThreshold: 0
description: |
'Detects new user SSO success login.'
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
triggerOperator: gt
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
id: 05282c91-7aaf-4d76-9a19-6dc582e6a411
queryFrequency: 1h
query: |
let known_usrs =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DstUserName)
| summarize makeset(DstUserName);
PingFederateEvent
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName
severity: Low
status: Available
queryPeriod: 14d
name: Ping Federate - New user SSO success login
tactics:
- InitialAccess
- Persistence
kind: Scheduled