Ping Federate - New user SSO success login
| Id | 05282c91-7aaf-4d76-9a19-6dc582e6a411 |
| Rulename | Ping Federate - New user SSO success login |
| Description | Detects new user SSO success login. |
| Severity | Low |
| Tactics | InitialAccess Persistence |
| Techniques | T1078 T1136 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml |
| Version | 1.0.3 |
| Arm template | 05282c91-7aaf-4d76-9a19-6dc582e6a411.json |
let known_usrs =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DstUserName)
| summarize makeset(DstUserName);
PingFederateEvent
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName
triggerThreshold: 0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
name: Ping Federate - New user SSO success login
relevantTechniques:
- T1078
- T1136
status: Available
version: 1.0.3
queryPeriod: 14d
kind: Scheduled
id: 05282c91-7aaf-4d76-9a19-6dc582e6a411
query: |
let known_usrs =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DstUserName)
| summarize makeset(DstUserName);
PingFederateEvent
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName
description: |
'Detects new user SSO success login.'
queryFrequency: 1h
severity: Low
triggerOperator: gt
tactics:
- InitialAccess
- Persistence