Microsoft Sentinel Analytic Rules

Ping Federate - New user SSO success login

Id: 05282c91-7aaf-4d76-9a19-6dc582e6a411
Rule name: Ping Federate - New user SSO success login
Description: Detects new user SSO success login.
Severity: Low
Tactics: InitialAccess
Persistence
Techniques: T1078
T1136
Required data connectors: CefAma
PingFederate
PingFederateAma
Kind: Scheduled
Query frequency: 1h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
Version: 1.0.2
Arm template: 05282c91-7aaf-4d76-9a19-6dc582e6a411.json
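// Baseline: every account that already produced a PingFederate event from
// 14 days ago up to one day ago. The original bound `(ago(14d) .. (1d))` is
// KQL's datetime..timespan range form, so it covered only the single day
// starting 14 days ago rather than the whole lookback; ending the baseline at
// ago(1d) makes it stop exactly where the detection window below starts.
let known_usrs =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. ago(1d))
| where isnotempty(DstUserName)
| summarize make_set(DstUserName);
// Detection: successful SSO logins from the last day whose account is not in
// the baseline. Empty DstUserName is dropped here as well; the baseline never
// contains '' so a nameless event would otherwise always alert.
PingFederateEvent
| where TimeGenerated > ago(1d)
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where isnotempty(DstUserName)
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName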
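# Microsoft Sentinel scheduled analytic rule: alerts on a successful
# PingFederate SSO login by an account that is absent from the baseline of
# accounts seen earlier in the lookback window.
kind: Scheduled
relevantTechniques:
- T1078
- T1136
description: |
    'Detects new user SSO success login.'
# queryPeriod is the data window the query may read; queryFrequency is how
# often the rule runs. The ago() bounds inside the query are tied to these.
queryPeriod: 14d
queryFrequency: 1h
tactics:
- InitialAccess
- Persistence
name: Ping Federate - New user SSO success login
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
# The alerting row's DstUserName is surfaced as the Account entity.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
triggerThreshold: 0
version: 1.0.2
id: 05282c91-7aaf-4d76-9a19-6dc582e6a411
query: |
  // Baseline: every account that already produced a PingFederate event from
  // 14 days ago up to one day ago. The previous bound `(ago(14d) .. (1d))` is
  // KQL's datetime..timespan range form and covered only the single day
  // starting 14 days ago; ending the baseline at ago(1d) makes it stop exactly
  // where the detection window below starts.
  let known_usrs =
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. ago(1d))
  | where isnotempty(DstUserName)
  | summarize make_set(DstUserName);
  // Detection: successful SSO logins from the last day whose account is not in
  // the baseline. Empty DstUserName is dropped here as well; the baseline never
  // contains '' so a nameless event would otherwise always alert.
  PingFederateEvent
  | where TimeGenerated > ago(1d)
  | where EventType =~ 'SSO'
  | where EventMessage has 'success'
  | where isnotempty(DstUserName)
  | where DstUserName !in (known_usrs)
  | extend AccountCustomEntity = DstUserName
status: Available
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
severity: Low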
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
      "properties": {
        "alertRuleTemplateName": "05282c91-7aaf-4d76-9a19-6dc582e6a411",
        "customDetails": null,
        "description": "'Detects new user SSO success login.'\n",
        "displayName": "Ping Federate - New user SSO success login",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml",
        "query": "let known_usrs = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where EventType =~ 'SSO'\n| where EventMessage has 'success'\n| where DstUserName !in (known_usrs)\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1078",
          "T1136"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}