Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - New user SSO success login

Back
Id05282c91-7aaf-4d76-9a19-6dc582e6a411
RulenamePing Federate - New user SSO success login
DescriptionDetects new user SSO success login.
SeverityLow
TacticsInitialAccess
Persistence
TechniquesT1078
T1136
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
Version1.0.1
Arm template05282c91-7aaf-4d76-9a19-6dc582e6a411.json
Deploy To Azure
let known_usrs = 
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DstUserName)
| summarize makeset(DstUserName);
PingFederateEvent
| where EventType =~ 'SSO'
| where EventMessage has 'success'
| where DstUserName !in (known_usrs)
| extend AccountCustomEntity = DstUserName
triggerOperator: gt
version: 1.0.1
query: |
  let known_usrs = 
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. (1d))
  | where isnotempty(DstUserName)
  | summarize makeset(DstUserName);
  PingFederateEvent
  | where EventType =~ 'SSO'
  | where EventMessage has 'success'
  | where DstUserName !in (known_usrs)
  | extend AccountCustomEntity = DstUserName  
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
name: Ping Federate - New user SSO success login
queryPeriod: 14d
severity: Low
kind: Scheduled
tactics:
- InitialAccess
- Persistence
id: 05282c91-7aaf-4d76-9a19-6dc582e6a411
description: |
    'Detects new user SSO success login.'
relevantTechniques:
- T1078
- T1136
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/05282c91-7aaf-4d76-9a19-6dc582e6a411')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Ping Federate - New user SSO success login",
        "description": "'Detects new user SSO success login.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let known_usrs = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where isnotempty(DstUserName)\n| summarize makeset(DstUserName);\nPingFederateEvent\n| where EventType =~ 'SSO'\n| where EventMessage has 'success'\n| where DstUserName !in (known_usrs)\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1078",
          "T1136"
        ],
        "alertRuleTemplateName": "05282c91-7aaf-4d76-9a19-6dc582e6a411",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateNewUserSSO.yaml",
        "status": "Available",
        "templateVersion": "1.0.1"
      }
    }
  ]
}