Ping Federate - Password reset request from unexpected source IP address

Back


Id	2d201d21-77b4-4d97-95f3-26b5c6bde09f
Rulename	Ping Federate - Password reset request from unexpected source IP address..
Description	Detects password reset requests from unexpected source IP address.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
Version	1.0.3
Arm template	2d201d21-77b4-4d97-95f3-26b5c6bde09f.json

KQL

let known_src = 
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(SrcIpAddr)
| summarize makeset(SrcIpAddr);
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| where isnotempty(SrcIpAddr)
| where SrcIpAddr !in (known_src)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

YAML

status: Available
triggerOperator: gt
triggerThreshold: 0
name: Ping Federate - Password reset request from unexpected source IP address..
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
queryPeriod: 14d
severity: Medium
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IpCustomEntity
    identifier: Address
queryFrequency: 1h
relevantTechniques:
- T1078
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
description: |
    'Detects password reset requests from unexpected source IP address.'
tactics:
- InitialAccess
query: |
  let known_src = 
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. (1d))
  | where isnotempty(SrcIpAddr)
  | summarize makeset(SrcIpAddr);
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | where isnotempty(SrcIpAddr)
  | where SrcIpAddr !in (known_src)
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
id: 2d201d21-77b4-4d97-95f3-26b5c6bde09f
version: 1.0.3

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
      "properties": {
        "alertRuleTemplateName": "2d201d21-77b4-4d97-95f3-26b5c6bde09f",
        "customDetails": null,
        "description": "'Detects password reset requests from unexpected source IP address.'\n",
        "displayName": "Ping Federate - Password reset request from unexpected source IP address..",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml",
        "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}