Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Password reset request from unexpected source IP address..

Back
Id2d201d21-77b4-4d97-95f3-26b5c6bde09f
RulenamePing Federate - Password reset request from unexpected source IP address..
DescriptionDetects password reset requests from unexpected source IP address.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
Version1.0.1
Arm template2d201d21-77b4-4d97-95f3-26b5c6bde09f.json
Deploy To Azure
let known_src = 
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(SrcIpAddr)
| summarize makeset(SrcIpAddr);
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| where isnotempty(SrcIpAddr)
| where SrcIpAddr !in (known_src)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
version: 1.0.1
name: Ping Federate - Password reset request from unexpected source IP address..
severity: Medium
queryFrequency: 1h
kind: Scheduled
queryPeriod: 14d
description: |
    'Detects password reset requests from unexpected source IP address.'
query: |
  let known_src = 
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. (1d))
  | where isnotempty(SrcIpAddr)
  | summarize makeset(SrcIpAddr);
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | where isnotempty(SrcIpAddr)
  | where SrcIpAddr !in (known_src)
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
tactics:
- InitialAccess
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IpCustomEntity
    identifier: Address
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
status: Available
relevantTechniques:
- T1078
id: 2d201d21-77b4-4d97-95f3-26b5c6bde09f
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2d201d21-77b4-4d97-95f3-26b5c6bde09f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Ping Federate - Password reset request from unexpected source IP address..",
        "description": "'Detects password reset requests from unexpected source IP address.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "2d201d21-77b4-4d97-95f3-26b5c6bde09f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederatePasswordRstReqUnexpectedSource.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}