Ping Federate - Authentication from new IP

Back


Id	30583ed4-d13c-43b8-baf2-d75fbe727210
Rulename	Ping Federate - Authentication from new IP.
Description	Detects authentication requests from new IP address.
Severity	Low
Tactics	InitialAccess
Techniques	T1078
Required data connectors	PingFederate PingFederateAma
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml
Version	1.0.1
Arm template	30583ed4-d13c-43b8-baf2-d75fbe727210.json

KQL

let known_src = 
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')
| where isnotempty(SrcIpAddr)
| summarize makeset(SrcIpAddr);
PingFederateEvent
| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')
| where isnotempty(SrcIpAddr)
| where SrcIpAddr !in (known_src)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

YAML

severity: Low
triggerThreshold: 0
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
kind: Scheduled
id: 30583ed4-d13c-43b8-baf2-d75fbe727210
triggerOperator: gt
tactics:
- InitialAccess
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpCustomEntity
relevantTechniques:
- T1078
version: 1.0.1
queryPeriod: 14d
name: Ping Federate - Authentication from new IP.
status: Available
description: |
    'Detects authentication requests from new IP address.'
query: |
  let known_src = 
  PingFederateEvent
  | where TimeGenerated between (ago(14d) .. (1d))
  | where EventType in~ ('AUTHN_ATTEMPT', 'SSO')
  | where isnotempty(SrcIpAddr)
  | summarize makeset(SrcIpAddr);
  PingFederateEvent
  | where EventType in~ ('AUTHN_ATTEMPT', 'SSO')
  | where isnotempty(SrcIpAddr)
  | where SrcIpAddr !in (known_src)
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/30583ed4-d13c-43b8-baf2-d75fbe727210')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/30583ed4-d13c-43b8-baf2-d75fbe727210')]",
      "properties": {
        "alertRuleTemplateName": "30583ed4-d13c-43b8-baf2-d75fbe727210",
        "customDetails": null,
        "description": "'Detects authentication requests from new IP address.'\n",
        "displayName": "Ping Federate - Authentication from new IP.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAuthFromNewSource.yaml",
        "query": "let known_src = \nPingFederateEvent\n| where TimeGenerated between (ago(14d) .. (1d))\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| summarize makeset(SrcIpAddr);\nPingFederateEvent\n| where EventType in~ ('AUTHN_ATTEMPT', 'SSO')\n| where isnotempty(SrcIpAddr)\n| where SrcIpAddr !in (known_src)\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}