Ping Federate - Abnormal password resets for user

Back


Id	6145efdc-4724-42a6-9756-5bd1ba33982e
Rulename	Ping Federate - Abnormal password resets for user
Description	Detects multiple password reset for user.
Severity	High
Tactics	InitialAccess Persistence PrivilegeEscalation
Techniques	T1078 T1098 T1134
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
Version	1.0.3
Arm template	6145efdc-4724-42a6-9756-5bd1ba33982e.json

KQL

let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET'
| summarize count() by DstUserName
| where count_ > threshold
| extend AccountCustomEntity = DstUserName

YAML

query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET'
  | summarize count() by DstUserName
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
kind: Scheduled
id: 6145efdc-4724-42a6-9756-5bd1ba33982e
triggerOperator: gt
severity: High
queryPeriod: 1d
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
description: |
    'Detects multiple password reset for user.'
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
version: 1.0.3
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
name: Ping Federate - Abnormal password resets for user
queryFrequency: 1d
relevantTechniques:
- T1078
- T1098
- T1134

ARM