Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Abnormal password resets for user

Back
Id6145efdc-4724-42a6-9756-5bd1ba33982e
RulenamePing Federate - Abnormal password resets for user
DescriptionDetects multiple password reset for user.
SeverityHigh
TacticsInitialAccess
Persistence
PrivilegeEscalation
TechniquesT1078
T1098
T1134
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
Version1.0.1
Arm template6145efdc-4724-42a6-9756-5bd1ba33982e.json
Deploy To Azure
let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET'
| summarize count() by DstUserName
| where count_ > threshold
| extend AccountCustomEntity = DstUserName
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
description: |
    'Detects multiple password reset for user.'
triggerOperator: gt
queryPeriod: 1d
requiredDataConnectors:
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederate
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederateAma
queryFrequency: 1d
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET'
  | summarize count() by DstUserName
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
status: Available
kind: Scheduled
relevantTechniques:
- T1078
- T1098
- T1134
version: 1.0.1
id: 6145efdc-4724-42a6-9756-5bd1ba33982e
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
name: Ping Federate - Abnormal password resets for user
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Ping Federate - Abnormal password resets for user",
        "description": "'Detects multiple password reset for user.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET'\n| summarize count() by DstUserName\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098",
          "T1134"
        ],
        "alertRuleTemplateName": "6145efdc-4724-42a6-9756-5bd1ba33982e",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml"
      }
    }
  ]
}