Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Abnormal password resets for user

Back
Id6145efdc-4724-42a6-9756-5bd1ba33982e
RulenamePing Federate - Abnormal password resets for user
DescriptionDetects multiple password reset for user.
SeverityHigh
TacticsInitialAccess
Persistence
PrivilegeEscalation
TechniquesT1078
T1098
T1134
Required data connectorsCefAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
Version1.0.3
Arm template6145efdc-4724-42a6-9756-5bd1ba33982e.json
Deploy To Azure
let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET'
| summarize count() by DstUserName
| where count_ > threshold
| extend AccountCustomEntity = DstUserName
name: Ping Federate - Abnormal password resets for user
version: 1.0.3
severity: High
queryFrequency: 1d
triggerOperator: gt
relevantTechniques:
- T1078
- T1098
- T1134
status: Available
description: |
    'Detects multiple password reset for user.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
queryPeriod: 1d
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET'
  | summarize count() by DstUserName
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
kind: Scheduled
triggerThreshold: 0
id: 6145efdc-4724-42a6-9756-5bd1ba33982e
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "properties": {
        "alertRuleTemplateName": "6145efdc-4724-42a6-9756-5bd1ba33982e",
        "customDetails": null,
        "description": "'Detects multiple password reset for user.'\n",
        "displayName": "Ping Federate - Abnormal password resets for user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml",
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET'\n| summarize count() by DstUserName\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098",
          "T1134"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}