Microsoft Sentinel Analytic Rules

Ping Federate - Abnormal password resets for user

Id: 6145efdc-4724-42a6-9756-5bd1ba33982e
Rulename: Ping Federate - Abnormal password resets for user
Description: Detects multiple password resets for a user.
Severity: High
Tactics: InitialAccess
Persistence
PrivilegeEscalation
Techniques: T1078
T1098
T1134
Required data connectors: CefAma
PingFederate
PingFederateAma
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
Version: 1.0.2
Arm template: 6145efdc-4724-42a6-9756-5bd1ba33982e.json
// Flag every account that has more than `threshold` PWD_RESET events in the query window.
// The rule is scheduled with a 1d frequency and a 1d period, so this is a per-user count
// over one day; there is no time bucket, so ten resets in a minute and ten spread over
// the day produce the same result.
let threshold = 10;
PingFederateEvent
// =~ is a case-insensitive string match.
| where EventType =~ 'PWD_RESET'
// count() with no alias produces the auto-named column `count_` used on the next line.
| summarize count() by DstUserName
| where count_ > threshold
// Column that the rule's Account entity mapping (identifier: Name) reads.
| extend AccountCustomEntity = DstUserName
# Connectors that feed this rule. The query reads the PingFederateEvent table;
# the CefAma entry lists CommonSecurityLog as its data type (presumably the raw
# CEF source behind PingFederateEvent — confirm against the solution's parser).
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
status: Available
relevantTechniques:
- T1078
- T1098
- T1134
# Scheduled once a day over a one-day lookback, so the per-user count inside
# the query is effectively a daily count.
queryFrequency: 1d
id: 6145efdc-4724-42a6-9756-5bd1ba33982e
name: Ping Federate - Abnormal password resets for user
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml
queryPeriod: 1d
# Each result row becomes an Account entity whose Name is taken from the
# AccountCustomEntity column the query extends.
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
description: |
    'Detects multiple password reset for user.'
# triggerThreshold 0 with triggerOperator gt means any returned row fires the rule;
# the real detection threshold (more than 10 resets per user) is the `threshold`
# variable inside the query below.
triggerThreshold: 0
tactics:
- InitialAccess
- Persistence
- PrivilegeEscalation
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET'
  | summarize count() by DstUserName
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
kind: Scheduled
triggerOperator: gt
version: 1.0.2
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6145efdc-4724-42a6-9756-5bd1ba33982e')]",
      "properties": {
        "alertRuleTemplateName": "6145efdc-4724-42a6-9756-5bd1ba33982e",
        "customDetails": null,
        "description": "'Detects multiple password reset for user.'\n",
        "displayName": "Ping Federate - Abnormal password resets for user",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateMultiplePasswordResetsForUser.yaml",
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET'\n| summarize count() by DstUserName\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078",
          "T1098",
          "T1134"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}