PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
tactics:
- InitialAccess
id: 85f70197-4865-4635-a4b2-a9c57e8fea1b
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
status: Available
description: |
'Detects requests using not the latest version of OAuth protocol.'
version: 1.0.3
severity: Medium
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IpCustomEntity
entityType: IP
kind: Scheduled
name: Ping Federate - OAuth old version
query: |
PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
queryPeriod: 1d
queryFrequency: 1d
triggerOperator: gt
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
relevantTechniques:
- T1190
