Ping Federate - OAuth old version

Back


Id	85f70197-4865-4635-a4b2-a9c57e8fea1b
Rulename	Ping Federate - OAuth old version
Description	Detects requests using not the latest version of OAuth protocol.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
Version	1.0.3
Arm template	85f70197-4865-4635-a4b2-a9c57e8fea1b.json

KQL

PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

YAML

name: Ping Federate - OAuth old version
queryFrequency: 1d
description: |
    'Detects requests using not the latest version of OAuth protocol.'
relevantTechniques:
- T1190
id: 85f70197-4865-4635-a4b2-a9c57e8fea1b
triggerOperator: gt
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IpCustomEntity
    identifier: Address
kind: Scheduled
status: Available
tactics:
- InitialAccess
triggerThreshold: 0
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
query: |
  PingFederateEvent
  | where isnotempty(DeviceCustomString3)
  | extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
  | extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
  | where proto =~ 'OAuth'
  | where ver !~ '20'
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
severity: Medium

ARM