PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
id: 85f70197-4865-4635-a4b2-a9c57e8fea1b
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IpCustomEntity
entityType: IP
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
queryFrequency: 1d
queryPeriod: 1d
status: Available
query: |
PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
name: Ping Federate - OAuth old version
kind: Scheduled
tactics:
- InitialAccess
severity: Medium
relevantTechniques:
- T1190
triggerThreshold: 0
version: 1.0.3
description: |
'Detects requests using not the latest version of OAuth protocol.'
