Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - OAuth old version

Back
Id85f70197-4865-4635-a4b2-a9c57e8fea1b
RulenamePing Federate - OAuth old version
DescriptionDetects requests using not the latest version of OAuth protocol.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
Version1.0.1
Arm template85f70197-4865-4635-a4b2-a9c57e8fea1b.json
Deploy To Azure
PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
status: Available
id: 85f70197-4865-4635-a4b2-a9c57e8fea1b
name: Ping Federate - OAuth old version
requiredDataConnectors:
- connectorId: PingFederate
  dataTypes:
  - PingFederateEvent
- connectorId: PingFederateAma
  dataTypes:
  - PingFederateEvent
severity: Medium
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
kind: Scheduled
description: |
    'Detects requests using not the latest version of OAuth protocol.'
relevantTechniques:
- T1190
queryPeriod: 1d
triggerOperator: gt
queryFrequency: 1d
query: |
  PingFederateEvent
  | where isnotempty(DeviceCustomString3)
  | extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
  | extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
  | where proto =~ 'OAuth'
  | where ver !~ '20'
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
version: 1.0.1
tactics:
- InitialAccess
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IpCustomEntity
  entityType: IP
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
      "properties": {
        "alertRuleTemplateName": "85f70197-4865-4635-a4b2-a9c57e8fea1b",
        "customDetails": null,
        "description": "'Detects requests using not the latest version of OAuth protocol.'\n",
        "displayName": "Ping Federate - OAuth old version",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml",
        "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'OAuth'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}