Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - OAuth old version

Back
Id85f70197-4865-4635-a4b2-a9c57e8fea1b
RulenamePing Federate - OAuth old version
DescriptionDetects requests using not the latest version of OAuth protocol.
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
Version1.0.1
Arm template85f70197-4865-4635-a4b2-a9c57e8fea1b.json
Deploy To Azure
PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'OAuth'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
severity: Medium
queryFrequency: 1d
relevantTechniques:
- T1190
tactics:
- InitialAccess
kind: Scheduled
query: |
  PingFederateEvent
  | where isnotempty(DeviceCustomString3)
  | extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)
  | extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
  | where proto =~ 'OAuth'
  | where ver !~ '20'
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml
queryPeriod: 1d
status: Available
version: 1.0.1
name: Ping Federate - OAuth old version
requiredDataConnectors:
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederate
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederateAma
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpCustomEntity
id: 85f70197-4865-4635-a4b2-a9c57e8fea1b
description: |
    'Detects requests using not the latest version of OAuth protocol.'
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/85f70197-4865-4635-a4b2-a9c57e8fea1b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Ping Federate - OAuth old version",
        "description": "'Detects requests using not the latest version of OAuth protocol.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "PingFederateEvent\n| where isnotempty(DeviceCustomString3)\n| extend proto = extract(@'(OAuth)', 1, DeviceCustomString3)\n| extend ver = extract(@'(\\d+)', 1, DeviceCustomString3)\n| where proto =~ 'OAuth'\n| where ver !~ '20'\n| extend AccountCustomEntity = DstUserName\n| extend IpCustomEntity = SrcIpAddr\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "alertRuleTemplateName": "85f70197-4865-4635-a4b2-a9c57e8fea1b",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IpCustomEntity",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "templateVersion": "1.0.1",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateOauthOld.yaml"
      }
    }
  ]
}