let known_domains =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DeviceCustomString1)
| extend url_parsed = parse_url(DeviceCustomString1)
| extend url_domain = extract(@'.*\.(.*\.[a-z]+)', 1, tostring(url_parsed.Host))
| summarize makeset(url_domain);
PingFederateEvent
| where isnotempty(DeviceCustomString1)
| extend url_parsed = parse_url(DeviceCustomString1)
| extend url_domain = extract(@'.*\.(.*\.[a-z]+)', 1, tostring(url_parsed.Host))
| where url_domain !in (known_domains)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
queryPeriod: 14d
description: |
'Detects unexpected authentication URL.'
kind: Scheduled
query: |
let known_domains =
PingFederateEvent
| where TimeGenerated between (ago(14d) .. (1d))
| where isnotempty(DeviceCustomString1)
| extend url_parsed = parse_url(DeviceCustomString1)
| extend url_domain = extract(@'.*\.(.*\.[a-z]+)', 1, tostring(url_parsed.Host))
| summarize makeset(url_domain);
PingFederateEvent
| where isnotempty(DeviceCustomString1)
| extend url_parsed = parse_url(DeviceCustomString1)
| extend url_domain = extract(@'.*\.(.*\.[a-z]+)', 1, tostring(url_parsed.Host))
| where url_domain !in (known_domains)
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr
tactics:
- InitialAccess
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateUnexpectedAuthUrl.yaml
id: 9578ef7f-cbb4-4e9a-bd26-37c15c53b413
version: 1.0.3
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IpCustomEntity
triggerThreshold: 0
status: Available
relevantTechniques:
- T1078
name: Ping Federate - Unexpected authentication URL.
severity: Medium
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
queryFrequency: 1h
