Ping Federate - Abnormal password reset attempts

Back


Id	e45a7334-2cb4-4690-8156-f02cac73d584
Rulename	Ping Federate - Abnormal password reset attempts
Description	Detects abnormal password reset attempts for user in short period of time.
Severity	High
Tactics	CredentialAccess
Techniques	T1110
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
Version	1.0.3
Arm template	e45a7334-2cb4-4690-8156-f02cac73d584.json

KQL

let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| summarize count() by DstUserName, bin(TimeGenerated, 30m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName

YAML

entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
triggerThreshold: 0
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
queryFrequency: 1d
status: Available
relevantTechniques:
- T1110
triggerOperator: gt
id: e45a7334-2cb4-4690-8156-f02cac73d584
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
version: 1.0.3
name: Ping Federate - Abnormal password reset attempts
description: |
    'Detects abnormal password reset attempts for user in short period of time.'
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | summarize count() by DstUserName, bin(TimeGenerated, 30m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
tactics:
- CredentialAccess
queryPeriod: 1d
kind: Scheduled

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "properties": {
        "alertRuleTemplateName": "e45a7334-2cb4-4690-8156-f02cac73d584",
        "customDetails": null,
        "description": "'Detects abnormal password reset attempts for user in short period of time.'\n",
        "displayName": "Ping Federate - Abnormal password reset attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml",
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}