Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Abnormal password reset attempts

Back
Ide45a7334-2cb4-4690-8156-f02cac73d584
RulenamePing Federate - Abnormal password reset attempts
DescriptionDetects abnormal password reset attempts for user in short period of time.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsCefAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
Version1.0.3
Arm templatee45a7334-2cb4-4690-8156-f02cac73d584.json
Deploy To Azure
let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| summarize count() by DstUserName, bin(TimeGenerated, 30m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName
tactics:
- CredentialAccess
name: Ping Federate - Abnormal password reset attempts
id: e45a7334-2cb4-4690-8156-f02cac73d584
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | summarize count() by DstUserName, bin(TimeGenerated, 30m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
relevantTechniques:
- T1110
description: |
    'Detects abnormal password reset attempts for user in short period of time.'
triggerOperator: gt
queryPeriod: 1d
severity: High
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
version: 1.0.3
triggerThreshold: 0
kind: Scheduled
queryFrequency: 1d
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "properties": {
        "alertRuleTemplateName": "e45a7334-2cb4-4690-8156-f02cac73d584",
        "customDetails": null,
        "description": "'Detects abnormal password reset attempts for user in short period of time.'\n",
        "displayName": "Ping Federate - Abnormal password reset attempts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml",
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}