Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Abnormal password reset attempts

Back
Ide45a7334-2cb4-4690-8156-f02cac73d584
RulenamePing Federate - Abnormal password reset attempts
DescriptionDetects abnormal password reset attempts for user in short period of time.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsPingFederate
PingFederateAma
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
Version1.0.1
Arm templatee45a7334-2cb4-4690-8156-f02cac73d584.json
Deploy To Azure
let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| summarize count() by DstUserName, bin(TimeGenerated, 30m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName
severity: High
queryFrequency: 1d
relevantTechniques:
- T1110
tactics:
- CredentialAccess
kind: Scheduled
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | summarize count() by DstUserName, bin(TimeGenerated, 30m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
queryPeriod: 1d
status: Available
version: 1.0.1
name: Ping Federate - Abnormal password reset attempts
requiredDataConnectors:
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederate
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederateAma
triggerOperator: gt
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
id: e45a7334-2cb4-4690-8156-f02cac73d584
description: |
    'Detects abnormal password reset attempts for user in short period of time.'
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Ping Federate - Abnormal password reset attempts",
        "description": "'Detects abnormal password reset attempts for user in short period of time.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "e45a7334-2cb4-4690-8156-f02cac73d584",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.1",
        "status": "Available",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml"
      }
    }
  ]
}