Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Ping Federate - Abnormal password reset attempts

Back
Ide45a7334-2cb4-4690-8156-f02cac73d584
RulenamePing Federate - Abnormal password reset attempts
DescriptionDetects abnormal password reset attempts for user in short period of time.
SeverityHigh
TacticsCredentialAccess
TechniquesT1110
Required data connectorsPingFederate
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
Version1.0.0
Arm templatee45a7334-2cb4-4690-8156-f02cac73d584.json
Deploy To Azure
let threshold = 10;
PingFederateEvent
| where EventType =~ 'PWD_RESET_REQUEST'
| summarize count() by DstUserName, bin(TimeGenerated, 30m)
| where count_ > threshold
| extend AccountCustomEntity = DstUserName
name: Ping Federate - Abnormal password reset attempts
query: |
  let threshold = 10;
  PingFederateEvent
  | where EventType =~ 'PWD_RESET_REQUEST'
  | summarize count() by DstUserName, bin(TimeGenerated, 30m)
  | where count_ > threshold
  | extend AccountCustomEntity = DstUserName  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - PingFederateEvent
  connectorId: PingFederate
version: 1.0.0
status: Available
queryPeriod: 1d
id: e45a7334-2cb4-4690-8156-f02cac73d584
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
relevantTechniques:
- T1110
severity: High
description: |
    'Detects abnormal password reset attempts for user in short period of time.'
kind: Scheduled
tactics:
- CredentialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/e45a7334-2cb4-4690-8156-f02cac73d584')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Ping Federate - Abnormal password reset attempts",
        "description": "'Detects abnormal password reset attempts for user in short period of time.'\n",
        "severity": "High",
        "enabled": true,
        "query": "let threshold = 10;\nPingFederateEvent\n| where EventType =~ 'PWD_RESET_REQUEST'\n| summarize count() by DstUserName, bin(TimeGenerated, 30m)\n| where count_ > threshold\n| extend AccountCustomEntity = DstUserName\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1110"
        ],
        "alertRuleTemplateName": "e45a7334-2cb4-4690-8156-f02cac73d584",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateAbnormalPasswordResetsAttempts.yaml"
      }
    }
  ]
}