Ping Federate - SAML old version

Back


Id	fddd3840-acd2-41ed-94d9-1474b0a7c8a6
Rulename	Ping Federate - SAML old version
Description	Detects requests using not the latest version of SAML protocol.
Severity	Medium
Tactics	InitialAccess
Techniques	T1190
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml
Version	1.0.3
Arm template	fddd3840-acd2-41ed-94d9-1474b0a7c8a6.json

KQL

PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(SAML)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'SAML'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

YAML

version: 1.0.3
kind: Scheduled
severity: Medium
tactics:
- InitialAccess
status: Available
triggerThreshold: 0
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: IpCustomEntity
    identifier: Address
  entityType: IP
query: |
  PingFederateEvent
  | where isnotempty(DeviceCustomString3)
  | extend proto = extract(@'(SAML)', 1, DeviceCustomString3)
  | extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
  | where proto =~ 'SAML'
  | where ver !~ '20'
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
triggerOperator: gt
id: fddd3840-acd2-41ed-94d9-1474b0a7c8a6
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
relevantTechniques:
- T1190
name: Ping Federate - SAML old version
queryFrequency: 1d
description: |
    'Detects requests using not the latest version of SAML protocol.'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml

ARM