Ping Federate - SAML old version

PingFederateEvent
| where isnotempty(DeviceCustomString3)
| extend proto = extract(@'(SAML)', 1, DeviceCustomString3)
| extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
| where proto =~ 'SAML'
| where ver !~ '20'
| extend AccountCustomEntity = DstUserName
| extend IpCustomEntity = SrcIpAddr

triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpCustomEntity
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/PingFederate/Analytic Rules/PingFederateSamlOld.yaml
name: Ping Federate - SAML old version
relevantTechniques:
- T1190
status: Available
version: 1.0.3
queryPeriod: 1d
kind: Scheduled
id: fddd3840-acd2-41ed-94d9-1474b0a7c8a6
query: |
  PingFederateEvent
  | where isnotempty(DeviceCustomString3)
  | extend proto = extract(@'(SAML)', 1, DeviceCustomString3)
  | extend ver = extract(@'(\d+)', 1, DeviceCustomString3)
  | where proto =~ 'SAML'
  | where ver !~ '20'
  | extend AccountCustomEntity = DstUserName
  | extend IpCustomEntity = SrcIpAddr  
description: |
    'Detects requests using not the latest version of SAML protocol.'
queryFrequency: 1d
severity: Medium
triggerOperator: gt
tactics:
- InitialAccess