PingFederate

PingFederate Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index

Attribute Value
Publisher Microsoft Corporation
Support Tier Microsoft
Support Link https://support.microsoft.com
Categories domains
Version 3.0.2
Author Microsoft - support@microsoft.com
First Published 2022-06-01
Solution Folder PingFederate
Marketplace Azure Marketplace · Popularity: 🔵 Medium (57%)
Pre-requisites Common Event Format

The PingFederate solution provides the capability to ingest PingFederate events into Microsoft Sentinel. Refer to PingFederate documentation for more information.

This solution is dependent on the Common Event Format solution containing the CEF via AMA connector to collect the logs. The CEF solution will be installed as part of this solution installation.

NOTE: Microsoft recommends installation of CEF via AMA Connector. The existing connectors were deprecated on Aug 31, 2024.

Contents

Pre-requisites

This solution depends on 1 other solution(s):

Solution
Common Event Format

Data Connectors

This solution has 2 discovered data connector(s)⚠️ (not in Solution definition):

Connectors from dependency solutions:

🔍 Discovered: This item was discovered by scanning the solution folder but is not listed in the Solution JSON file.

Tables Used

This solution uses 1 table(s):

Table Used By Connectors Used By Content
CommonSecurityLog Common Event Format (CEF) (dependency), Common Event Format (CEF) via AMA (dependency), [Deprecated] PingFederate via AMA, [Deprecated] PingFederate via Legacy Agent Analytics, Hunting, Workbooks

Content Items

This solution includes 23 content item(s):

Content Type Count
Analytic Rules 11
Hunting Queries 10
Workbooks 1
Parsers 1

Analytic Rules

Name Severity Tactics Tables Used
Ping Federate - Abnormal password reset attempts High CredentialAccess CommonSecurityLog
Ping Federate - Abnormal password resets for user High InitialAccess, Persistence, PrivilegeEscalation CommonSecurityLog
Ping Federate - Authentication from new IP. Low InitialAccess CommonSecurityLog
Ping Federate - Forbidden country High InitialAccess CommonSecurityLog
Ping Federate - New user SSO success login Low InitialAccess, Persistence CommonSecurityLog
Ping Federate - OAuth old version Medium InitialAccess CommonSecurityLog
Ping Federate - Password reset request from unexpected source IP address.. Medium InitialAccess CommonSecurityLog
Ping Federate - SAML old version Medium InitialAccess CommonSecurityLog
Ping Federate - Unexpected authentication URL. Medium InitialAccess CommonSecurityLog
Ping Federate - Unexpected country for user Medium InitialAccess CommonSecurityLog
Ping Federate - Unusual mail domain. Medium InitialAccess CommonSecurityLog

Hunting Queries

Name Tactics Tables Used
Ping Federate - Authentication URLs CredentialAccess CommonSecurityLog
Ping Federate - Authentication from unusual sources InitialAccess CommonSecurityLog
Ping Federate - Failed Authentication InitialAccess CommonSecurityLog
Ping Federate - New users InitialAccess CommonSecurityLog
Ping Federate - Password reset requests InitialAccess, Persistence CommonSecurityLog
Ping Federate - Rare source IP addresses InitialAccess CommonSecurityLog
Ping Federate - Requests from unusual countries InitialAccess CommonSecurityLog
Ping Federate - SAML subjects CredentialAccess CommonSecurityLog
Ping Federate - Top source IP addresses InitialAccess CommonSecurityLog
Ping Federate - Users recently reseted password InitialAccess, Persistence CommonSecurityLog

Workbooks

Name Tables Used
PingFederate CommonSecurityLog

Parsers

Name Description Tables Used
PingFederateEvent - CommonSecurityLog (read)

Release Notes

Version Date Modified (DD-MM-YYYY) Change History
3.0.2 22-11-2024 Removed Deprecated Data Connectors
3.0.1 12-07-2024 Deprecated Data Connector
3.0.0 04-09-2023 Addition of new PingFederate AMA Data Connector

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Solutions Index