PingID New MFA Method Registered For User
Description
The following analytic identifies the registration of a new multi-factor authentication (MFA) method for a PingID (PingOne) account. Adversaries who have obtained unauthorized access to a user account may register a new MFA method to maintain persistence.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-09-26
- Author: Steven Dick
- ID: 892dfeaf-461d-4a78-aac8-b07e185c9bce
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
- Installation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`pingid` "result.message"="Device Paired*" result.status="SUCCESS"
| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)"
| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message'
| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract)
| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted")
| stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `pingid_new_mfa_method_registered_for_user_filter`
Macros
The SPL above uses the following macros:
pingid_new_mfa_method_registered_for_user_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
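To make the search logic concrete outside Splunk, the following Python script is an added example (not part of this detection's content, and not Ping Identity's or Splunk's code) that replays the same pipeline over a handful of constructed PingID-style audit events: the base filter on `result.message` and `result.status`, the `rex` device extraction, the `eval` stage that derives `src`, `user`, `object`, `action` and `reason`, the `stats` aggregation, and finally the RBA message template from this page. The event shapes and all values are made up for the example; real PingOne webhook payloads may differ in field nesting.

```python
import re
from datetime import datetime, timezone

# Constructed sample events shaped like the fields the search references
# (resources{}.ipaddress, resources{}.devicemodel, actors{}.name, result.message,
# result.status). All users, IPs and device names are made up for this example.
SAMPLE_EVENTS = [
    {"_time": "2023-09-26T12:00:00Z", "result": {"message": "Device Paired iPhone 14", "status": "SUCCESS"},
     "actors": [{"name": "jdoe"}], "resources": [{"ipaddress": "203.0.113.10", "devicemodel": "iPhone 14"}]},
    {"_time": "2023-09-26T12:05:00Z", "result": {"message": "Device Paired YubiKey 5", "status": "SUCCESS"},
     "actors": [{"name": "jdoe"}], "resources": [{"ipaddress": "203.0.113.10"}]},          # no devicemodel
    {"_time": "2023-09-26T12:07:00Z", "result": {"message": "Device Paired Pixel 7", "status": "FAILURE"},
     "actors": [{"name": "asmith"}], "resources": [{"ipaddress": "198.51.100.7", "devicemodel": "Pixel 7"}]},
    {"_time": "2023-09-26T13:00:00Z", "result": {"message": "Device Unpaired iPhone 14", "status": "SUCCESS"},
     "actors": [{"name": "jdoe"}], "resources": [{"ipaddress": "203.0.113.10", "devicemodel": "iPhone 14"}]},
    {"_time": "2023-09-26T12:30:00Z", "result": {"message": "Device Paired iPhone 14", "status": "SUCCESS"},
     "actors": [{"name": "jdoe"}], "resources": [{"ipaddress": "203.0.113.10", "devicemodel": "iPhone 14"}]},
]

# Same pattern as the `rex` command in the search.
DEVICE_RE = re.compile(r"Device (Unp)?(P)?aired (?P<device_extract>.+)")


def first(event, key, sub):
    # Emulates a multivalue field reference such as resources{}.ipaddress:
    # return the first array element that carries the requested subfield.
    for item in event.get(key, []):
        if item.get(sub) is not None:
            return item[sub]
    return None


def normalize(event):
    """Emulates the base search plus the eval stage. Returns None when the event is filtered out."""
    msg = event["result"]["message"]
    # Base search: "result.message"="Device Paired*" result.status="SUCCESS".
    # Splunk's wildcard field match is case-insensitive, hence lower().
    if not (msg.lower().startswith("device paired") and event["result"]["status"] == "SUCCESS"):
        return None
    m = DEVICE_RE.search(msg)
    device_extract = m.group("device_extract") if m else None
    ip = first(event, "resources", "ipaddress")
    model = first(event, "resources", "devicemodel")
    src = ip if ip is not None else model                   # coalesce(ipaddress, devicemodel)
    user = (first(event, "actors", "name") or "").upper()   # upper(actors{}.name)
    obj = model if model is not None else device_extract    # CASE(ISNOTNULL(devicemodel), ..., true(), device_extract)
    if re.match(r"Device Paired", msg):                     # action via match() as in the eval
        action = "created"
    elif re.match(r"Device Unpaired", msg):
        action = "deleted"
    else:
        action = None
    ts = datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"_time": ts, "src": src, "user": user, "object": obj, "action": action, "reason": msg}


def detect(events):
    """Emulates: stats count min(_time) as firstTime max(_time) as lastTime by src,user,object,action,reason."""
    rows = {}
    for ev in events:
        n = normalize(ev)
        if n is None:
            continue
        key = (n["src"], n["user"], n["object"], n["action"], n["reason"])
        r = rows.setdefault(key, {"count": 0, "firstTime": n["_time"], "lastTime": n["_time"]})
        r["count"] += 1
        r["firstTime"] = min(r["firstTime"], n["_time"])
        r["lastTime"] = max(r["lastTime"], n["_time"])
    return [dict(zip(("src", "user", "object", "action", "reason"), k), **v) for k, v in rows.items()]


def risk_message(row):
    # Fills the RBA message template from this page for one aggregated row.
    return (f"An MFA configuration change was detected for [{row['user']}], "
            f"the device [{row['object']}] was {row['action']}.")


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["count"], row["firstTime"].isoformat(), row["lastTime"].isoformat(), "|", risk_message(row))
```

Run as-is, the script yields two rows: the repeated "iPhone 14" pairing for JDOE collapses into one row with count 2 and a first/last time span, and the "YubiKey 5" pairing, which has no `devicemodel`, falls back to the `rex`-extracted name for `object`. The FAILURE event and the Unpaired event are dropped by the base filter; note that because the base search only admits messages matching `Device Paired*`, the `deleted` branch of the `action` CASE in this analytic never fires, so a separate search would be needed to surface MFA method removals.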
Required fields
List of fields required to use this analytic.
- _time
- resources{}.ipaddress
- actors{}.name
- result.message
- resources{}.devicemodel
- result.status
How To Implement
Target environment must ingest JSON logging from a PingID (PingOne) enterprise environment, either via Webhook or Push Subscription.
Known False Positives
False positives may be generated by normal provisioning workflows for user device registration.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 10.0 | 20 | 50 | An MFA configuration change was detected for [$user$], the device [$object$] was $action$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.
Reference
- https://twitter.com/jhencinski/status/1618660062352007174
- https://attack.mitre.org/techniques/T1098/005/
- https://attack.mitre.org/techniques/T1556/006/
- https://docs.pingidentity.com/r/en-us/pingoneforenterprise/p14e_subscriptions?tocId=3xhnxjX3VzKNs3SXigWnQA
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range.