LoFP / false positives may be generated by normal provisioning workflows for user device registration.

Techniques

• T1078
• T1098.005
• T1110
• T1556.006
• T1621

Sample rules

PingID New MFA Method Registered For User

• source: splunk
• technicques:
  • T1621
  • T1556.006
  • T1098.005

Description

The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a PingID (PingOne) account. It leverages JSON logs from PingID, specifically looking for successful device pairing events. This activity is significant as adversaries who gain unauthorized access to a user account may register a new MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security measures, maintain long-term access, and potentially escalate their privileges within the compromised environment.

Detection logic

`pingid` "result.message"="Device Paired*" result.status="SUCCESS"   
| rex field=result.message "Device (Unp)?(P)?aired (?<device_extract>.+)" 
| eval src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), reason = 'result.message' 
| eval object=CASE(ISNOTNULL('resources{}.devicemodel'),'resources{}.devicemodel',true(),device_extract) 
| eval action=CASE(match('result.message',"Device Paired*"),"created",match('result.message', "Device Unpaired*"),"deleted") 
| stats count min(_time) as firstTime, max(_time) as lastTime by src,user,object,action,reason 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `pingid_new_mfa_method_registered_for_user_filter`

PingID Multiple Failed MFA Requests For User

• source: splunk
• technicques:
  • T1621
  • T1078
  • T1110

Description

The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within a PingID environment. It triggers when 10 or more MFA prompts fail within 10 minutes, using JSON logs from PingID. This activity is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication requests. If confirmed malicious, this could lead to unauthorized access, as the user might eventually accept the fraudulent request, compromising the security of the account and potentially the entire network.

Detection logic

`pingid` "result.status" IN ("FAILURE,authFail","UNSUCCESSFUL_ATTEMPT") 
| eval time = _time, src = coalesce('resources{}.ipaddress','resources{}.devicemodel'), user = upper('actors{}.name'), object = 'resources{}.devicemodel', reason = 'result.message'
| bucket span=10m _time 
| stats dc(_raw) AS mfa_prompts min(time) as firstTime, max(time) as lastTime values(src) as src by user, reason, _time 
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` 
| where mfa_prompts >= 10 
| `pingid_multiple_failed_mfa_requests_for_user_filter`