Techniques
Sample rules
PingID Mismatch Auth Source and Verification Response
- source: splunk
- technicques:
- T1621
- T1556.006
- T1098.005
Description
The following analytic identifies variations in the authentication event IP address versus the verification response event IP address to identify suspicious sign-in behavior. Currently this detection is configured to identify when the originating country of an authentication request is different than the verification country.
Detection logic
`pingid` ("result.status" IN ("SUCCESS*","FAIL*","UNSUCCESSFUL*") NOT "result.message" IN ("*pair*","*create*","*delete*"))
| eval user = upper('actors{}.name'), session_id = 'resources{}.websession', dest = 'resources{}.ipaddress', reason = 'result.message', object = 'resources{}.devicemodel', status = 'result.status'
| join user session_id [ search `pingid` ("result.status" IN ("POLICY") AND "resources{}.ipaddress"=*) AND "result.message" IN("*Action: Authenticate*","*Action: Approve*","*Action: Allowed*")
| rex field=result.message "IP Address: (?:N\/A)?(?<policy_ipaddress>.+)?\n"
| rex field=result.message "Action: (?:N\/A)?(?<signature>.+)?\n"
| rex field=result.message "Requested Application Name: (?:N\/A)?(?<Requested_Application_Name>.+)?\n"
| rex field=result.message "Requested Application ID: (?:N\/A)?(?<Requested_Application_ID>.+)?\n"
| eval user = upper('actors{}.name'), session_id = 'resources{}.websession', src = coalesce('resources{}.ipaddress',policy_ipaddress), app = coalesce(Requested_Application_ID,Requested_Application_Name)
| fields app, user, session_id, src, signature ]
| iplocation prefix=auth_ dest
| iplocation prefix=verify_ src
| stats count min(_time) as firstTime max(_time) as lastTime values(app) as app values(session_id) as session_id by user, dest, auth_Country, src, verify_Country, object, signature, status, reason
| where auth_Country != verify_Country
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `pingid_mismatch_auth_source_and_verification_response_filter`