External User Added and Removed in a Short Timeframe
Id | 119d9e1c-afcc-4d23-b239-cdb4e7bf851c |
Rulename | External User Added and Removed in a Short Timeframe |
Description | This hunting query identifies external user accounts that are added to a Team and then removed within one hour. |
Tactics | Persistence |
Techniques | T1136 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml |
Version | 2.0.1 |
Arm template | 119d9e1c-afcc-4d23-b239-cdb4e7bf851c.json |
// If you want to look at user added further than 7 days ago adjust this value
// If you want to change the timeframe of how quickly accounts need to be added and removed change this value
let time_delta = 1h;
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeAdded = TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
| join kind=innerunique (
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberRemoved"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeDeleted = TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
) on UPN, TeamGuid
| where TimeDeleted < (TimeAdded + time_delta)
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
| extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
relevantTechniques:
- T1136
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml
id: 119d9e1c-afcc-4d23-b239-cdb4e7bf851c
query: |
// If you want to look at user added further than 7 days ago adjust this value
// If you want to change the timeframe of how quickly accounts need to be added and removed change this value
let time_delta = 1h;
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeAdded = TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
| join kind=innerunique (
EnrichedMicrosoft365AuditLogs
| where Workload == "MicrosoftTeams"
| where Operation == "MemberRemoved"
| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties
| where UPN contains "#EXT#"
| project TimeDeleted = TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)
) on UPN, TeamGuid
| where TimeDeleted < (TimeAdded + time_delta)
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid
| extend AccountName = tostring(split(UPN, "@")[0]), AccountUPNSuffix = tostring(split(UPN, "@")[1])
entityMappings:
- fieldMappings:
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
entityType: Account
name: External User Added and Removed in a Short Timeframe
version: 2.0.1
description: |
This hunting query identifies external user accounts that are added to a Team and then removed within one hour.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- EnrichedMicrosoft365AuditLogs
kind: Scheduled
tactics:
- Persistence
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/119d9e1c-afcc-4d23-b239-cdb4e7bf851c')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/119d9e1c-afcc-4d23-b239-cdb4e7bf851c')]",
"properties": {
"alertRuleTemplateName": "119d9e1c-afcc-4d23-b239-cdb4e7bf851c",
"customDetails": null,
"description": "This hunting query identifies external user accounts that are added to a Team and then removed within one hour.\n",
"displayName": "External User Added and Removed in a Short Timeframe",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Global Secure Access/Hunting Queries/ExternalUserAddedRemovedInTeams_HuntVersion.yaml",
"query": "// If you want to look at user added further than 7 days ago adjust this value\n// If you want to change the timeframe of how quickly accounts need to be added and removed change this value\nlet time_delta = 1h;\nEnrichedMicrosoft365AuditLogs\n| where Workload == \"MicrosoftTeams\"\n| where Operation == \"MemberAdded\"\n| extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties\n| where UPN contains \"#EXT#\"\n| project TimeAdded = TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)\n| join kind=innerunique (\n EnrichedMicrosoft365AuditLogs\n | where Workload == \"MicrosoftTeams\"\n | where Operation == \"MemberRemoved\"\n | extend UPN = tostring(parse_json(tostring(AdditionalProperties)).UPN) // Assuming UPN is stored in AdditionalProperties\n | where UPN contains \"#EXT#\"\n | project TimeDeleted = TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName = tostring(parse_json(tostring(AdditionalProperties)).TeamName), TeamGuid = tostring(parse_json(tostring(AdditionalProperties)).TeamGuid)\n) on UPN, TeamGuid\n| where TimeDeleted < (TimeAdded + time_delta)\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName, TeamGuid\n| extend AccountName = tostring(split(UPN, \"@\")[0]), AccountUPNSuffix = tostring(split(UPN, \"@\")[1])\n",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1136"
],
"templateVersion": "2.0.1"
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}