Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Suspicious linking of existing user to external User

Suspicious linking of existing user to external User

Back
Id22a320c2-e1e5-4c74-a35b-39fc9cdcf859
RulenameSuspicious linking of existing user to external User
DescriptionThis query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external

identities should be investigated. In some cases you may see internal AAD sync accounts (Sync_) do this which may be benign
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousLinkingofExternalIdtoExistingUsers.yaml
Version1.0.1
Arm template22a320c2-e1e5-4c74-a35b-39fc9cdcf859.json
Deploy To Azure
let lookback = 1d;
AuditLogs 
| where TimeGenerated > ago(lookback)
| where OperationName=~ "Update user" 
| where Result =~ "success" 
| mv-expand TargetResources 
| mv-expand TargetResources.modifiedProperties 
| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)
| where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) 
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_

tactics:
- PrivilegeEscalation
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
triggerOperator: gt
query: |
  let lookback = 1d;
  AuditLogs 
  | where TimeGenerated > ago(lookback)
  | where OperationName=~ "Update user" 
  | where Result =~ "success" 
  | mv-expand TargetResources 
  | mv-expand TargetResources.modifiedProperties 
  | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)
  | where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
  | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) 
  | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
  | project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_  
triggerThreshold: 0
name: Suspicious linking of existing user to external User
kind: Scheduled
version: 1.0.1
description: |
  ' This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external 
  identities should be investigated. In some cases you may see internal AAD sync accounts (Sync_) do this which may be benign'  
relevantTechniques:
- T1078.004
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousLinkingofExternalIdtoExistingUsers.yaml
tags:
- GuestorExternalIdentities
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Initiator
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: displayName_
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
queryFrequency: 1d
queryPeriod: 1d
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
  author:
    name: Ashwin Patil
id: 22a320c2-e1e5-4c74-a35b-39fc9cdcf859

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/22a320c2-e1e5-4c74-a35b-39fc9cdcf859')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/22a320c2-e1e5-4c74-a35b-39fc9cdcf859')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Suspicious linking of existing user to external User",
        "description": "' This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external \nidentities should be investigated. In some cases you may see internal AAD sync accounts (Sync_) do this which may be benign'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lookback = 1d;\nAuditLogs \n| where TimeGenerated > ago(lookback)\n| where OperationName=~ \"Update user\" \n| where Result =~ \"success\" \n| mv-expand TargetResources \n| mv-expand TargetResources.modifiedProperties \n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)\n| where displayName_ == \"UserPrincipalName\" and oldValue_ !has \"#EXT\" and newValue_ has \"#EXT\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.[\"user\"].[\"ipAddress\"])\n| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "22a320c2-e1e5-4c74-a35b-39fc9cdcf859",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "Initiator",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "displayName_",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/SuspiciousLinkingofExternalIdtoExistingUsers.yaml",
        "templateVersion": "1.0.1",
        "tags": [
          "GuestorExternalIdentities"
        ]
      }
    }
  ]
}