Guest Users Invited to Tenant by New Inviters
| Id | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 |
| Rulename | Guest Users Invited to Tenant by New Inviters |
| Description | Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts added should be investigated to ensure the activity was legitimate. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml |
| Version | 1.1.1 |
| Arm template | 572e75ef-5147-49d9-9d65-13f2ed1e3a86.json |
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatingUserPrincipalName)
| summarize by InitiatingUserPrincipalName);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
triggerThreshold: 0
relevantTechniques:
- T1078.004
queryPeriod: 14d
version: 1.1.1
tags:
- AADSecOpsGuide
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
query: |
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatingUserPrincipalName)
| summarize by InitiatingUserPrincipalName);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress
metadata:
support:
tier: Community
source:
kind: Community
categories:
domains:
- Security - Others
- Identity
author:
name: Microsoft Security Research
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: InitiatingAccountName
- identifier: UPNSuffix
columnName: InitiatingAccountUPNSuffix
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: TargetUserPrincipalName
- identifier: Name
columnName: TargetAccountName
- identifier: UPNSuffix
columnName: TargetAccountUPNSuffix
entityType: Account
- fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
entityType: Account
- fieldMappings:
- identifier: AadUserId
columnName: TargetAadUserId
entityType: Account
- fieldMappings:
- identifier: Address
columnName: InitiatingIPAddress
entityType: IP
tactics:
- Persistence
severity: Medium
name: Guest Users Invited to Tenant by New Inviters
queryFrequency: 1d
triggerOperator: gt
kind: Scheduled
description: |
'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
Accounts added should be investigated to ensure the activity was legitimate.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"properties": {
"alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
"customDetails": null,
"description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n Accounts added should be investigated to ensure the activity was legitimate.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"displayName": "Guest Users Invited to Tenant by New Inviters",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
"query": "let inviting_users = (AuditLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(InitiatingUserPrincipalName)\n | summarize by InitiatingUserPrincipalName);\n AuditLogs\n | where TimeGenerated > ago(1d)\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | extend TargetAadUserId = tostring(TargetResources[0].id)\n | extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \"@\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \"@\")[1])\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Medium",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}