Guest Users Invited to Tenant by New Inviters
Id | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 |
Rulename | Guest Users Invited to Tenant by New Inviters |
Description | Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts added should be investigated to ensure the activity was legitimate. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Severity | Medium |
Tactics | Persistence |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml |
Version | 1.1.1 |
Arm template | 572e75ef-5147-49d9-9d65-13f2ed1e3a86.json |
// Baseline: the distinct set of principals that successfully invited an external (guest)
// user during the 14-day window that ends one day ago. An inviter seen in the last day
// who is absent from this set is reported as a "new" inviter.
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
// =~ is case-insensitive string equality.
| where OperationName =~ "Invite external user"
// Only successful invites build the baseline; an account whose earlier attempts all
// failed is therefore still reported as a new inviter below.
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatingUserPrincipalName)
// summarize with no aggregation function yields one row per distinct UPN.
| summarize by InitiatingUserPrincipalName);
// Current window: successful guest invites in the last day (the rule runs once a day).
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// id and ipAddress are read straight from the dynamic column, whereas the UPN above goes
// through parse_json(tostring(...)); presumably equivalent when InitiatedBy is dynamic — confirm.
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
// Keep only inviters absent from the 14-day baseline.
// NOTE(review): !in is case-sensitive; if the same inviter's UPN can be logged with
// different casing, !in~ would avoid reporting it as new — confirm against the data.
// The baseline is keyed on UPN rather than on the object id, so a UPN rename would also
// surface as a new inviter.
| where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)
// Invited guest: the first target resource of the audit event (assumes that element is
// the invited user — confirm).
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend TargetAadUserId = tostring(TargetResources[0].id)
// Aliases of the two UPN columns; presumably kept for consumers of the older column names.
| extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName
// Split each UPN into account name and domain suffix for the Account entity mappings
// (Name / UPNSuffix). When a value contains no "@", tostring() of the missing element
// yields an empty string.
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
// project-reorder moves the listed columns to the front and keeps every other column
// (including the entity-mapping columns above) after them in their original order.
| project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
tactics:
- Persistence
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
metadata:
categories:
domains:
- Security - Others
- Identity
source:
kind: Community
support:
tier: Community
author:
name: Microsoft Security Research
triggerThreshold: 0
name: Guest Users Invited to Tenant by New Inviters
query: |
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(InitiatingUserPrincipalName)
| summarize by InitiatingUserPrincipalName);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress
severity: Medium
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
description: |
'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
Accounts added should be investigated to ensure the activity was legitimate.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
version: 1.1.1
entityMappings:
- fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: InitiatingAccountName
identifier: Name
- columnName: InitiatingAccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: TargetUserPrincipalName
identifier: FullName
- columnName: TargetAccountName
identifier: Name
- columnName: TargetAccountUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: TargetAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingIPAddress
identifier: Address
entityType: IP
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"properties": {
"alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
"customDetails": null,
"description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n Accounts added should be investigated to ensure the activity was legitimate.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"displayName": "Guest Users Invited to Tenant by New Inviters",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InitiatingAccountName",
"identifier": "Name"
},
{
"columnName": "InitiatingAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "TargetAccountName",
"identifier": "Name"
},
{
"columnName": "TargetAccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "TargetAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
"query": "let inviting_users = (AuditLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(InitiatingUserPrincipalName)\n | summarize by InitiatingUserPrincipalName);\n AuditLogs\n | where TimeGenerated > ago(1d)\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend InitiatingUserPrincipalName = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)\n | where isnotempty(InitiatingUserPrincipalName) and InitiatingUserPrincipalName !in (inviting_users)\n | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | extend TargetAadUserId = tostring(TargetResources[0].id)\n | extend invitingUser = InitiatingUserPrincipalName, invitedUserPrincipalName = TargetUserPrincipalName\n | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, \"@\")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, \"@\")[1])\n | extend TargetAccountName = tostring(split(TargetUserPrincipalName, \"@\")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, \"@\")[1])\n | project-reorder TimeGenerated, OperationName, Result, TargetUserPrincipalName, TargetAadUserId, InitiatingUserPrincipalName, InitiatingAadUserId, InitiatingIPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"severity": "Medium",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.1.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}