Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Guest Users Invited to Tenant by New Inviters

Back
Id572e75ef-5147-49d9-9d65-13f2ed1e3a86
RulenameGuest Users Invited to Tenant by New Inviters
DescriptionDetects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.

Monitoring guest accounts and the access they are provided is important to detect potential account abuse.

Accounts added should be investigated to ensure the activity was legitimate.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
SeverityMedium
TacticsPersistence
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
Version1.0.1
Arm template572e75ef-5147-49d9-9d65-13f2ed1e3a86.json
Deploy To Azure
let inviting_users = (AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where isnotempty(invitingUser)
  | summarize by invitingUser);
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where isnotempty(invitingUser) and invitingUser !in (inviting_users)
  | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
queryFrequency: 1d
version: 1.0.1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
entityMappings:
- fieldMappings:
  - columnName: invitingUser
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: invitedUserPrincipalName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
kind: Scheduled
queryPeriod: 14d
severity: Medium
query: |
  let inviting_users = (AuditLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where OperationName =~ "Invite external user"
    | where Result =~ "success"
    | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(invitingUser)
    | summarize by invitingUser);
    AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName =~ "Invite external user"
    | where Result =~ "success"
    | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(invitingUser) and invitingUser !in (inviting_users)
    | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)  
metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Pete Bryan
  support:
    tier: Community
  source:
    kind: Community
triggerOperator: gt
tags:
- AADSecOpsGuide
description: |
  'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
    Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
    Accounts added should be investigated to ensure the activity was legitimate.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'  
triggerThreshold: 0
name: Guest Users Invited to Tenant by New Inviters
relevantTechniques:
- T1078.004
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Guest Users Invited to Tenant by New Inviters",
        "description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n  Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n  Accounts added should be investigated to ensure the activity was legitimate.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let inviting_users = (AuditLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where OperationName =~ \"Invite external user\"\n  | where Result =~ \"success\"\n  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | where isnotempty(invitingUser)\n  | summarize by invitingUser);\n  AuditLogs\n  | where TimeGenerated > ago(1d)\n  | where OperationName =~ \"Invite external user\"\n  | where Result =~ \"success\"\n  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\n  | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "invitingUser"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "invitedUserPrincipalName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "ipAddress"
              }
            ]
          }
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}