Guest Users Invited to Tenant by New Inviters
Id | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 |
Rulename | Guest Users Invited to Tenant by New Inviters |
Description | Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts added should be investigated to ensure the activity was legitimate. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Severity | Medium |
Tactics | Persistence |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml |
Version | 1.0.1 |
Arm template | 572e75ef-5147-49d9-9d65-13f2ed1e3a86.json |
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(invitingUser)
| summarize by invitingUser);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(invitingUser) and invitingUser !in (inviting_users)
| extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
queryFrequency: 1d
version: 1.0.1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
entityMappings:
- fieldMappings:
- columnName: invitingUser
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: invitedUserPrincipalName
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: ipAddress
identifier: Address
entityType: IP
kind: Scheduled
queryPeriod: 14d
severity: Medium
query: |
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(invitingUser)
| summarize by invitingUser);
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(invitingUser) and invitingUser !in (inviting_users)
| extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
metadata:
categories:
domains:
- Security - Others
- Identity
author:
name: Pete Bryan
support:
tier: Community
source:
kind: Community
triggerOperator: gt
tags:
- AADSecOpsGuide
description: |
'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
Accounts added should be investigated to ensure the activity was legitimate.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
triggerThreshold: 0
name: Guest Users Invited to Tenant by New Inviters
relevantTechniques:
- T1078.004
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Guest Users Invited to Tenant by New Inviters",
"description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n Accounts added should be investigated to ensure the activity was legitimate.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"severity": "Medium",
"enabled": true,
"query": "let inviting_users = (AuditLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(invitingUser)\n | summarize by invitingUser);\n AuditLogs\n | where TimeGenerated > ago(1d)\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "invitingUser"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "invitedUserPrincipalName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "ipAddress"
}
]
}
],
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
"templateVersion": "1.0.1"
}
}
]
}