Guest Users Invited to Tenant by New Inviters
Id | 572e75ef-5147-49d9-9d65-13f2ed1e3a86 |
Rulename | Guest Users Invited to Tenant by New Inviters |
Description | Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts added should be investigated to ensure the activity was legitimate. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Severity | Medium |
Tactics | Persistence |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml |
Version | 1.0.1 |
Arm template | 572e75ef-5147-49d9-9d65-13f2ed1e3a86.json |
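// Baseline: every account that successfully ran "Invite external user" in the 13 days that
// precede the detection window. The inviter is read from InitiatedBy.user, so events with no
// InitiatedBy.user.userPrincipalName (presumably app / service-principal initiated invitations)
// are filtered out here and on the detection side — this rule does not cover them.
let inviting_users = (AuditLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| where isnotempty(invitingUser)
| summarize by invitingUser);
// Detection window: the most recent day. It meets the baseline window exactly at ago(1d),
// which matches the rule's queryFrequency of 1d and queryPeriod of 14d.
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Invite external user"
| where Result =~ "success"
| extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
// UPNs are case-insensitive identifiers, while plain !in compares case-sensitively. Using
// !in~ keeps an inviter whose UPN casing differs between events from being treated as "new"
// and raising a false alert.
| where isnotempty(invitingUser) and invitingUser !in~ (inviting_users)
// TargetResources[0] is assumed to be the invited guest for this operation — confirm against
// a sample event. ipAddress is the inviter's source address as recorded in InitiatedBy.user.
// These three column names feed the rule's entity mappings; renaming them breaks the mapping.
| extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)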
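# Scheduled analytics rule: raises an alert when a guest invitation is completed by a user
# account with no successful invitation in the preceding 13-day baseline window.
# Indentation restored to valid YAML (the listing had lost all nesting).
metadata:
  author:
    name: Pete Bryan
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
      - Security - Others
      - Identity
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
description: |
  'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
  Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
  Accounts added should be investigated to ensure the activity was legitimate.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
tags:
  - AADSecOpsGuide
# gt / 0: any row returned by the query raises an alert.
triggerOperator: gt
# queryPeriod must cover the full 14d lookback used by the baseline subquery.
queryPeriod: 14d
requiredDataConnectors:
  - dataTypes:
      - AuditLogs
    connectorId: AzureActiveDirectory
queryFrequency: 1d
triggerThreshold: 0
tactics:
  - Persistence
query: |
  // Baseline: every account that successfully ran "Invite external user" in the 13 days that
  // precede the detection window. The inviter is read from InitiatedBy.user, so events with no
  // InitiatedBy.user.userPrincipalName (presumably app / service-principal initiated invitations)
  // are filtered out here and on the detection side — this rule does not cover them.
  let inviting_users = (AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where isnotempty(invitingUser)
  | summarize by invitingUser);
  // Detection window: the most recent day; it meets the baseline window exactly at ago(1d).
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  // UPNs are case-insensitive identifiers, while plain !in compares case-sensitively; !in~
  // prevents a casing difference alone from making a known inviter look "new".
  | where isnotempty(invitingUser) and invitingUser !in~ (inviting_users)
  // TargetResources[0] is assumed to be the invited guest for this operation — confirm against
  // a sample event. These three columns feed the entity mappings below.
  | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
kind: Scheduled
relevantTechniques:
  - T1078.004
version: 1.0.1
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
# Entities are populated from the query's output columns; renaming a column in the query
# without updating the matching columnName here silently drops that entity from alerts.
entityMappings:
  - fieldMappings:
      - columnName: invitingUser
        identifier: FullName
    entityType: Account
  - fieldMappings:
      - columnName: invitedUserPrincipalName
        identifier: FullName
    entityType: Account
  - fieldMappings:
      - columnName: ipAddress
        identifier: Address
    entityType: IP
name: Guest Users Invited to Tenant by New Inviters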
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Guest Users Invited to Tenant by New Inviters",
"description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n Accounts added should be investigated to ensure the activity was legitimate.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"severity": "Medium",
"enabled": true,
"query": "let inviting_users = (AuditLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(invitingUser)\n | summarize by invitingUser);\n AuditLogs\n | where TimeGenerated > ago(1d)\n | where OperationName =~ \"Invite external user\"\n | where Result =~ \"success\"\n | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\n | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "invitingUser",
"identifier": "FullName"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "invitedUserPrincipalName",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "ipAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
"tags": [
"AADSecOpsGuide"
],
"templateVersion": "1.0.1"
}
}
]
}