Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Guest Users Invited to Tenant by New Inviters

Back
Id572e75ef-5147-49d9-9d65-13f2ed1e3a86
RulenameGuest Users Invited to Tenant by New Inviters
DescriptionDetects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.

Monitoring guest accounts and the access they are provided is important to detect potential account abuse.

Accounts added should be investigated to ensure the activity was legitimate.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
SeverityMedium
TacticsPersistence
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
Version1.0.1
Arm template572e75ef-5147-49d9-9d65-13f2ed1e3a86.json
Deploy To Azure
let inviting_users = (AuditLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where isnotempty(invitingUser)
  | summarize by invitingUser);
  AuditLogs
  | where TimeGenerated > ago(1d)
  | where OperationName =~ "Invite external user"
  | where Result =~ "success"
  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
  | where isnotempty(invitingUser) and invitingUser !in (inviting_users)
  | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
metadata:
  author:
    name: Pete Bryan
  support:
    tier: Community
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml
description: |
  'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.
    Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
    Accounts added should be investigated to ensure the activity was legitimate.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'  
tags:
- AADSecOpsGuide
triggerOperator: gt
queryPeriod: 14d
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
queryFrequency: 1d
triggerThreshold: 0
tactics:
- Persistence
query: |
  let inviting_users = (AuditLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where OperationName =~ "Invite external user"
    | where Result =~ "success"
    | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(invitingUser)
    | summarize by invitingUser);
    AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName =~ "Invite external user"
    | where Result =~ "success"
    | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    | where isnotempty(invitingUser) and invitingUser !in (inviting_users)
    | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)  
kind: Scheduled
relevantTechniques:
- T1078.004
version: 1.0.1
id: 572e75ef-5147-49d9-9d65-13f2ed1e3a86
entityMappings:
- fieldMappings:
  - columnName: invitingUser
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: invitedUserPrincipalName
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: ipAddress
    identifier: Address
  entityType: IP
name: Guest Users Invited to Tenant by New Inviters
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/572e75ef-5147-49d9-9d65-13f2ed1e3a86')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Guest Users Invited to Tenant by New Inviters",
        "description": "'Detects when a Guest User is added by a user account that has not been seen adding a guest in the previous 14 days.\n  Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n  Accounts added should be investigated to ensure the activity was legitimate.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let inviting_users = (AuditLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where OperationName =~ \"Invite external user\"\n  | where Result =~ \"success\"\n  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | where isnotempty(invitingUser)\n  | summarize by invitingUser);\n  AuditLogs\n  | where TimeGenerated > ago(1d)\n  | where OperationName =~ \"Invite external user\"\n  | where Result =~ \"success\"\n  | extend invitingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n  | where isnotempty(invitingUser) and invitingUser !in (inviting_users)\n  | extend invitedUserPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "572e75ef-5147-49d9-9d65-13f2ed1e3a86",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "invitingUser",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "invitedUserPrincipalName",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "ipAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestUsersInvitedtoTenantbyNewInviters.yaml",
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.1"
      }
    }
  ]
}