Guest accounts added in Entra ID Groups other than the ones specified
| Id | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53 |
| Rulename | Guest accounts added in Entra ID Groups other than the ones specified |
| Description | Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data. |
| Severity | High |
| Tactics | InitialAccess Persistence Discovery |
| Techniques | T1078.004 T1136.003 T1087.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 2h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml |
| Version | 1.0.6 |
| Arm template | 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53.json |
// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
AuditLogs
| where OperationName in ('Add member to group', 'Add owner to group')
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
// Uncomment the following line to filter events where the inviting user was a guest user
//| where InitiatedBy has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "User"
| extend InvitedUserPrincipalName = trim(@'"',tostring(TargetResource.userPrincipalName)),
Properties = TargetResource.modifiedProperties
)
| mv-apply Property = Properties on
(
where Property.displayName =~ "Group.DisplayName"
| extend AADGroup = trim('"',tostring(Property.newValue))
)
| where InvitedUserPrincipalName has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| mv-apply Property = Properties on
(
where Property.displayName =~ "Group.ObjectID"
| extend AADGroupId = trim('"',tostring(Property.newValue))
)
| project-away TargetResource, Property
| where AADGroupId !in (GroupIDs)
| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])
| extend InvitedUserName = tostring(split(InvitedUserPrincipalName,'@',0)[0]), InvitedUPNSuffix = tostring(split(InvitedUserPrincipalName,'@',1)[0])
name: Guest accounts added in Entra ID Groups other than the ones specified
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
query: |
// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
AuditLogs
| where OperationName in ('Add member to group', 'Add owner to group')
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
// Uncomment the following line to filter events where the inviting user was a guest user
//| where InitiatedBy has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| mv-apply TargetResource = TargetResources on
(
where TargetResource.type =~ "User"
| extend InvitedUserPrincipalName = trim(@'"',tostring(TargetResource.userPrincipalName)),
Properties = TargetResource.modifiedProperties
)
| mv-apply Property = Properties on
(
where Property.displayName =~ "Group.DisplayName"
| extend AADGroup = trim('"',tostring(Property.newValue))
)
| where InvitedUserPrincipalName has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| mv-apply Property = Properties on
(
where Property.displayName =~ "Group.ObjectID"
| extend AADGroupId = trim('"',tostring(Property.newValue))
)
| project-away TargetResource, Property
| where AADGroupId !in (GroupIDs)
| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])
| extend InvitedUserName = tostring(split(InvitedUserPrincipalName,'@',0)[0]), InvitedUPNSuffix = tostring(split(InvitedUserPrincipalName,'@',1)[0])
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
entityMappings:
- fieldMappings:
- columnName: InvitedUserPrincipalName
identifier: FullName
- columnName: InvitedUserName
identifier: Name
- columnName: InvitedUPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingUserPrincipalName
identifier: FullName
- columnName: Name
identifier: Name
- columnName: UPNSuffix
identifier: UPNSuffix
entityType: Account
- fieldMappings:
- columnName: InitiatingAadUserId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingAppServicePrincipalId
identifier: AadUserId
entityType: Account
- fieldMappings:
- columnName: InitiatingIpAddress
identifier: Address
entityType: IP
- fieldMappings:
- columnName: AADGroup
identifier: DistinguishedName
- columnName: AADGroupId
identifier: ObjectGuid
entityType: SecurityGroup
queryFrequency: 2h
triggerOperator: gt
version: 1.0.6
queryPeriod: 2h
status: Available
kind: Scheduled
severity: High
triggerThreshold: 0
id: 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]",
"properties": {
"alertRuleTemplateName": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53",
"customDetails": null,
"description": "'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'\n",
"displayName": "Guest accounts added in Entra ID Groups other than the ones specified",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InvitedUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "InvitedUserName",
"identifier": "Name"
},
{
"columnName": "InvitedUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAppServicePrincipalId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIpAddress",
"identifier": "Address"
}
]
},
{
"entityType": "SecurityGroup",
"fieldMappings": [
{
"columnName": "AADGroup",
"identifier": "DistinguishedName"
},
{
"columnName": "AADGroupId",
"identifier": "ObjectGuid"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
"query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\n| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\n| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply TargetResource = TargetResources on \n (\n where TargetResource.type =~ \"User\"\n | extend InvitedUserPrincipalName = trim(@'\"',tostring(TargetResource.userPrincipalName)),\n Properties = TargetResource.modifiedProperties\n )\n| mv-apply Property = Properties on \n (\n where Property.displayName =~ \"Group.DisplayName\"\n | extend AADGroup = trim('\"',tostring(Property.newValue))\n )\n| where InvitedUserPrincipalName has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-apply Property = Properties on\n (\n where Property.displayName =~ \"Group.ObjectID\"\n | extend AADGroupId = trim('\"',tostring(Property.newValue))\n )\n| project-away TargetResource, Property\n| where AADGroupId !in (GroupIDs)\n| extend Name = tostring(split(InitiatingUserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserPrincipalName,'@',1)[0])\n| extend InvitedUserName = tostring(split(InvitedUserPrincipalName,'@',0)[0]), InvitedUPNSuffix = tostring(split(InvitedUserPrincipalName,'@',1)[0])\n",
"queryFrequency": "PT2H",
"queryPeriod": "PT2H",
"severity": "High",
"status": "Available",
"subTechniques": [
"T1078.004",
"T1136.003",
"T1087.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Discovery",
"InitialAccess",
"Persistence"
],
"techniques": [
"T1078",
"T1087",
"T1136"
],
"templateVersion": "1.0.6",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}