Guest accounts added in AAD Groups other than the ones specified

Back


Id	6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
Rulename	Guest accounts added in AAD Groups other than the ones specified
Description	Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.
Severity	High
Tactics	InitialAccess Persistence Discovery
Techniques	T1078.004 T1136.003 T1087.004
Required data connectors	AzureActiveDirectory
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
Version	1.0.1
Arm template	6ab1f7b2-61b8-442f-bc81-96afe7ad8c53.json

KQL

// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
AuditLogs
| where OperationName in ('Add member to group', 'Add owner to group')
| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress 
// Uncomment the following line to filter events where the inviting user was a guest user
//| where InitiatedBy has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| extend InvitedUser = TargetResources[0].userPrincipalName
| extend AADGroup = TargetResources[0].modifiedProperties[1].newValue
| where InvitedUser has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
| mv-expand AADGroupId = TargetResources[1].id to typeof(string)
| where AADGroupId !in (GroupIDs)

YAML

severity: High
triggerThreshold: 0
query: |
  // OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each
  let GroupIDs = dynamic(["List with Custom AAD GROUP OBJECT ID 1","Custom AAD GROUP OBJECT ID 2"]);
  AuditLogs
  | where OperationName in ('Add member to group', 'Add owner to group')
  | extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
  | extend InitiatedByIPAdress = InitiatedBy.user.ipAddress 
  // Uncomment the following line to filter events where the inviting user was a guest user
  //| where InitiatedBy has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
  | extend InvitedUser = TargetResources[0].userPrincipalName
  | extend AADGroup = TargetResources[0].modifiedProperties[1].newValue
  | where InvitedUser has_any ("CUSTOM DOMAIN NAME#", "#EXT#")
  | mv-expand AADGroupId = TargetResources[1].id to typeof(string)
  | where AADGroupId !in (GroupIDs)  
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
id: 6ab1f7b2-61b8-442f-bc81-96afe7ad8c53
version: 1.0.1
name: Guest accounts added in AAD Groups other than the ones specified
kind: Scheduled
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml
queryPeriod: 1d
relevantTechniques:
- T1078.004
- T1136.003
- T1087.004
triggerOperator: gt
tactics:
- InitialAccess
- Persistence
- Discovery
description: |
    'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: InvitedUser
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: InitiatedByActionUserInformation
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: InitiatedByIPAdress

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6ab1f7b2-61b8-442f-bc81-96afe7ad8c53')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Guest accounts added in AAD Groups other than the ones specified",
        "description": "'Guest Accounts are added in the Organization Tenants to perform various tasks i.e projects execution, support etc.. This detection notifies when guest users are added to Azure AD Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// OBJECT ID of AAD Groups can be found by navigating to Azure Active Directory then from menu on the left, select Groups and from the list shown of AAD Groups, the Second Column shows the ObjectID of each\nlet GroupIDs = dynamic([\"List with Custom AAD GROUP OBJECT ID 1\",\"Custom AAD GROUP OBJECT ID 2\"]);\nAuditLogs\n| where OperationName in ('Add member to group', 'Add owner to group')\n| extend InitiatedByActionUserInformation = iff(isnotempty(InitiatedBy.user.userPrincipalName), InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)\n| extend InitiatedByIPAdress = InitiatedBy.user.ipAddress \n// Uncomment the following line to filter events where the inviting user was a guest user\n//| where InitiatedBy has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| extend InvitedUser = TargetResources[0].userPrincipalName\n| extend AADGroup = TargetResources[0].modifiedProperties[1].newValue\n| where InvitedUser has_any (\"CUSTOM DOMAIN NAME#\", \"#EXT#\")\n| mv-expand AADGroupId = TargetResources[1].id to typeof(string)\n| where AADGroupId !in (GroupIDs)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence",
          "Discovery"
        ],
        "techniques": [
          "T1078.004",
          "T1136.003",
          "T1087.004"
        ],
        "alertRuleTemplateName": "6ab1f7b2-61b8-442f-bc81-96afe7ad8c53",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "InvitedUser",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "InitiatedByActionUserInformation",
                "identifier": "Name"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "InitiatedByIPAdress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml",
        "templateVersion": "1.0.1",
        "status": "Available"
      }
    }
  ]
}