Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. External User Access Enabled

External User Access Enabled

Back
Id8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
RulenameExternal User Access Enabled
DescriptionThis alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.
SeverityLow
TacticsCredentialAccess
Persistence
TechniquesT1098
T1556
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
Version1.0.4
Arm template8e267e91-6bda-4b3c-bf68-9f5cbdd103a3.json
Deploy To Azure
ZoomLogs
| where Event =~ "account.settings_updated"
| extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                            EnforceLoginDomain == 'false', "Enfored Domains Changed",
                            GuestAlerts == 'false', "Guest Join Alerts Changed",
                            EnforceLogin == 'false', "Enforced Logins Changed",
                            "No Changes")
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])

kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
description: |
    'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'
severity: Low
queryFrequency: 1d
triggerThreshold: 0
relevantTechniques:
- T1098
- T1556
metadata:
  support:
    tier: Community
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Others
    - Identity
tactics:
- CredentialAccess
- Persistence
name: External User Access Enabled
id: 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  | extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
  | where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
  | extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                              EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                              EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                              EnforceLoginDomain == 'false', "Enfored Domains Changed",
                              GuestAlerts == 'false', "Guest Join Alerts Changed",
                              EnforceLogin == 'false', "Enforced Logins Changed",
                              "No Changes")
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])  
requiredDataConnectors: []
version: 1.0.4
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
queryPeriod: 1d

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "properties": {
        "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3",
        "customDetails": null,
        "description": "'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'\n",
        "displayName": "External User Access Enabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml",
        "query": "ZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\")\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\",\n                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\",\n                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\",\n                            EnforceLoginDomain == 'false', \"Enfored Domains Changed\",\n                            GuestAlerts == 'false', \"Guest Join Alerts Changed\",\n                            EnforceLogin == 'false', \"Enforced Logins Changed\",\n                            \"No Changes\")\n| extend AccountName = tostring(split(User, \"@\")[0]), AccountUPNSuffix = tostring(split(User, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1098",
          "T1556"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}