External User Access Enabled

Back


Id	8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
Rulename	External User Access Enabled
Description	This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.
Severity	Low
Tactics	CredentialAccess Persistence
Techniques	T1098 T1556
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
Version	1.0.4
Arm template	8e267e91-6bda-4b3c-bf68-9f5cbdd103a3.json

KQL

ZoomLogs
| where Event =~ "account.settings_updated"
| extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                            EnforceLoginDomain == 'false', "Enfored Domains Changed",
                            GuestAlerts == 'false', "Guest Join Alerts Changed",
                            EnforceLogin == 'false', "Enforced Logins Changed",
                            "No Changes")
| extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])

YAML

id: 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  | extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
  | where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
  | extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                              EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                              EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                              EnforceLoginDomain == 'false', "Enfored Domains Changed",
                              GuestAlerts == 'false', "Guest Join Alerts Changed",
                              EnforceLogin == 'false', "Enforced Logins Changed",
                              "No Changes")
  | extend AccountName = tostring(split(User, "@")[0]), AccountUPNSuffix = tostring(split(User, "@")[1])  
triggerOperator: gt
metadata:
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Microsoft Security Research
  source:
    kind: Community
  support:
    tier: Community
description: |
    'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'
kind: Scheduled
name: External User Access Enabled
version: 1.0.4
tactics:
- CredentialAccess
- Persistence
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountUPNSuffix
    identifier: UPNSuffix
queryPeriod: 1d
severity: Low
queryFrequency: 1d
relevantTechniques:
- T1098
- T1556
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
triggerThreshold: 0
requiredDataConnectors: []

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "properties": {
        "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3",
        "customDetails": null,
        "description": "'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'\n",
        "displayName": "External User Access Enabled",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml",
        "query": "ZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\")\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\",\n                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\",\n                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\",\n                            EnforceLoginDomain == 'false', \"Enfored Domains Changed\",\n                            GuestAlerts == 'false', \"Guest Join Alerts Changed\",\n                            EnforceLogin == 'false', \"Enforced Logins Changed\",\n                            \"No Changes\")\n| extend AccountName = tostring(split(User, \"@\")[0]), AccountUPNSuffix = tostring(split(User, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1098",
          "T1556"
        ],
        "templateVersion": "1.0.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}