Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

External User Access Enabled

Back
Id8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
RulenameExternal User Access Enabled
DescriptionThis alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.
SeverityLow
TacticsCredentialAccess
Persistence
TechniquesT1098
T1556
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
Version1.0.3
Arm template8e267e91-6bda-4b3c-bf68-9f5cbdd103a3.json
Deploy To Azure
ZoomLogs
| where Event =~ "account.settings_updated"
| extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
| extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                            EnforceLoginDomain == 'false', "Enfored Domains Changed",
                            GuestAlerts == 'false', "Guest Join Alerts Changed",
                            EnforceLogin == 'false', "Enforced Logins Changed",
                            "No Changes")
| extend timestamp = TimeGenerated, AccountCustomEntity = User
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml
severity: Low
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
  author:
    name: Pete Bryan
name: External User Access Enabled
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
relevantTechniques:
- T1098
- T1556
queryFrequency: 1d
triggerThreshold: 0
queryPeriod: 1d
description: |
    'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'
id: 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3
version: 1.0.3
tactics:
- CredentialAccess
- Persistence
query: |
  ZoomLogs
  | where Event =~ "account.settings_updated"
  | extend EnforceLogin = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend EnforceLoginDomain = columnifexists("payload_object_settings_schedule_meeting_enfore_login_b", "")
  | extend GuestAlerts = columnifexists("payload_object_settings_in_meeting_alert_guest_join_b", "")
  | where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'
  | extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', "All settings changed",
                              EnforceLogin == 'false' and EnforceLoginDomain == 'false', "Enforced Logons and Restricted Domains Changed",
                              EnforceLoginDomain == 'false' and GuestAlerts == 'false', "Enforced Domains Changed",
                              EnforceLoginDomain == 'false', "Enfored Domains Changed",
                              GuestAlerts == 'false', "Guest Join Alerts Changed",
                              EnforceLogin == 'false', "Enforced Logins Changed",
                              "No Changes")
  | extend timestamp = TimeGenerated, AccountCustomEntity = User  
requiredDataConnectors: []
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8e267e91-6bda-4b3c-bf68-9f5cbdd103a3')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "External User Access Enabled",
        "description": "'This alerts when the account setting is changed to allow either external domain access or anonymous access to meetings.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "ZoomLogs\n| where Event =~ \"account.settings_updated\"\n| extend EnforceLogin = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend EnforceLoginDomain = columnifexists(\"payload_object_settings_schedule_meeting_enfore_login_b\", \"\")\n| extend GuestAlerts = columnifexists(\"payload_object_settings_in_meeting_alert_guest_join_b\", \"\")\n| where EnforceLogin == 'false' or EnforceLoginDomain == 'false' or GuestAlerts == 'false'\n| extend SettingChanged = case(EnforceLogin == 'false' and EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"All settings changed\",\n                            EnforceLogin == 'false' and EnforceLoginDomain == 'false', \"Enforced Logons and Restricted Domains Changed\",\n                            EnforceLoginDomain == 'false' and GuestAlerts == 'false', \"Enforced Domains Changed\",\n                            EnforceLoginDomain == 'false', \"Enfored Domains Changed\",\n                            GuestAlerts == 'false', \"Guest Join Alerts Changed\",\n                            EnforceLogin == 'false', \"Enforced Logins Changed\",\n                            \"No Changes\")\n| extend timestamp = TimeGenerated, AccountCustomEntity = User\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "Persistence"
        ],
        "techniques": [
          "T1098",
          "T1556"
        ],
        "alertRuleTemplateName": "8e267e91-6bda-4b3c-bf68-9f5cbdd103a3",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          }
        ],
        "templateVersion": "1.0.3",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ZoomLogs/ExternalUserAccess.yaml"
      }
    }
  ]
}