User State changed from Guest to Member
Id | a09a0b8e-30fe-4ebf-94a0-cffe50f579cd |
Rulename | User State changed from Guest to Member |
Description | Detects when a guest account in a tenant is converted to a member of the tenant. Monitoring guest accounts and the access they are provided is important to detect potential account abuse. Accounts converted to members should be investigated to ensure the activity was legitimate. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Severity | Medium |
Tactics | Persistence |
Techniques | T1098 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml |
Version | 1.0.1 |
Arm template | a09a0b8e-30fe-4ebf-94a0-cffe50f579cd.json |
AuditLogs
| where OperationName =~ "Update user"
| where Result =~ "success"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName =~ "TargetId.UserType"
| extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)
| extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)
| project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser
| where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ "\"Member\"" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ "\"Guest\""
id: a09a0b8e-30fe-4ebf-94a0-cffe50f579cd
queryFrequency: 1d
version: 1.0.1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
entityMappings:
- fieldMappings:
- columnName: UpdatingUser
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: UpdatedUserPrincipalName
identifier: FullName
entityType: Account
kind: Scheduled
queryPeriod: 1d
severity: Medium
query: |
AuditLogs
| where OperationName =~ "Update user"
| where Result =~ "success"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| where TargetResources_modifiedProperties.displayName =~ "TargetId.UserType"
| extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)
| extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)
| project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser
| where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ "\"Member\"" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ "\"Guest\""
metadata:
categories:
domains:
- Security - Others
- Identity
author:
name: Pete Bryan
support:
tier: Community
source:
kind: Community
triggerOperator: gt
tags:
- AADSecOpsGuide
description: |
'Detects when a guest account in a tenant is converted to a member of the tenant.
Monitoring guest accounts and the access they are provided is important to detect potential account abuse.
Accounts converted to members should be investigated to ensure the activity was legitimate.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
triggerThreshold: 0
name: User State changed from Guest to Member
relevantTechniques:
- T1098
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a09a0b8e-30fe-4ebf-94a0-cffe50f579cd')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "User State changed from Guest to Member",
"description": "'Detects when a guest account in a tenant is converted to a member of the tenant.\n Monitoring guest accounts and the access they are provided is important to detect potential account abuse.\n Accounts converted to members should be investigated to ensure the activity was legitimate.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"severity": "Medium",
"enabled": true,
"query": "AuditLogs\n | where OperationName =~ \"Update user\"\n | where Result =~ \"success\"\n | mv-expand TargetResources\n | mv-expand TargetResources.modifiedProperties\n | where TargetResources_modifiedProperties.displayName =~ \"TargetId.UserType\"\n | extend UpdatingServicePrincipal = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)\n | extend UpdatingUserPrincipal = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend UpdatingUser = iif(isnotempty(UpdatingServicePrincipal), UpdatingServicePrincipal, UpdatingUserPrincipal)\n | extend UpdatedUserPrincipalName = tostring(TargetResources.userPrincipalName)\n | project-reorder TimeGenerated, UpdatedUserPrincipalName, UpdatingUser\n | where parse_json(tostring(TargetResources_modifiedProperties.newValue)) =~ \"\\\"Member\\\"\" and parse_json(tostring(TargetResources_modifiedProperties.oldValue)) =~ \"\\\"Guest\\\"\"\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1098"
],
"alertRuleTemplateName": "a09a0b8e-30fe-4ebf-94a0-cffe50f579cd",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "UpdatingUser"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "UpdatedUserPrincipalName"
}
]
}
],
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserStatechangedfromGuesttoMember.yaml",
"templateVersion": "1.0.1"
}
}
]
}