
External user added and removed in short timeframe

Idbff093b2-500e-4ae5-bb49-a5b1423cbd5b
RulenameExternal user added and removed in short timeframe
DescriptionThis detection flags occurrences of external (guest, `#EXT#`) user accounts that are added to a Team and then removed within one hour. Note that the one-hour bound comes from the rule's 1h query period rather than from the query itself, and that because query frequency and query period are both 1h, an add/remove pair that straddles two consecutive runs is never correlated; widening the query period beyond the frequency avoids that gap.
SeverityLow
TacticsPersistence
TechniquesT1136
Required data connectorsOffice365
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
Version2.0.0
Arm templatebff093b2-500e-4ae5-bb49-a5b1423cbd5b.json
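// Correlate external-guest (#EXT#) MemberAdded / MemberRemoved events from the
// Teams workload so that a guest added to a team and removed again shortly
// afterwards surfaces as a single row.
//
// Op: OfficeActivity Operation name to filter on ("MemberAdded" or
//     "MemberRemoved"). Returns one row per external member in each event.
let TeamsAddDel = (Op:string){
OfficeActivity
| where OfficeWorkload =~ "MicrosoftTeams"
| where Operation == Op
// Cheap pre-filter on the raw dynamic column before expanding it.
| where Members has ("#EXT#")
| mv-expand Members
| extend UPN = tostring(Members.UPN)
// An event may list several members; keep only the external (guest) ones.
| where UPN has ("#EXT#")
| project TimeGenerated, Operation, UPN, UserId, TeamName
};
let TeamsAdd = TeamsAddDel("MemberAdded")
| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName;
let TeamsDel = TeamsAddDel("MemberRemoved")
| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName;
TeamsAdd
// Join on TeamName as well as UPN: on UPN alone, a guest added to one team and
// removed from a different team inside the window would be paired together.
| join kind=inner (TeamsDel) on UPN, TeamName
// Only pair a removal that follows the add, and make the one-hour bound explicit
// so the rule keeps its meaning if queryPeriod is widened beyond queryFrequency
// (otherwise pairs that straddle two consecutive runs are never correlated).
| where TimeDeleted > TimeAdded and TimeDeleted - TimeAdded <= 1h
| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName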
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml
description: |
  'This detection flags the occurrences of external user accounts that are added to a Team and then removed within
  one hour.'  
triggerOperator: gt
queryPeriod: 1h
requiredDataConnectors:
- dataTypes:
  - OfficeActivity (Teams)
  connectorId: Office365
queryFrequency: 1h
triggerThreshold: 0
tactics:
- Persistence
query: |
  let TeamsAddDel = (Op:string){
  OfficeActivity
  | where OfficeWorkload =~ "MicrosoftTeams"
  | where Operation == Op
  | where Members has ("#EXT#")
  | mv-expand Members
  | extend UPN = tostring(Members.UPN)
  | where UPN has ("#EXT#")
  | project TimeGenerated, Operation, UPN, UserId, TeamName
  };
  let TeamsAdd = TeamsAddDel("MemberAdded")
  | project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName;
  let TeamsDel = TeamsAddDel("MemberRemoved")
  | project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName;
  TeamsAdd
  | join kind=inner (TeamsDel) on UPN
  | where TimeDeleted > TimeAdded
  | project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName  
status: Available
kind: Scheduled
relevantTechniques:
- T1136
version: 2.0.0
id: bff093b2-500e-4ae5-bb49-a5b1423cbd5b
entityMappings:
- fieldMappings:
  - columnName: UPN
    identifier: FullName
  entityType: Account
name: External user added and removed in short timeframe
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/bff093b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/bff093b2-500e-4ae5-bb49-a5b1423cbd5b')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "External user added and removed in short timeframe",
        "description": "'This detection flags the occurrences of external user accounts that are added to a Team and then removed within\none hour.'\n",
        "severity": "Low",
        "enabled": true,
        "query": "let TeamsAddDel = (Op:string){\nOfficeActivity\n| where OfficeWorkload =~ \"MicrosoftTeams\"\n| where Operation == Op\n| where Members has (\"#EXT#\")\n| mv-expand Members\n| extend UPN = tostring(Members.UPN)\n| where UPN has (\"#EXT#\")\n| project TimeGenerated, Operation, UPN, UserId, TeamName\n};\nlet TeamsAdd = TeamsAddDel(\"MemberAdded\")\n| project TimeAdded=TimeGenerated, Operation, UPN, UserWhoAdded = UserId, TeamName;\nlet TeamsDel = TeamsAddDel(\"MemberRemoved\")\n| project TimeDeleted=TimeGenerated, Operation, UPN, UserWhoDeleted = UserId, TeamName;\nTeamsAdd\n| join kind=inner (TeamsDel) on UPN\n| where TimeDeleted > TimeAdded\n| project TimeAdded, TimeDeleted, UPN, UserWhoAdded, UserWhoDeleted, TeamName\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1136"
        ],
        "alertRuleTemplateName": "bff093b2-500e-4ae5-bb49-a5b1423cbd5b",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UPN",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "status": "Available",
        "templateVersion": "2.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft 365/Analytic Rules/ExternalUserAddedRemovedInTeams.yaml"
      }
    }
  ]
}