Suspicious Login from deleted guest account
Id | defe4855-0d33-4362-9557-009237623976 |
Rulename | Suspicious Login from deleted guest account |
Description | This query detects sign-ins by a guest (external) account that was subsequently deleted within the lookback period. Any successful sign-in from such a deleted identity should be investigated to determine whether existing user accounts were altered or linked to that identity prior to its deletion. |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml |
Version | 1.0.1 |
Arm template | defe4855-0d33-4362-9557-009237623976.json |
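// Guest (external) accounts deleted within the lookback window, joined to the
// sign-ins those same accounts performed before the deletion. The rule's
// trigger is "greater than 0", so every returned row raises the alert.
//
// Caveats for the analyst:
//  - The final filter keeps sign-ins whose LoginTime is earlier than
//    DeleteUserTime, i.e. activity that preceded the deletion, not sign-ins
//    after the account was removed.
//  - There is no ResultType filter, so failed sign-ins are included. Check
//    ResultType on the alert before treating a row as a successful login.
//  - TargetUPN is parsed from TargetResources[0].displayName with a regex that
//    expects the "UPN: <upn>, Email: <mail>" text written by the
//    "Delete external user" operation; rows where that parse yields nothing
//    are dropped instead of being joined on an empty string.
let lookback = 1d;
let DeleteExtUsers = AuditLogs
| where TimeGenerated > ago(lookback)
| where Category =~ "UserManagement"
| where OperationName =~ "Delete external user"
| where Result =~ "success"
// NOTE: despite the name, this is the principal that performed the deletion
// (InitiatedBy.user), not whoever invited the guest. The column name is kept
// because the rule's Account entity mapping references it.
| extend InviteInitiator = tostring(InitiatedBy.["user"].["userPrincipalName"])
| extend Target = tostring(TargetResources[0].["displayName"])
// UPNs are case-insensitive in Entra ID but KQL's == is case-sensitive, so both
// join keys are lower-cased to avoid missing matches that differ only in case.
| extend TargetUPN = tolower(extract(@"UPN\:\s(.+)\,\sEmail",1,Target)), DeleteUserTime = TimeGenerated
| where isnotempty(TargetUPN);
DeleteExtUsers
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend LoginTime = TimeGenerated, SigninUPN = tolower(UserPrincipalName)
) on $left.TargetUPN == $right.SigninUPN
// Keep only sign-ins that happened before the account was removed.
| where DeleteUserTime > LoginTime
// Surface the fields an analyst needs first; no columns are dropped, so the
// entity mappings (InviteInitiator, IPAddress) keep working.
| project-reorder TargetUPN, LoginTime, DeleteUserTime, InviteInitiator, IPAddress, ResultType, AppDisplayName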
tactics:
- PrivilegeEscalation
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
triggerOperator: gt
query: |
let lookback = 1d;
let DeleteExtUsers = AuditLogs
| where TimeGenerated > ago(lookback)
| where Category =~ "UserManagement"
| where OperationName =~ "Delete external user"
| where Result =~ "success"
| extend InviteInitiator = tostring(InitiatedBy.["user"].["userPrincipalName"])
| extend Target = tostring(TargetResources[0].["displayName"])
| extend TargetUPN = tostring(extract(@"UPN\:\s(.+)\,\sEmail",1,Target)) , DeleteUserTime = TimeGenerated;
DeleteExtUsers
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(lookback)
| extend LoginTime = TimeGenerated
) on $left.TargetUPN == $right.UserPrincipalName
| where DeleteUserTime > LoginTime
triggerThreshold: 0
name: Suspicious Login from deleted guest account
kind: Scheduled
version: 1.0.1
description: |
' This query detects sign-ins by a guest (external) account that was subsequently deleted within the lookback period.
Any successful sign-in from such a deleted identity should be investigated to determine whether existing user accounts were altered or linked to that identity prior to its deletion'
relevantTechniques:
- T1078.004
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
tags:
- GuestorExternalIdentities
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InviteInitiator
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
queryFrequency: 1d
queryPeriod: 1d
metadata:
support:
tier: Community
categories:
domains:
- Security - Others
- Identity
source:
kind: Community
author:
name: Ashwin Patil
id: defe4855-0d33-4362-9557-009237623976
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe4855-0d33-4362-9557-009237623976')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe4855-0d33-4362-9557-009237623976')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Suspicious Login from deleted guest account",
"description": "' This query detects sign-ins by a guest (external) account that was subsequently deleted within the lookback period. \nAny successful sign-in from such a deleted identity should be investigated to determine whether existing user accounts were altered or linked to that identity prior to its deletion'\n",
"severity": "Medium",
"enabled": true,
"query": "let lookback = 1d;\nlet DeleteExtUsers = AuditLogs\n| where TimeGenerated > ago(lookback)\n| where Category =~ \"UserManagement\"\n| where OperationName =~ \"Delete external user\"\n| where Result =~ \"success\"\n| extend InviteInitiator = tostring(InitiatedBy.[\"user\"].[\"userPrincipalName\"])\n| extend Target = tostring(TargetResources[0].[\"displayName\"])\n| extend TargetUPN = tostring(extract(@\"UPN\\:\\s(.+)\\,\\sEmail\",1,Target)) , DeleteUserTime = TimeGenerated;\nDeleteExtUsers\n| join kind=inner (\nSigninLogs\n| where TimeGenerated > ago(lookback)\n| extend LoginTime = TimeGenerated\n) on $left.TargetUPN == $right.UserPrincipalName\n| where DeleteUserTime > LoginTime\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "defe4855-0d33-4362-9557-009237623976",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "InviteInitiator",
"identifier": "FullName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
],
"entityType": "IP"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml",
"templateVersion": "1.0.1",
"tags": [
"GuestorExternalIdentities"
]
}
}
]
}