Microsoft Sentinel Analytic Rules

Suspicious Login from deleted guest account

Iddefe4855-0d33-4362-9557-009237623976
RulenameSuspicious Login from deleted guest account
DescriptionThis query detects sign-ins by a guest (external) account that was recently deleted.

Any successful sign-in from a deleted identity should be investigated further to determine whether existing user accounts were altered or linked to that identity prior to its deletion.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
Version1.0.1
Arm templatedefe4855-0d33-4362-9557-009237623976.json
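// Correlate successful "Delete external user" audit events (AuditLogs) with sign-ins
// (SigninLogs) by the same guest UPN inside the lookback window.
let lookback = 1d;
let DeleteExtUsers = AuditLogs
| where TimeGenerated > ago(lookback)
| where Category =~ "UserManagement"
| where OperationName =~ "Delete external user"
| where Result =~ "success"
// NOTE: despite the name, this is the principal that performed the DELETION, not the
// original inviter; the column name is kept because the rule's entity mapping references it.
// Presumably empty when InitiatedBy carries no "user" sub-object (e.g. an app-initiated
// deletion) -- verify against real audit records.
| extend InviteInitiator = tostring(InitiatedBy.["user"].["userPrincipalName"])
| extend Target = tostring(TargetResources[0].["displayName"])
// The deleted guest's UPN is pulled out of the target displayName, which is expected to
// contain "... UPN: <upn>, Email: ...". It is lower-cased because KQL join equality is
// case-sensitive and the audit record may not use the same casing as SigninLogs.
| extend TargetUPN = tolower(tostring(extract(@"UPN\:\s(.+)\,\sEmail",1,Target))) , DeleteUserTime = TimeGenerated;
DeleteExtUsers
| join kind=inner (
SigninLogs
| where TimeGenerated > ago(lookback)
// NOTE(review): no ResultType filter is applied, so failed sign-ins are matched as well;
// add "| where ResultType == 0" if only successful sign-ins are wanted, as the rule
// description suggests.
| extend LoginTime = TimeGenerated, SigninUPN = tolower(UserPrincipalName)
) on $left.TargetUPN == $right.SigninUPN
// Keeps sign-ins that occurred BEFORE the account was deleted (activity prior to deletion);
// sign-ins recorded after the deletion are not surfaced by this comparison.
| where DeleteUserTime > LoginTime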
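# Microsoft Sentinel scheduled analytic rule.
# Correlates successful "Delete external user" audit events (AuditLogs) with sign-ins
# (SigninLogs) by the same guest UPN inside a one-day window.
tactics:
- PrivilegeEscalation
severity: Medium
# Both data types come from the same connector; each is declared separately.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
# Fires when the query returns more than triggerThreshold (0) rows.
triggerOperator: gt
query: |
  // Deletion events for external (guest) users in the lookback window.
  let lookback = 1d;
  let DeleteExtUsers = AuditLogs
  | where TimeGenerated > ago(lookback)
  | where Category =~ "UserManagement"
  | where OperationName =~ "Delete external user"
  | where Result =~ "success"
  // NOTE: despite the name, this is the principal that performed the DELETION, not the
  // original inviter; the column name is kept because the entity mapping below references it.
  // Presumably empty when InitiatedBy carries no "user" sub-object (e.g. an app-initiated
  // deletion) -- verify against real audit records.
  | extend InviteInitiator = tostring(InitiatedBy.["user"].["userPrincipalName"])
  | extend Target = tostring(TargetResources[0].["displayName"])
  // The deleted guest's UPN is pulled out of the target displayName, which is expected to
  // contain "... UPN: <upn>, Email: ...". It is lower-cased because KQL join equality is
  // case-sensitive and the audit record may not use the same casing as SigninLogs.
  | extend TargetUPN = tolower(tostring(extract(@"UPN\:\s(.+)\,\sEmail",1,Target))) , DeleteUserTime = TimeGenerated;
  DeleteExtUsers
  | join kind=inner (
  SigninLogs
  | where TimeGenerated > ago(lookback)
  // NOTE(review): no ResultType filter is applied, so failed sign-ins are matched as well;
  // add "| where ResultType == 0" if only successful sign-ins are wanted, as the rule
  // description suggests.
  | extend LoginTime = TimeGenerated, SigninUPN = tolower(UserPrincipalName)
  ) on $left.TargetUPN == $right.SigninUPN
  // Keeps sign-ins that occurred BEFORE the account was deleted (activity prior to deletion);
  // sign-ins recorded after the deletion are not surfaced by this comparison.
  | where DeleteUserTime > LoginTime
triggerThreshold: 0
name: Suspicious Login from deleted guest account
kind: Scheduled
version: 1.0.1
description: |
  This query detects sign-ins by a guest (external) account that was recently deleted.
  Any successful sign-in from a deleted identity should be investigated further to determine
  whether existing user accounts were altered or linked to that identity prior to its deletion.
relevantTechniques:
- T1078.004
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml
tags:
- GuestorExternalIdentities
# The Account entity is the principal that deleted the guest (InviteInitiator), not the
# deleted guest itself; the IP entity is the sign-in source address from SigninLogs.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: InviteInitiator
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
# Runs once a day over the preceding day; matches the 1d lookback inside the query.
queryFrequency: 1d
queryPeriod: 1d
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  source:
    kind: Community
  author:
    name: Ashwin Patil
id: defe4855-0d33-4362-9557-009237623976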
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/defe4855-0d33-4362-9557-009237623976')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/defe4855-0d33-4362-9557-009237623976')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Suspicious Login from deleted guest account",
        "description": "This query detects sign-ins by a guest (external) account that was recently deleted.\nAny successful sign-in from a deleted identity should be investigated further to determine whether existing user accounts were altered or linked to that identity prior to its deletion.\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lookback = 1d;\nlet DeleteExtUsers = AuditLogs\n| where TimeGenerated > ago(lookback)\n| where Category =~ \"UserManagement\"\n| where OperationName =~ \"Delete external user\"\n| where Result =~ \"success\"\n| extend InviteInitiator = tostring(InitiatedBy.[\"user\"].[\"userPrincipalName\"])\n| extend Target = tostring(TargetResources[0].[\"displayName\"])\n| extend TargetUPN = tostring(extract(@\"UPN\\:\\s(.+)\\,\\sEmail\",1,Target)) , DeleteUserTime = TimeGenerated;\nDeleteExtUsers\n| join kind=inner (\nSigninLogs\n| where TimeGenerated > ago(lookback)\n| extend LoginTime = TimeGenerated\n) on $left.TargetUPN == $right.UserPrincipalName\n| where DeleteUserTime > LoginTime\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "defe4855-0d33-4362-9557-009237623976",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "InviteInitiator",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousLoginfromDeletedExternalIdentities.yaml",
        "templateVersion": "1.0.1",
        "tags": [
          "GuestorExternalIdentities"
        ]
      }
    }
  ]
}