Azure External Guest User Invitation
Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest accounts that are never reviewed can persist indefinitely, leaving an outside party with standing access to the tenant.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include
collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account.
Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest
accounts that are never reviewed can persist indefinitely, leaving an outside party with standing access to the tenant.
"""
false_positives = [
    """
    Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname,
    and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure External Guest User Invitation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure External Guest User Invitation

Azure Active Directory (AD) facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries may abuse this feature to gain unauthorized access or to plant a persistent account. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations.

### Possible investigation steps

- Review the audit logs to confirm the details of the invitation event, focusing on the operation name "Invite external user" and ensuring the event outcome is marked as Success.
- Identify the inviter by examining the properties of the audit log entry, such as the initiator's user ID or email, to determine if the invitation was expected or authorized.
- Check the display name, user principal name and other attributes of the invited guest user to assess if they align with known business needs or if they appear suspicious or unnecessary.
- Investigate the inviter's recent activity in Azure AD to identify any unusual patterns or deviations from their typical behavior that might indicate compromised credentials.
- Consult with relevant business units or stakeholders to verify if there was a legitimate business requirement for the guest user invitation and if it aligns with current projects or collaborations.
- Review the access permissions granted to the guest user (group memberships, directory roles, shared resources) to ensure they are limited to the minimum necessary for their role and do not expose sensitive resources.

### False positive analysis

- Invitations for legitimate business partners or vendors may trigger alerts. Regularly review and allowlist known partners to prevent unnecessary alerts.
- Internal users with dual roles or responsibilities that require external access might be flagged. Maintain a list of such users and update it periodically to exclude them from alerts.
- Automated systems or applications that require guest access for integration purposes can cause false positives. Identify these systems and configure exceptions in the monitoring rules.
- Temporary projects or collaborations often involve inviting external users. Document these projects and set expiration dates for guest access to minimize false positives.
- Frequent invitations from specific departments, such as HR or Marketing, for events or collaborations can be common. Establish a process to verify and approve these invitations to reduce false alerts.

### Response and remediation

- Immediately disable the guest user account identified in the alert to prevent any unauthorized access or activities.
- Review the audit logs to determine the source and context of the invitation, identifying the user or system that initiated the guest invitation.
- Notify the security team and relevant stakeholders about the unauthorized guest invitation for further investigation and potential escalation.
- Conduct a security assessment of the affected Azure AD environment to identify any other unauthorized guest accounts or suspicious activities.
- Restrict who may invite guests through the tenant's external collaboration settings (the guest invite restriction), so that only administrators or users holding the Guest Inviter role can send invitations, and apply Conditional Access policies to guest sign-ins to limit what an invited account can reach. Note that Conditional Access governs sign-in, not the right to send invitations.
- Enhance monitoring and alerting for guest user invitations by integrating with a Security Information and Event Management (SIEM) system to ensure timely detection and response.
- Review and update the organization's Azure AD guest user policies to ensure they align with security best practices and business needs, minimizing unnecessary guest access.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
risk_score = 21
rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
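The KQL query above, replayed clause by clause in Python over constructed audit documents. This is an added example and is not part of the Elastic rule or its repository. It applies the four query clauses and the rule's `from = "now-25m"` lookback on `event.ingested` (the `timestamp_override`), then pulls out the inviter and invitee that the investigation steps ask for. The document shape follows the field names in the query; the `initiated_by.user.userPrincipalName` and `user_principal_name` paths, the keyword (exact-term) mapping assumed for `display_name`, the `example.com` identities and all six events are assumptions constructed for the example.

```python
"""Replay of the 'Azure External Guest User Invitation' rule over constructed Azure AD audit events.

Added example, not code from the Elastic rule repository. Documents are constructed to look like
what the Elastic Azure integration emits; the initiated_by / user_principal_name paths are assumptions.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Any

# from = "now-25m" with timestamp_override = "event.ingested"
LOOKBACK = timedelta(minutes=25)
# Fixed "now" so the replay is deterministic (constructed).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)


def get_path(doc: dict[str, Any], dotted: str, default: Any = None) -> Any:
    """Walk a nested dict by an ECS-style dotted path such as 'azure.auditlogs.operation_name'."""
    cur: Any = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def target_display_names(event: dict[str, Any]) -> list[str]:
    """display_name of every target resource.

    The integration keys target_resources by index ('0', '1', ...), which is why the query
    addresses the field as target_resources.*.display_name."""
    resources = get_path(event, "azure.auditlogs.properties.target_resources", {})
    return [str(r.get("display_name", "")) for r in resources.values() if isinstance(r, dict)]


def matches_query(event: dict[str, Any]) -> bool:
    """One condition per KQL clause.

    A bare term (display_name:guest) against a keyword-mapped field is an exact match in KQL
    (mapping assumed here). event.outcome:(Success or success) accepts the older capitalised
    value as well as the ECS lowercase one."""
    return (
        get_path(event, "event.dataset") == "azure.auditlogs"
        and get_path(event, "azure.auditlogs.operation_name") == "Invite external user"
        and "guest" in target_display_names(event)
        and get_path(event, "event.outcome") in ("Success", "success")
    )


def in_lookback(event: dict[str, Any], now: datetime = NOW) -> bool:
    """The scheduled rule only searches documents ingested within the last 25 minutes."""
    ingested = datetime.fromisoformat(get_path(event, "event.ingested"))
    return now - LOOKBACK <= ingested <= now


def triage_summary(event: dict[str, Any]) -> dict[str, str]:
    """Who invited whom, and when: the first things the investigation steps ask for.
    Field paths for inviter and invitee are assumptions about the integration's mapping."""
    targets = get_path(event, "azure.auditlogs.properties.target_resources", {})
    first = next(iter(targets.values()), {}) if targets else {}
    return {
        "alert_id": event["id"],
        "inviter": get_path(event, "azure.auditlogs.properties.initiated_by.user.userPrincipalName", "<unknown>"),
        "invitee": first.get("user_principal_name", "<unknown>"),
        "ingested": get_path(event, "event.ingested"),
    }


def run_rule(events: list[dict[str, Any]], now: datetime = NOW) -> list[dict[str, str]]:
    """Lookback filter plus query, returning a triage summary per hit, in ingestion order."""
    return [triage_summary(e) for e in events if in_lookback(e, now) and matches_query(e)]


def make_event(eid: str, *, outcome: str, display_name: str, ingested: datetime,
               operation: str = "Invite external user", inviter: str = "alice@example.com",
               invitee: str = "bob_partner.example#EXT#@example.onmicrosoft.com") -> dict[str, Any]:
    """Constructed audit document (guest UPNs carry the #EXT# marker)."""
    return {
        "id": eid,
        "event": {"dataset": "azure.auditlogs", "outcome": outcome, "ingested": ingested.isoformat()},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": inviter}},
                "target_resources": {"0": {"type": "User", "display_name": display_name,
                                           "user_principal_name": invitee}},
            },
        }},
    }


SAMPLE_EVENTS = [
    make_event("e1", outcome="success", display_name="guest", ingested=NOW - timedelta(minutes=5)),
    make_event("e2", outcome="Success", display_name="guest", ingested=NOW - timedelta(minutes=20)),  # older capitalised outcome
    make_event("e3", outcome="failure", display_name="guest", ingested=NOW - timedelta(minutes=5)),  # invitation failed
    make_event("e4", outcome="success", display_name="Bob Partner", ingested=NOW - timedelta(minutes=5)),  # not the literal term 'guest'
    make_event("e5", outcome="success", display_name="guest", ingested=NOW - timedelta(minutes=40)),  # outside the 25m window
    make_event("e6", outcome="success", display_name="guest", ingested=NOW - timedelta(minutes=5), operation="Add user"),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Only e1 and e2 fire. e3 shows that failed invitations are deliberately excluded, so repeated failed invites need their own rule if you care about them; e4 shows that the rule as written depends on the target resource's display name being exactly the term `guest`, so check what that field actually contains in your own tenant's "Invite external user" events before relying on this query; e5 is the same event as e1 but ingested outside the 25-minute window, which is why a rule with a short `from` must run at least that often.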
Related rules
- Possible Consent Grant Attack via Azure-Registered Application
- Azure Active Directory High Risk Sign-in
- Azure Active Directory High Risk User Sign-in Heuristic
- Azure Active Directory PowerShell Sign-in
- AWS IAM Password Recovery Requested