Azure External Guest User Invitation

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users that are never reviewed can persist indefinitely and become an unmonitored access path into the tenant.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include
collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account.
Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users
that are never reviewed can persist indefinitely and become an unmonitored access path into the tenant.
"""
false_positives = [
    """
    Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname,
    and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or
    hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
    """,
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure External Guest User Invitation"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Azure External Guest User Invitation

Azure Active Directory (AD) facilitates collaboration by allowing external users to be invited as guest users, enhancing flexibility in cloud environments. However, adversaries who hold a compromised account with invite rights can use this feature to add an identity they control to the tenant, gaining a foothold that survives a password reset of the original victim. The detection rule monitors audit logs for successful external user invitations, flagging potential misuse by identifying unusual or unnecessary guest account creations.

### Possible investigation steps

- Review the audit logs to confirm the details of the invitation event, focusing on the operation name "Invite external user" and ensuring the event outcome is marked as Success.
- Identify the inviter by examining the properties of the audit log entry, such as the initiator's user ID or email, to determine if the invitation was expected or authorized.
- Check the display name, user principal name and home domain of the invited guest user to assess if they align with known business needs or if they appear suspicious or unnecessary (for example, a consumer e-mail domain or a domain that is not a known partner).
- Investigate the inviter's recent activity in Azure AD, such as sign-ins from new locations or devices, consent grants or role changes, to identify deviations from their typical behavior that might indicate compromised credentials.
- Consult with relevant business units or stakeholders to verify if there was a legitimate business requirement for the guest user invitation and if it aligns with current projects or collaborations.
- Review the group memberships, application role assignments and directory roles granted to the guest user to ensure they are limited to the minimum necessary and do not expose sensitive resources.

### False positive analysis

- Invitations for legitimate business partners or vendors may trigger alerts. Regularly review and allowlist known partner domains to prevent unnecessary alerts.
- Internal users with dual roles or responsibilities that require external access might be flagged. Maintain a list of such users and update it periodically to exclude them from alerts.
- Automated systems or applications that require guest access for integration purposes can cause false positives. Identify these systems and configure exceptions in the monitoring rules, keyed on the initiating principal rather than on the operation.
- Temporary projects or collaborations often involve inviting external users. Document these projects and set expiration dates for guest access to minimize false positives.
- Frequent invitations from specific departments, such as HR or Marketing, for events or collaborations can be common. Establish a process to verify and approve these invitations to reduce false alerts.

### Response and remediation

- Immediately disable the guest user account identified in the alert to prevent any unauthorized access or activities, and revoke its active sessions so existing tokens cannot be reused.
- Review the audit logs to determine the source and context of the invitation, identifying the user or system that initiated the guest invitation.
- Notify the security team and relevant stakeholders about the unauthorized guest invitation for further investigation and potential escalation.
- Conduct a security assessment of the affected Azure AD environment to identify any other unauthorized guest accounts or suspicious activities.
- Restrict who can send guest invitations through the tenant's External collaboration settings (guest invite restrictions), so that only administrators or users in designated roles can invite, reducing the risk of future unauthorized invitations. Conditional Access governs how guests sign in, not who may invite them, so it complements rather than replaces this setting.
- Enhance monitoring and alerting for guest user invitations by integrating with a Security Information and Event Management (SIEM) system to ensure timely detection and response.
- Review and update the organization's Azure AD guest user policies to ensure they align with security best practices and business needs, minimizing unnecessary guest access.

## Setup

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
risk_score = 21
rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
severity = "low"
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
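The following is an added example, not code from the Elastic rule or the Azure integration. It replays the rule's KQL query over a handful of constructed audit events shaped like the `azure.auditlogs.*` fields the query names, and then applies the exception pattern the false-positive guidance recommends (exempt a known initiating principal, not the operation). The `target_resources` object keyed by position, the `initiated_by.user.userPrincipalName` / `initiated_by.app.displayName` paths and the `user_principal_name` field are assumptions about the integration's mapping; the sample events and names are constructed.

```python
"""Replay the 'Azure External Guest User Invitation' KQL over constructed events.

Added example; not part of the Elastic rule. Field paths other than those in
the rule's query are assumptions about the Elastic Azure integration mapping.
"""
from typing import Any, Dict, Iterable, List, Optional

OPERATION = "Invite external user"
TARGETS = "azure.auditlogs.properties.target_resources"


def get_path(obj: Any, path: str) -> Any:
    """Walk a dotted path through nested dicts; None if any hop is missing."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def kql_term_match(value: Optional[str], term: str) -> bool:
    """Approximate KQL `field:term`: case-insensitive whole-token match.
    A keyword-mapped field in Elasticsearch requires the exact value; a text
    mapping matches the analyzed token. Token matching covers both (assumption)."""
    return isinstance(value, str) and term.lower() in value.lower().split()


def target_resources(event: Dict[str, Any]) -> List[Dict[str, Any]]:
    """All target resources, whatever key they sit under (the rule's `*` wildcard).
    Assumes the integration stores the Azure targetResources array as an object
    keyed by position ("0", "1", ...)."""
    targets = get_path(event, TARGETS) or {}
    return [t for t in targets.values() if isinstance(t, dict)]


def matches_rule(event: Dict[str, Any]) -> bool:
    """event.dataset:azure.auditlogs and operation_name:"Invite external user"
    and target_resources.*.display_name:guest and event.outcome:(Success or success)"""
    if get_path(event, "event.dataset") != "azure.auditlogs":
        return False
    if get_path(event, "azure.auditlogs.operation_name") != OPERATION:
        return False
    if get_path(event, "event.outcome") not in ("Success", "success"):
        return False
    return any(kql_term_match(t.get("display_name"), "guest") for t in target_resources(event))


def inviter(event: Dict[str, Any]) -> Optional[str]:
    """Principal that sent the invitation: a user UPN or an app display name (assumed paths)."""
    props = "azure.auditlogs.properties.initiated_by"
    return get_path(event, props + ".user.userPrincipalName") or get_path(event, props + ".app.displayName")


def run_rule(events: Iterable[Dict[str, Any]], exempt_inviters: Iterable[str] = ()) -> List[Dict[str, Any]]:
    """One alert per matching event, skipping initiating principals on the exception list."""
    exempt = {e.lower() for e in exempt_inviters}
    alerts = []
    for ev in events:
        if not matches_rule(ev):
            continue
        who = inviter(ev)
        if who and who.lower() in exempt:
            continue
        invited = [t.get("user_principal_name") or t.get("display_name") for t in target_resources(ev)]
        alerts.append({"inviter": who, "invited": invited, "outcome": get_path(ev, "event.outcome")})
    return alerts


def _event(operation: str, outcome: str, initiated_by: Dict[str, Any], targets: Dict[str, Any]) -> Dict[str, Any]:
    """Build a constructed event in the azure.auditlogs shape (not captured data)."""
    return {
        "event": {"dataset": "azure.auditlogs", "outcome": outcome},
        "azure": {"auditlogs": {"operation_name": operation,
                                "properties": {"initiated_by": initiated_by, "target_resources": targets}}},
    }


# Constructed sample events: one true positive, one failed invite, one unrelated
# operation, and one invite sent by an automation app with "guest" under key "1".
SAMPLE_EVENTS = [
    _event(OPERATION, "Success", {"user": {"userPrincipalName": "alice@contoso.example"}},
           {"0": {"display_name": "guest", "type": "User",
                  "user_principal_name": "bob_partner.example#EXT#@contoso.example"}}),
    _event(OPERATION, "failure", {"user": {"userPrincipalName": "alice@contoso.example"}},
           {"0": {"display_name": "guest", "type": "User"}}),
    _event("Add user", "Success", {"user": {"userPrincipalName": "carol@contoso.example"}},
           {"0": {"display_name": "dave@contoso.example", "type": "User"}}),
    _event(OPERATION, "success", {"app": {"displayName": "Partner Onboarding Automation"}},
           {"0": {"display_name": "Partner Onboarding Automation", "type": "ServicePrincipal"},
            "1": {"display_name": "guest", "type": "User",
                  "user_principal_name": "erin_vendor.example#EXT#@contoso.example"}}),
]

if __name__ == "__main__":
    for alert in run_rule(SAMPLE_EVENTS, exempt_inviters=["Partner Onboarding Automation"]):
        print(alert)
```

Before relying on the `display_name:guest` clause in your own tenant, check the field's mapping in the `logs-azure*` index and look at a real "Invite external user" event: on a keyword field the term must equal the whole value, so the rule silently misses invitations whose target display name carries extra text.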
