Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
Sigma rule (View on GitHub)
1title: Guest Users Invited To Tenant By Non Approved Inviters
2id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
3status: test
4description: Detects guest users being invited to tenant by non-approved inviters
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
7author: MikeDuddington, '@dudders1'
8date: 2022-07-28
9tags:
10 - attack.initial-access
11 - attack.t1078
12logsource:
13 product: azure
14 service: auditlogs
15detection:
16 selection:
17 Category: 'UserManagement'
18 OperationName: 'Invite external user'
19 filter:
20 InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
21 condition: selection and not filter
22falsepositives:
23 - If this was approved by System Administrator.
24level: medium
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- AWS Suspicious SAML Activity
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow