Guest Users Invited To Tenant By Non Approved Inviters

Detects guest users being invited to tenant by non-approved inviters

Sigma rule (View on GitHub)

 1title: Guest Users Invited To Tenant By Non Approved Inviters
 2id: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
 3status: test
 4description: Detects guest users being invited to tenant by non-approved inviters
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 7author: MikeDuddington, '@dudders1'
 8date: 2022/07/28
 9tags:
10    - attack.initial_access
11    - attack.t1078
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        Category: 'UserManagement'
18        OperationName: 'Invite external user'
19    filter:
20        InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
21    condition: selection and not filter
22falsepositives:
23    - If this was approved by System Administrator.
24level: medium

References

Related rules

to-top