User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
Sigma rule (View on GitHub)
1title: User State Changed From Guest To Member
2id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e
3status: test
4description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
7author: MikeDuddington, '@dudders1'
8date: 2022-06-30
9tags:
10 - attack.privilege-escalation
11 - attack.initial-access
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 Category: 'UserManagement'
19 OperationName: 'Update user'
20 properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'
21 condition: selection
22falsepositives:
23 - If this was approved by System Administrator.
24level: medium
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Github New Secret Created
- Github Self Hosted Runner Changes Detected
- AWS Root Credentials
- AWS Suspicious SAML Activity
- Account Disabled or Blocked for Sign in Attempts