User State Changed From Guest To Member

calendar Oct 23, 2025 · attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access attack.t1078.004  ·
Share on: linkedin copy

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Sigma rule (View on GitHub)

 1title: User State Changed From Guest To Member
 2id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e
 3status: test
 4description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts#monitoring-external-user-sign-ins
 7author: MikeDuddington, '@dudders1'
 8date: 2022-06-30
 9tags:
10    - attack.persistence
11    - attack.defense-evasion
12    - attack.privilege-escalation
13    - attack.initial-access
14    - attack.t1078.004
15logsource:
16    product: azure
17    service: auditlogs
18detection:
19    selection:
20        Category: 'UserManagement'
21        OperationName: 'Update user'
22        properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'
23    condition: selection
24falsepositives:
25    - If this was approved by System Administrator.
26level: medium

References

Related rules

to-top