User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
Sigma rule (View on GitHub)
1title: User State Changed From Guest To Member
2id: 8dee7a0d-43fd-4b3c-8cd1-605e189d195e
3status: test
4description: Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
5references:
6 - https://docs.microsoft.com/en-gb/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-external-user-sign-ins
7author: MikeDuddington, '@dudders1'
8date: 2022/06/30
9tags:
10 - attack.privilege_escalation
11 - attack.initial_access
12 - attack.t1078.004
13logsource:
14 product: azure
15 service: auditlogs
16detection:
17 selection:
18 Category: 'UserManagement'
19 OperationName: 'Update user'
20 properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'
21 condition: selection
22falsepositives:
23 - If this was approved by System Administrator.
24level: medium
References
Related rules
- Account Disabled or Blocked for Sign in Attempts
- Account Tampering - Suspicious Failed Logon Reasons
- Application AppID Uri Configuration Changes
- Application URI Configuration Changes
- Application Using Device Code Authentication Flow