Detection | medium | test

Guest User Invited By Non Approved Inviters

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Mark Morowczynski, Yochana Henderson
Created Wed Aug 10
0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
cloud
Log Source
Product: Azure (raw: azure)
Service: auditlogs (raw: auditlogs)
Detection Logic (1 selector)
detection:
    selection:
        properties.message: Invite external user
        Status: failure
    condition: selection
False Positives

A non-malicious user is unaware of the proper process

Rule Metadata
Rule ID
0b4b72e3-4c53-4d5b-b198-2c58cfef39a9
Status
test
Level
medium
Type
Detection
Created
Wed Aug 10
Path
rules/cloud/azure/audit_logs/azure_guest_invite_failure.yml
Raw Tags
attack.privilege-escalation
attack.initial-access
attack.persistence
attack.defense-evasion
attack.t1078.004