Detection | medium | test

Guest Users Invited To Tenant By Non Approved Inviters

Detects guest users being invited to tenant by non-approved inviters

Mike Duddington | Created Thu Jul 28 | 4ad97bf5-a514-41a4-abd3-4f3455ad4865 | cloud
Log Source
Product: Azure (raw: azure)
Service: auditlogs (raw: auditlogs)
Detection Logic (2 selectors)
detection:
    selection:
        Category: 'UserManagement'
        OperationName: 'Invite external user'
    filter:
        InitiatedBy|contains: '<approved guest inviter use OR for multiple>'
    condition: selection and not filter
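
The detection logic above, evaluated in Python over a handful of audit events. This is an added example, not part of the Sigma rule or its repository; the approved-inviter UPNs, the event `Id` values and the sample `InitiatedBy` contents are constructed assumptions.

```python
import json

# Assumption: approved inviters are identified by UPN (constructed values).
APPROVED_INVITERS = ["guest-admin@contoso.example", "hr-onboarding@contoso.example"]

def _eq(value, expected):
    # Sigma plain string values match case-insensitively.
    return str(value).lower() == expected.lower()

def _initiated_by_text(event):
    # InitiatedBy may arrive as a nested object or as serialized JSON text;
    # flatten it so the rule's |contains modifier can be applied to a string.
    ib = event.get("InitiatedBy", "")
    return ib if isinstance(ib, str) else json.dumps(ib)

def matches_rule(event, approved=APPROVED_INVITERS):
    # selection: both fields must match (AND within a selector)
    selection = (_eq(event.get("Category", ""), "UserManagement")
                 and _eq(event.get("OperationName", ""), "Invite external user"))
    # filter: a list of |contains values is OR-ed together
    text = _initiated_by_text(event).lower()
    flt = any(a.lower() in text for a in approved)
    # condition: selection and not filter
    return selection and not flt

def alerts(events, approved=APPROVED_INVITERS):
    return [e["Id"] for e in events if matches_rule(e, approved)]

def _evt(eid, op, initiated_by):
    return {"Id": eid, "Category": "UserManagement",
            "OperationName": op, "InitiatedBy": initiated_by}

# Constructed sample events, not real tenant data.
SAMPLE_EVENTS = [
    _evt("evt-1", "Invite external user",
         {"user": {"userPrincipalName": "guest-admin@contoso.example"}}),
    _evt("evt-2", "Invite external user",
         {"user": {"userPrincipalName": "j.doe@contoso.example"}}),
    _evt("evt-3", "Add user",
         {"user": {"userPrincipalName": "j.doe@contoso.example"}}),
    _evt("evt-4", "Invite external user",  # serialized form, different case
         '{"user":{"userPrincipalName":"HR-Onboarding@contoso.example"}}'),
    _evt("evt-5", "Invite external user",  # initiated by an app, no user UPN
         {"app": {"displayName": "Provisioning Service"}}),
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))      # invites by initiators not on the list
    print(alerts(SAMPLE_EVENTS, []))  # empty list: every invite alerts
```

Because `contains` is a substring match, list complete UPNs in the filter rather than short fragments, so that only the intended accounts are excluded.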
False Positives

If this was approved by System Administrator.

Rule Metadata
Rule ID: 4ad97bf5-a514-41a4-abd3-4f3455ad4865
Status: test
Level: medium
Type: Detection
Created: Thu Jul 28
Path: rules/cloud/azure/audit_logs/azure_ad_guest_users_invited_to_tenant_by_non_approved_inviters.yml
Raw Tags: attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078