IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Azure Event Hub Deletion Azure Firewall Policy Deletion »

› › ›

Azure External Guest User Invitation

edit

Azure External Guest User Invitation

edit

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.

Rule type: query

Rule indices:

filebeat-*
logs-azure*

Severity: low

Risk score: 21

Runs every: 5m

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0

Tags:

Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access

Version: 102

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Rule query

edit

event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Tactic:
- Name: Persistence
- ID: TA0003
- Reference URL: https://attack.mitre.org/tactics/TA0003/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/

« Azure Event Hub Deletion Azure Firewall Policy Deletion »