Techniques
Sample rules
Azure AD External Guest User Invited
- source: splunk
- techniques:
- T1136.003
Description
The following analytic identifies the invitation of an external guest user within Azure AD. With Azure AD B2B collaboration, users and administrators can invite external users to collaborate with internal users. External guest account invitations should be monitored by security teams, as they could potentially lead to unauthorized access. An example of this attack vector was described at BlackHat 2022 by security researcher Dirk-Jan during his talk "Backdooring and Hijacking Azure AD Accounts by Abusing External Identities".
Detection logic
`azure_monitor_aad` operationName="Invite external user"
| rename properties.* as *
| rename initiatedBy.user.userPrincipalName as initiatedBy
| rename targetResources{}.type as type
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by type, initiatedBy, result, operationName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_external_guest_user_invited_filter`
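The same aggregation the SPL performs, written out in Python over constructed Azure AD audit events so the grouping and the multivalue `targetResources{}.type` handling can be checked offline. This is an added example, not part of the Splunk rule; it assumes the rule's `user` field resolves to the invited target's userPrincipalName.

```python
from collections import defaultdict

INVITE_OP = "Invite external user"

# Constructed sample records shaped like Azure AD audit events as they arrive
# in Splunk (operationName at the top level, the rest under properties.*).
# Made-up values, not real log data.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "operationName": INVITE_OP,
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "alice_partner.example#EXT#@contoso.example"}]}},
    {"_time": 1700000600, "operationName": INVITE_OP,
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "bob_partner.example#EXT#@contoso.example"}]}},
    {"_time": 1700001200, "operationName": INVITE_OP,
     "properties": {"result": "failure",
                    "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "eve_attacker.example#EXT#@contoso.example"}]}},
    {"_time": 1700001800, "operationName": "Add user",   # unrelated operation, must be ignored
     "properties": {"result": "success",
                    "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
                    "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example"}]}},
]


def detect_external_guest_invites(events):
    """Mirror the SPL: keep only operationName="Invite external user", flatten
    properties.*, then stats count/min/max/values by type, initiatedBy, result, operationName.
    Assumption: the SPL's `user` field is the target resource's userPrincipalName."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "user": set()})
    for ev in events:
        if ev.get("operationName") != INVITE_OP:
            continue
        props = ev.get("properties", {})                      # rename properties.* as *
        initiated_by = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
        targets = props.get("targetResources", [])
        # stats ... by type: a multivalue targetResources{}.type places the event in one group per distinct type
        for rtype in {t.get("type") for t in targets}:
            g = groups[(rtype, initiated_by, props.get("result"), INVITE_OP)]
            g["count"] += 1
            ts = ev["_time"]
            g["firstTime"] = ts if g["firstTime"] is None else min(g["firstTime"], ts)
            g["lastTime"] = ts if g["lastTime"] is None else max(g["lastTime"], ts)
            g["user"].update(t["userPrincipalName"] for t in targets
                             if t.get("type") == rtype and t.get("userPrincipalName"))
    return {k: {**v, "user": sorted(v["user"])} for k, v in groups.items()}


if __name__ == "__main__":
    for key, row in detect_external_guest_invites(SAMPLE_EVENTS).items():
        print(key, row)
```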