IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [7.10] Detections and Alerts Prebuilt rule reference
« Azure Event Hub Deletion Azure Firewall Policy Deletion »

Azure External Guest User Invitationedit

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account. Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users could potentially be overlooked indefinitely leading to a potential vulnerability.

Rule type: query

Rule indices:

  • filebeat-*

Severity: low

Risk score: 21

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 1

Added (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.

Investigation guideedit

The Azure Filebeat module must be enabled to use this rule.

Rule queryedit

event.dataset:azure.auditlogs and
azure.auditlogs.operation_name:"Invite external user" and
azure.auditlogs.properties.target_resources.*.display_name:guest and
event.outcome:Success

Threat mappingedit

Framework: MITRE ATT&CKTM

« Azure Event Hub Deletion Azure Firewall Policy Deletion »