forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathinitial_access_external_guest_user_invite.toml
More file actions
69 lines (59 loc) · 2.44 KB
/
initial_access_external_guest_user_invite.toml
File metadata and controls
69 lines (59 loc) · 2.44 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
[metadata]
creation_date = "2020/08/31"
integration = ["azure"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2022/12/14"
[rule]
author = ["Elastic"]
description = """
Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include
collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account.
Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users
could potentially be overlooked indefinitely leading to a potential vulnerability.
"""
false_positives = [
"""
Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure External Guest User Invitation"
note = """## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
risk_score = 21
rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
severity = "low"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"