This query detects instances where a newly invited external user is granted an administrative role. By default, it alerts on any granted administrative role; this can be modified using the `roles` variable if false positives occur in your environment. The maximum delta between invite and escalation to admin is 60 minutes, which can be configured using the `deltaBetweenInviteEscalation` variable.

| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Cloud Identity Threat Protection Essentials |
| ID | d7424fd9-abb3-4ded-a723-eebe023aaa0b |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Persistence |
| Techniques | T1098.001 |
| Required Connectors | AzureActiveDirectory |
| Source | View on GitHub |

This content item queries data from the following tables:

| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
| AuditLogs | OperationName in "Invite external user,Redeem external user invite"<br>OperationName has "Invite external user"<br>OperationName has "Redeem external user invite" | ✓ | ✗ | ? |