External guest invitation followed by Microsoft Entra ID PowerShell signin

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

By default guests have capability to invite more external guest users, guests also can do suspicious Microsoft Entra ID enumeration. This detection look at guest users, who have been invited or have invited recently, who also are logging via various PowerShell CLI. Ref : 'https://danielchronlund.com/2021/11/18/scary-azure-ad-tenant-enumeration-using-regular-b2b-guest-accounts/

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Entra ID
ID	acc4c247-aaf7-494b-b5da-17f18863878a
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	InitialAccess, Persistence, Discovery
Techniques	T1078.004, T1136.003, T1087.004
Required Connectors	AzureActiveDirectory, AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AADNonInteractiveUserSignInLogs		✓	✗	?
AuditLogs	OperationName == "Invite external user"	✓	✗	?
SigninLogs		✓	✗	?

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Entra ID