
Summary
The rule 'Azure Invite External Users' detects instances in Azure where a user attempts to invite an external user to an organization. It reviews audit logs for successful and unsuccessful invitations, along with the operational parameters associated with user invitations. Its purpose is to identify potential unauthorized access or compliance violations that arise when users invite external entities. When a user invites an external individual, the rule raises an alert so that the inviting user's permissions and the details of the invited external user can be reviewed. The rule references the MITRE ATT&CK framework under TA0001:T1078, which indicates an emphasis on account enumeration and credential access. Upon detection, the runbook suggests verifying the user's permissions and taking precautionary measures such as revoking unauthorized invites. The detection draws its data from Azure audit logs, which provide context for the logged activity. The risks targeted include unexpected external access and compliance breaches, both of which matter to organizational security.
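The matching and triage logic described in the summary, sketched as an added example (this is not the rule's own code). It assumes the Microsoft Entra ID audit log field layout (`operationName`, `properties.result`, `properties.initiatedBy`, `properties.targetResources`); the `APPROVED_INVITERS` allow-list and all sample events are constructed for illustration.

```python
# Added example: field names assume the Microsoft Entra ID audit log schema
# as exported to Azure Monitor; all sample events are constructed.
INVITE_OPERATION = "Invite external user"
APPROVED_INVITERS = {"guest-admin@contoso.example"}  # hypothetical allow-list


def deep_get(event, *path, default=None):
    """Walk nested dicts safely; audit events often omit optional fields."""
    for key in path:
        if not isinstance(event, dict) or key not in event:
            return default
        event = event[key]
    return event


def invite_alert(event):
    """Return alert context for an external-user invitation, else None."""
    if str(event.get("operationName", "")).lower() != INVITE_OPERATION.lower():
        return None
    actor = deep_get(event, "properties", "initiatedBy", "user",
                     "userPrincipalName", default="<unknown actor>")
    targets = deep_get(event, "properties", "targetResources", default=[]) or []
    invited = [t.get("userPrincipalName") or t.get("displayName") or "<unknown>"
               for t in targets if isinstance(t, dict)]
    result = str(deep_get(event, "properties", "result", default="unknown")).lower()
    return {
        "actor": actor,
        "invited": invited,
        "result": result,  # failed attempts are kept: they still show intent
        "actor_approved": actor.lower() in APPROVED_INVITERS,
    }


SAMPLE_EVENTS = [  # constructed events, not real tenant data
    {"operationName": "Invite external user", "properties": {
        "result": "success",
        "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
        "targetResources": [{"userPrincipalName": "partner@fabrikam.example"}]}},
    {"operationName": "Invite external user", "properties": {
        "result": "failure",
        "initiatedBy": {"user": {"userPrincipalName": "guest-admin@contoso.example"}},
        "targetResources": [{"displayName": "vendor@northwind.example"}]}},
    {"operationName": "Add user", "properties": {"result": "success"}},
]


def triage(events):
    """Collect alert context for every invitation event in a batch."""
    return [a for a in map(invite_alert, events) if a is not None]
```

The `actor_approved` flag supports the runbook step of verifying the inviting user's permissions before deciding whether an invite should be revoked.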
Categories
- Cloud
- Azure
- Identity Management
Data Sources
- User Account
- Application Log
- Logon Session
ATT&CK Techniques
- T1078
Created: 2025-02-10