Monitor Azure AD Guest Users With Azure Sentinel


Azure Sentinel is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

In this article, I will share with you how to monitor Azure AD guest users’ accounts with Azure Sentinel.

Introduction

Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data.

A simple invitation and redemption process lets partners use their own credentials to access your company’s resources. As part of your identity governance effort, you need to monitor closely who is inviting external users, and make sure you have an access review policy in place that regularly removes those users once their access is no longer needed.

In this article, I will walk you through how to create an analytic rule in Azure Sentinel that will trigger an alert when an administrator invites a guest user to your Azure AD tenant, and then automatically runs a security playbook to inform the organization’s Security Operation Center (SOC) team.

Prerequisites

To follow this article, you need to have the following:

1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.

2) Log Analytics workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.

3) Azure Sentinel – To enable Azure Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.

4) Connect data from Azure Active Directory (Azure AD) to Azure Sentinel. You need to export (send) the Azure AD ‘AuditLogs’ to the Sentinel workspace, as shown in the figure below. Audit logs contain information about system activity relating to user and group management, managed applications, and directory activities. The good news is that you can export Audit Logs with an Azure AD Free or Office 365 license; you don’t need a P1 or P2 license, unlike the ‘SignInLogs’ requirements.

Azure AD Diagnostic settings

5) Your user must be assigned the Azure Sentinel Contributor role on the Log Analytics workspace.

6) Your user must be assigned the Global Administrator or Security Administrator roles on the tenant you want to stream the logs from.

7) Last but not least, your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.

Assuming you have all the prerequisites in place, now take the following steps:

Azure Sentinel Side

Now that we have all the capabilities for collecting Azure AD activity logs in place, we can monitor, track, and detect guest user invitations, suspicious activities, and many other actions in Azure Sentinel.

Create a hunting query

If you’re a threat hunter who wants to be proactive about looking for security threats, Azure Sentinel provides powerful hunting search and query tools to hunt for security threats across your organization’s data sources.

In this step, we will create a hunting query to monitor in real-time when someone in your organization invites an external user to Azure AD.

Now you may ask why we need to create a Hunting query instead of an Analytic rule. In fact, you can do both. With an analytic rule, the minimum query schedule is 5 minutes at the time of this writing, whereas a hunting query added to Livestream is nearly real-time. You can think of it as reactive versus proactive.

For the remainder of this article, I will use both approaches: Hunting to create a Livestream session, and an analytic rule. The good news is that once the custom query is created, you can create an analytic rule directly from the Hunting queries blade.

Open Azure Portal and sign in with a user who has Azure Sentinel Contributor permissions.

Click All services found in the upper left-hand corner. In the list of resources, type Azure Sentinel. As you begin typing, the list filters based on your input.

Click on Azure Sentinel and then select the desired Workspace.

From Azure Sentinel’s sidebar, select Hunting under the Threat management section, then click + New Query as shown in the figure below.

Create Azure Sentinel Hunting Query

Enter a descriptive Name and Description. In the Custom query section, enter the following KQL query to be alerted when someone invites an external guest user:

    AuditLogs
    // Only the audit events written when a guest invitation is sent
    | where ActivityDisplayName == "Invite external user"
    // UPN of the inviting user (InitiatedBy is a dynamic column, hence tostring/parse_json)
    | extend initiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
    // Invited address, read positionally from the sixth element of AdditionalDetails
    | extend InvitedUser = tostring(AdditionalDetails[5].value)
    // Object id of the invited guest account
    | extend ObjectId = tostring(TargetResources[0].id)
    // Object id of the inviting user
    | extend RefObjectId = tostring(parse_json(tostring(InitiatedBy.user)).id)
    | project initiatedBy, InvitedUser, ObjectId, RefObjectId

This query searches the Azure AD AuditLogs table for the ‘Invite external user’ action. With the extend operator, I create four custom columns, ‘initiatedBy’, ‘InvitedUser’, ‘ObjectId’, and ‘RefObjectId’, and populate each one from the matching field of the audit record. Finally, with the project operator, I select those columns to get more details about this operation.

You might ask why I am looking for ‘ObjectId’ and ‘RefObjectId’. Those values will help you as part of the Security Orchestration, Automation, and Response (SOAR) effort to automate the response to a security incident; for example, you may want to revoke access, assign a manager, or disable the account.
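To check the column logic of the query above without a tenant, here is an added Python re-implementation of it, not code from the original post, run over constructed AuditLogs rows. It models only the columns the query reads (ActivityDisplayName, InitiatedBy, TargetResources, AdditionalDetails) as nested dicts and lists, the way KQL dynamic columns behave; the users, ids and detail keys in the sample rows are constructed, and the key name `invitedUserEmailAddress` used by the key-based variant is an assumption for this example. The third sample row shows the failure mode of reading `AdditionalDetails[5]` positionally: on an app-initiated invitation with a shorter details array the column comes back empty, while the key-based lookup still finds the address.

```python
"""Added example (not from the original post): an offline re-implementation of
the 'Invite external user' hunting query over constructed AuditLogs rows."""

# Constructed sample rows shaped like AuditLogs records (not real tenant data).
# KQL dynamic columns are nested JSON; plain dicts and lists model them here.
SAMPLE_AUDIT_LOGS = [
    {   # A user-initiated invitation: the row the hunting query is built for.
        "ActivityDisplayName": "Invite external user",
        "InitiatedBy": {"user": {
            "userPrincipalName": "admin@contoso.example",
            "id": "11111111-1111-1111-1111-111111111111"}},
        "TargetResources": [{"id": "22222222-2222-2222-2222-222222222222", "type": "User"}],
        # Five constructed detail entries, then the invited address at index 5
        "AdditionalDetails": [{"key": f"detail{i}", "value": f"constructed-{i}"} for i in range(5)]
                             + [{"key": "invitedUserEmailAddress", "value": "partner@fabrikam.example"}],
    },
    {   # A different activity: must be filtered out by the where clause.
        "ActivityDisplayName": "Add member to group",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@contoso.example",
                                 "id": "11111111-1111-1111-1111-111111111111"}},
        "TargetResources": [{"id": "33333333-3333-3333-3333-333333333333", "type": "Group"}],
        "AdditionalDetails": [],
    },
    {   # An invitation initiated by an application: no InitiatedBy.user, and the
        # details array is too short for a positional read at index 5.
        "ActivityDisplayName": "Invite external user",
        "InitiatedBy": {"app": {"displayName": "Provisioning app (constructed)"}},
        "TargetResources": [{"id": "44444444-4444-4444-4444-444444444444", "type": "User"}],
        "AdditionalDetails": [{"key": "invitedUserEmailAddress", "value": "vendor@fabrikam.example"},
                              {"key": "detail1", "value": "constructed-1"}],
    },
]


def dyn_get(obj, *path):
    """Walk nested dicts/lists the way KQL dynamic access does: a missing key
    or an out-of-range index yields None instead of raising."""
    for step in path:
        if isinstance(obj, dict):
            obj = obj.get(step)
        elif isinstance(obj, list) and isinstance(step, int) and 0 <= step < len(obj):
            obj = obj[step]
        else:
            return None
    return obj


def to_string(value):
    """Mimic KQL tostring(): null becomes the empty string."""
    return "" if value is None else str(value)


def detect_guest_invitations(rows, invited_user_index=5):
    """Equivalent of the hunting query: keep only 'Invite external user' rows and
    project the four columns the query extends. InvitedUser is read positionally,
    exactly as the KQL does, so the index is a parameter."""
    results = []
    for row in rows:
        if row.get("ActivityDisplayName") != "Invite external user":
            continue
        results.append({
            "initiatedBy": to_string(dyn_get(row, "InitiatedBy", "user", "userPrincipalName")),
            "InvitedUser": to_string(dyn_get(row, "AdditionalDetails", invited_user_index, "value")),
            "ObjectId": to_string(dyn_get(row, "TargetResources", 0, "id")),
            "RefObjectId": to_string(dyn_get(row, "InitiatedBy", "user", "id")),
        })
    return results


def invited_user_by_key(row, key="invitedUserEmailAddress"):
    """Key-based variant of the InvitedUser lookup. A positional index breaks when
    AdditionalDetails is ordered differently or is shorter; searching by key does
    not. The key name is an assumption made for this example."""
    for item in row.get("AdditionalDetails") or []:
        if isinstance(item, dict) and item.get("key") == key:
            return to_string(item.get("value"))
    return ""


if __name__ == "__main__":
    for hit in detect_guest_invitations(SAMPLE_AUDIT_LOGS):
        print(hit)
    print("by key:", [invited_user_by_key(r) for r in SAMPLE_AUDIT_LOGS])
```

In KQL the same robustness can be had with `mv-apply` or `mv-expand` over `AdditionalDetails` and a filter on the `key` field instead of a fixed index; which key carries the invited address should be confirmed against your own tenant's audit records before relying on it.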

Next, map the entities recognized by Azure Sentinel to the appropriate columns in this query’s results. This enables Azure Sentinel to recognize the entities that are part of the alerts for further analysis.

Create Azure Sentinel custom query

Next, assign the right Tactics for the query, such as Initial Access and Credential Access, and then click Create.

Once the custom query is created, navigate to Sentinel > Threat management > Hunting > Queries tab and filter by the provider (Custom Queries).

Now to monitor external identities in real-time and receive notifications when a new invitation occurs, locate the hunting query that we created in the previous step, right-click the query, and select Add to Livestream as shown in the figure below.

Hunting Query - Add to Livestream

Now, to view your Livestream session in action, navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that we added in the previous step and make sure it’s in the ‘Running’ state as shown in the figure below.

Azure Sentinel Running Livestream

I will go now and invite a guest user to my Azure AD Tenant and wait for the notification to pop up. Because Livestream notifications for new events use Azure Portal notifications, you will see these notifications whenever you use the Azure portal. In my example, it took around 3 minutes for the notification to pop up after I invited a guest user. Select the notification to open the Livestream pane as shown in the figure below.

Receive Azure Sentinel Notifications with Livestream

Navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that is running and on the right-hand side click on the Open Livestream button.

Make sure your Livestream session is running; you will see output similar to the figure below when someone invites a guest user (InitiatedBy, InvitedUser, ObjectId, and RefObjectId).

Azure Sentinel Livestream query results

Create an analytic rule

Now you can promote a Livestream session to a new alert by creating an analytic rule.

From within the same Livestream session, click on Create analytics rule as shown in the figure below.

Azure Sentinel Livestream - Create an analytic rule

Give the analytic rule a meaningful ‘Name’ and ‘Description’, then select the following two ‘Tactics’: Initial Access and Credential Access. Those tactics are based on the MITRE ATT&CK Matrix for Enterprise. Then select ‘Medium’ for the Severity and click Next to Set rule logic.

In the Set rule logic tab, you will see the same rule query that we used in the previous step. You can update it or leave it as it is.

I need to enrich my alert, so I will map the following entities to the rule under the Alert enrichment (Entity mapping) section:

  • Account
    • UPNSuffix = InitiatedBy
    • AadUserId = RefObjectId
  • Account
    • UPNSuffix = InvitedUser
    • AadUserId = ObjectId

Azure Sentinel Alert enrichment (Entity mapping)

In the Query scheduling section, I will schedule this query to run every 5 minutes and look up data from the last 5 minutes. For the Alert threshold, I will keep the default value of greater than ‘0’. I will not change any other setting in the Set rule logic tab.

Click Next to configure the Incident settings.

I will keep the default options for the Incident settings as well, except that I will enable grouping of related alerts triggered by this analytics rule into incidents, keeping the default setting: Grouping alerts into a single incident if all the entities match (recommended). Click Next to configure the Automated response.
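To make the interplay of the entity mapping, the query schedule, the alert threshold and the alert grouping setting concrete, here is an added Python model of those rule settings; it is not code from the original post or from Azure Sentinel, and the timestamps, users and ids are constructed. It runs the rule every 5 minutes with a 5 minute lookback and a threshold of greater than 0, then groups the resulting alerts into incidents when all four mapped entity fields (the two Account entities above) match. The second invitation is a re-sent invite for the same guest, so its alert joins the first incident, while the invite of a different guest opens a second one.

```python
"""Added example (not from the original post): an offline model of the analytic
rule's scheduling, threshold and 'group alerts if all entities match' settings."""
from datetime import datetime, timedelta, timezone


def at(hh, mm):
    """Constructed timestamp helper (date is arbitrary)."""
    return datetime(2024, 1, 15, hh, mm, tzinfo=timezone.utc)


# Constructed query rows, as the hunting query would return them, plus the
# TimeGenerated of the audit record. The 10:12 row is a re-sent invitation for
# the same guest, so its mapped entities equal those of the 10:01 row.
EVENTS = [
    {"TimeGenerated": at(10, 1), "initiatedBy": "admin@contoso.example",
     "InvitedUser": "partner@fabrikam.example",
     "ObjectId": "22222222-2222-2222-2222-222222222222",
     "RefObjectId": "11111111-1111-1111-1111-111111111111"},
    {"TimeGenerated": at(10, 12), "initiatedBy": "admin@contoso.example",
     "InvitedUser": "partner@fabrikam.example",
     "ObjectId": "22222222-2222-2222-2222-222222222222",
     "RefObjectId": "11111111-1111-1111-1111-111111111111"},
    {"TimeGenerated": at(10, 23), "initiatedBy": "admin@contoso.example",
     "InvitedUser": "vendor@fabrikam.example",
     "ObjectId": "33333333-3333-3333-3333-333333333333",
     "RefObjectId": "11111111-1111-1111-1111-111111111111"},
]


def entity_key(row):
    """The four fields mapped to the two Account entities in the rule
    (inviter: InitiatedBy/RefObjectId, guest: InvitedUser/ObjectId)."""
    return (row["initiatedBy"], row["RefObjectId"], row["InvitedUser"], row["ObjectId"])


def evaluate_run(events, run_time, lookback=timedelta(minutes=5), threshold=0):
    """One scheduled execution: select the rows in the half-open window
    (run_time - lookback, run_time]; the alert fires when the row count
    exceeds the threshold. Returns the alert's rows, or None if it did not fire."""
    rows = [e for e in events if run_time - lookback < e["TimeGenerated"] <= run_time]
    return rows if len(rows) > threshold else None


def run_schedule(events, start, end, period=timedelta(minutes=5),
                 lookback=timedelta(minutes=5), threshold=0):
    """Execute the rule at every period from start to end (inclusive) and
    collect the alerts that fired, tagged with their run time."""
    alerts = []
    run_time = start
    while run_time <= end:
        rows = evaluate_run(events, run_time, lookback, threshold)
        if rows is not None:
            alerts.append({"run_time": run_time, "rows": rows})
        run_time += period
    return alerts


def group_into_incidents(alerts):
    """Mirror the 'group alerts into a single incident if all the entities match'
    setting: alerts whose mapped entity sets are identical share one incident."""
    incidents = {}
    for alert in alerts:
        key = frozenset(entity_key(r) for r in alert["rows"])
        incidents.setdefault(key, []).append(alert)
    return list(incidents.values())


if __name__ == "__main__":
    fired = run_schedule(EVENTS, at(10, 0), at(10, 25))
    for alert in fired:
        print(alert["run_time"].strftime("%H:%M"), [r["InvitedUser"] for r in alert["rows"]])
    print(f"{len(fired)} alerts -> {len(group_into_incidents(fired))} incidents")
```

Because the lookback equals the run period, each audit record belongs to exactly one window; an event whose ingestion into Log Analytics is delayed past the run that should have covered it is then not seen by any later run either, which is why ingestion delay deserves a look when a 5 minute rule seems to miss invitations.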

Azure Sentinel - Alert grouping

In the Automated response tab, I will select the automated playbook that I created earlier to post a message in the Microsoft Teams channel to inform the SOC team members about this operation. You can also create an ‘Incident automation’ rule if you want. Automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Click Next to review and create.

On the Review and create page, validate the settings and click Create to start the rule creation process.

Azure Sentinel - Analytics rule wizard details

Simulate an alert

To trigger an alert, I will go now and invite another guest user to my Azure AD Tenant.

Let’s see if I have received any messages in the Microsoft Teams channel. After waiting 5 minutes, a message popped up in my Teams channel as shown in the screenshot below, which means the analytic rule ran the playbook automatically and the SOC team received this alert, including all entity details and which Azure resource is affected.

Post Azure Sentinel Alert in Microsoft Teams

If you switch back to Azure Sentinel and check for incidents created after this suspicious activity, you will see a new open incident created when a guest user account was invited to Azure AD. You can see the Incident id number that was created by the analytic rule, as illustrated in the previous step, which has the playbook attached to it.

On the Incidents page, under ‘Actions’ for a particular incident, you can also easily ‘Create team’ and use Microsoft Teams to take on attacks – collaborate, investigate, and solve the incident/alert together.

Azure Sentinel Incident - Create a team and use Microsoft Teams

You can also view more details of the incident by clicking on the View full details button and see all the Entities as shown in the figure below.

Azure Sentinel Incident Details

That’s it, there you have it. Happy Azure Sentinel Azure AD Guest Users Hunting!

Conclusion

In this article, I showed you how to create a hunting query with a Livestream session in Azure Sentinel that will trigger an alert when an administrator invites a guest user account to your Azure AD tenant. Then I have created an analytic rule that will automatically trigger a security playbook to inform the organization’s Security Operation Center (SOC) team of this activity.

Please note that this is only one automation scenario, showing how to respond to security events by posting a message in Microsoft Teams. You could also automatically block the IP address, disable the account so that any access to your tenant is denied, or assign/add a manager to the invited account for access review, to efficiently manage group memberships, access to enterprise applications, and role assignments.

Additional resources I highly encourage you to check:

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data from different sources, such as Azure platform logs, Azure AD, Azure Security Center, or other Microsoft security solutions, as well as other third-party solutions.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
