Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution. It delivers security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
In this article, I will share with you how to monitor Azure AD guest users’ accounts with Azure Sentinel.
Azure Active Directory (Azure AD) business-to-business (B2B) collaboration is a feature within External Identities that lets you invite guest users to collaborate with your organization. With B2B collaboration, you can securely share your company’s applications and services with guest users from any other organization, while maintaining control over your own corporate data.
A simple invitation and redemption process lets partners use their own credentials to access your company’s resources. As part of your identity governance effort, you need to monitor closely who is inviting external users, and you need an access review policy in place so that guest users whose access is no longer needed are removed on a regular basis.
In this article, I will walk you through how to create an analytic rule in Azure Sentinel that will trigger an alert when an administrator invites a guest user to your Azure AD tenant, and then automatically runs a security playbook to inform the organization’s Security Operation Center (SOC) team.
To follow this article, you need to have the following:
1) Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
2) Log Analytics workspace – To create a new workspace, follow the instructions here Create a Log Analytics workspace.
3) Azure Sentinel – To enable Azure Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.
4) Connect data from Azure Active Directory (Azure AD) to Azure Sentinel. In the Azure AD data connector, enable export of the ‘AuditLogs‘ to your Sentinel workspace as shown in the figure below. Audit logs contain information about system activity relating to user and group management, managed applications, and directory activities. The good news is that you can export Audit Logs with an Azure AD Free or Office 365 license; unlike ‘SignInLogs‘, they do not require a Premium P1 or P2 license.
5) Your user must be assigned the Azure Sentinel Contributor role on the Log Analytics workspace.
6) Your user must be assigned the Global Administrator or Security Administrator role on the tenant you want to stream the logs from.
7) Last but not least, your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.
Assuming you have all the prerequisites in place, take now the following steps:
Azure Sentinel Side
Now that Azure AD activity logs are flowing into the workspace, we can monitor, track, and detect guest user invitations and other suspicious directory activity with Azure Sentinel.
Create a hunting query
If you’re a threat hunter who wants to be proactive about looking for security threats, Azure Sentinel provides powerful hunting search and query tools to hunt for threats across your organization’s data sources.
In this step, we will create a hunting query to monitor in real-time when someone in your organization invites an external user to Azure AD.
Now you may ask why we create a hunting query instead of an analytic rule. In fact, you can do both. With an analytic rule, the minimum query schedule is 5 minutes at the time of this writing; with a hunting query added to a Livestream session, results arrive in near real time. You can think of it as reactive versus proactive.
For the remainder of this article, I will use both approaches with Hunting to create a live stream session and create an analytic rule. The good news is, when the custom query is created, you can create an analytic rule from the Hunting queries blade directly.
Open Azure Portal and sign in with a user who has Azure Sentinel Contributor permissions.
Click All services found in the upper left-hand corner. In the list of resources, type Azure Sentinel. As you begin typing, the list filters based on your input.
Click on Azure Sentinel and then select the desired Workspace.
From Azure Sentinel’s sidebar, select Hunting under the Threat management section, then click + New Query as shown in the figure below.
Enter a descriptive Name and Description. In the Custom query section, enter the following KQL query to be alerted when someone invites an external guest user:

```kql
AuditLogs
| where ActivityDisplayName == "Invite external user"
| extend initiatedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend InvitedUser = tostring(AdditionalDetails.value)
| extend ObjectId = tostring(TargetResources.id)
| extend RefObjectId = tostring(parse_json(tostring(InitiatedBy.user)).id)
| project initiatedBy, InvitedUser, ObjectId, RefObjectId
```
This query searches the Azure AD AuditLogs table for events whose activity is ‘Invite external user‘. With the extend operator, I create the custom columns ‘initiatedBy‘, ‘InvitedUser‘, ‘ObjectId‘, and ‘RefObjectId‘ from the nested InitiatedBy, AdditionalDetails, and TargetResources fields. Finally, with the project operator, I select only those columns so the result shows the details of the operation.
You might ask why I am looking for ‘ObjectId‘ and ‘RefObjectId‘, those values will help you as part of the Security Orchestration, Automation, and Response (SOAR) effort to automate the response to a security incident, for example, you may want to revoke access, assign a manager, disable the account, etc.
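The query below is an enriched version of the one above, added here as an example; it is not the article’s original query. It keeps the same output column names (initiatedBy, InvitedUser, ObjectId, RefObjectId) so the same entity mapping applies, drops failed invitation attempts, picks the invitee’s e-mail address out of AdditionalDetails by key instead of reading .value off the whole array, records the inviter’s IP address, and splits the inviter’s UPN into the two halves that the Account entity expects. It assumes that AdditionalDetails for this event contains an entry keyed invitedUserEmailAddress and that TargetResources[0] is the guest object created by the invitation; check both against a real event in your workspace before relying on them.

```kql
// Added example, not the article's original query.
// Assumptions: AdditionalDetails carries a {key: "invitedUserEmailAddress", value: ...}
// entry for this event, and TargetResources[0] is the newly created guest object.
AuditLogs
| where ActivityDisplayName == "Invite external user"
| where Result == "success"                      // ignore failed invitation attempts
| extend Initiator = parse_json(tostring(InitiatedBy.user))
| extend initiatedBy = tostring(Initiator.userPrincipalName),
         RefObjectId = tostring(Initiator.id),
         InitiatorIp = tostring(Initiator.ipAddress)
// AdditionalDetails is an array of {key, value} objects; select the value by key.
| mv-apply Detail = AdditionalDetails on (
      summarize InvitedEmail = take_anyif(tostring(Detail.value),
                                          tostring(Detail.key) == "invitedUserEmailAddress")
  )
| extend InvitedUser = tostring(TargetResources[0].userPrincipalName),
         ObjectId = tostring(TargetResources[0].id)
// Account entity identifiers: Name holds the user part of the UPN, UPNSuffix the domain.
| extend InitiatorName = tostring(split(initiatedBy, "@")[0]),
         InitiatorUpnSuffix = tostring(split(initiatedBy, "@")[1])
| project TimeGenerated, initiatedBy, InitiatorName, InitiatorUpnSuffix, RefObjectId, InitiatorIp,
          InvitedEmail, InvitedUser, ObjectId, CorrelationId
```

InitiatorIp is worth carrying into the alert: an invitation issued from an address you have never seen an administrator use is a much stronger signal than the invitation alone, and the IP entity can be mapped in the same Entity mapping section as the accounts.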
Next, map the entities recognized by Azure Sentinel to the appropriate columns in the query results. This lets Azure Sentinel recognize the entities that are part of the alerts for further analysis.
Next, give the right Tactics for the query such as (Initial Access, and Credential Access) and then click on Create.
Once the custom query is created, navigate to Sentinel > Threat management > Hunting > Queries tab and filter by the provider (Custom Queries).
Now to monitor external identities in real-time and receive notifications when a new invitation occurs, locate the hunting query that we created in the previous step, right-click the query, and select Add to Livestream as shown in the figure below.
Now to view your Livestream session in action, navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that we added in the previous step, and make sure it’s in the ‘Running‘ state as shown in the figure below.
I will go now and invite a guest user to my Azure AD Tenant and wait for the notification to pop up. Because Livestream notifications for new events use Azure Portal notifications, you will see these notifications whenever you use the Azure portal. In my example, it took around 3 minutes for the notification to pop up after I invited a guest user. Select the notification to open the Livestream pane as shown in the figure below.
Navigate to Sentinel > Threat management > Hunting > Livestream tab. Select the Livestream query that is running and on the right-hand side click on the Open Livestream button.
Make sure that your Livestream session is running; when someone invites a guest user, you will see output similar to the figure below (InitiatedBy, InvitedUser, ObjectId, and RefObjectId).
Create an analytic rule
Now you can promote the Livestream query to an alert by creating an analytic rule from it.
From within the same Livestream session, click on the Create analytics rule as shown in the figure below.
Give the analytic rule a meaningful ‘Name‘ and ‘Description‘, then select the following 2 ‘Tactics‘ (Initial Access, and Credential Access). Those tactics are based on the MITRE ATT&CK Matrix for Enterprise. Then select ‘Medium‘ for the Severity and then click Next to Set rule logic.
In the Set rule logic tab, you will see the same rule query that we used in the previous step. You can update it or leave it as it is.
I need to enrich my alert, so I will map the following entities to the rule under the Alert enrichment (Entity mapping) section, as two Account entities, one for the inviter and one for the invitee:
- UPNSuffix = InitiatedBy
- AadUserId = RefObjectId
- UPNSuffix = InvitedUser
- AadUserId = ObjectId
Note that for the Account entity, the Name identifier is meant to hold the user-name part of a UPN and UPNSuffix the domain part. AadUserId is a strong identifier on its own, so the mapping above still resolves both accounts correctly; if you want the UPN identifiers to be exact as well, split the UPN in the query (for example with split(initiatedBy, "@")) and map the two halves to Name and UPNSuffix.
In the Query scheduling section, I will schedule this query to run every 5 minutes and look up data from the last 5 minutes. For the Alert threshold, I will keep the default value, greater than ‘0‘. I will not change any other setting in the Set rule logic tab. If ingestion latency is a concern in your workspace, a lookup period slightly longer than the run frequency avoids gaps between runs, at the cost of the same invitation possibly showing up in two consecutive runs.
Click Next to configure the Incident settings.
I will keep the default options for the Incident settings as well. However, I will enable grouping of related alerts triggered by this analytic rule into incidents, and keep the default setting: group alerts into a single incident if all the entities match (recommended). Click Next to configure the Automated response.
In the Automated response tab, I will select the automated playbook that I created earlier to post a message in the Microsoft Teams Channel to inform the SOC team members about this operation. You can also create an ‘Incident automation‘ rule if you want. Automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Click Next to review and create.
In the Review and create the page, validate the settings and click Create to start the rule creation process.
Simulate an alert
To trigger an alert, I will go now and invite another guest user to my Azure AD Tenant.
Let’s see if I have received any messages in the Microsoft Teams channel. After waiting for 5 minutes, a message popped up in my Teams channel as shown in the screenshot below, which means the analytic rule ran the playbook automatically, and the SOC team received this alert including all entity details and which Azure resource is affected.
If you switch back to Azure Sentinel and check whether any incident was created after this suspicious activity, you will see a new open incident created by the guest user invitation. You can see the incident ID number that was created by the analytic rule, as illustrated in the previous step, which has the playbook attached to it.
On the Incidents page under ‘Actions‘ for a particular incident, you can also easily ‘Create team‘ and use Microsoft Teams to take on attacks – collaborate, investigate and solve the incident/alert together.
You can also view more details of the incident by clicking on the View full details button and see all the Entities as shown in the figure below.
That’s it, there you have it. Happy Azure AD guest user hunting with Azure Sentinel!
In this article, I showed you how to create a hunting query with a Livestream session in Azure Sentinel that will trigger an alert when an administrator invites a guest user account to your Azure AD tenant. Then I have created an analytic rule that will automatically trigger a security playbook to inform the organization’s Security Operation Center (SOC) team of this activity.
Please note that this is only one automation scenario for responding to security events, posting a message in Microsoft Teams. You could also automatically block the IP address, disable the account so that any access to your tenant is denied, or assign a manager to the invited account for access review, to efficiently manage group memberships, access to enterprise applications, and role assignments.
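As an added example that is not part of the original article, the following query supports the access review side of the story: it lists invitations older than 7 days whose guest never redeemed them. Those guest objects are candidates for removal, or for the disable action mentioned above. It assumes that the ‘Redeem external user invite‘ audit event records the guest’s object id in TargetResources[0].id, the same place the invitation event records it; check a real redemption event in your tenant before relying on the join.

```kql
// Added example, not the article's original query.
// Assumption: both the invitation and the redemption audit events carry the
// guest object id in TargetResources[0].id.
let lookback = 30d;   // how far back to look for invitations
let grace = 7d;       // how long a guest gets to redeem before being flagged
let Invites = AuditLogs
| where TimeGenerated between (ago(lookback) .. ago(grace))
| where ActivityDisplayName == "Invite external user" and Result == "success"
| extend GuestObjectId = tostring(TargetResources[0].id),
         GuestUpn = tostring(TargetResources[0].userPrincipalName),
         InvitedBy = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project InvitedAt = TimeGenerated, GuestObjectId, GuestUpn, InvitedBy;
let Redeems = AuditLogs
| where TimeGenerated > ago(lookback)
| where ActivityDisplayName == "Redeem external user invite" and Result == "success"
| extend GuestObjectId = tostring(TargetResources[0].id)
| summarize RedeemedAt = min(TimeGenerated) by GuestObjectId;
// leftanti keeps only invitations with no matching redemption
Invites
| join kind=leftanti Redeems on GuestObjectId
| extend DaysPending = datetime_diff('day', now(), InvitedAt)
| project InvitedAt, DaysPending, GuestUpn, GuestObjectId, InvitedBy
| order by InvitedAt asc
```

Run it as a scheduled analytic rule with a daily frequency, or keep it as a hunting query and feed the GuestObjectId column to a playbook that disables or deletes the unredeemed guest; either way, the inviter in the InvitedBy column is the person to ask whether the access is still required.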
Additional resources I highly encourage you to check:
- Learn how to monitor Azure Storage account activity logs with Azure Sentinel.
- Learn how to monitor Azure AD emergency accounts with Azure Sentinel.
- Learn more about Azure Sentinel, check the official documentation from Microsoft.
- Learn about Analytics Rules, check the official documentation from Microsoft.
- Learn about Playbooks, check the Azure Sentinel’s GitHub page contributed by the community and Microsoft.
The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data from different sources, such as Azure platform logs, Azure AD, Azure Security Center, or other Microsoft security solutions, as well as other third-party solutions.
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.