@dirkjanm
Last active August 17, 2022 23:50
KQL query to hunt for guest invite abuse
// Guest invite abuse hunting
// Query by @_dirkjan / Outsider Security - released as CC BY (https://creativecommons.org/licenses/by/2.0/)
//
// Finds successful "Update user" events in which a Guest account's UserState
// moved from PendingAcceptance to Accepted and the change was initiated by an
// identity carrying a UPN-style name (contains "@") rather than by a
// service without one. Runs against the Microsoft Sentinel AuditLogs table
// (Azure AD / Entra ID audit logs).
AuditLogs
| where OperationName =~ "Update user"
| where Result =~ "success"
// One row per target resource, so the property checks below apply to each target
// (the expanded row is used instead of TargetResources[0] to avoid duplicate results)
| mv-expand target = TargetResources
// Initiator has a UPN-style name; first-party services typically do not
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| extend targetUPN = tostring(target.userPrincipalName)
| extend targetId = tostring(target.id)
| extend targetType = tostring(target.type)
| extend modifiedProps = target.modifiedProperties
| extend initiatedUser = tostring(InitiatedBy.user.userPrincipalName)
// One row per modified property; keep only the UserState change
| mv-expand modifiedProps
| where modifiedProps.displayName =~ "UserState"
// AdditionalDetails is an array of {key, value}; keep only Guest targets
| mv-expand AdditionalDetails
| where AdditionalDetails.key =~ "UserType" and AdditionalDetails.value =~ "Guest"
// oldValue/newValue are JSON-encoded strings such as "[\"Accepted\"]", hence parse_json(tostring(...))
| extend new_value_set = parse_json(tostring(modifiedProps.newValue))
| extend old_value_set = parse_json(tostring(modifiedProps.oldValue))
| where new_value_set[0] =~ "Accepted" and old_value_set[0] =~ "PendingAcceptance"
| project-away old_value_set, new_value_set, modifiedProps
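As an added, offline check that is not part of the gist: the same predicates the KQL query applies, re-implemented in Python over a handful of constructed records shaped like Sentinel AuditLogs rows (reduced to the fields the query touches; every UPN, object id and app display name below is invented). It lets you confirm what the query will and will not flag, including the JSON-encoded-string form of oldValue/newValue, before running it in a workspace. KQL `=~` is modelled as case-insensitive equality and `has "@"` as substring containment.

```python
"""Offline re-implementation of the guest-invite-abuse hunt (added example, not the gist's code)."""
import json

# Constructed sample records. Only the fields the KQL query uses are present.
SAMPLE_AUDIT_LOGS = [
    {   # a human/admin account flips a pending guest to Accepted: what the hunt is for
        "OperationName": "Update user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "id": "11111111-1111-1111-1111-111111111111",
            "userPrincipalName": "mallory_attacker.example#EXT#@contoso.example",
            "modifiedProperties": [
                {"displayName": "UserState", "oldValue": "[\"PendingAcceptance\"]", "newValue": "[\"Accepted\"]"},
            ],
        }],
        "AdditionalDetails": [{"key": "UserType", "value": "Guest"}],
    },
    {   # same state change, but the initiator is an app whose name has no "@" (constructed): not flagged
        "OperationName": "Update user", "Result": "success",
        "InitiatedBy": {"app": {"displayName": "Invitation Redemption Service"}},
        "TargetResources": [{
            "type": "User", "id": "22222222-2222-2222-2222-222222222222",
            "userPrincipalName": "bob_partner.example#EXT#@contoso.example",
            "modifiedProperties": [
                {"displayName": "UserState", "oldValue": "[\"PendingAcceptance\"]", "newValue": "[\"Accepted\"]"},
            ],
        }],
        "AdditionalDetails": [{"key": "UserType", "value": "Guest"}],
    },
    {   # member account, unrelated property change: not flagged
        "OperationName": "Update user", "Result": "success",
        "InitiatedBy": {"user": {"userPrincipalName": "hr.admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "id": "33333333-3333-3333-3333-333333333333",
            "userPrincipalName": "alice@contoso.example",
            "modifiedProperties": [
                {"displayName": "JobTitle", "oldValue": "[\"Analyst\"]", "newValue": "[\"Senior Analyst\"]"},
            ],
        }],
        "AdditionalDetails": [{"key": "UserType", "value": "Member"}],
    },
    {   # identical to the first record but the operation failed: not flagged
        "OperationName": "Update user", "Result": "failure",
        "InitiatedBy": {"user": {"userPrincipalName": "helpdesk.admin@contoso.example"}},
        "TargetResources": [{
            "type": "User", "id": "11111111-1111-1111-1111-111111111111",
            "userPrincipalName": "mallory_attacker.example#EXT#@contoso.example",
            "modifiedProperties": [
                {"displayName": "UserState", "oldValue": "[\"PendingAcceptance\"]", "newValue": "[\"Accepted\"]"},
            ],
        }],
        "AdditionalDetails": [{"key": "UserType", "value": "Guest"}],
    },
]


def _ieq(a, b):
    """KQL =~ : case-insensitive string equality."""
    return str(a).lower() == str(b).lower()


def _as_list(value):
    """KQL parse_json(tostring(x)): accept a JSON-encoded string or an already parsed value."""
    if isinstance(value, str):
        try:
            value = json.loads(value)
        except json.JSONDecodeError:
            return [value]
    return value if isinstance(value, list) else [value]


def initiated_by_upn_like_identity(record):
    """InitiatedBy.user.userPrincipalName has "@" or InitiatedBy.app.displayName has "@"."""
    initiated = record.get("InitiatedBy") or {}
    upn = str((initiated.get("user") or {}).get("userPrincipalName") or "")
    app = str((initiated.get("app") or {}).get("displayName") or "")
    return "@" in upn or "@" in app


def target_is_guest(record):
    """AdditionalDetails contains {key: UserType, value: Guest}."""
    return any(_ieq(d.get("key"), "UserType") and _ieq(d.get("value"), "Guest")
               for d in record.get("AdditionalDetails") or [])


def userstate_pending_to_accepted(target):
    """A modifiedProperties entry named UserState went PendingAcceptance -> Accepted."""
    for prop in target.get("modifiedProperties") or []:
        if not _ieq(prop.get("displayName"), "UserState"):
            continue
        new, old = _as_list(prop.get("newValue")), _as_list(prop.get("oldValue"))
        if new and old and _ieq(new[0], "Accepted") and _ieq(old[0], "PendingAcceptance"):
            return True
    return False


def hunt_guest_invite_abuse(records):
    """Return one hit per target resource that satisfies all of the query's predicates."""
    hits = []
    for rec in records:
        if not (_ieq(rec.get("OperationName"), "Update user") and _ieq(rec.get("Result"), "success")):
            continue
        if not initiated_by_upn_like_identity(rec) or not target_is_guest(rec):
            continue
        for target in rec.get("TargetResources") or []:   # mv-expand target = TargetResources
            if userstate_pending_to_accepted(target):
                hits.append({
                    "initiatedUser": str(((rec.get("InitiatedBy") or {}).get("user") or {}).get("userPrincipalName") or ""),
                    "targetUPN": str(target.get("userPrincipalName") or ""),
                    "targetId": str(target.get("id") or ""),
                    "targetType": str(target.get("type") or ""),
                })
    return hits


if __name__ == "__main__":
    for hit in hunt_guest_invite_abuse(SAMPLE_AUDIT_LOGS):
        print(hit)
```

Only the first record survives all four filters; the other three show the boundaries of the rule (initiator without "@", non-guest target, failed operation). If your tenant logs ordinary invitation redemptions under an initiator that does contain "@", the `has "@"` test is the line to tune.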