Skip to content

Instantly share code, notes, and snippets.

@dirkjanm
Last active Aug 17, 2022
Embed
What would you like to do?
KQL query to hunt for guest invite abuse
// Guest invite abuse hunting
// Query by @_dirkjan / Outsider Security - released as CC BY (https://creativecommons.org/licenses/by/2.0/)
AuditLogs
| where OperationName =~ "Update user"
| where Result =~ "success"
| mv-expand target = TargetResources
| where tostring(InitiatedBy.user.userPrincipalName) has "@" or tostring(InitiatedBy.app.displayName) has "@"
| extend targetUPN = tostring(TargetResources[0].userPrincipalName)
| extend targetId = tostring(TargetResources[0].id)
| extend targetType = tostring(TargetResources[0].type)
| extend modifiedProps = TargetResources[0].modifiedProperties
| extend initiatedUser = tostring(InitiatedBy.user.userPrincipalName)
| mv-expand modifiedProps
| where modifiedProps.displayName =~ "UserState"
| mv-expand AdditionalDetails
| where AdditionalDetails.key =~ "UserType" and AdditionalDetails.value =~ "Guest"
| extend new_value_set = parse_json(tostring(modifiedProps.newValue))
| extend old_value_set = parse_json(tostring(modifiedProps.oldValue))
| where new_value_set[0] =~ "Accepted" and old_value_set[0] =~ "PendingAcceptance"
| project-away old_value_set, new_value_set, modifiedProps
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment