Diving into Sentinel analytics rules

The analytics rule ‘Guest accounts added in Entra ID Groups other than the ones specified’ helps a security operations center identify unexpected and/or malicious changes in Entra ID group membership, which could indicate the following MITRE ATT&CK techniques:
- T1078: Valid Accounts
- T1136: Create Account
- T1087: Account Discovery
- T1078.004: Cloud Accounts
- T1136.003: Cloud Account
- T1087.004: Cloud Account
On the surface this kind of analytics rule is valuable: adding users to groups can indicate that an attacker has already established a presence in your Entra ID/Azure environment and is trying to establish persistence, gain additional rights, elevate privileges, and so on. What piqued my interest here was the alert description line: “(…) This detection notifies when guest users are added to Microsoft Entra ID Groups other than the ones specified and poses a risk to gain access to sensitive apps or data.”

Think about ‘other than the ones specified’: it implies a specific set of Entra ID groups. Who specified these groups? Apart from the common group characteristics and options (see the link to the Microsoft documentation), the organization of Entra ID groups can be entirely different from one tenant to the next. So, as you can see from the Sentinel screenshot above, this is a template rule that alerts a SOC as soon as users are added to groups not in the dynamically created GroupIDs variable, which contains nothing but placeholder values.
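As an added illustration (not code from this post or from Microsoft's rule template), the rule's core logic rendered in Python over constructed AuditLogs-style records: a guest user, recognised by the #EXT# marker in the UPN, added to a group whose object ID is not in the allow-list that the template's GroupIDs placeholder stands for. The record layout and property names (TargetResources, modifiedProperties, Group.ObjectID, Group.DisplayName) are assumed from the Sentinel AuditLogs schema; the GUIDs and UPNs are made up.

```python
import json


def _add_member_event(upn, group_id, group_name):
    # Constructed record in the shape of a Sentinel AuditLogs row (field names
    # assumed from that schema; newValue is stored JSON-encoded there, as here).
    return {"OperationName": "Add member to group", "Result": "success",
            "TargetResources": [{"type": "User", "userPrincipalName": upn,
                                 "modifiedProperties": [
                {"displayName": "Group.ObjectID", "newValue": json.dumps(group_id)},
                {"displayName": "Group.DisplayName", "newValue": json.dumps(group_name)}]}]}

# Sample events constructed for this example (GUIDs and UPNs are made up).
SAMPLE_AUDIT_LOGS = [
    _add_member_event("alice_fabrikam.example#EXT#@contoso.example",
                      "11111111-1111-1111-1111-111111111111", "Guest Collaboration"),
    _add_member_event("bob_partner.example#EXT#@contoso.example",
                      "22222222-2222-2222-2222-222222222222", "Finance - Sensitive Data"),
    _add_member_event("carol@contoso.example",
                      "22222222-2222-2222-2222-222222222222", "Finance - Sensitive Data"),
]

# The template's GroupIDs placeholder, filled in for this fictional tenant:
# groups where guest membership is expected and therefore not alerted on.
ALLOWED_GROUP_IDS = {"11111111-1111-1111-1111-111111111111"}


def is_guest(upn):
    """Entra ID B2B guest accounts carry the #EXT# marker in their UPN."""
    return "#EXT#" in upn.upper()


def modified_value(target, name):
    """Decode the newValue of a modifiedProperties entry, or None if absent."""
    for prop in target.get("modifiedProperties", []):
        if prop.get("displayName") == name:
            return json.loads(prop["newValue"])
    return None


def find_unexpected_guest_additions(records, allowed_group_ids):
    """Apply the rule's logic: a guest added to a group outside the allow-list."""
    hits = []
    for rec in records:
        if rec.get("OperationName") != "Add member to group" or rec.get("Result") != "success":
            continue
        for target in rec.get("TargetResources", []):
            upn = target.get("userPrincipalName") or ""
            group_id = modified_value(target, "Group.ObjectID")
            if target.get("type") == "User" and is_guest(upn) and group_id not in allowed_group_ids:
                hits.append({"guest": upn, "group_id": group_id,
                             "group_name": modified_value(target, "Group.DisplayName")})
    return hits
```

With the placeholder allow-list left empty, every guest addition fires, which is exactly the noise the template produces until a tenant fills in its own GroupIDs.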
Long story short: you tend to think (X)DR is an ‘automagical’ tool, but like every good tool you need to sharpen it and adjust it to fit your needs.