Classification:

attack

Tactic:

TA0003-persistence

Technique:

T1136-create-account

VIEW RULE IN DATADOG VIEW SIGNALS

Set up the azure integration.

Goal

Detect when an invitation is sent to an external user.

Strategy

Monitor Azure Active Directory Audit logs and detect when any @evt.name is equal to Invite external user and the @evt.outcome is equal to success.

Triage and response

Review and determine if the invitation and its recipient are valid.