General
This alarm is triggered when elevated administrative rights are granted to a guest user. The detection consists of two separate rules because two different logs record this event; the situation and the follow-up are identical in both cases.
Rationale
Guest users are created quickly in Microsoft 365, for example by adding external partners to a Teams channel. There is nothing wrong with guest users as such, but it is very unusual for such a user to receive administrative rights.
Because it is nevertheless possible, these rules exist so that every grant of such rights is investigated immediately. The role assignment itself can only be performed by someone who already holds administrative rights, so the alarm may indicate that the admin account used to make the change has been compromised.
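The detection logic the two rules share, as an added example that is not part of the original runbook: role-assignment events from both log sources are normalised into one record and flagged when the account receiving the role is a guest. Field names follow the Entra ID directory audit log (the Graph `directoryAudits` shape, activity "Add member to role") and the Microsoft 365 unified audit log (operation "Add member to role.") as understood here; the sample records are constructed, and guest accounts are recognised by the `#EXT#` marker Entra ID places in their user principal name.

```python
"""Flag directory-role grants whose target is a guest user.

Added example, not the detection platform's own rule code. Two input
shapes are supported because the event is recorded in two different logs:
  * Entra ID directory audit (Graph directoryAudits): 'activityDisplayName'
  * Microsoft 365 unified audit log: 'Operation'
Field names are assumptions based on those log formats; sample data is constructed.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class RoleGrant:
    source: str       # which log produced the event
    actor: str        # account that performed the assignment
    target: str       # UPN of the account that received the role
    role: str         # display name of the directory role
    target_is_guest: bool


def is_guest_upn(upn: str) -> bool:
    """Guest (B2B) accounts in Entra ID carry '#EXT#' in their UPN."""
    return "#EXT#" in upn.upper()


def _unquote(value: str) -> str:
    """Entra audit 'newValue' fields are JSON-encoded strings ('"Global Administrator"');
    unified audit 'NewValue' fields are plain text. Accept both forms."""
    try:
        loaded = json.loads(value)
        return loaded if isinstance(loaded, str) else value
    except (ValueError, TypeError):
        return value


def from_entra_audit(record: dict) -> Optional[RoleGrant]:
    """Normalise an Entra ID directory audit record; None if it is not a role grant."""
    if record.get("activityDisplayName") != "Add member to role":
        return None
    actor = record.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "")
    target, role = "", ""
    for res in record.get("targetResources", []):
        if res.get("type") == "User":
            target = res.get("userPrincipalName", "")
        for prop in res.get("modifiedProperties", []):
            if prop.get("displayName") == "Role.DisplayName":
                role = _unquote(prop.get("newValue", ""))
    return RoleGrant("entra_audit", actor, target, role, is_guest_upn(target))


def from_unified_audit(record: dict) -> Optional[RoleGrant]:
    """Normalise a Microsoft 365 unified audit log record; None if not a role grant."""
    if record.get("Operation") != "Add member to role.":
        return None
    actor = record.get("UserId", "")
    target = record.get("ObjectId", "")
    role = ""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            role = _unquote(prop.get("NewValue", ""))
    return RoleGrant("unified_audit", actor, target, role, is_guest_upn(target))


def detect_guest_admin_grants(records: Iterable[dict],
                              roles: Optional[set] = None) -> list[RoleGrant]:
    """Return every role grant to a guest. With 'roles' given, only those role
    names alarm; by default any directory role granted to a guest alarms, since
    the runbook treats every such grant as worth an immediate check."""
    alarms = []
    for rec in records:
        grant = from_entra_audit(rec) if "activityDisplayName" in rec else from_unified_audit(rec)
        if grant and grant.target_is_guest and (roles is None or grant.role in roles):
            alarms.append(grant)
    return alarms


# Constructed sample records (not real tenant data).
SAMPLE_RECORDS = [
    {   # Entra ID audit log: guest receives Global Administrator -> alarm
        "activityDisplayName": "Add member to role",
        "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
        "targetResources": [
            {"type": "User",
             "userPrincipalName": "partner_fabrikam.example#EXT#@contoso.example",
             "modifiedProperties": [
                 {"displayName": "Role.DisplayName",
                  "newValue": "\"Global Administrator\"", "oldValue": ""}]},
            {"type": "Role", "modifiedProperties": []},
        ],
    },
    {   # Unified audit log: same guest receives a lesser role -> alarm by default
        "Operation": "Add member to role.",
        "UserId": "admin@contoso.example",
        "ObjectId": "partner_fabrikam.example#EXT#@contoso.example",
        "ModifiedProperties": [{"Name": "Role.DisplayName",
                                "NewValue": "Directory Readers", "OldValue": ""}],
    },
    {   # Unified audit log: privileged role granted to a member account -> no alarm
        "Operation": "Add member to role.",
        "UserId": "admin@contoso.example",
        "ObjectId": "jane.doe@contoso.example",
        "ModifiedProperties": [{"Name": "Role.DisplayName",
                                "NewValue": "Exchange Administrator", "OldValue": ""}],
    },
    {   # Unrelated operation -> ignored
        "Operation": "Add user.",
        "UserId": "admin@contoso.example",
        "ObjectId": "new.user@contoso.example",
        "ModifiedProperties": [],
    },
]


if __name__ == "__main__":
    for alarm in detect_guest_admin_grants(SAMPLE_RECORDS):
        print(f"[{alarm.source}] {alarm.actor} granted '{alarm.role}' to guest {alarm.target}")
```

Because the actor is carried in every alarm, the analyst immediately knows which administrator to phone in the first follow-up step.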
Follow-up
Perform these steps to adequately follow up on this detection:
- Contact the administrator who made the change by phone to validate that the rights were consciously granted.
  - If not: consider the admin account as compromised:
    - Reset the administrator's password
    - Revoke all logged-in sessions of the administrator
    - Remove the elevated rights from the guest account, or delete the specific account entirely
    - Consider conducting an Attic Tier2 investigation to learn more about the attack (who, what, when, where, why, how?). This is strongly advised since the executing user has administrative rights.
  - If yes: assess whether the purpose of the elevated rights conflicts with company policy.
    - If yes: remove the elevated rights and provide an explanation to the employee(s)
    - If no: close the Attic incident as resolved
More Information
n/a