Create azure_ad_cross_tenant_user_provisioning.yml

[whichbuffer]

Summary of the Pull Request

This PR introduces a new detection rule, Potential Malicious Cross-Tenant Provisioning, to identify external user provisioning activities that may indicate attacker abuse of cross-tenant synchronization for backdoor account creation.

Changelog

new: Potential Malicious Cross-Tenant Provisioning - Detects suspicious external user provisioning activities in Azure.

Example Log Event

[
  {
    "id": "12345678-90ab-cdef-1234-567890abcdef",
    "category": "UserManagement",
    "activityDisplayName": "Invite external user",
    "activityDateTime": "2025-03-15T10:30:00.123Z",
    "loggedByService": "Core Directory",
    "operationType": "Add",
    "result": "Success",
    "initiatedBy": {
      "user": {
        "id": "d56789ab-cdef-1234-5678-90abcdef1234",
        "displayName": "John Doe",
        "userPrincipalName": "[email protected]",
        "ipAddress": "192.168.1.10"
      }
    },
    "targetResources": [
      {
        "id": "e7890fgh-ijkl-4567-mnop-qrstuvwxyz123",
        "displayName": "[email protected]",
        "userPrincipalName": "[email protected]",
        "type": "User",
        "modifiedProperties": [
          {
            "displayName": "InvitationState",
            "oldValue": "PendingAcceptance",
            "newValue": "Accepted"
          }
        ]
      }
    ],
    "additionalDetails": [
      {
        "key": "invitedUserEmailAddress",
        "value": "[email protected]"
      }
    ]
  },
  {
    "id": "abcdef12-3456-7890-abcd-ef1234567890",
    "category": "UserManagement",
    "activityDisplayName": "Redeem external user invite",
    "activityDateTime": "2025-03-15T11:15:45.789Z",
    "loggedByService": "Core Directory",
    "operationType": "Modify",
    "result": "Success",
    "initiatedBy": {
      "user": {
        "id": "e7890fgh-ijkl-4567-mnop-qrstuvwxyz123",
        "displayName": "[email protected]",
        "userPrincipalName": "[email protected]",
        "ipAddress": "203.0.113.45"
      }
    },
    "targetResources": [
      {
        "id": "e7890fgh-ijkl-4567-mnop-qrstuvwxyz123",
        "displayName": "[email protected]",
        "userPrincipalName": "[email protected]",
        "type": "User"
      }
    ]
  },
  {
    "id": "567890ab-cdef-1234-5678-90abcdef1234",
    "category": "UserManagement",
    "activityDisplayName": "Update User",
    "activityDateTime": "2025-03-15T12:05:30.567Z",
    "loggedByService": "Core Directory",
    "operationType": "Modify",
    "result": "Success",
    "initiatedBy": {
      "user": {
        "id": "d56789ab-cdef-1234-5678-90abcdef1234",
        "displayName": "John Doe",
        "userPrincipalName": "[email protected]",
        "ipAddress": "192.168.1.10"
      }
    },
    "targetResources": [
      {
        "id": "e7890fgh-ijkl-4567-mnop-qrstuvwxyz123",
        "displayName": "[email protected]",
        "userPrincipalName": "[email protected]",
        "type": "User",
        "modifiedProperties": [
          {
            "displayName": "AssignedRoles",
            "oldValue": "Guest",
            "newValue": "User Administrator"
          }
        ]
      }
    ]
  }
]

Fixed Issues

N/A (If this PR fixes a specific issue, provide the reference here.)

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions