Create Guest Accounts.kql

Adding initial KQL Query

Reference: https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/hunting-in-azure-subscriptions/ba-p/4125875

PurpleTeam/Guest Accounts.kql

@@ -0,0 +1,10 @@
+//Hunt for creation of new guest accounts
+
+CloudAppEvents 
+| where Timestamp > ago(7d) 
+| where ActionType == "Add user." 
+| where RawEventData.ResultStatus == "Success" 
+| where RawEventData has "guest" and RawEventData.ObjectId has "#EXT#" 
+| mv-expand Property = RawEventData.ModifiedProperties 
+| where Property.Name == "AccountEnabled" and Property.NewValue has "true" 
+| project Timestamp, AccountObjectId, AccountDisplayName, newGuestAccount = RawEventData.ObjectId, UserAgent