External User Added to Restricted Group
Alert Summary
An alert from Microsoft Sentinel, named "External User Added to Non-External Group," was triggered when Karen Kantos, an external user with the account karen.kantos_cipherauditorsllc.net#EXT#@thisisarealcompany.onmicrosoft.com, was added to the "Security Engineering - Read Only" group (Object GUID ca475f1a-8d25-4220-a72c-9cb052ec85e1). The incident, detected on December 5, 2024, involves Emily Eaton, who appears to be the actor responsible for adding the external user, and is classified at medium severity. The tactics associated with this alert are Persistence, Privilege Escalation, and Discovery, with the techniques identified as T1078 (Valid Accounts), T1136 (Create Account), and T1087 (Account Discovery).
Top Findings
Legitimate business relationship between cipherauditorsllc.net and thisisarealcompany.com.
emily.eaton@thisisarealcompany.com holds several privileged roles and permissions.
The IP 2611:2230:429:6::2e is not normally used by emily.eaton@thisisarealcompany.com.
The IP 2611:2230:429:6::2e is active in the Microsoft environment.
Conclusion
The alert was assessed as benign because there is a legitimate business relationship between cipherauditorsllc.net and thisisarealcompany.com, as evidenced by ongoing email communications, which indicates that the addition of the external user karen.kantos_ciphera… to the group was part of legitimate business activity.
Associated Entities
2611:2230:429:6::2e
emily.eaton@thisisarealcompany.com
karen.kantos_cipherauditorsllc.net#EXT#@thisisarealcompany.onmicrosoft.com