Successful unusual guest user invitation

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2026-01-04
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD Audit Log

Detection Modules

Identity Threat Module

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Response playbooks

Variations of this detector that create incidents have an out-of-the-box (OOTB) response playbook included in the Cortex Response and Remediation Pack.

Description

An identity successfully invited a guest user to the tenant with unusual characteristics.

Attacker's Goals

An attacker can invite users for evasion.

Investigative actions

  • Check who the invited guest user is.
  • Check whether the inviter is permitted to perform such actions.
  • Check if the domain of the invited guest is allowed for invitations in the organization.

Variations

Rare successful guest invitation in the organization

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Response playbooks

Successful guest user invitation

Description

An identity successfully invited a suspicious guest user to the tenant.

Attacker's Goals

An attacker can invite users for evasion.

Investigative actions

  • Check who the invited guest user is.
  • Check whether the inviter is permitted to perform such actions.
  • Check if the domain of the invited guest is allowed for invitations in the organization.
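
The three investigative actions above can be scripted over exported audit records. The following is an added example, not Cortex XSIAM code: the records are constructed, their field names (`activityDisplayName`, `initiatedBy`, `additionalDetails`, `invitedUserEmailAddress`) are assumed to follow the Microsoft Graph directory audit layout, and `ALLOWED_DOMAINS` and `PERMITTED_INVITERS` are hypothetical organization lists.

```python
# Added example: triage successful guest invitations against two local policy lists.
ALLOWED_DOMAINS = {"partner.example"}           # assumption: domains approved for invitations
PERMITTED_INVITERS = {"it-admin@corp.example"}  # assumption: identities allowed to invite


def make_event(activity, result, inviter, guest):
    """Build a constructed record shaped like a directory audit entry."""
    return {"activityDisplayName": activity, "result": result,
            "initiatedBy": {"user": {"userPrincipalName": inviter} if inviter else None},
            "additionalDetails": [{"key": "invitedUserEmailAddress", "value": guest}]}


SAMPLE_EVENTS = [  # constructed sample data
    make_event("Invite external user", "success", "it-admin@corp.example", "ann@partner.example"),
    make_event("Invite external user", "success", "jdoe@corp.example", "x9@mail.example"),
    make_event("Invite external user", "failure", "jdoe@corp.example", "y@mail.example"),
    make_event("Add user", "success", "it-admin@corp.example", ""),
    make_event("Invite external user", "success", None, "bob@partner.example"),  # app-initiated
]


def invited_email(event):
    """Return the invited address from additionalDetails, lower-cased, or ''."""
    for item in event.get("additionalDetails") or []:
        if item.get("key") == "invitedUserEmailAddress":
            return (item.get("value") or "").strip().lower()
    return ""


def triage(event):
    """Return None for anything but a successful invitation, else the check results."""
    if event.get("activityDisplayName") != "Invite external user":
        return None
    if (event.get("result") or "").lower() != "success":
        return None
    user = (event.get("initiatedBy") or {}).get("user") or {}
    inviter = (user.get("userPrincipalName") or "").lower()
    guest = invited_email(event)                      # who is the invited guest
    domain = guest.rpartition("@")[2] if "@" in guest else ""
    reasons = []
    if inviter not in PERMITTED_INVITERS:             # is the inviter permitted
        reasons.append("inviter not in permitted list")
    if domain not in ALLOWED_DOMAINS:                 # is the guest domain allowed
        reasons.append("guest domain not in allowlist")
    return {"inviter": inviter, "guest": guest, "domain": domain, "reasons": reasons}


def review(events):
    """Return only the invitations that failed at least one check."""
    return [r for r in map(triage, events) if r and r["reasons"]]
```

An invitation with no user initiator (for example, one made by an application) is reported with an empty inviter so that it is reviewed rather than silently passed.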