Temporary Access Pass Added To An Account

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Sigma rule (View on GitHub)

 1title: Temporary Access Pass Added To An Account
 2id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
 3status: test
 4description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
 5references:
 6    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-privileged-accounts#changes-to-privileged-accounts
 7author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
 8date: 2022/08/10
 9tags:
10    - attack.persistence
11    - attack.t1078.004
12logsource:
13    product: azure
14    service: auditlogs
15detection:
16    selection:
17        properties.message: Admin registered security info
18        Status: Admin registered temporary access pass method for user
19    condition: selection
20falsepositives:
21    - Administrator adding a legitimate temporary access pass
22level: high

References

Related rules

to-top