Query Details

Blocked Sign In By User Credential Policy With TAP Outside Of The Authentication Methods Policy

Query

// Time range between generation of TAP and login attempts
let logonDiff = 4h;
AuditLogs
| where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
| extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TAPTargetId = tostring(TargetResources[0].id)
| project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
| join kind= inner (
    SigninLogs
    // Error Code "130502" seems to be audited in case of "Temporary Access Pass sign in was blocked due to User Credential Policy.", no documentation available as far as I know
    | where ResultType == "130502"
    | where AuthenticationDetails contains "Temporary Access Pass"
    | project SignInAttemptTime = TimeGenerated, UserPrincipalName, SignInAttemptIPAddress = IPAddress
) on UserPrincipalName
| where TAPGeneratedTime < SignInAttemptTime and SignInAttemptTime - TAPGeneratedTime <= logonDiff
| summarize TAPGeneratedTime = max(TAPGeneratedTime), SignInAttemptTime = max(SignInAttemptTime) by UserPrincipalName, TAPInitiatingUserOrApp, SignInAttemptIPAddress
| extend timestamp = SignInAttemptTime, AccountCustomEntity = TAPInitiatingUserOrApp, IPCustomEntity = SignInAttemptIPAddress

Explanation

This query identifies when a privileged user has generated a temporary access pass (TAP) outside of the Authentication Methods policy and sign-in was blocked due to User Credential Policy. It looks for audit logs where the TAP method was registered for a user and then joins it with sign-in logs where the TAP was used. The query calculates the time difference between the generation of the TAP and the sign-in attempt and summarizes the results by user, initiating user or app, and sign-in IP address. The query is scheduled to run daily and requires data connectors for Azure Active Directory sign-in and audit logs. The severity of this issue is medium. The relevant techniques are Credential Access and Initial Access.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogsSigninLogs

Keywords

BlockedSigninLogsAuditLogsAuthentication MethodsAdmintemporary access passUser Credential PolicyLoggedByServiceResultDescriptionInitiatedByuserPrincipalNameappipAddressTargetResourcesTimeGeneratedTargetUpnTargetIdSignInAttemptTimeResultTypeAuthenticationDetailsSignInAttemptIPAddresslogonDifftimestampAccountCustomEntityIPCustomEntityFullNameAddress

Operators

whereextendiffisnotemptytostringtolowerprojectjoinonsummarizemax

Severity

Medium

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub