Query Details

Blocked Sign In By User Credential Policy With TAP Outside Of The Authentication Methods Policy

Query

id: 0cbd98b9-300a-4f91-b888-fb2302f77607
name: Blocked sign-in by User Credential Policy with TAP outside of the Authentication Methods Policy.
description: |
  'Identifies when a privileged user has generated a temporary access pass (TAP) outside of the Authentication Methods policy and sign-in was blocked due to User Credential Policy.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110
  - T1078
query: |
  // Time range between generation of TAP and login attempts
  let logonDiff = 4h;
  AuditLogs
  | where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
  | extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
  | extend TAPTargetId = tostring(TargetResources[0].id)
  | project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
  | join kind= inner (
      SigninLogs
      // Error Code "130502" seems to be audited in case of "Temporary Access Pass sign in was blocked due to User Credential Policy.", no documentation available as far as I know
      | where ResultType == "130502"
      | where AuthenticationDetails contains "Temporary Access Pass"
      | project SignInAttemptTime = TimeGenerated, UserPrincipalName, SignInAttemptIPAddress = IPAddress
  ) on UserPrincipalName
  | where TAPGeneratedTime < SignInAttemptTime and SignInAttemptTime - TAPGeneratedTime <= logonDiff
  | summarize TAPGeneratedTime = max(TAPGeneratedTime), SignInAttemptTime = max(SignInAttemptTime) by UserPrincipalName, TAPInitiatingUserOrApp, SignInAttemptIPAddress
  | extend timestamp = SignInAttemptTime, AccountCustomEntity = TAPInitiatingUserOrApp, IPCustomEntity = SignInAttemptIPAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

Explanation

This query identifies when a temporary access pass (TAP) was registered for a user by an administrator (or an application) through the Authentication Methods service, and a subsequent sign-in with that TAP was blocked by the User Credential Policy. It selects AuditLogs entries whose ResultDescription is "Admin registered temporary access pass method for user", records who initiated the registration (the initiating user's UPN, or the app display name when the action was app-driven) and the target user's UPN, and joins them on UserPrincipalName with SigninLogs entries whose ResultType is 130502 and whose AuthenticationDetails mention "Temporary Access Pass". Only sign-in attempts that occur after the TAP was registered and within the logonDiff window of 4 hours are kept; the results are then summarized by target user, initiating user or app, and sign-in IP address, keeping the latest TAP registration time and the latest sign-in attempt time per group. Two details worth knowing when tuning or triaging: the Account entity mapped on the alert (AccountCustomEntity) is the initiating user or app, not the targeted user, and the initiating IP address (TAPInitiatingIpAddress) is extracted but dropped by the summarize step. The join key is lowercased on the AuditLogs side only; since join equality in KQL is case-sensitive, a SigninLogs UserPrincipalName containing upper-case characters would not match. The query is scheduled to run daily over the last day of data and requires the Azure Active Directory connector with the SigninLogs and AuditLogs data types. The severity is Medium; the tactics are Credential Access and Initial Access, with relevant techniques T1110 and T1078.
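The correlation the query performs, replayed in Python over a handful of constructed AuditLogs and SigninLogs records. This is an added illustration, not code from the page's author or from the Sentinel rule itself; the sample records, the UPNs, the IP addresses, the app name HelpdeskAutomation and the AuthenticationDetails payload are all constructed, and ResultType 130502 is used only because the query filters on it. One deliberate deviation from the KQL: the sign-in side of the join key is lowercased as well, because the original lowercases only the audit side and join equality in KQL is case-sensitive.

```python
from datetime import datetime, timedelta

LOGON_DIFF = timedelta(hours=4)  # the query's logonDiff
TAP_EVENT = "Admin registered temporary access pass method for user"
BLOCKED_RESULT_TYPE = "130502"   # the ResultType the query filters on


def tap_registrations(audit_logs):
    """AuditLogs side of the query: one row per admin-registered TAP."""
    rows = []
    for rec in audit_logs:
        if rec.get("LoggedByService") != "Authentication Methods":
            continue
        if rec.get("ResultDescription") != TAP_EVENT:
            continue
        user = rec.get("InitiatedBy", {}).get("user") or {}
        app = rec.get("InitiatedBy", {}).get("app") or {}
        target = (rec.get("TargetResources") or [{}])[0]
        rows.append({
            "TAPGeneratedTime": rec["TimeGenerated"],
            # tolower(TargetResources[0].userPrincipalName)
            "UserPrincipalName": (target.get("userPrincipalName") or "").lower(),
            # iff(isnotempty(InitiatedBy.user.userPrincipalName), user UPN, app displayName)
            "TAPInitiatingUserOrApp": user.get("userPrincipalName") or app.get("displayName", ""),
            "TAPInitiatingIpAddress": user.get("ipAddress") or app.get("ipAddress", ""),
        })
    return rows


def blocked_tap_signins(signin_logs):
    """SigninLogs side: ResultType 130502 with a TAP in AuthenticationDetails."""
    rows = []
    for rec in signin_logs:
        if str(rec.get("ResultType")) != BLOCKED_RESULT_TYPE:
            continue
        if "Temporary Access Pass" not in rec.get("AuthenticationDetails", ""):
            continue
        rows.append({
            "SignInAttemptTime": rec["TimeGenerated"],
            # Lowercased here too; the original KQL lowercases only the audit side.
            "UserPrincipalName": rec["UserPrincipalName"].lower(),
            "SignInAttemptIPAddress": rec["IPAddress"],
        })
    return rows


def correlate(audit_logs, signin_logs, logon_diff=LOGON_DIFF):
    """Inner join on UPN, keep attempts after the TAP and within logon_diff,
    then summarize max() of both times by (UPN, initiator, sign-in IP)."""
    groups = {}
    for tap in tap_registrations(audit_logs):
        for attempt in blocked_tap_signins(signin_logs):
            if tap["UserPrincipalName"] != attempt["UserPrincipalName"]:
                continue
            t_tap, t_try = tap["TAPGeneratedTime"], attempt["SignInAttemptTime"]
            if not (t_tap < t_try and t_try - t_tap <= logon_diff):
                continue
            key = (tap["UserPrincipalName"], tap["TAPInitiatingUserOrApp"],
                   attempt["SignInAttemptIPAddress"])
            g = groups.setdefault(key, {"TAPGeneratedTime": t_tap, "SignInAttemptTime": t_try})
            g["TAPGeneratedTime"] = max(g["TAPGeneratedTime"], t_tap)
            g["SignInAttemptTime"] = max(g["SignInAttemptTime"], t_try)
    return [
        {"UserPrincipalName": upn, "TAPInitiatingUserOrApp": who,
         "SignInAttemptIPAddress": ip, **times,
         # entityMappings: Account = the initiator, IP = the sign-in source
         "AccountCustomEntity": who, "IPCustomEntity": ip}
        for (upn, who, ip), times in sorted(groups.items())
    ]


# Constructed sample records (not real tenant data), shaped like the columns the query reads.
def T(h, m=0):
    return datetime(2023, 8, 23, h, m)

TAP_DETAIL = '[{"authenticationMethod":"Temporary Access Pass","succeeded":false}]'  # constructed

def audit(t, target, initiated_by):
    return {"TimeGenerated": t, "LoggedByService": "Authentication Methods",
            "ResultDescription": TAP_EVENT, "InitiatedBy": initiated_by,
            "TargetResources": [{"userPrincipalName": target}]}

def signin(t, upn, ip, details=TAP_DETAIL, result="130502"):
    return {"TimeGenerated": t, "ResultType": result, "AuthenticationDetails": details,
            "UserPrincipalName": upn, "IPAddress": ip}

ADMIN = {"user": {"userPrincipalName": "admin@contoso.example", "ipAddress": "203.0.113.10"}}
APP = {"app": {"displayName": "HelpdeskAutomation", "ipAddress": "203.0.113.11"}}
AUDIT_LOGS = [
    audit(T(9), "Alice@Contoso.example", ADMIN),   # mixed case on the audit side
    audit(T(9), "bob@contoso.example", ADMIN),
    audit(T(9, 30), "dave@contoso.example", APP),  # app-initiated registration
]
SIGNIN_LOGS = [
    signin(T(10, 30), "alice@contoso.example", "198.51.100.7"),  # inside the window: alert
    signin(T(11), "alice@contoso.example", "198.51.100.7"),      # same group, later max()
    signin(T(8), "alice@contoso.example", "198.51.100.8"),       # before the TAP: dropped
    signin(T(15), "bob@contoso.example", "198.51.100.9"),        # 6h after the TAP: dropped
    signin(T(10), "dave@contoso.example", "198.51.100.9"),       # app-initiated TAP: alert
    signin(T(10), "carol@contoso.example", "198.51.100.5", details='[{"authenticationMethod":"Password"}]'),
    signin(T(10, 45), "alice@contoso.example", "198.51.100.7", result="0"),  # not 130502
]

if __name__ == "__main__":
    for row in correlate(AUDIT_LOGS, SIGNIN_LOGS):
        print(row)
```

Running the module prints the two rows that would become alerts: Alice's two attempts collapse into a single row keyed by target user, initiating admin and source IP with the later attempt time kept by max(), Dave's row carries the app display name as the Account entity, and Bob's attempt six hours after the TAP and Alice's attempt from before the TAP are discarded by the time-window filter.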

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs, SigninLogs

Keywords

Blocked,SigninLogs,AuditLogs,AuthenticationMethods,Admin,temporaryaccesspass,UserCredentialPolicy,LoggedByService,ResultDescription,InitiatedBy,userPrincipalName,app,ipAddress,TargetResources,TimeGenerated,TargetUpn,TargetId,SignInAttemptTime,ResultType,AuthenticationDetails,SignInAttemptIPAddress,logonDiff,timestamp,AccountCustomEntity,IPCustomEntity,FullName,Address

Operators

where, extend, iff, isnotempty, tostring, tolower, project, join, on, summarize, max