Query Details
Registration Of TAP By Admin After Successful Strong Authentication From User
Query
id: a8c40d05-59dc-4fb3-b680-2563157bd7aa
name: Registration of TAP by admin after successful strong authentication from user
description: |
'Identifies when a privileged user has generated a temporary access pass (TAP) and a successful multiFactorAuthentication was used by the user within a specific time window.
This may indicate a suspicious admin activity because the user should be able to add a security key on their own.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- CredentialAccess
- InitialAccess
relevantTechniques:
- T1110
- T1078
query: |
let logonDiff = 4h;
AuditLogs
| where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
| extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TAPTargetId = tostring(TargetResources[0].id)
| project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
| join kind= inner (
SigninLogs
| where ResultType == "0"
| where AuthenticationRequirement == "multiFactorAuthentication" or AuthenticationDetails contains "Windows Hello" or AuthenticationMethodsUsed contains "FIDO2"
| project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress
) on UserPrincipalName
| where TAPGeneratedTime > SuccessLogonTime and TAPGeneratedTime - SuccessLogonTime <= logonDiff
| summarize TAPGeneratedTime = max(TAPGeneratedTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, TAPInitiatingUserOrApp
| extend timestamp = TAPGeneratedTime, AccountCustomEntity = TAPInitiatingUserOrApp
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
version: 1.0.1
kind: ScheduledExplanation
This query is designed to identify suspicious activity where a privileged user registers a temporary access pass (TAP) for a user after the user has successfully completed multi-factor authentication. The query looks for logs in Azure Active Directory that indicate an admin registered a TAP for a user, and then joins those logs with sign-in logs to verify that the user had successfully completed multi-factor authentication within a specific time window. The query summarizes the relevant information and maps it to the "Account" entity type. The query is scheduled to run daily.
Details
Thomas Naunheim
Released: August 23, 2023
Tables
AuditLogsSigninLogs
Keywords
Keywords:Registration,TAP,Admin,StrongAuthentication,User,PrivilegedUser,MultiFactorAuthentication,SecurityKey,SuspiciousActivity,AzureActiveDirectory,SigninLogs,AuditLogs,AuthenticationMethods,ResultDescription,InitiatedBy,TargetResources,TimeGenerated,UserPrincipalName,IPAddress,ResultType,AuthenticationRequirement,AuthenticationDetails,AuthenticationMethodsUsed,SuccessLogonTime,SuccessIPAddress,logonDiff,timestamp,AccountCustomEntity,entityType,fieldMappings,FullName,Scheduled
Operators
letwhereextendiffisnotemptytostringprojectjoinonsummarizemax