Query Details

Registration Of TAP By Admin After Successful Strong Authentication From User

Query

let logonDiff = 4h;
AuditLogs
| where LoggedByService == "Authentication Methods" and ResultDescription == "Admin registered temporary access pass method for user"
| extend TAPInitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend TAPInitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
| extend TAPTargetUpn = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TAPTargetId = tostring(TargetResources[0].id)
| project TAPGeneratedTime = TimeGenerated, UserPrincipalName = TAPTargetUpn, TAPInitiatingUserOrApp, TAPInitiatingIpAddress
| join kind= inner (
    SigninLogs
    | where ResultType == "0"
    | where AuthenticationRequirement == "multiFactorAuthentication" or AuthenticationDetails contains "Windows Hello" or AuthenticationMethodsUsed  contains "FIDO2"
    | project SuccessLogonTime = TimeGenerated, UserPrincipalName, SuccessIPAddress = IPAddress
) on UserPrincipalName
| where TAPGeneratedTime > SuccessLogonTime and TAPGeneratedTime - SuccessLogonTime <= logonDiff
| summarize TAPGeneratedTime = max(TAPGeneratedTime), SuccessLogonTime = max(SuccessLogonTime) by UserPrincipalName, TAPInitiatingUserOrApp
| extend timestamp = TAPGeneratedTime, AccountCustomEntity = TAPInitiatingUserOrApp

Explanation

This query is designed to identify suspicious activity where a privileged user registers a temporary access pass (TAP) for a user after the user has successfully completed multi-factor authentication. The query looks for logs in Azure Active Directory that indicate an admin registered a TAP for a user, and then joins those logs with sign-in logs to verify that the user had successfully completed multi-factor authentication within a specific time window. The query summarizes the relevant information and maps it to the "Account" entity type. The query is scheduled to run daily.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogsSigninLogs

Keywords

Keywords: RegistrationTAPAdminStrong AuthenticationUserPrivileged UserMultiFactorAuthenticationSecurity KeySuspicious ActivityAzureActiveDirectorySigninLogsAuditLogsAuthentication MethodsResultDescriptionInitiatedByTargetResourcesTimeGeneratedUserPrincipalNameIPAddressResultTypeAuthenticationRequirementAuthenticationDetailsAuthenticationMethodsUsedSuccessLogonTimeSuccessIPAddresslogonDifftimestampAccountCustomEntityentityTypefieldMappingsFullNameScheduled

Operators

letwhereextendiffisnotemptytostringprojectjoinonsummarizemax

Severity

Medium

Tactics

CredentialAccessInitialAccess

MITRE Techniques

Frequency: 1d

Period: 1d

Actions

GitHub