security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
80098113d06750ddb9ab275d7df1049f88d4ea7c
blue-team-tools/rules/cloud/azure/azure_tap_added.yml
T
Mark Morowczynski d1c5153103 Create azure_tap_added.yml 
Detection for temporary access pass (TAP) added to an account.
2022-08-10 07:09:09 -07:00

24 lines
902 B
YAML
Raw Blame History

title: Temporary Access Pass Added To An Account
id: fa84aaf5-8142-43cd-9ec2-78cfebf878ce
status: experimental
description: Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/10
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts
logsource:
product: azure
service: auditlogs
detection:
selection:
properties.message: Admin registered security info
Status: Admin registered temporary access pass method for user
condition: selection
falsepositives:
- Administrator adding a legitmate temporary access pass
tags:
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1078
level: high
Reference in New Issue View Git Blame Copy Permalink