Addition of a Temporary Access Pass to a Privileged Account

let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where OperationName =~ "Admin registered security info"
  | where ResultReason =~ "Admin registered temporary access pass method for user"
  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(userPrincipalName) in (admin_users)

requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
triggerOperator: gt
queryFrequency: 1d
name: Addition of a Temporary Access Pass to a Privileged Account
tags:
- AADSecOpsGuide
queryPeriod: 1d
metadata:
  categories:
    domains:
    - Security - Threat Protection
    - Identity
  support:
    tier: Community
  author:
    name: Pete Bryan
  source:
    kind: Community
id: d7feb859-f03e-4e8d-8b21-617be0213b13
description: |
  'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.
    A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.
    A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.
    Review any TAP creations to ensure they were used legitimately.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'  
severity: High
query: |
  let admin_users = (IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    AuditLogs
    | where OperationName =~ "Admin registered security info"
    | where ResultReason =~ "Admin registered temporary access pass method for user"
    | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)
    | where tolower(userPrincipalName) in (admin_users)  
version: 1.0.2
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: userPrincipalName
relevantTechniques:
- T1078.004
tactics:
- Persistence
triggerThreshold: 0

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d7feb859-f03e-4e8d-8b21-617be0213b13')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Addition of a Temporary Access Pass to a Privileged Account",
        "description": "'Detects when a Temporary Access Pass (TAP) is created for a Privileged Account.\n  A Temporary Access Pass is a time-limited passcode issued by an admin that satisfies strong authentication requirements and can be used to onboard other authentication methods, including Passwordless ones such as Microsoft Authenticator or even Windows Hello.\n  A threat actor could use a TAP to register a new authentication method to maintain persistance to an account.\n  Review any TAP creations to ensure they were used legitimately.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#changes-to-privileged-accounts'\n",
        "severity": "High",
        "enabled": true,
        "query": "let admin_users = (IdentityInfo\n  | summarize arg_max(TimeGenerated, *) by AccountUPN\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  AuditLogs\n  | where OperationName =~ \"Admin registered security info\"\n  | where ResultReason =~ \"Admin registered temporary access pass method for user\"\n  | extend userPrincipalName = tostring(TargetResources[0].userPrincipalName)\n  | where tolower(userPrincipalName) in (admin_users)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "d7feb859-f03e-4e8d-8b21-617be0213b13",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "userPrincipalName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.2",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/AdditionofaTemporaryAccessPasstoaPrivilegedAccount.yaml"
      }
    }
  ]
}