Azure Temporary Access Pass (TAP) registered to an account

Cortex XDR Analytics Alert Reference by data source

Last date published: 2024-04-15
Order: data source

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AzureAD Audit Log
Detection Modules	Identity Threat Module
ATT&CK Tactic	Defense Evasion (TA0005) Privilege Escalation (TA0004)
ATT&CK Technique	Valid Accounts (T1078)
Severity	Informational

Description

An identity registered an Azure Temporary Access Pass (TAP) to an account.

Attacker's Goals

A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.

Investigative actions

Check if the account that got the TAP should get it.
Check whether the account that registered the TAP is supposed to perform such actions.
Check if the TAP was registered to a privileged account.
Follow further actions done by the initiator and the account with the TAP.

Variations

Abnormal Azure Temporary Access Pass (TAP) account registration

Synopsis

ATT&CK Tactic

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Description

An identity registered an Azure Temporary Access Pass (TAP) to an account.

Attacker's Goals

A TAP can allow setting of other authentication methods and can be used as an initial replacement of a multifactor authentication.

Investigative actions

Check if the account that got the TAP should get it.
Check whether the account that registered the TAP is supposed to perform such actions.
Check if the TAP was registered to a privileged account.
Follow further actions done by the initiator and the account with the TAP.