LoFP / administrator adding a legitimate temporary access pass

Techniques

• t1078
• t1078.004

Sample rules

Temporary Access Pass Added To An Account

• source: sigma
• technicques:
  • t1078
  • t1078.004

Description

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Detection logic

condition: selection
selection:
  Status: Admin registered temporary access pass method for user
  properties.message: Admin registered security info