
Summary
This detection rule identifies when a Temporary Access Pass (TAP) is added to an account, with a focus on privileged accounts. It matches events whose properties indicate that an admin registered security information and whose status message indicates that a temporary access pass was registered for a user. Given the risk of unauthorized access to privileged accounts, each match should be investigated to confirm that it is legitimate. False positives occur when an administrator adds a TAP as part of normal duties, so the monitoring process needs a filtering mechanism. Investigation should examine who made the change and whether the context aligns with typical administrative duties. In environments that use TAPs, the rule helps track potentially unauthorized changes and supports the security measures that protect sensitive account data.
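One way to apply the match and the false-positive filtering described above, as an added example that is not the rule's own code: the field names assume the Microsoft Graph directoryAudit schema and the exact message strings are assumed from the summary's wording, while the account lists and sample events are constructed.

```python
# Added example. Field names assume the Microsoft Graph directoryAudit schema;
# the account lists and sample events below are constructed.
ACTIVITY = "Admin registered security info"
REASON = "Admin registered temporary access pass method for user"
PRIVILEGED_USERS = {"ga-admin@contoso.example"}            # hypothetical inventory
APPROVED_TAP_ISSUERS = {"helpdesk-lead@contoso.example"}   # hypothetical allowlist


def is_tap_registration(event):
    """True when the event records an admin registering a TAP for a user."""
    reason = (event.get("resultReason") or "").lower()
    return event.get("activityDisplayName") == ACTIVITY and REASON.lower() in reason


def triage(event):
    """Return None for unrelated events, else actor, targets and a severity."""
    if not is_tap_registration(event):
        return None
    user = (event.get("initiatedBy") or {}).get("user") or {}
    actor = (user.get("userPrincipalName") or "").lower()
    targets = [(t.get("userPrincipalName") or "").lower()
               for t in event.get("targetResources") or []]
    if not any(t in PRIVILEGED_USERS for t in targets):
        severity = "info"      # TAP on a non-privileged account
    elif actor in APPROVED_TAP_ISSUERS:
        severity = "review"    # expected admin duty, kept for audit
    else:
        severity = "high"      # privileged target, unexpected issuer
    return {"actor": actor, "targets": targets, "severity": severity}


def make_event(actor, target, activity=ACTIVITY, reason=REASON + "."):
    """Build a constructed audit event for the samples."""
    return {"activityDisplayName": activity, "resultReason": reason,
            "initiatedBy": {"user": {"userPrincipalName": actor}},
            "targetResources": [{"userPrincipalName": target}]}


SAMPLES = [
    make_event("helpdesk-lead@contoso.example", "ga-admin@contoso.example"),
    make_event("intern@contoso.example", "GA-Admin@contoso.example"),
    make_event("helpdesk-lead@contoso.example", "alice@contoso.example"),
    make_event("intern@contoso.example", "ga-admin@contoso.example",
               activity="User registered security info", reason="User registered"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

Events initiated by an application rather than a user carry no actor UPN and therefore fall through to `high` when the target is privileged.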
Categories
- Cloud
- Identity Management
Data Sources
- Cloud Service
- Application Log
Created: 2022-08-10