Query Details

Operation download all users in Azure Active directory performed

Azure AD Download All Users

Query

AuditLogs
| where OperationName contains "Download users"
| extend InitiatedByInfo = parse_json(InitiatedBy).['user']
| extend InitiatedByUser = InitiatedByInfo.userPrincipalName
| project-reorder OperationName, ResultDescription, InitiatedByUser, TimeGenerated

About this query

Operation download all users in Azure Active directory performed

Query Information

MITRE ATT&CK Technique(s)

Technique IDTitleLink
T1087.004Account Discovery: Cloud Accounthttps://attack.mitre.org/techniques/T1087/004/
T1069.003Permission Groups Discovery: Cloud Groupshttps://attack.mitre.org/techniques/T1069/003/

Description

Detect when a user account downloads all Azure Active Directory users. This can be used to dump all Azure AD users. Both admin and non-admin users can download user lists.

Risk

A malicious actor downloads Azure Active Directory to gain valuable information of the users and groups in your domain.

References

Sentinel

Explanation

This query is designed to detect and log instances where a user downloads all users from Azure Active Directory. Here's a simple breakdown of what the query does:

  1. Data Source: It uses the AuditLogs table, which contains logs of various operations performed in Azure.

  2. Filter: The query filters the logs to find entries where the OperationName includes the phrase "Download users". This indicates an operation where a list of Azure AD users was downloaded.

  3. Extract Information:

    • It extracts information about who initiated the download operation by parsing the InitiatedBy field to get the userPrincipalName of the user who performed the action.
  4. Output:

    • The query then organizes the output to show the OperationName, ResultDescription, InitiatedByUser (the user who initiated the download), and TimeGenerated (when the operation occurred).
  5. Purpose: The purpose of this query is to monitor and identify potential security risks by detecting when someone, whether an admin or a non-admin, downloads the list of users from Azure Active Directory. This could be a sign of malicious activity if done without proper authorization.

In summary, the query helps in identifying and tracking the download of user lists from Azure AD, which is crucial for maintaining security and preventing unauthorized access to sensitive user information.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AuditLogs

Keywords

AuditLogsOperationNameInitiatedByInfoInitiatedByUserTimeGenerated

Operators

containsextendparse_jsonproject-reorderwhere

Actions

GitHub