# Operation download all users in Azure Active Directory performed

## Query Information

#### MITRE ATT&CK Technique(s)

| Technique ID | Title | Link |
| --- | --- | --- |
| T1087.004 | Account Discovery: Cloud Account | https://attack.mitre.org/techniques/T1087/004/ |
| T1069.003 | Permission Groups Discovery: Cloud Groups | https://attack.mitre.org/techniques/T1069/003/ |

#### Description

Detect when a user account downloads all Azure Active Directory users. This can be used to dump all Azure AD users. Both admin and non-admin users can download user lists.

#### Risk

A malicious actor downloads the Azure Active Directory user list to gain valuable information about the users and groups in your domain.

#### References

- https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/users-bulk-download

## Sentinel

```
AuditLogs
| where OperationName contains "Download users"
| extend InitiatedByInfo = parse_json(InitiatedBy).['user']
| extend InitiatedByUser = InitiatedByInfo.userPrincipalName
| project-reorder OperationName, ResultDescription, InitiatedByUser, TimeGenerated
```
This query detects when a user account downloads all users in Azure Active Directory. It looks for audit log entries whose operation name contains "Download users" (the KQL `contains` operator matches case-insensitively), extracts the user principal name of the account that initiated the download from the `InitiatedBy` column, and keeps the event time. The purpose of this query is to identify actors who may be trying to gain valuable information about the users and groups in the domain.
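The same detection logic applied offline to a few constructed AuditLogs rows, as an added Python example that is not part of the original query page or its author's repository. It mirrors the Sentinel query above: a case-insensitive "Download users" match on `OperationName`, extraction of `InitiatedBy.user.userPrincipalName`, and projection of the same four columns. One caveat the KQL silently ignores is handled here as an assumption: when a download is initiated by an application rather than a user, `InitiatedBy` carries an `app` object instead of `user`, so `InitiatedByUser` would be empty in Sentinel; the example falls back to the app display name so the event is not lost. The sample rows and every value in them are constructed for illustration.

```python
import json
from dataclasses import dataclass

# Constructed sample AuditLogs rows (not real tenant data). The column names follow
# the Microsoft Sentinel AuditLogs table; InitiatedBy is stored as a JSON string,
# just as the KQL query's parse_json(InitiatedBy) expects.
SAMPLE_AUDIT_LOGS = [
    {
        "TimeGenerated": "2023-02-14T09:12:44Z",
        "OperationName": "Download users",
        "ResultDescription": "",
        "InitiatedBy": json.dumps(
            {"user": {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10"}}
        ),
    },
    {
        "TimeGenerated": "2023-02-14T09:15:01Z",
        "OperationName": "Add user",  # unrelated operation, must not match
        "ResultDescription": "",
        "InitiatedBy": json.dumps({"user": {"userPrincipalName": "bob@example.com"}}),
    },
    {
        "TimeGenerated": "2023-02-14T10:02:13Z",
        "OperationName": "download users",  # lowercase: KQL contains still matches
        "ResultDescription": "Completed",
        # App-initiated event: no "user" key (assumption about the InitiatedBy shape)
        "InitiatedBy": json.dumps(
            {"app": {"displayName": "bulk-export-automation",
                     "servicePrincipalId": "00000000-0000-0000-0000-000000000001"}}
        ),
    },
]


@dataclass
class DownloadEvent:
    """The columns the Sentinel query projects, in the same order."""
    operation_name: str
    result_description: str
    initiated_by_user: str
    time_generated: str


def initiator(initiated_by_raw: str) -> str:
    """Equivalent of parse_json(InitiatedBy).['user'].userPrincipalName.

    Falls back to the app display name for app-initiated events (assumption:
    InitiatedBy holds either a 'user' or an 'app' object).
    """
    info = json.loads(initiated_by_raw) if initiated_by_raw else {}
    user = info.get("user") or {}
    if user.get("userPrincipalName"):
        return user["userPrincipalName"]
    app = info.get("app") or {}
    return "app:" + app.get("displayName", "<unknown>")


def find_user_downloads(rows):
    """Apply the detection: OperationName contains 'Download users'
    (case-insensitive, like KQL's contains operator)."""
    hits = []
    for row in rows:
        if "download users" in row.get("OperationName", "").lower():
            hits.append(DownloadEvent(
                operation_name=row["OperationName"],
                result_description=row.get("ResultDescription", ""),
                initiated_by_user=initiator(row.get("InitiatedBy", "")),
                time_generated=row["TimeGenerated"],
            ))
    return hits


if __name__ == "__main__":
    for event in find_user_downloads(SAMPLE_AUDIT_LOGS):
        print(f"{event.time_generated}  {event.operation_name!r}  "
              f"by {event.initiated_by_user}  result={event.result_description!r}")
```

Running the script prints the two matching rows (Alice's download and the app-initiated one) and skips the "Add user" event. When tuning the real query, the third row shows why `InitiatedByUser` alone is not a complete answer: an empty user principal name may mean a service principal performed the export, not that no actor was recorded.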

Bert-Jan Pals
Released: February 14, 2023