Operation download all users in Azure Active directory performed
Azure AD Download All Users
Query
AuditLogs
| where OperationName contains "Download users"
| extend InitiatedByInfo = parse_json(InitiatedBy).['user']
| extend InitiatedByUser = InitiatedByInfo.userPrincipalName
| project-reorder OperationName, ResultDescription, InitiatedByUser, TimeGeneratedAbout this query
Operation download all users in Azure Active directory performed
Query Information
MITRE ATT&CK Technique(s)
| Technique ID | Title | Link |
|---|---|---|
| T1087.004 | Account Discovery: Cloud Account | https://attack.mitre.org/techniques/T1087/004/ |
| T1069.003 | Permission Groups Discovery: Cloud Groups | https://attack.mitre.org/techniques/T1069/003/ |
Description
Detect when a user account downloads all Azure Active Directory users. This can be used to dump all Azure AD users. Both admin and non-admin users can download user lists.
Risk
A malicious actor downloads Azure Active Directory to gain valuable information of the users and groups in your domain.
References
Sentinel
Explanation
This query is designed to detect and log instances where a user downloads all users from Azure Active Directory. Here's a simple breakdown of what the query does:
-
Data Source: It uses the
AuditLogstable, which contains logs of various operations performed in Azure. -
Filter: The query filters the logs to find entries where the
OperationNameincludes the phrase "Download users". This indicates an operation where a list of Azure AD users was downloaded. -
Extract Information:
- It extracts information about who initiated the download operation by parsing the
InitiatedByfield to get theuserPrincipalNameof the user who performed the action.
- It extracts information about who initiated the download operation by parsing the
-
Output:
- The query then organizes the output to show the
OperationName,ResultDescription,InitiatedByUser(the user who initiated the download), andTimeGenerated(when the operation occurred).
- The query then organizes the output to show the
-
Purpose: The purpose of this query is to monitor and identify potential security risks by detecting when someone, whether an admin or a non-admin, downloads the list of users from Azure Active Directory. This could be a sign of malicious activity if done without proper authorization.
In summary, the query helps in identifying and tracking the download of user lists from Azure AD, which is crucial for maintaining security and preventing unauthorized access to sensitive user information.
