Contextual data about an account, which may include a username, user ID, environmental data, etc.
| Name | Channel |
|---|---|
| auditd:SYSCALL | open,openat,read |
| AWS:CloudTrail | AssumeRole |
| AWS:CloudTrail | GetAccountPasswordPolicy |
| AWS:CloudTrail | PassRole |
| AWS:CloudTrail | AssumeRole: Discovery actions tied to assumed identities outside of normal context |
| azure:activity | Azure CLI Operation: Microsoft.Graph/users/read |
| azure:audit | operation contains 'Get*Password*Policy' OR 'List*Authentication*Policy' OR 'Get-ADDefaultDomainPasswordPolicy' |
| CloudTrail:GetCallerIdentity | GetCallerIdentity |
| Defender for Identity | Suspicious Enumeration of Cloud Directory |
| gcp:audit | Directory API Access: users.list or groups.list |
| gcp:audit | IAM API call: serviceAccounts.list or projects.getIamPolicy |
| gcp:audit | Directory API Access |
| gcp:iam | PrincipalEmail with serviceAccountTokenCreator impersonating new identity |
| Google Admin Audit | users.list, groups.list |
| linux:osquery | Listing of /etc/passwd and /etc/shadow metadata |
| m365:unified | (Workload=AzureActiveDirectory OR Workload=Exchange) AND (Operation=Cmdlet AND Parameters contains 'Password' AND (CmdletName='Get-*' OR CmdletName='Get-OrganizationConfig')) |
| macos:MDM | profiles -P \| getaccountpolicies |
| macos:unifiedlog | Creation of user account with UID <500 |
| Microsoft Entra ID Audit Logs | RoleManagement.Read.Directory or Directory.Read.All |
| Microsoft Graph API Logs | users.list, directoryObjects.getByIds |
| saas:auth | Refresh token issuance or refresh token usage from new IPs or user agents |
| saas:okta | User lifecycle events |
| saas:okta | User Enumeration Events |
| vpxd.log | vCenter Management |
| windows:osquery | User enumeration with creation/last modified timestamps |
| WinEventLog:Security | EventCode=4720, 4738 |
| WinEventLog:Security | EventCode=4673 |
| WinEventLog:Security | EventCode=4674 |
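The table names channels but not the matching logic. The following Python is an added example, not part of the ATT&CK page, showing how three of those rows turn into detections run over constructed sample records: the auditd:SYSCALL row (open/openat of /etc/passwd or /etc/shadow, correlating the SYSCALL record with its PATH record by audit serial), the AWS:CloudTrail row for discovery calls made under an assumed role, and the WinEventLog:Security 4720/4738 row. The sample log lines, the alert dictionary layout, and the choice to ignore auditd records with an unset login UID (4294967295, i.e. daemons without a login session) are assumptions for the example.

```python
"""Added example: detection logic for three rows of the User Account Metadata table.
All sample records below are constructed for the example, not captured logs."""
import json
import re
from collections import defaultdict
from typing import Dict, List

# auditd:SYSCALL row: open/openat/read. Keys are x86_64 syscall numbers as well
# as names, so records with either form are matched.
SYSCALLS_OF_INTEREST = {"2": "open", "257": "openat", "0": "read",
                        "open": "open", "openat": "openat", "read": "read"}
ACCOUNT_FILES = {"/etc/passwd", "/etc/shadow"}
AUID_UNSET = "4294967295"          # no login session (daemon); tuning assumption
# AWS:CloudTrail rows: discovery calls that are suspicious under an assumed role.
CLOUDTRAIL_DISCOVERY = {"GetAccountPasswordPolicy", "GetCallerIdentity"}
# WinEventLog:Security row: account created / account changed.
WINEVENT_LABELS = {4720: "user account created", 4738: "user account changed"}

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_SERIAL = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

# Constructed auditd lines: a SYSCALL record and its PATH record share a serial
# (the number after the colon in msg=audit(...)). Serial 456 is a user reading
# /etc/shadow, 457 is benign, 458 is a daemon (auid unset) reading /etc/shadow.
AUDITD_SAMPLE = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="account-enum"
type=PATH msg=audit(1700000000.123:456): item=0 name="/etc/shadow" inode=1234 mode=0100640
type=SYSCALL msg=audit(1700000000.200:457): arch=c000003e syscall=257 success=yes exit=4 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="account-enum"
type=PATH msg=audit(1700000000.200:457): item=0 name="/home/alice/.bashrc" inode=999 mode=0100644
type=SYSCALL msg=audit(1700000000.300:458): arch=c000003e syscall=257 success=yes exit=5 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key="account-enum"
type=PATH msg=audit(1700000000.300:458): item=0 name="/etc/shadow" inode=1234 mode=0100640
"""

# Constructed CloudTrail records: one discovery call from an assumed role, one from an IAM user.
CLOUDTRAIL_SAMPLE = json.dumps({"Records": [
    {"eventName": "GetAccountPasswordPolicy", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session1"}},
    {"eventName": "GetCallerIdentity", "sourceIPAddress": "198.51.100.9",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
]})

# Constructed Windows Security events already split into fields (e.g. by a SIEM).
WINEVENT_SAMPLE = [
    {"EventCode": 4720, "SubjectUserName": "admin", "TargetUserName": "svc_backup2"},
    {"EventCode": 4738, "SubjectUserName": "admin", "TargetUserName": "alice"},
    {"EventCode": 4624, "SubjectUserName": "-", "TargetUserName": "alice"},
]


def parse_audit_record(line: str) -> Dict[str, str]:
    """Parse one auditd line into key/value pairs (quotes stripped) plus its serial."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _SERIAL.search(line)
    if m:
        rec["serial"] = m.group(1)
    return rec


def detect_account_file_reads(audit_log: str) -> List[dict]:
    """Alert when a login session opens /etc/passwd or /etc/shadow."""
    by_serial = defaultdict(list)
    for line in audit_log.splitlines():
        if line.strip():
            rec = parse_audit_record(line)
            by_serial[rec.get("serial")].append(rec)
    alerts = []
    for serial, recs in by_serial.items():
        sc = next((r for r in recs if r.get("type") == "SYSCALL"), None)
        if sc is None or sc.get("syscall") not in SYSCALLS_OF_INTEREST:
            continue
        hit = {r["name"] for r in recs if r.get("type") == "PATH" and "name" in r} & ACCOUNT_FILES
        if hit and sc.get("auid") != AUID_UNSET:
            alerts.append({"channel": "auditd:SYSCALL", "serial": serial,
                           "syscall": SYSCALLS_OF_INTEREST[sc["syscall"]],
                           "files": sorted(hit), "auid": sc.get("auid"), "exe": sc.get("exe")})
    return alerts


def detect_assumed_role_discovery(cloudtrail_json: str) -> List[dict]:
    """Alert on GetAccountPasswordPolicy / GetCallerIdentity issued by an assumed role."""
    alerts = []
    for ev in json.loads(cloudtrail_json)["Records"]:
        ident = ev.get("userIdentity", {})
        if ev.get("eventName") in CLOUDTRAIL_DISCOVERY and ident.get("type") == "AssumedRole":
            alerts.append({"channel": "AWS:CloudTrail", "eventName": ev["eventName"],
                           "arn": ident.get("arn"), "sourceIPAddress": ev.get("sourceIPAddress")})
    return alerts


def detect_account_lifecycle(events: List[dict]) -> List[dict]:
    """Alert on 4720/4738, recording who changed which account."""
    return [{"channel": "WinEventLog:Security", "EventCode": e["EventCode"],
             "what": WINEVENT_LABELS[e["EventCode"]],
             "subject": e["SubjectUserName"], "target": e["TargetUserName"]}
            for e in events if e.get("EventCode") in WINEVENT_LABELS]


def run_all() -> List[dict]:
    """Run the three detections over the constructed samples."""
    return (detect_account_file_reads(AUDITD_SAMPLE)
            + detect_assumed_role_discovery(CLOUDTRAIL_SAMPLE)
            + detect_account_lifecycle(WINEVENT_SAMPLE))


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The auditd correlation by serial is the part that usually goes wrong in practice: the file name lives in the PATH record, the actor in the SYSCALL record, and a rule that looks at only one of them either misses the read or cannot say who did it. The `AUID_UNSET` filter is a noise-reduction choice for this example; whether root reads by daemons such as sshd should be suppressed is an environment-specific decision.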