Enumeration of global address lists or email account metadata via PowerShell cmdlets (e.g., Get-GlobalAddressList) or MAPI/RPC from non-admin, non-mail-server systems.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| CommandLinePattern | Match variations of Get-GlobalAddressList, Get-Recipient, and related cmdlets (PowerShell cmdlet names are case-insensitive). |
| HostRole | Suppress expected usage on Exchange servers or known IT admin consoles. |
| TimeWindow | Detect bulk execution patterns in short intervals, often used during recon. |
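The analytic above, written out as detection logic over a handful of constructed Event 4104 and Sysmon EventCode=1 records. This is an added example, not code from the page or from ATT&CK. Assumptions: the record field names (`Channel`, `EventCode`, `Computer`, `User`, `TimeCreated`, `ScriptBlockText`, `CommandLine`) are a simplified normalisation of the two log sources; the cmdlet pattern adds Get-AddressList and Get-OfflineAddressBook to the two cmdlets the page names; the 60-second window and threshold of three hits are illustrative tuning values; all events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# CommandLinePattern: the cmdlets named on the page plus two related Exchange
# address-book cmdlets (Get-AddressList, Get-OfflineAddressBook); the extra names
# are an assumption. Case-insensitive because PowerShell cmdlet names are.
GAL_CMDLET_RE = re.compile(
    r"\bGet-(?:GlobalAddressList|Recipient|AddressList|OfflineAddressBook)\b",
    re.IGNORECASE,
)


def command_text(event):
    """Pull the command string from a 4104 script block or a Sysmon EventCode=1 record."""
    if event["Channel"] == "PowerShell" and event["EventCode"] == 4104:
        return event["ScriptBlockText"]
    if event["Channel"] == "Sysmon" and event["EventCode"] == 1:
        return event["CommandLine"]
    return None


def max_hits_in_window(times, window):
    """Largest number of hits that fall inside any sliding window of the given length."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_gal_enumeration(events, expected_hosts, window=timedelta(seconds=60), burst=3):
    """One alert per (host, user) that ran GAL/recipient cmdlets outside expected hosts.

    expected_hosts: HostRole suppression set (Exchange servers, admin consoles), lower-case.
    window/burst:   TimeWindow rule; `burst` or more hits inside `window` raises severity.
    """
    hits = defaultdict(list)
    for ev in events:
        cmd = command_text(ev)
        if cmd is None or not GAL_CMDLET_RE.search(cmd):
            continue
        if ev["Computer"].lower() in expected_hosts:  # HostRole suppression
            continue
        hits[(ev["Computer"], ev["User"])].append(ev)

    alerts = []
    for (host, user), evs in hits.items():
        peak = max_hits_in_window([e["TimeCreated"] for e in evs], window)
        cmdlets = {m.group(0) for e in evs for m in GAL_CMDLET_RE.finditer(command_text(e))}
        alerts.append({
            "host": host,
            "user": user,
            "count": len(evs),
            "cmdlets": sorted(cmdlets),
            "severity": "high" if peak >= burst else "medium",
        })
    return sorted(alerts, key=lambda a: a["host"])


# Constructed sample telemetry (not real logs).
T0 = datetime(2024, 5, 6, 9, 0, 0)
GAL_EVENTS = [
    # WS01 / alice: three address-book cmdlets inside 30 seconds -> burst
    {"Channel": "PowerShell", "EventCode": 4104, "Computer": "WS01", "User": "CORP\\alice",
     "TimeCreated": T0, "ScriptBlockText": "Get-GlobalAddressList | Select-Object Name"},
    {"Channel": "PowerShell", "EventCode": 4104, "Computer": "WS01", "User": "CORP\\alice",
     "TimeCreated": T0 + timedelta(seconds=12),
     "ScriptBlockText": "Get-Recipient -ResultSize Unlimited | Export-Csv gal.csv"},
    {"Channel": "PowerShell", "EventCode": 4104, "Computer": "WS01", "User": "CORP\\alice",
     "TimeCreated": T0 + timedelta(seconds=30), "ScriptBlockText": "Get-AddressList"},
    # EXCH01: same cmdlet, but an Exchange server -> suppressed by HostRole
    {"Channel": "PowerShell", "EventCode": 4104, "Computer": "EXCH01", "User": "CORP\\exadmin",
     "TimeCreated": T0, "ScriptBlockText": "Get-GlobalAddressList"},
    # WS02 / bob: single lower-case invocation seen only in Sysmon process creation
    {"Channel": "Sysmon", "EventCode": 1, "Computer": "WS02", "User": "CORP\\bob",
     "TimeCreated": T0 + timedelta(minutes=5),
     "CommandLine": 'powershell.exe -nop -c "get-globaladdresslist"'},
    # WS03 / carol: benign PowerShell, no match
    {"Channel": "PowerShell", "EventCode": 4104, "Computer": "WS03", "User": "CORP\\carol",
     "TimeCreated": T0, "ScriptBlockText": "Get-Process | Sort-Object CPU"},
]
EXPECTED_HOSTS = {"exch01", "exch02", "adminjump01"}  # constructed HostRole allowlist

if __name__ == "__main__":
    for alert in detect_gal_enumeration(GAL_EVENTS, EXPECTED_HOSTS):
        print(alert)
```

The Sysmon path matters because Script Block Logging can be disabled or bypassed by a downgraded PowerShell host, while the process creation record still carries the command line; the sliding window rather than fixed buckets keeps a burst that straddles a minute boundary from being split into two low-severity hits.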
Suspicious querying of organization-wide directory data via the Google Workspace Directory API or Outlook GAL sync, in high volume, from abnormal users, service accounts, or unknown device contexts.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | gcp:audit | Directory API Access: users.list or groups.list |
| Application Log Content (DC0038) | m365:unified | GAL Lookup or Address Book download |
| User Account Authentication (DC0002) | azure:signinlogs | Unusual Token Usage or Application Consent |

| Field | Description |
|---|---|
| APIQueryVolume | Set thresholds for excessive use of 'users.list' or recursive group enumerations. |
| UserContext | Flag non-admin or previously unseen user agents requesting directory information. |
| AppSource | Distinguish between sanctioned sync tools and unauthorized scripts or OAuth tokens. |
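The cloud-directory analytic above as scoring logic over constructed, pre-normalised audit records. This is an added example, not code from the page or from ATT&CK. Assumptions: gcp:audit and m365:unified events have already been normalised to the fields `source`, `actor`, `app`, `user_agent`, `method` and `count` (a per-actor roll-up rather than raw per-call records); the volume threshold of 100 calls per batch, the sanctioned-app and known-user-agent sets, the app and client identifiers and every event are constructed for illustration.

```python
from collections import Counter

# Directory-enumeration operations after normalisation (assumed names):
# Google Workspace Directory API list calls, and M365 address-book activity.
DIRECTORY_METHODS = {
    "users.list", "groups.list", "members.list",
    "GAL Lookup", "Address Book download",
}


def score_directory_queries(events, admins, sanctioned_apps, known_user_agents, threshold=100):
    """Roll up directory list calls per (actor, app) and apply the three mutable elements.

    APIQueryVolume: more than `threshold` list calls from one actor/app pair in the batch.
    UserContext:    actor not in `admins`, or a user agent never seen before.
    AppSource:      app / OAuth client not in `sanctioned_apps`.
    """
    totals = Counter()
    last = {}
    for ev in events:
        if ev["method"] not in DIRECTORY_METHODS:
            continue
        key = (ev["actor"], ev["app"])
        totals[key] += ev.get("count", 1)
        last[key] = ev

    alerts = []
    for (actor, app), n in totals.items():
        ua = last[(actor, app)]["user_agent"]
        volume_hit = n > threshold
        reasons = []
        if volume_hit:
            reasons.append(f"APIQueryVolume: {n} directory list calls (> {threshold})")
        if actor not in admins:
            reasons.append("UserContext: non-admin actor")
        if ua not in known_user_agents:
            reasons.append(f"UserContext: unseen user agent {ua!r}")

        if app in sanctioned_apps:
            # A sanctioned sync tool is expected to be high-volume; only an unfamiliar
            # client string acting on its behalf is worth a look.
            if ua in known_user_agents:
                continue
            severity = "low"
        else:
            reasons.append(f"AppSource: unsanctioned app or OAuth client {app!r}")
            severity = "high" if volume_hit else "medium"

        alerts.append({"actor": actor, "app": app, "calls": n,
                       "severity": severity, "reasons": reasons})
    return sorted(alerts, key=lambda a: (a["actor"], a["app"]))


# Constructed sample records (not real audit logs).
DIR_EVENTS = [
    # sanctioned directory sync service: high volume but expected
    {"source": "gcp:audit", "actor": "svc-dirsync@example.com", "app": "dirsync-tool",
     "user_agent": "DirSync/4.7", "method": "users.list", "count": 500},
    # non-admin user, unknown OAuth client, scripted client, bulk user and group listing
    {"source": "gcp:audit", "actor": "alice@example.com", "app": "oauth-client-9f3a",
     "user_agent": "python-requests/2.31.0", "method": "users.list", "count": 120},
    {"source": "gcp:audit", "actor": "alice@example.com", "app": "oauth-client-9f3a",
     "user_agent": "python-requests/2.31.0", "method": "groups.list", "count": 40},
    # admin using the sanctioned console, small query
    {"source": "gcp:audit", "actor": "bob@example.com", "app": "admin-console",
     "user_agent": "Mozilla/5.0", "method": "users.list", "count": 5},
    # admin, but through an unsanctioned OAuth client
    {"source": "gcp:audit", "actor": "carol@example.com", "app": "oauth-client-77c1",
     "user_agent": "curl/8.4.0", "method": "groups.list", "count": 10},
    # Outlook address-book download through a sanctioned client
    {"source": "m365:unified", "actor": "dave@example.com", "app": "outlook-desktop",
     "user_agent": "Microsoft Office/16.0", "method": "Address Book download", "count": 1},
    # unrelated API call, ignored
    {"source": "gcp:audit", "actor": "alice@example.com", "app": "oauth-client-9f3a",
     "user_agent": "python-requests/2.31.0", "method": "users.get", "count": 1},
]
ADMINS = {"bob@example.com", "carol@example.com"}
SANCTIONED_APPS = {"dirsync-tool", "admin-console", "outlook-desktop"}
KNOWN_USER_AGENTS = {"DirSync/4.7", "Mozilla/5.0", "Microsoft Office/16.0"}

if __name__ == "__main__":
    for alert in score_directory_queries(DIR_EVENTS, ADMINS, SANCTIONED_APPS, KNOWN_USER_AGENTS):
        print(alert)
```

Keying the roll-up on (actor, app) rather than actor alone is what lets the sanctioned sync tool's 500 calls pass while a 160-call dump through an unknown OAuth client from the same tenant is scored high; in production the known-user-agent and sanctioned-app sets would come from a baseline period and the OAuth consent inventory rather than a literal.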