Enumeration of identity roles and users via API calls such as Get-MsolRoleMember, az ad user list, or Graph API calls issued with tokens held by unauthorized users or automation accounts.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | Microsoft Entra ID Audit Logs | RoleManagement.Read.Directory or Directory.Read.All |
| User Account Authentication (DC0002) | azure:signinlogs | Interactive/Non-Interactive Sign-In |
| Command Execution (DC0064) | m365:defender | Activity Log: Command Invocation |

| Field | Description |
|---|---|
| TokenScope | Flag excessive or abnormal use of directory read scopes by unexpected principals. |
| AppContext | Differentiate authorized automation from rogue access tokens or external tools. |
| TimeWindow | Trigger correlation across short bursts of high-volume enumeration. |
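The three tunable fields above (TokenScope, AppContext, TimeWindow) can be implemented as one pass over audit records. The following is an added example written for this page, not detection content from the original or from any vendor; the record shape, the allowlists (`SANCTIONED_APPS`, `KNOWN_ADMINS`) and the burst threshold are constructed assumptions that a real deployment would replace with its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# TokenScope: directory-read scopes whose use by an unexpected principal is the signal.
DIRECTORY_READ_SCOPES = {"RoleManagement.Read.Directory", "Directory.Read.All"}

# AppContext: constructed allowlists (hypothetical values, not from any real tenant).
SANCTIONED_APPS = {"hr-sync-app"}          # automation clients allowed to read the directory
KNOWN_ADMINS = {"alice@example.test"}      # users expected to hold directory-read roles

# TimeWindow: short-burst correlation window and the call count that trips it.
BURST_WINDOW = timedelta(minutes=5)
BURST_THRESHOLD = 20


def parse_time(value: str) -> datetime:
    # Audit logs emit ISO-8601 with a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate(events):
    """Return a sorted list of (principal, reason) alerts for directory-read scope misuse."""
    alerts = set()
    recent = defaultdict(deque)  # principal -> timestamps of recent directory-read calls

    for ev in sorted(events, key=lambda e: e["time"]):
        scopes = set(ev["scopes"].split())
        if not scopes & DIRECTORY_READ_SCOPES:
            continue  # other scopes are outside this analytic

        principal = ev["principal"]
        if ev["principalType"] == "app":
            if principal in SANCTIONED_APPS:
                continue  # sanctioned automation: suppress entirely, bulk syncs included
            alerts.add((principal, "unsanctioned app used directory-read scope"))
        elif principal not in KNOWN_ADMINS:
            alerts.add((principal, "non-admin user token carries directory-read scope"))

        # Sliding window per principal: drop calls older than BURST_WINDOW, then count.
        ts = parse_time(ev["time"])
        window = recent[principal]
        window.append(ts)
        while window and ts - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            alerts.add((principal, "burst of directory-read calls"))

    return sorted(alerts)


def constructed_events():
    """Constructed sample records shaped like Graph/Entra audit entries (not real data)."""
    base = datetime(2024, 5, 1, 9, 0, 0)

    def rec(principal, ptype, scopes, seconds):
        return {"principal": principal, "principalType": ptype, "scopes": scopes,
                "time": (base + timedelta(seconds=seconds)).isoformat() + "Z"}

    events = []
    # sanctioned sync app doing a large but legitimate read
    events += [rec("hr-sync-app", "app", "Directory.Read.All User.Read.All", i) for i in range(50)]
    # unknown app reading role membership
    events += [rec("unknown-app", "app", "RoleManagement.Read.Directory", 100 + i) for i in range(3)]
    # known admin doing routine work
    events += [rec("alice@example.test", "user", "Directory.Read.All", 200 + i) for i in range(2)]
    # non-admin user enumerating the directory in a short burst
    events += [rec("bob@example.test", "user", "Directory.Read.All", 300 + i * 6) for i in range(25)]
    # unrelated scope, ignored
    events += [rec("carol@example.test", "user", "Mail.Read", 400)]
    return events


if __name__ == "__main__":
    for principal, reason in evaluate(constructed_events()):
        print(f"{principal}: {reason}")
```

Sanctioned apps are suppressed before the burst logic runs on purpose: a sync tool's nightly full read would otherwise trip the window every night, and the AppContext field exists precisely so that noise never reaches the queue.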
Use of AWS CLI (aws iam list-users, list-roles), Azure CLI (az ad user list), or GCP CLI (gcloud iam service-accounts list) from endpoints or cloud shells where such activity is unexpected.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | AWS:CloudTrail | AWS IAM: ListUsers, ListRoles |
| User Account Metadata (DC0013) | azure:activity | Azure CLI Operation: Microsoft.Graph/users/read |

| Field | Description |
|---|---|
| CallerType | Suppress known admin accounts and alert on developer/test/service identities. |
| CLIUserAgent | Correlate unexpected CLI user-agents and geolocation anomalies. |
| CloudRegion | Suppress noise from known IP ranges or whitelisted accounts per region. |
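For the CloudTrail side of this analytic, the CallerType, CLIUserAgent and CloudRegion fields map onto the `userIdentity.arn`, `userAgent`, `sourceIPAddress` and `awsRegion` keys of each record. The following is an added example, not part of the original page or of any vendor's rule set; the admin ARN allowlist, the suspect name prefixes, the expected user-agent prefix and the trusted per-region source range are constructed assumptions, as are the sample records.

```python
import ipaddress
import json

DISCOVERY_CALLS = {"ListUsers", "ListRoles"}

# Constructed tuning values (hypothetical, not from any real account):
KNOWN_ADMIN_ARNS = {"arn:aws:iam::123456789012:user/iam-admin"}   # CallerType: suppressed
SUSPECT_NAME_PREFIXES = ("dev-", "test-", "svc-")                  # CallerType: escalated
EXPECTED_AGENT_PREFIXES = ("aws-cli/",)                            # CLIUserAgent: normal tooling
TRUSTED_RANGES = {"us-east-1": [ipaddress.ip_network("198.51.100.0/24")]}  # CloudRegion
SEVERITY = {0: "low", 1: "medium", 2: "high"}


def caller_name(arn: str) -> str:
    # arn:aws:iam::ACCT:user/NAME  or  arn:aws:sts::ACCT:assumed-role/ROLE/SESSION
    resource = arn.split(":", 5)[5]
    return resource.split("/")[1]


def from_trusted_range(region: str, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES.get(region, []))


def evaluate(cloudtrail_lines):
    """Score IAM discovery calls; returns one finding per non-suppressed event."""
    findings = []
    for line in cloudtrail_lines:
        rec = json.loads(line)
        if rec["eventName"] not in DISCOVERY_CALLS:
            continue
        arn = rec["userIdentity"]["arn"]
        # Suppression first: known admins, and traffic from a region's trusted egress range.
        if arn in KNOWN_ADMIN_ARNS or from_trusted_range(rec["awsRegion"], rec["sourceIPAddress"]):
            continue
        escalations = []
        if caller_name(arn).startswith(SUSPECT_NAME_PREFIXES):
            escalations.append("developer/test/service identity")
        if not rec["userAgent"].startswith(EXPECTED_AGENT_PREFIXES):
            escalations.append("unexpected user agent: " + rec["userAgent"])
        findings.append({"arn": arn, "event": rec["eventName"], "region": rec["awsRegion"],
                         "severity": SEVERITY[len(escalations)], "escalations": escalations})
    return findings


def constructed_cloudtrail():
    """Constructed CloudTrail-shaped JSON lines (not real events)."""
    def rec(arn, name, agent, ip, region):
        return json.dumps({"eventTime": "2024-05-01T09:00:00Z", "eventName": name,
                           "userIdentity": {"arn": arn}, "userAgent": agent,
                           "sourceIPAddress": ip, "awsRegion": region})
    cli = "aws-cli/2.15.0 Python/3.11"
    return [
        rec("arn:aws:iam::123456789012:user/iam-admin", "ListUsers", cli, "203.0.113.5", "us-east-1"),
        rec("arn:aws:iam::123456789012:user/dev-jsmith", "ListRoles", cli, "203.0.113.7", "us-east-1"),
        rec("arn:aws:sts::123456789012:assumed-role/svc-ci/build-42", "ListUsers",
            "python-requests/2.31.0", "192.0.2.44", "eu-west-1"),
        rec("arn:aws:iam::123456789012:user/eng-ops", "ListUsers", cli, "198.51.100.10", "us-east-1"),
        rec("arn:aws:iam::123456789012:user/eng-ops", "GetUser", cli, "203.0.113.9", "us-east-1"),
        rec("arn:aws:iam::123456789012:user/eng-ops", "ListUsers", cli, "203.0.113.9", "us-east-1"),
    ]


if __name__ == "__main__":
    for f in evaluate(constructed_cloudtrail()):
        print(f["severity"], f["event"], f["arn"], f["escalations"])
```

Every non-suppressed discovery call produces at least a low finding, so that an unfamiliar caller with a normal agent and name still leaves a record; the two escalations only change severity, which keeps the rule's false-positive behaviour driven by the two suppression lists rather than by the heuristics.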
Bulk enumeration of cloud user email identities through Get-Recipient, Get-Mailbox, Get-User, or Graph API directory listings by abnormal accounts or suspicious sessions.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | CmdletName: Get-Recipient, Get-User |
| User Account Metadata (DC0013) | Microsoft Graph API Logs | users.list, directoryObjects.getByIds |

| Field | Description |
|---|---|
| CmdletVolume | Tune threshold for recipient/mailbox queries by volume per hour. |
| UserAgent | Match known admin consoles and exclude sanctioned tools like MSOL PowerShell. |
| SessionContext | Elevate sessions from unmanaged or external endpoints. |
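The CmdletVolume, UserAgent and SessionContext fields describe an hourly volume rule with an agent exclusion and a severity step-up. The following is an added example for this page, not detection content from the original; the per-cmdlet hourly thresholds, the sanctioned agent strings and the `managedEndpoint` flag on each record are constructed assumptions, and so are the sample records.

```python
from collections import Counter
from datetime import datetime, timedelta

ENUM_CMDLETS = {"Get-Recipient", "Get-Mailbox", "Get-User"}

# CmdletVolume: constructed per-cmdlet thresholds per hour (tune to the tenant's baseline).
HOURLY_THRESHOLDS = {"Get-Recipient": 100, "Get-Mailbox": 100, "Get-User": 50}

# UserAgent: constructed strings standing in for sanctioned admin tooling such as the
# MSOL PowerShell module; real values come from the tenant's own logs.
SANCTIONED_AGENTS = {"MSOL-PowerShell/1.0", "AdminConsole/3.2"}


def hour_bucket(ts: str) -> str:
    return datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")


def evaluate(records):
    """Alert per (user, hour, cmdlet) when the hourly volume crosses the cmdlet's threshold."""
    counts = Counter()
    unmanaged_seen = {}  # SessionContext: did any call in this bucket come from an unmanaged host?
    for rec in records:
        if rec["cmdlet"] not in ENUM_CMDLETS or rec["userAgent"] in SANCTIONED_AGENTS:
            continue
        key = (rec["user"], hour_bucket(rec["time"]), rec["cmdlet"])
        counts[key] += 1
        unmanaged_seen[key] = unmanaged_seen.get(key, False) or not rec["managedEndpoint"]

    alerts = []
    for key, n in counts.items():
        user, hour, cmdlet = key
        if n >= HOURLY_THRESHOLDS[cmdlet]:
            alerts.append({"user": user, "hour": hour, "cmdlet": cmdlet, "count": n,
                           "severity": "high" if unmanaged_seen[key] else "medium"})
    return sorted(alerts, key=lambda a: (a["user"], a["hour"], a["cmdlet"]))


def constructed_records():
    """Constructed records shaped like extracted PowerShell cmdlet-invocation events."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def burst(user, cmdlet, agent, managed, n, start_min):
        return [{"time": (base + timedelta(minutes=start_min, seconds=i)).isoformat(),
                 "user": user, "cmdlet": cmdlet, "userAgent": agent, "managedEndpoint": managed}
                for i in range(n)]

    recs = []
    recs += burst("admin@example.test", "Get-Recipient", "MSOL-PowerShell/1.0", True, 300, 0)   # sanctioned tool
    recs += burst("eve@example.test", "Get-Mailbox", "ExchangeOnlineManagement/3.4", True, 120, 5)
    recs += burst("mallory@example.test", "Get-User", "WindowsPowerShell/5.1", False, 60, 70)   # unmanaged host
    recs += burst("mallory@example.test", "Get-Recipient", "WindowsPowerShell/5.1", False, 10, 75)  # under threshold
    recs += burst("dave@example.test", "Get-Mailbox", "ExchangeOnlineManagement/3.4", True, 20, 20)
    return recs


if __name__ == "__main__":
    for a in evaluate(constructed_records()):
        print(a)
```

Bucketing by clock hour rather than a sliding window matches the "volume per hour" wording of the field and is cheap to compute in a scheduled search; the trade-off is that a burst straddling an hour boundary is split across two buckets, which is one reason the thresholds should be tuned against observed admin behaviour rather than set to the theoretical maximum.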
Access to organizational directories via Google Workspace Directory API, Slack SCIM, or Okta SCIM by apps or identities outside normal roles.

| Data Component | Name | Channel |
|---|---|---|
| User Account Metadata (DC0013) | Google Admin Audit | users.list, groups.list |
| Application Log Content (DC0038) | saas:okta | System API Call: user.read, group.read |

| Field | Description |
|---|---|
| APIRequestRate | Detect rapid enumeration attempts or recursive group expansion. |
| AppIntegrationID | Tag expected SCIM clients and suppress false positives from enterprise sync tools. |
| GeoContext | Trigger alerts if enumeration occurs from anomalous IPs or regions. |
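The APIRequestRate, AppIntegrationID and GeoContext fields combine into a per-integration rule where expected SCIM clients keep only the geo check. The following is an added example, not part of the original page or of any vendor's content; the event shape, the expected-client table with its baseline countries, the tenant region set, the per-minute rate threshold and the "groups.list followed by many group.read calls" heuristic for recursive expansion are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# AppIntegrationID: expected SCIM/sync clients and the countries they call from (constructed).
EXPECTED_CLIENTS = {"scim-hr-sync": {"US"}, "slack-scim": {"US", "IE"}}
TENANT_REGIONS = {"US", "IE", "DE"}     # GeoContext baseline for every other client (constructed)
RATE_THRESHOLD = 30                     # APIRequestRate: directory reads per minute
EXPANSION_WINDOW = timedelta(minutes=10)
EXPANSION_MIN_GROUPS = 5                # distinct group.read targets following a groups.list

DIRECTORY_READS = {"users.list", "groups.list", "group.read", "user.read"}


def evaluate(events):
    """Return sorted (integrationId, reason) alerts over normalized directory API events."""
    events = sorted(events, key=lambda e: e["time"])
    per_minute = defaultdict(int)       # (client, minute) -> directory reads
    last_list = {}                      # client -> time of its most recent groups.list
    expanded = defaultdict(set)         # client -> group.read targets since that groups.list
    alerts = set()

    for ev in events:
        if ev["api"] not in DIRECTORY_READS:
            continue
        client = ev["integrationId"]
        ts = datetime.fromisoformat(ev["time"])

        # GeoContext applies to everyone: known clients against their own baseline,
        # unknown clients against the tenant-wide region set.
        allowed = EXPECTED_CLIENTS.get(client, TENANT_REGIONS)
        if ev["country"] not in allowed:
            alerts.add((client, f"directory read from anomalous country {ev['country']}"))
        if client in EXPECTED_CLIENTS:
            continue  # sanctioned sync tools are allowed to be noisy; only geo applies

        # APIRequestRate: fixed one-minute buckets per client.
        minute = ts.strftime("%Y-%m-%dT%H:%M")
        per_minute[(client, minute)] += 1
        if per_minute[(client, minute)] >= RATE_THRESHOLD:
            alerts.add((client, "directory read rate exceeds threshold"))

        # Recursive expansion: a groups.list followed by reads of many distinct groups.
        if ev["api"] == "groups.list":
            last_list[client] = ts
            expanded[client] = set()
        elif ev["api"] == "group.read" and client in last_list and ts - last_list[client] <= EXPANSION_WINDOW:
            expanded[client].add(ev["target"])
            if len(expanded[client]) >= EXPANSION_MIN_GROUPS:
                alerts.add((client, "recursive group expansion after groups.list"))

    return sorted(alerts)


def constructed_events():
    """Constructed events in a normalized shape (not real Okta or Google audit records)."""
    base = datetime(2024, 5, 1, 12, 0, 0)

    def ev(client, api, country, seconds, target=None):
        return {"integrationId": client, "api": api, "country": country, "target": target,
                "time": (base + timedelta(seconds=seconds)).isoformat()}

    events = []
    events += [ev("scim-hr-sync", "user.read", "US", i) for i in range(200)]         # noisy but sanctioned
    events += [ev("slack-scim", "group.read", "IE", 300 + i, f"g{i}") for i in range(3)]
    events += [ev("slack-scim", "group.read", "BR", 310, "g9")]                       # off-baseline country
    events += [ev("unknown-oauth-app", "groups.list", "DE", 600)]
    events += [ev("unknown-oauth-app", "group.read", "DE", 605 + i * 5, f"g{i}") for i in range(8)]
    events += [ev("recon-script", "user.read", "AU", 900 + i) for i in range(35)]    # fast and off-region
    return events


if __name__ == "__main__":
    for client, reason in evaluate(constructed_events()):
        print(f"{client}: {reason}")
```

The expansion heuristic is deliberately order-dependent: it only counts `group.read` calls that follow a `groups.list` within the window, because that sequence is what a client walking the group tree produces, while a sync tool that reads a fixed set of groups it already knows about never issues the list call first.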