Successful Sign-In From Non-Compliant Device with bulk download activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

'This hunting query will help detect successful sign-ins from devices that are marked non-compliant along with bulk download activity. Attackers may attempt to get a list of accounts, groups, registration details within an environment which could help in follow-on behavior. Best practice is to block sign ins from non-complaint devices, however if allowed monitor these events to ensure they do not lead to other risky activity. Reference: https://docs.microsoft.com/azure/active-directory/fundame

Attribute	Value
Type	Hunting Query
Solution	GitHub Only
ID	a5bb38e3-5ee2-47fe-a65d-c3c9341112ef
Tactics	InitialAccess, Discovery
Techniques	T1078, T1087
Required Connectors	AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
AuditLogs	OperationName has_any "Download group members,Download groups,Download user registeration details,Download users"	✓	✗	?
SigninLogs		✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID

Solutions: Microsoft Entra ID

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Hunting Queries