Which SIEM platforms have a T1591 detection rule?

df00tech provides T1591 (Gather Victim Org Information) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What data sources are required to detect Gather Victim Org Information (T1591)?

Detecting Gather Victim Org Information requires the following data sources: Azure Active Directory, Microsoft Entra ID.

What severity and confidence is the T1591 detection?

The T1591 detection is rated high severity with medium confidence.

What are common false positives for T1591?

Common false positives for T1591 include: IT automation scripts running bulk user provisioning or deprovisioning workflows; HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization; Security tools such as Microsoft Entra ID Governance performing access reviews.

T1591 Elastic Security · Elastic

Detect Gather Victim Org Information in Elastic Security

This detection identifies adversary attempts to gather organizational information about the victim, including employee roles, departmental structure, business operations, and key personnel. Because T1591 is a PRE-ATT&CK technique primarily executed outside the defender's network, direct endpoint telemetry is limited. Detection pivots to observable side-effects: Azure AD and Microsoft Graph API enumeration of users, groups, and org hierarchy; inbound phishing-for-information email patterns; unusual bulk access to internal directories or SharePoint org charts; and outbound access to known OSINT/data-broker platforms (LinkedIn, ZoomInfo, Hunter.io) at volume. These signals correlate with early-stage targeting by threat actors such as APT28, Kimsuky, Lazarus Group, and FIN7, who conduct org reconnaissance prior to tailored spearphishing campaigns.

MITRE ATT&CK

Tactic: Reconnaissance
Technique: T1591 Gather Victim Org Information
Canonical reference: https://attack.mitre.org/techniques/T1591/

Elastic Detection Query

Elastic Security (Elastic)

eql

// T1591 — Gather Victim Org Information
any where event.dataset == "azure.auditlogs"
  and azure.auditlogs.operation_name in (
    "Get users", "List users", "Get groups", "List groups",
    "Get members", "Get organization", "Get directoryRoles",
    "List directoryRoleMembers", "Get contacts", "List contacts"
  )
  and azure.auditlogs.result == "success"

high severity medium confidence

Elastic EQL detection for Gather Victim Org Information (T1591). Translates the Microsoft Sentinel KQL logic to Elastic Common Schema (ECS) field mappings for use in Elastic SIEM. Targets the same behavioral indicators across process creation, network, and authentication event types.

Data Sources

Azure Active DirectoryMicrosoft 365

Required Tables

logs-azure.*logs-azure.signinlogs-*

False Positives & Tuning

IT automation scripts running bulk user provisioning or deprovisioning workflows
HR system sync tools (Workday, BambooHR) performing scheduled directory synchronization
Security tools such as Microsoft Entra ID Governance performing access reviews
PowerShell scripts run by directory administrators for legitimate reporting

Download portable Sigma rule (.yml)

Other platforms for T1591

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Azure AD Bulk User Enumeration via Microsoft Graph PowerShell
Expected signal: Azure AD AuditLogs: multiple entries for 'Get users', 'List users', 'Get groups', 'List groups', 'Get directoryRoles' with InitiatedBy set to the test account UPN. Volume should exceed the 30-operation threshold within minutes.
Test 2OSINT Tool Execution — theHarvester Org Reconnaissance
Expected signal: Outbound HTTP/HTTPS connections to linkedin.com, google.com, bing.com with tool user-agent strings from the attacking host. DNS queries for target domain variations. Proxy logs showing linkedin.com/in/ path access at volume.
Test 3Social Engineering Email — Org Structure Elicitation (Phishing for Information)
Expected signal: EmailEvents entry with SenderFromDomain=atomictest.invalid, Subject containing 'org chart' and 'reporting structure', DeliveryAction=Delivered. Microsoft Defender for Office 365 may flag based on sender reputation.

Last updated: 2026-03-20 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1591 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Detect Gather Victim Org Information in Elastic Security

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1591

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (4)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

MITRE ATT&CK

Elastic Detection Query

Data Sources

Required Tables

False Positives & Tuning

Other platforms for T1591

Testing Methodology

Unlock Pro Content

Related Detections

Sub-techniques (4)

Related Techniques

Same Tactic: Reconnaissance

Popular Detections

Get new detections in your inbox