LoFP / Administrative or automated tasks that involve accessing Microsoft Graph API using the specified client application ID and tenant ID, such as provisioning or managing resources.

Techniques

Sample rules

Microsoft Graph First Occurrence of Client Request

Description

This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully compromise a user’s credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.

Detection logic

event.dataset: "azure.graphactivitylogs"
    and event.type: "access"
    and azure.graphactivitylogs.properties.c_idtyp: "user"
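The following is an added Python replay of the rule's filter and new-terms logic over constructed azure.graphactivitylogs events; it is not part of the LoFP page or the rule itself. The `seen` set stands in for the rule's history window, and the `allowlist` of client application IDs (assumed values) is one way to suppress the known provisioning or automation clients described in the false positive above.

```python
# Added example (not the page's or the rule's own code): new-terms detection over
# constructed Graph activity events, keyed on (app_id, tenant_id, user object id).
from typing import Iterable, List, Optional, Set, Tuple

Term = Tuple[str, str, str]


def _event(app_id, tenant="tenant-1", user="user-1", idtyp="user",
           dataset="azure.graphactivitylogs", etype="access"):
    """Build a constructed event (made-up IDs); field names follow the rule."""
    return {
        "event.dataset": dataset,
        "event.type": etype,
        "azure.graphactivitylogs.properties.c_idtyp": idtyp,
        "azure.graphactivitylogs.properties.app_id": app_id,
        "azure.tenant_id": tenant,
        "azure.graphactivitylogs.properties.user_principal_object_id": user,
    }


SAMPLE_EVENTS = [
    _event("app-aaaa"),                 # first time this client acts for user-1
    _event("app-aaaa"),                 # repeat of a known term: no alert
    _event("app-cccc", idtyp="app"),    # application identity: filtered out
    _event("app-bbbb"),                 # new client for user-1: alert
    _event("app-automation"),           # assumed provisioning client: allowlisted
    _event("app-aaaa", user="user-2"),  # same client, different user: new term
]


def matches_query(e: dict) -> bool:
    """Mirror the three conditions of the detection logic above."""
    return (e.get("event.dataset") == "azure.graphactivitylogs"
            and e.get("event.type") == "access"
            and e.get("azure.graphactivitylogs.properties.c_idtyp") == "user")


def term_key(e: dict) -> Term:
    return (e["azure.graphactivitylogs.properties.app_id"],
            e["azure.tenant_id"],
            e["azure.graphactivitylogs.properties.user_principal_object_id"])


def first_occurrences(events: Iterable[dict], seen: Optional[Set[Term]] = None,
                      allowlist: Set[str] = frozenset()) -> List[Term]:
    """Return terms seen for the first time, skipping allowlisted client app IDs."""
    seen = set() if seen is None else set(seen)
    alerts = []
    for e in events:
        key = term_key(e) if matches_query(e) else None
        if key is None or key in seen:
            continue
        seen.add(key)  # allowlisted terms still enter the baseline
        if key[0] not in allowlist:
            alerts.append(key)
    return alerts
```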