administrative or automated tasks that involve accessing microsoft graph api using the specified client application id and tenant id, such as provisioning or managing resources.

t1078
azure
elastic

Techniques

T1078

Sample rules

Microsoft Graph First Occurrence of Client Request

source: elastic
technicques:
- T1078

Description

This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user’s credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.

Detection logic

event.dataset: "azure.graphactivitylogs"
    and event.type: "access"
    and azure.graphactivitylogs.properties.c_idtyp: "user"
    and azure.graphactivitylogs.properties.client_auth_method: 0
    and http.response.status_code: 200
    and url.domain: "graph.microsoft.com"