Techniques
Sample rules
Azure AD Graph Access with Unusual Client and User
- source: elastic
- technicques:
- T1087
- T1550
Description
Identifies Azure AD Graph (graph.windows.net) requests where the combination of calling OAuth client (“azure.aadgraphactivitylogs.properties.app_id”) and signed-in user (“user.id”) has not been observed in the tenant in a historical window. A user appearing against AAD Graph under an OAuth client that has not previously authenticated that user is a sign of a FOCI swap, a phished refresh token being redeemed for a new client, or an adversary running tooling under a client identity the user does not normally use.
Detection logic
data_stream.dataset:"azure.aadgraphactivitylogs" and
azure.aadgraphactivitylogs.properties.actor_type : "User" and
azure.aadgraphactivitylogs.properties.app_id: (* and not (
"74658136-14ec-4630-ad9b-26e160ff0fc6" or
"bb8f18b0-9c38-48c9-a847-e1ef3af0602d" or
"00000006-0000-0ff1-ce00-000000000000" or
"18ed3507-a475-4ccb-b669-d66bc9f2a36e")
) and user.id:*