Techniques
Sample rules
Azure AD Graph Access with Suspicious User-Agent
- source: elastic
- technicques:
- T1069
- T1087
- T1526
Description
Identifies Azure AD Graph (graph.windows.net) requests originating from user-agent strings associated with offensive tooling, scripting libraries, or generic HTTP clients. First-party Microsoft components calling AAD Graph identify with specific user agents such as “Microsoft Azure Graph Client Library”, “Microsoft ADO.NET Data Services”, or “Microsoft.OData.Client”. Anything outside that recognised set is either a developer prototyping against the legacy API or an enumeration tool walking the directory.
Detection logic
from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index
| where data_stream.dataset == "azure.aadgraphactivitylogs"
and azure.aadgraphactivitylogs.properties.actor_type == "User"
and user_agent.original is not null
| eval Esql.ua_lower = to_lower(user_agent.original)
| where Esql.ua_lower like "*fasthttp*"
or Esql.ua_lower like "*aiohttp*"
or Esql.ua_lower like "*hound*"
or Esql.ua_lower like "*aadinternals*"
or Esql.ua_lower like "*go-http-client*"
or Esql.ua_lower like "python*"
or Esql.ua_lower like "*curl/*"
or Esql.ua_lower like "*okhttp*"
or Esql.ua_lower like "*axios*"
or Esql.ua_lower like "*node-fetch*"
or Esql.ua_lower like "*go-resty*"
or Esql.ua_lower like "*bav2ropc*"
or Esql.ua_lower like "*undici*"
| keep
_id,
_version,
_index,
@timestamp,
user.id,
source.ip,
source.as.organization.name,
user_agent.original,
azure.aadgraphactivitylogs.properties.app_id,
azure.aadgraphactivitylogs.properties.api_version,
url.path,
http.response.status_code,
azure.tenant_id,
Esql.ua_lower