LoFP LoFP / authorized red team or penetration test activity using roadrecon, roadtools, aadinternalsor similar tooling can match. add exceptions on the source ip, signed-in user, or app id after validation.

Techniques

Sample rules

Azure AD Graph Access with Suspicious User-Agent

Description

Identifies Azure AD Graph (graph.windows.net) requests originating from user-agent strings associated with offensive tooling, scripting libraries, or generic HTTP clients. First-party Microsoft components calling AAD Graph identify with specific user agents such as “Microsoft Azure Graph Client Library”, “Microsoft ADO.NET Data Services”, or “Microsoft.OData.Client”. Anything outside that recognised set is either a developer prototyping against the legacy API or an enumeration tool walking the directory.

Detection logic

from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index

| where data_stream.dataset == "azure.aadgraphactivitylogs"
    and azure.aadgraphactivitylogs.properties.actor_type == "User"
    and user_agent.original is not null
| eval Esql.ua_lower = to_lower(user_agent.original)
| where Esql.ua_lower like "*fasthttp*"
    or Esql.ua_lower like "*aiohttp*"
    or Esql.ua_lower like "*hound*"
    or Esql.ua_lower like "*aadinternals*"
    or Esql.ua_lower like "*go-http-client*"
    or Esql.ua_lower like "python*"
    or Esql.ua_lower like "*curl/*"
    or Esql.ua_lower like "*okhttp*"
    or Esql.ua_lower like "*axios*"
    or Esql.ua_lower like "*node-fetch*"
    or Esql.ua_lower like "*go-resty*"
    or Esql.ua_lower like "*bav2ropc*"
    or Esql.ua_lower like "*undici*"
| keep
    _id,
    _version,
    _index,
    @timestamp,
    user.id,
    source.ip,
    source.as.organization.name,
    user_agent.original,
    azure.aadgraphactivitylogs.properties.app_id,
    azure.aadgraphactivitylogs.properties.api_version,
    url.path,
    http.response.status_code,
    azure.tenant_id,
    Esql.ua_lower