Techniques
Sample rules
Microsoft Graph First Occurrence of Client Request
- source: elastic
- techniques:
- T1078
Description
This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to the Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.
Detection logic
event.dataset: "azure.graphactivitylogs"
and event.type: "access"
and azure.graphactivitylogs.properties.c_idtyp: "user"
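The following is an added Python emulation of how this rule behaves, not Elastic's own rule engine: it applies the query filter above to constructed, flattened sample events and then alerts the first time an app_id appears for a (tenant_id, user_principal_object_id) pair. The `history_end` parameter is an assumed, simplified stand-in for a New Terms rule's history window, and all tenant, user and app identifiers are placeholders.

```python
from collections import defaultdict

DATASET = "azure.graphactivitylogs"
TENANT = "azure.tenant_id"
USER = "azure.graphactivitylogs.properties.user_principal_object_id"
APP = "azure.graphactivitylogs.properties.app_id"
IDTYP = "azure.graphactivitylogs.properties.c_idtyp"

def make_event(i, ts, tenant, user, app, idtyp="user", etype="access", dataset=DATASET):
    """Build a constructed, flattened ECS-style document (real Elastic documents are nested JSON)."""
    return {"id": i, "@timestamp": ts, "event.dataset": dataset, "event.type": etype,
            IDTYP: idtyp, TENANT: tenant, USER: user, APP: app}

# Constructed sample data; tenant, user and app ids are placeholders, not real GUIDs.
SAMPLE_EVENTS = [
    make_event(1, 1, "tenant-A", "user-1", "app-X"),                 # baseline: known app for user-1
    make_event(2, 2, "tenant-A", "user-1", "app-X"),                 # same app again: not new
    make_event(3, 3, "tenant-A", "user-1", "app-Y"),                 # new app for user-1: alert
    make_event(4, 4, "tenant-A", "user-2", "app-X"),                 # first app seen for user-2: alert
    make_event(5, 5, "tenant-A", "user-2", "app-Z", idtyp="app"),    # app-only identity: filtered out
    make_event(6, 6, "tenant-B", "user-1", "app-Y"),                 # same user id, other tenant: alert
    make_event(7, 7, "tenant-A", "user-1", "app-W", dataset="azure.signinlogs"),  # wrong dataset: filtered
]

def matches_query(ev):
    """The rule's KQL filter: Graph activity dataset, access events, user-type client identity."""
    return (ev.get("event.dataset") == DATASET and ev.get("event.type") == "access"
            and ev.get(IDTYP) == "user")

def new_term_alerts(events, history_end):
    """Return ids of events where app_id is first seen for a (tenant_id, user_principal_object_id)
    pair. Events with a timestamp at or before history_end only populate the baseline and never
    alert (assumed simplification of the New Terms history window)."""
    seen = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev):
            continue
        key = (ev[TENANT], ev[USER])
        if ev[APP] in seen[key]:
            continue
        seen[key].add(ev[APP])
        if ev["@timestamp"] > history_end:
            alerts.append(ev["id"])
    return alerts
```

With the sample data, `new_term_alerts(SAMPLE_EVENTS, history_end=1)` returns `[3, 4, 6]`; shrinking the baseline to `history_end=0` also flags event 1, which shows why a short history window inflates first-occurrence alerts.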