authorized third-party applications or services that use the specified client application id to access microsoft graph api resources for legitimate purposes.

t1078
azure
elastic

Techniques

T1078

Sample rules

Microsoft Graph First Occurrence of Client Request

source: elastic
technicques:
- T1078

Description

This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may helps identify unauthorized access or actions performed by compromised accounts. Advesaries may succesfully compromise a user’s credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.

Detection logic

event.dataset: "azure.graphactivitylogs"
    and event.type: "access"
    and azure.graphactivitylogs.properties.c_idtyp: "user"
    and azure.graphactivitylogs.properties.client_auth_method: 0
    and http.response.status_code: 200
    and url.domain: "graph.microsoft.com"