LoFP LoFP / first-time use of a legitimate first-party or sanctioned client by the user (newly installed app, first sign-in to a workload, fresh powershell module install). validate by `azure.aadgraphactivitylogs.properties.app_id` and the user's history.

Techniques

Sample rules

Azure AD Graph Access with Unusual Client and User

Description

Identifies Azure AD Graph (graph.windows.net) requests where the combination of calling OAuth client (“azure.aadgraphactivitylogs.properties.app_id”) and signed-in user (“user.id”) has not been observed in the tenant in a historical window. A user appearing against AAD Graph under an OAuth client that has not previously authenticated that user is a sign of a FOCI swap, a phished refresh token being redeemed for a new client, or an adversary running tooling under a client identity the user does not normally use.

Detection logic

data_stream.dataset:"azure.aadgraphactivitylogs" and
    azure.aadgraphactivitylogs.properties.actor_type : "User" and
    azure.aadgraphactivitylogs.properties.app_id: (* and not (
        "74658136-14ec-4630-ad9b-26e160ff0fc6" or
        "bb8f18b0-9c38-48c9-a847-e1ef3af0602d" or
        "00000006-0000-0ff1-ce00-000000000000" or
        "18ed3507-a475-4ccb-b669-d66bc9f2a36e")
    ) and user.id:*