Microsoft Graph Request User Impersonation by Unusual Client
This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to the Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). The rule may help identify unauthorized access or actions performed by compromised accounts. Adversaries who successfully compromise a user's credentials or tokens can use the Microsoft Graph API to access resources or perform actions on behalf of that user.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2025/04/23"
integration = ["azure"]
maturity = "production"
updated_date = "2026/03/20"

[rule]
author = ["Elastic"]
description = """
This New Terms rule focuses on the first occurrence of a client application ID
(azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID
(azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule
may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully
compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the
user.
"""
false_positives = [
    """
    Users legitimately accessing Microsoft Graph API using the specified client application ID and tenant ID. This may
    include authorized applications or services that interact with Microsoft Graph on behalf of users.
    """,
    """
    Authorized third-party applications or services that use the specified client application ID to access Microsoft
    Graph API resources for legitimate purposes.
    """,
    """
    Administrative or automated tasks that involve accessing Microsoft Graph API using the specified client application
    ID and tenant ID, such as provisioning or managing resources.
    """,
]
from = "now-9m"
index = ["logs-azure.graphactivitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Graph Request User Impersonation by Unusual Client"
note = """## Triage and analysis

### Investigating Microsoft Graph Request User Impersonation by Unusual Client

This rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (`azure.graphactivitylogs.properties.app_id`) in combination with a user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) and tenant ID (`azure.tenant_id`) within the rule's 10-day history window. The query is restricted to successful (HTTP 200) requests made under a user identity (`c_idtyp: "user"`) with `client_auth_method: 0`, so the alert describes a public client acting with a user's delegated token. This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows.

Adversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction.

### Possible investigation steps

- Review `azure.graphactivitylogs.properties.user_principal_object_id` and correlate with recent sign-in logs for the associated user.
- Determine whether `azure.graphactivitylogs.properties.app_id` is a known and approved application in your environment.
- Investigate the `user_agent.original` field for signs of scripted access (e.g., automation tools or libraries).
- Check the source IP address (`source.ip`) and geolocation data (`source.geo.*`) for unfamiliar origins.
- Inspect `azure.graphactivitylogs.properties.scopes` to understand the level of access being requested by the app.
- Examine any follow-up Graph API activity from the same `app_id` or `user_principal_object_id` for signs of data access or exfiltration.
- Correlate with device or session ID fields (`azure.graphactivitylogs.properties.c_sid`, if present) to detect persistent or repeat activity.

### False positive analysis

- First-time use of a legitimate Microsoft or enterprise-approved application.
- Developer or automation workflows initiating new Graph API requests.
- Valid end-user activity following device reconfiguration or new client installation.
- Maintain an allowlist of expected `app_id` values and known developer tools.
- Suppress detections from known good `user_agent.original` strings or approved source IP ranges.
- Use device and identity telemetry to distinguish trusted vs. unknown activity sources.
- Combine with session risk or sign-in anomaly signals where available.

### Response and remediation

- Reach out to the user and verify whether they authorized the application access.
- Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed.
- Search for additional Graph API calls made by the same `app_id` or `user_principal_object_id`.
- Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed.
- Apply Conditional Access policies to limit Graph API access by app type, IP, or device state.
- Restrict user consent for third-party apps and enforce admin approval workflows.
- Monitor usage of new or uncommon `app_id` values across your tenant.
- Provide user education on OAuth phishing tactics and reporting suspicious prompts.
"""
references = [
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
    "https://pushsecurity.com/blog/consentfix",
]
risk_score = 21
rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Graph",
    "Data Source: Microsoft Graph Activity Logs",
    "Resources: Investigation Guide",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "azure.graphactivitylogs"
  and event.type: "access"
  and azure.graphactivitylogs.properties.app_id: *
  and azure.graphactivitylogs.properties.c_idtyp: "user"
  and azure.graphactivitylogs.properties.client_auth_method: 0
  and http.response.status_code: 200
  and url.domain: "graph.microsoft.com"
  and not url.path: (
    /v1.0/organization
    or /v1.0/me/licenseDetails
    or /v1.0/me/photo*
    or /v1.0/me/photos*
    or /beta/me/settings/regionalAndLanguageSettings
    or /v1.0/me/drive/special/copilotuploads
    or /v1.0/me/informationProtection/sensitivityLabels
    or /beta/me/informationProtection/dataLossPreventionPolicies
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1528"
name = "Steal Application Access Token"
reference = "https://attack.mitre.org/techniques/T1528/"


[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = [
    "azure.graphactivitylogs.properties.app_id",
    "azure.graphactivitylogs.properties.user_principal_object_id",
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-10d"
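To make the rule's behaviour concrete, the following is an added example (not Elastic's code and not part of the rule) that replays the KQL filter and the new-terms logic in Python over a handful of constructed Graph activity log records. It reproduces the query's clauses one by one, keeps only the first sighting of each (app_id, user_principal_object_id) pair inside the 10-day history window, and alerts when that first sighting falls inside the 9-minute run window. Note that the new-terms fields in the rule are `app_id` and `user_principal_object_id` only; `azure.tenant_id` is carried on each event but is not part of the term key. The `allowlist` parameter models the app_id allowlist the triage guide recommends for tuning. All app, user and tenant identifiers are placeholders, not real GUIDs, and the record layout is assumed from the field names the rule references.

```python
# Added example (not Elastic's code): replays the rule's KQL filter and its
# new-terms logic over constructed Microsoft Graph activity log records.
# Field names follow the rule; record contents, ids and timestamps are made up.
from datetime import datetime, timedelta, timezone

# Paths dropped by the rule's `not url.path: (...)` clause; a trailing * is a prefix match.
EXCLUDED_PATHS = [
    "/v1.0/organization",
    "/v1.0/me/licenseDetails",
    "/v1.0/me/photo*",
    "/v1.0/me/photos*",
    "/beta/me/settings/regionalAndLanguageSettings",
    "/v1.0/me/drive/special/copilotuploads",
    "/v1.0/me/informationProtection/sensitivityLabels",
    "/beta/me/informationProtection/dataLossPreventionPolicies",
]
HISTORY_WINDOW = timedelta(days=10)   # history_window_start = "now-10d"
RUN_WINDOW = timedelta(minutes=9)     # from = "now-9m"


def path_excluded(path):
    """True when the URL path hits one of the rule's excluded entries."""
    return any(path.startswith(p[:-1]) if p.endswith("*") else path == p
               for p in EXCLUDED_PATHS)


def matches_query(doc):
    """True when a document satisfies every clause of the rule's KQL query."""
    props = doc["azure"]["graphactivitylogs"]["properties"]
    return (
        doc["event"]["dataset"] == "azure.graphactivitylogs"
        and doc["event"]["type"] == "access"
        and bool(props.get("app_id"))               # app_id: *
        and props.get("c_idtyp") == "user"          # request made under a user identity
        and props.get("client_auth_method") == 0    # 0 = public client (no client credential)
        and doc["http"]["response"]["status_code"] == 200
        and doc["url"]["domain"] == "graph.microsoft.com"
        and not path_excluded(doc["url"]["path"])
    )


def new_terms_alerts(docs, now, allowlist=frozenset()):
    """Emit one alert per (app_id, user_principal_object_id) pair whose first
    sighting inside the 10-day history window falls inside the 9-minute run
    window.  `allowlist` holds app_ids suppressed as known-good (tuning knob)."""
    history_start = now - HISTORY_WINDOW
    run_start = now - RUN_WINDOW
    seen = set()
    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        ts = doc["@timestamp"]
        if ts < history_start or ts > now or not matches_query(doc):
            continue
        props = doc["azure"]["graphactivitylogs"]["properties"]
        key = (props["app_id"], props["user_principal_object_id"])
        if key in seen:
            continue                      # pair already known inside the history window
        seen.add(key)
        if ts >= run_start and props["app_id"] not in allowlist:
            alerts.append({
                "@timestamp": ts,
                "app_id": key[0],
                "user_principal_object_id": key[1],
                "url.path": doc["url"]["path"],
            })
    return alerts


def make_doc(ts, app_id, user_oid, path, auth_method=0, status=200, idtyp="user"):
    """Build a constructed log record in the rule's field layout (assumed shape)."""
    return {
        "@timestamp": ts,
        "event": {"dataset": "azure.graphactivitylogs", "type": "access"},
        "http": {"response": {"status_code": status}},
        "url": {"domain": "graph.microsoft.com", "path": path},
        "azure": {"tenant_id": "tenant-constructed", "graphactivitylogs": {"properties": {
            "app_id": app_id, "user_principal_object_id": user_oid,
            "c_idtyp": idtyp, "client_auth_method": auth_method}}},
    }


NOW = datetime(2025, 4, 23, 12, 0, tzinfo=timezone.utc)   # fixed clock for the demo
SAMPLE_DOCS = [  # constructed records; ids are placeholders, not real GUIDs
    make_doc(NOW - timedelta(days=3), "app-known-mail", "oid-alice", "/v1.0/me/messages"),
    make_doc(NOW - timedelta(minutes=2), "app-known-mail", "oid-alice", "/v1.0/me/messages"),
    make_doc(NOW - timedelta(minutes=2), "app-unseen", "oid-alice", "/v1.0/me/messages"),
    make_doc(NOW - timedelta(minutes=1), "app-unseen", "oid-alice", "/v1.0/me/photo/$value"),
    make_doc(NOW - timedelta(minutes=1), "app-unseen", "oid-bob", "/v1.0/me/drive/root/children", auth_method=1),
    make_doc(NOW - timedelta(minutes=1), "app-dev-tool", "oid-bob", "/v1.0/me/drive/root/children"),
]

if __name__ == "__main__":
    for a in new_terms_alerts(SAMPLE_DOCS, NOW):
        print("ALERT", a["app_id"], a["user_principal_object_id"], a["url.path"])
    print("alerts with app-dev-tool allowlisted:",
          len(new_terms_alerts(SAMPLE_DOCS, NOW, allowlist={"app-dev-tool"})))
```

Running it yields two alerts: `app-unseen` for `oid-alice` (first seen two minutes ago, never in the prior ten days) and `app-dev-tool` for `oid-bob`. The `app-known-mail` request is silent because the same pair appeared three days earlier, the photo request is dropped by the path exclusion, and the `client_auth_method: 1` request never matches the query. Allowlisting `app-dev-tool` leaves a single alert, which is the tuning step the triage guide describes.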
Related rules
- Entra ID OAuth User Impersonation to Microsoft Graph
- Entra ID External Authentication Methods (EAM) Modified
- Azure Service Principal Authentication from Multiple Countries
- Entra ID OAuth Device Code Grant by Unusual User
- Entra ID Service Principal Federated Credential Authentication by Unusual Client