Microsoft Graph First Occurrence of Client Request

This New Terms rule focuses on the first occurrence of a client application ID (azure.graphactivitylogs.properties.app_id) making a request to the Microsoft Graph API for a specific tenant ID (azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the user.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2025/04/23"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/19"

[rule]
author = ["Elastic"]
description = """
This New Terms rule focuses on the first occurrence of a client application ID
(azure.graphactivitylogs.properties.app_id) making a request to Microsoft Graph API for a specific tenant ID
(azure.tenant_id) and user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id). This rule
may help identify unauthorized access or actions performed by compromised accounts. Adversaries may successfully
compromise a user's credentials and use the Microsoft Graph API to access resources or perform actions on behalf of the
user.
"""
false_positives = [
    """
    Users legitimately accessing Microsoft Graph API using the specified client application ID and tenant ID. This may
    include authorized applications or services that interact with Microsoft Graph on behalf of users.
    """,
    """
    Authorized third-party applications or services that use the specified client application ID to access Microsoft
    Graph API resources for legitimate purposes.
    """,
    """
    Administrative or automated tasks that involve accessing Microsoft Graph API using the specified client application
    ID and tenant ID, such as provisioning or managing resources.
    """,
]
from = "now-9m"
index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Graph First Occurrence of Client Request"
note = """## Triage and analysis

### Investigating Microsoft Graph First Occurrence of Client Request

This rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (`azure.graphactivitylogs.properties.app_id`) in combination with a user principal object ID (`azure.graphactivitylogs.properties.user_principal_object_id`) and tenant ID (`azure.tenant_id`) within the last 14 days. This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows.

Adversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction.

### Possible investigation steps

- Review `azure.graphactivitylogs.properties.user_principal_object_id` and correlate with recent sign-in logs for the associated user.
- Determine whether `azure.graphactivitylogs.properties.app_id` is a known and approved application in your environment.
- Investigate the `user_agent.original` field for signs of scripted access (e.g., automation tools or libraries).
- Check the source IP address (`source.ip`) and geolocation data (`source.geo.*`) for unfamiliar origins.
- Inspect `azure.graphactivitylogs.properties.scopes` to understand the level of access being requested by the app.
- Examine any follow-up Graph API activity from the same `app_id` or `user_principal_object_id` for signs of data access or exfiltration.
- Correlate with device or session ID fields (`azure.graphactivitylogs.properties.c_sid`, if present) to detect persistent or repeat activity.

### False positive analysis

- First-time use of a legitimate Microsoft or enterprise-approved application.
- Developer or automation workflows initiating new Graph API requests.
- Valid end-user activity following device reconfiguration or new client installation.
- Maintain an allowlist of expected `app_id` values and known developer tools.
- Suppress detections from known good `user_agent.original` strings or approved source IP ranges.
- Use device and identity telemetry to distinguish trusted vs. unknown activity sources.
- Combine with session risk or sign-in anomaly signals where available.

### Response and remediation

- Reach out to the user and verify whether they authorized the application access.
- Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed.
- Search for additional Graph API calls made by the same `app_id` or `user_principal_object_id`.
- Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed.
- Apply Conditional Access policies to limit Graph API access by app type, IP, or device state.
- Restrict user consent for third-party apps and enforce admin approval workflows.
- Monitor usage of new or uncommon `app_id` values across your tenant.
- Provide user education on OAuth phishing tactics and reporting suspicious prompts.
"""
references = [
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
]
risk_score = 21
rule_id = "2a3f38a8-204e-11f0-9c1f-f661ea17fbcd"
severity = "low"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Graph",
    "Data Source: Microsoft Graph Activity Logs",
    "Resources: Investigation Guide",
    "Use Case: Identity and Access Audit",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "new_terms"

query = '''
event.dataset: "azure.graphactivitylogs"
    and event.type: "access"
    and azure.graphactivitylogs.properties.c_idtyp: "user"
    and azure.graphactivitylogs.properties.client_auth_method: 0
    and http.response.status_code: 200
    and url.domain: "graph.microsoft.com"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[rule.new_terms]
field = "new_terms_fields"
value = [
    "azure.graphactivitylogs.properties.app_id",
    "azure.graphactivitylogs.properties.user_principal_object_id"
]
[[rule.new_terms.history_window_start]]
field = "history_window_start"
value = "now-14d"
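The KQL filter and the 14-day new-terms window above, re-implemented in Python over constructed sample events as an added example (not Elastic's code or its Elasticsearch new_terms implementation): it applies the rule's field conditions, alerts on the first sighting of each app_id / user_principal_object_id pair within the history window, and suppresses an allowlisted app_id as the false-positive guidance suggests. The app and user IDs are constructed placeholders.

```python
from datetime import datetime, timedelta
HISTORY_WINDOW = timedelta(days=14)   # mirrors history_window_start = "now-14d"

def matches_query(ev):
    """The rule's KQL filter: successful Graph requests by a user identity from a
    public client (client_auth_method 0, i.e. no client secret or certificate)."""
    return (ev.get("event.dataset") == "azure.graphactivitylogs"
            and ev.get("event.type") == "access"
            and ev.get("azure.graphactivitylogs.properties.c_idtyp") == "user"
            and ev.get("azure.graphactivitylogs.properties.client_auth_method") == 0
            and ev.get("http.response.status_code") == 200
            and ev.get("url.domain") == "graph.microsoft.com")

def new_terms_alerts(events, allowlisted_app_ids=frozenset(), window=HISTORY_WINDOW):
    """Alert on each (app_id, user_principal_object_id) pair not seen among matching events
    in the preceding window (events sorted by @timestamp). Simplified stand-in, not Elastic's code."""
    last_seen, alerts = {}, []
    for ev in events:
        if not matches_query(ev):
            continue
        key = (ev["azure.graphactivitylogs.properties.app_id"],
               ev["azure.graphactivitylogs.properties.user_principal_object_id"])
        ts, prev = ev["@timestamp"], last_seen.get(key)
        last_seen[key] = ts
        if key[0] in allowlisted_app_ids:        # allowlist tuning from the FP guidance
            continue
        if prev is None or ts - prev > window:   # not seen within the history window
            alerts.append({"app_id": key[0], "user_principal_object_id": key[1], "ts": ts})
    return alerts

def sample_event(ts, app_id, oid, **overrides):
    """Constructed, flattened Graph activity event carrying the fields the rule queries."""
    ev = {"@timestamp": ts, "event.dataset": "azure.graphactivitylogs", "event.type": "access",
          "azure.graphactivitylogs.properties.c_idtyp": "user",
          "azure.graphactivitylogs.properties.client_auth_method": 0,
          "http.response.status_code": 200, "url.domain": "graph.microsoft.com",
          "azure.graphactivitylogs.properties.app_id": app_id,
          "azure.graphactivitylogs.properties.user_principal_object_id": oid}
    ev.update(overrides)
    return ev

T0 = datetime(2025, 5, 1, 9, 0)  # constructed sample data; IDs below are placeholders, not real Entra identifiers
SAMPLE_EVENTS = [
    sample_event(T0, "app-A", "user-1"),                                   # new pair -> alert
    sample_event(T0 + timedelta(hours=1), "app-A", "user-1"),              # seen 1h ago -> quiet
    sample_event(T0 + timedelta(hours=2), "app-B", "user-1"),              # new app for user -> alert
    sample_event(T0 + timedelta(hours=3), "app-A", "user-2", **{"http.response.status_code": 401}),
    sample_event(T0 + timedelta(hours=4), "app-C", "user-1"),              # allowlisted -> suppressed
    sample_event(T0 + timedelta(days=20), "app-A", "user-1"),              # outside 14d window -> alert
]
```

Running `new_terms_alerts(SAMPLE_EVENTS, allowlisted_app_ids={"app-C"})` yields three alerts; the 401 response never enters the term history, and the pair seen 20 days later fires again because it fell out of the window.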

Triage and analysis

Investigating Microsoft Graph First Occurrence of Client Request

This rule detects the first observed occurrence of a Microsoft Graph API request by a specific client application ID (azure.graphactivitylogs.properties.app_id) in combination with a user principal object ID (azure.graphactivitylogs.properties.user_principal_object_id) and tenant ID (azure.tenant_id) within the last 14 days. This may indicate unauthorized access following a successful phishing attempt, token theft, or abuse of OAuth workflows.

Adversaries frequently exploit legitimate Microsoft or third-party application IDs to avoid raising suspicion during initial access. By using pre-consented or trusted apps to interact with Microsoft Graph, attackers can perform actions on behalf of users without triggering conventional authentication alerts or requiring additional user interaction.

Possible investigation steps

  • Review azure.graphactivitylogs.properties.user_principal_object_id and correlate with recent sign-in logs for the associated user.
  • Determine whether azure.graphactivitylogs.properties.app_id is a known and approved application in your environment.
  • Investigate the user_agent.original field for signs of scripted access (e.g., automation tools or libraries).
  • Check the source IP address (source.ip) and geolocation data (source.geo.*) for unfamiliar origins.
  • Inspect azure.graphactivitylogs.properties.scopes to understand the level of access being requested by the app.
  • Examine any follow-up Graph API activity from the same app_id or user_principal_object_id for signs of data access or exfiltration.
  • Correlate with device or session ID fields (azure.graphactivitylogs.properties.c_sid, if present) to detect persistent or repeat activity.

False positive analysis

  • First-time use of a legitimate Microsoft or enterprise-approved application.
  • Developer or automation workflows initiating new Graph API requests.
  • Valid end-user activity following device reconfiguration or new client installation.
  • Maintain an allowlist of expected app_id values and known developer tools.
  • Suppress detections from known good user_agent.original strings or approved source IP ranges.
  • Use device and identity telemetry to distinguish trusted vs. unknown activity sources.
  • Combine with session risk or sign-in anomaly signals where available.

Response and remediation

  • Reach out to the user and verify whether they authorized the application access.
  • Revoke active OAuth tokens and reset credentials if unauthorized use is confirmed.
  • Search for additional Graph API calls made by the same app_id or user_principal_object_id.
  • Investigate whether sensitive resources (mail, files, Teams, contacts) were accessed.
  • Apply Conditional Access policies to limit Graph API access by app type, IP, or device state.
  • Restrict user consent for third-party apps and enforce admin approval workflows.
  • Monitor usage of new or uncommon app_id values across your tenant.
  • Provide user education on OAuth phishing tactics and reporting suspicious prompts.

References

  • https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/