Query Details

Analyzing Malicious Microsoft Graph API Rate Limit Count

Query

// Analyzing Malicious Microsoft Graph API Rate Limit Count
// https://www.linkedin.com/posts/activity-7218488532250546178-zAMf/

// Utilizing Sentinel’s BehaviourAnalytics with MicrosoftGraphActivityLogs to pinpoint Entra app IDs that are abusing the Microsoft Graph API and causing throttling due to malicious activities. Once the throttling operation resource is identified, additional KQLs can be further deployed to detect specific use case misuse. 🎯

let AttackerIPs =
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntelIndicatorDescription contains "proxy"
| distinct SourceIPAddress;
MicrosoftGraphActivityLogs 
| where TimeGenerated > ago(90d) 
| where IPAddress has_any(AttackerIPs)
| extend path = replace_string(replace_string(replace_regex(tostring(parse_url(RequestUri).Path), @'(\/)+','//'),'v1.0/',''),'beta/','') 
| extend UriSegments = extract_all(@'\/([A-z2]+|\$batch)($|\/|\(|\$)',dynamic([1]),tolower(path))
| extend OperationResource = strcat_array(UriSegments,'/')| summarize RateLimitedCount=count() by AppId, OperationResource, RequestMethod 
| sort by RateLimitedCount desc

// MITRE ATT&CK Mapping

// T1071.001 - Application Layer Protocol: Web Protocols
// The query looks for suspicious activity in web protocols, specifically targeting proxy-related indicators.
// T1070.004 - Indicator Removal on Host: File Deletion
// By analyzing logs for specific IPs and paths, the query can help detect attempts to remove or hide indicators on the host.
// T1087.001 - Account Discovery: Local Account
// The query extends and normalizes paths to identify operations on resources, which can be related to account discovery activities.
// T1040 - Network Sniffing
// The use of BehaviorAnalytics to identify proxy-related activities can be linked to network sniffing techniques.
// T1078 - Valid Accounts
// By summarizing and sorting activities by AppId and RequestMethod, the query can help detect the use of valid accounts for malicious purposes.

Explanation

This query is designed to identify potentially malicious activities involving the Microsoft Graph API by analyzing logs in Microsoft Sentinel. Here's a simplified breakdown:

  1. Identify Suspicious IPs: The query first looks at behavior analytics data from the past 90 days to find IP addresses associated with proxy-related threats. These IPs are considered suspicious.

  2. Analyze Graph API Logs: It then examines Microsoft Graph API activity logs from the same 90-day period, focusing on requests coming from the suspicious IPs identified earlier.

  3. Extract and Normalize Paths: The query processes the request URIs to simplify and standardize the paths, making it easier to analyze the operations being performed.

  4. Count Throttling Events: It counts how many times each application (identified by AppId) and operation (identified by the normalized path and request method) has been rate-limited, which can indicate abuse or misuse of the API.

  5. Sort Results: The results are sorted to highlight the applications and operations with the highest rate-limiting counts, suggesting they might be involved in malicious activities.

  6. MITRE ATT&CK Mapping: The query is mapped to several MITRE ATT&CK techniques, indicating that it can help detect activities like web protocol misuse, indicator removal, account discovery, network sniffing, and the use of valid accounts for unauthorized purposes.

Overall, this query helps security analysts identify and investigate potential abuse of the Microsoft Graph API by malicious actors, focusing on activities that lead to throttling due to excessive or suspicious requests.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

BehaviorAnalyticsMicrosoftGraphActivityLogs

Keywords

BehaviorAnalyticsMicrosoftGraphActivityLogsDevicesInsightsThreatIntelIndicatorDescriptionSourceIPAddressRequestUriPathUriSegmentsOperationResourceAppIdRequestMethod

Operators

let|where>ago()extendtostring()containsdistincthas_anyreplace_string()replace_regex()parse_url()extract_all()dynamic()tolower()strcat_array()summarizecount()bysortdesc

Actions

GitHub