Query Details

NEW Microsoft Graph API Identity Protection KQL Detection

Query

// NEW Microsoft Graph API Identity Protection KQL Detection
// https://www.linkedin.com/posts/activity-7194389287620997120-OVjs/

// With the new developments from Microsoft Entra Blog, it is now possible to identify user making an abnormally high number of calls to MS Graph and AAD Graph compared to that user’s baseline, which will help identify both compromised users and insider threats scavenging for intel. As this is an offline detection, it may take up to 48 hours to surface in the reports and aggregate the user graph activities.

let SuspiciousGraphUserIP =
SigninLogs
| where TimeGenerated > ago(48h)
| where RiskEventTypes contains "suspiciousAPITraffic"
| distinct IPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(48h)
| where IPAddress has_any (SuspiciousGraphUserIP)


// MITRE ATT&CK Mapping

// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1071.001 - Application Layer Protocol: Web Protocols
// The detection of suspicious API traffic suggests the use of web protocols for communication, which falls under this technique.
// T1078 - Valid Accounts
// The use of valid accounts to perform suspicious activities, such as accessing Microsoft Graph, can be inferred from the logs.
// T1087.004 - Account Discovery: Cloud Account
// The query involves analyzing sign-in logs and activity logs, which can be related to discovering and using cloud accounts.
// T1070.004 - Indicator Removal on Host: File Deletion
// If the suspicious activity involves attempts to delete logs or traces, this technique might be relevant.
// T1020 - Automated Exfiltration
// Suspicious API traffic might indicate automated data exfiltration attempts.

Explanation

This query is designed to detect unusual activity in Microsoft Graph and Azure Active Directory (AAD) by identifying users who are making an abnormally high number of API calls compared to their usual behavior. This can help in spotting compromised accounts or insider threats trying to gather sensitive information. The detection process is offline and may take up to 48 hours to show results.

Here's a breakdown of the query:

  1. Identify Suspicious IPs:

    • The query first looks at sign-in logs from the past 48 hours to find any entries marked with "suspiciousAPITraffic."
    • It collects distinct IP addresses associated with these suspicious activities.
  2. Check Activity Logs:

    • It then examines Microsoft Graph activity logs from the same 48-hour period.
    • The query filters these logs to find any activity from the suspicious IP addresses identified earlier.

The query is mapped to several MITRE ATT&CK techniques, indicating potential tactics and techniques used by attackers:

  • T1071.001: Use of web protocols for communication.
  • T1078: Use of valid accounts for unauthorized activities.
  • T1087.004: Discovery and use of cloud accounts.
  • T1070.004: Possible attempts to delete logs or traces.
  • T1020: Potential automated data exfiltration attempts.

In simple terms, this query helps in identifying and analyzing suspicious user activities related to API usage, which could indicate security threats.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogsMicrosoftGraphActivityLogs

Keywords

SigninLogsMicrosoftGraphActivityLogsIPAddressTimeGeneratedRiskEventTypesSuspiciousGraphUserIP

Operators

let|where>ago()containsdistincthas_any

Actions

GitHub