Query Details

Analyzing Malicious Microsoft Graph API Rate Limit Count

Query

// Analyzing Malicious Microsoft Graph API Rate Limit Count
// https://www.linkedin.com/posts/activity-7218488532250546178-zAMf/

// Utilizing Sentinel's BehaviorAnalytics table with MicrosoftGraphActivityLogs to pinpoint Entra app IDs that are abusing the Microsoft Graph API and causing throttling through malicious activity. Once the throttled operation resource is identified, additional KQL queries can be deployed to detect the specific misuse case. 🎯

let AttackerIPs =
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| extend ThreatIntelIndicatorDescription = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntelIndicatorDescription contains "proxy"
| distinct SourceIPAddress;
MicrosoftGraphActivityLogs 
| where TimeGenerated > ago(90d) 
| where IPAddress has_any(AttackerIPs)
| extend path = replace_string(replace_string(replace_regex(tostring(parse_url(RequestUri).Path), @'(\/)+','//'),'v1.0/',''),'beta/','') 
| extend UriSegments = extract_all(@'\/([A-z2]+|\$batch)($|\/|\(|\$)',dynamic([1]),tolower(path))
| extend OperationResource = strcat_array(UriSegments,'/')
| summarize RateLimitedCount=count() by AppId, OperationResource, RequestMethod 
| sort by RateLimitedCount desc

Explanation

This KQL query is designed to surface Microsoft Graph API activity from suspicious source IPs and rank it by application and operation, so that app IDs driving rate limiting (throttling) stand out. Here's a breakdown of what the query does:

  1. Identify Attacker IPs:

    • It first looks at the BehaviorAnalytics table for the past 90 days and picks out rows whose DevicesInsights.ThreatIntelIndicatorDescription (a field of the dynamic DevicesInsights column, hence the tostring()) contains "proxy".
    • The distinct SourceIPAddress values of those rows are treated as potential attacker IPs.
  2. Analyze Microsoft Graph API Logs:

    • It then examines the MicrosoftGraphActivityLogs table, also for the past 90 days, keeping requests whose IPAddress matches one of the identified attacker IPs (has_any does term matching; `in (AttackerIPs)` is the exact-match alternative).
    • The query takes the path of RequestUri (parse_url drops the query string), collapses every run of slashes to a double slash so that each segment keeps a leading slash of its own, and strips the v1.0/ and beta/ version prefix.
    • It then extracts the lower-cased alphabetic path segments (plus the literal $batch) with extract_all and joins them with '/' into an OperationResource such as users/memberof. Object IDs, UPNs and $count fall out because they do not match the [A-z2]+ pattern. Note that [A-z] is a wider range than [A-Za-z] (it also spans a few punctuation characters); it works here only because those characters never appear in Graph path segments.
  3. Summarize Throttling Events:

    • The query counts, per AppId, OperationResource and RequestMethod, how many requests from the flagged IPs were logged. As written it does not filter on the response code, so RateLimitedCount is the total request volume from those IPs rather than only throttled calls; to count only throttled responses, add `| where ResponseStatusCode == 429` before the summarize (ResponseStatusCode is a column of MicrosoftGraphActivityLogs).
    • It sorts these counts in descending order so the noisiest app, resource and method combinations come first.

In essence, this query helps pinpoint which Entra app IDs are abusing the Microsoft Graph API, leading to throttling, and provides a basis for further investigation into specific misuse cases.
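The path normalization and the final count, as an added Python model that is not part of the original query (the page's own code is KQL): it reproduces the replace_regex / replace_string / extract_all / strcat_array pipeline step for step and then performs the summarize over a few constructed MicrosoftGraphActivityLogs rows. The sample rows, the app IDs and the IP 203.0.113.10 are made up; the `only_throttled` switch is my addition and applies the `ResponseStatusCode == 429` filter that the original query omits.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Same pattern the KQL extract_all() uses: a slash, then a run of letters
# (or the digit 2, or the literal $batch), terminated by end-of-string,
# another slash, "(" or "$". Object IDs, UPNs and $count therefore drop out.
SEGMENT_RE = re.compile(r'\/([A-z2]+|\$batch)($|\/|\(|\$)')


def normalize_path(request_uri: str) -> str:
    """Mirror the KQL extend: parse_url().Path, collapse every run of slashes
    to exactly two, and drop the v1.0/ and beta/ version prefix. The double
    slash matters: the terminating slash of one regex match is consumed, and
    the doubled slash leaves a second one for the next segment to match on."""
    path = urlparse(request_uri).path          # query string discarded, like parse_url().Path
    path = re.sub(r'(\/)+', '//', path)        # replace_regex(@'(\/)+', '//')
    path = path.replace('v1.0/', '')           # replace_string(..., 'v1.0/', '')
    path = path.replace('beta/', '')           # replace_string(..., 'beta/', '')
    return path


def operation_resource(request_uri: str) -> str:
    """extract_all() over the lower-cased path, joined with '/' (strcat_array)."""
    segments = [m.group(1) for m in SEGMENT_RE.finditer(normalize_path(request_uri).lower())]
    return '/'.join(segments)


# Constructed sample rows standing in for MicrosoftGraphActivityLogs (not real data).
# 203.0.113.10 plays the role of an IP returned by the BehaviorAnalytics sub-query.
ATTACKER_IPS = {"203.0.113.10"}
GRAPH = "https://graph.microsoft.com"
SAMPLE_LOGS = [
    {"AppId": "app-a", "IPAddress": "203.0.113.10", "RequestMethod": "GET",
     "ResponseStatusCode": 429, "RequestUri": GRAPH + "/v1.0/users/a1b2c3/memberOf"},
    {"AppId": "app-a", "IPAddress": "203.0.113.10", "RequestMethod": "GET",
     "ResponseStatusCode": 429, "RequestUri": GRAPH + "/v1.0/users/d4e5f6/memberOf"},
    {"AppId": "app-a", "IPAddress": "203.0.113.10", "RequestMethod": "GET",
     "ResponseStatusCode": 200, "RequestUri": GRAPH + "/v1.0/users/d4e5f6/memberOf"},
    {"AppId": "app-a", "IPAddress": "203.0.113.10", "RequestMethod": "POST",
     "ResponseStatusCode": 429, "RequestUri": GRAPH + "/v1.0/$batch"},
    {"AppId": "app-b", "IPAddress": "198.51.100.7", "RequestMethod": "GET",
     "ResponseStatusCode": 429, "RequestUri": GRAPH + "/beta/users?$top=999"},
]


def rate_limited_count(rows, attacker_ips, only_throttled=True):
    """summarize RateLimitedCount=count() by AppId, OperationResource, RequestMethod,
    sorted descending. The page's query has no response-code filter; only_throttled
    adds the `where ResponseStatusCode == 429` a true throttling count needs."""
    counts = Counter()
    for row in rows:
        if row["IPAddress"] not in attacker_ips:          # where IPAddress has_any(AttackerIPs)
            continue
        if only_throttled and row["ResponseStatusCode"] != 429:
            continue
        key = (row["AppId"], operation_resource(row["RequestUri"]), row["RequestMethod"])
        counts[key] += 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)   # sort by RateLimitedCount desc


if __name__ == "__main__":
    for uri in (GRAPH + "/v1.0/users/a1b2c3/memberOf", GRAPH + "/beta/users?$top=999",
                GRAPH + "/v1.0/users/jane@contoso.com/messages", GRAPH + "/v1.0/$batch"):
        print(uri, "->", operation_resource(uri))
    for (app, resource, method), n in rate_limited_count(SAMPLE_LOGS, ATTACKER_IPS):
        print(f"{app:6} {method:5} {resource:20} {n}")
```

Running it shows why the operation resource is a useful pivot: two requests against different user objects collapse to the same users/memberof key, while the 200 response is excluded from the throttled count and the request from the unflagged IP never enters the summarize at all.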

Details


Steven Lim

Released: August 2, 2024

Tables

BehaviorAnalytics, MicrosoftGraphActivityLogs

Keywords

Devices, Sentinel, MicrosoftGraphActivityLogs, Entra, AppIDs, MicrosoftGraphAPI, Throttling, MaliciousActivities, ThreatIntelIndicatorDescription, SourceIPAddress, RequestUri, Path, UriSegments, OperationResource, AppId, RequestMethod

Operators

let, |, >, ago, extend, tostring, contains, distinct, has_any, replace_string, replace_regex, parse_url, extract_all, dynamic, tolower, strcat_array, summarize, count, by, sort, desc
