Query Details
// Defending Cyber Threats Leveraging Microsoft Graph API
// https://www.linkedin.com/posts/activity-7201866283464679424-Jf-5/
// Using Sentinel User and Entity Behavior Analytics (UEBA) threat intelligence data
// to triangulate attackers launching Graph API attacks on your Entra tenant.
// Prerequisites: Sentinel UEBA and MicrosoftGraphActivityLogs enabled.
let AttackerIP = BehaviorAnalytics
    | where TimeGenerated > ago(90d)
    | where DevicesInsights contains "ThreatIntelIndicatorType" and SourceDevice == ""
    | extend ThreatIntel = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
    | where InvestigationPriority > 0 and ThreatIntel contains "#AttackerIP"
    | distinct SourceIPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any (AttackerIP)
This query identifies and analyzes potential attackers targeting your Microsoft Entra tenant through the Microsoft Graph API. It correlates threat intelligence data from Sentinel's User and Entity Behavior Analytics (UEBA) with the Microsoft Graph Activity Logs. Here's a simplified breakdown:
Identify Attacker IPs: From BehaviorAnalytics over the last 90 days, keep the entries whose DevicesInsights carry a threat intelligence indicator, that have no associated source device (SourceDevice is empty), whose InvestigationPriority is above zero, and whose threat intelligence description matches the query's indicator text; the distinct SourceIPAddress values form the AttackerIP list.
Analyze Graph API Activity: From MicrosoftGraphActivityLogs over the same 90 days, return every request whose IPAddress matches one of those attacker IPs, so the Graph calls made from flagged addresses can be reviewed.
In summary, this query helps you detect and investigate malicious activity by correlating attacker IP addresses from threat intelligence data with Microsoft Graph API activity logs.
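The two stages above, reproduced offline in Python as an added example (not part of this query page or the author's material): the first function applies the BehaviorAnalytics filters to constructed sample rows and collects the distinct flagged IPs, the second pulls the matching MicrosoftGraphActivityLogs rows, and a third goes one step beyond the query by summarizing each flagged IP's Graph requests (count, principals, status codes, most-requested URIs), which is the view an analyst usually builds next. The field names follow the two Sentinel tables; the row contents, the fixed "now" timestamp and the "#AttackerIP" marker text are all constructed assumptions.

```python
"""Correlate UEBA threat-intel hits with Microsoft Graph activity, offline."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 8, 2, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
LOOKBACK = timedelta(days=90)                     # equivalent of ago(90d)


def _ba(days_ago, ip, device, priority, desc):
    """Build one constructed BehaviorAnalytics row (sample data, not tenant data)."""
    return {"TimeGenerated": NOW - timedelta(days=days_ago), "SourceIPAddress": ip,
            "SourceDevice": device, "InvestigationPriority": priority,
            "DevicesInsights": {"ThreatIntelIndicatorType": "IPv4",
                                "ThreatIntelIndicatorDescription": desc}}


def _ga(hours_ago, ip, user, uri, status):
    """Build one constructed MicrosoftGraphActivityLogs row (sample data)."""
    return {"TimeGenerated": NOW - timedelta(hours=hours_ago), "IPAddress": ip,
            "UserId": user, "RequestMethod": "GET", "RequestUri": uri,
            "ResponseStatusCode": status}


BEHAVIOR_ANALYTICS = [
    _ba(3, "203.0.113.10", "", 5, "#AttackerIP known C2 node"),   # matches
    _ba(1, "203.0.113.10", "", 3, "#AttackerIP known C2 node"),   # same IP: distinct collapses it
    _ba(2, "198.51.100.7", "", 0, "#AttackerIP scanner"),         # priority 0: dropped
    _ba(2, "198.51.100.9", "LAPTOP-01", 7, "#AttackerIP botnet"), # has a device: dropped
    _ba(120, "192.0.2.44", "", 9, "#AttackerIP old hit"),         # outside 90 days: dropped
]

USERS = "https://graph.microsoft.com/v1.0/users"
GRAPH_ACTIVITY = [
    _ga(5, "203.0.113.10", "user-a", USERS, 200),
    _ga(4, "203.0.113.10", "user-a", USERS, 200),
    _ga(3, "203.0.113.10", "user-b", "https://graph.microsoft.com/v1.0/me/messages", 403),
    _ga(2, "198.51.100.7", "user-c", "https://graph.microsoft.com/v1.0/me", 200),  # IP not flagged
    _ga(100 * 24, "203.0.113.10", "user-a", USERS, 200),                          # outside 90 days
]


def attacker_ips(rows, now=NOW, marker="#AttackerIP"):
    """Stage 1: distinct SourceIPAddress values that pass the BehaviorAnalytics filters."""
    ips = set()
    for r in rows:
        if r["TimeGenerated"] <= now - LOOKBACK:
            continue
        insights = r.get("DevicesInsights") or {}
        # KQL does a text search on the dynamic column; key presence is the same check here
        if "ThreatIntelIndicatorType" not in insights or r.get("SourceDevice") != "":
            continue
        desc = str(insights.get("ThreatIntelIndicatorDescription", ""))
        # KQL 'contains' is case-insensitive, so compare lower-cased
        if r.get("InvestigationPriority", 0) > 0 and marker.lower() in desc.lower():
            ips.add(r["SourceIPAddress"])
    return ips


def graph_activity_from(rows, ips, now=NOW):
    """Stage 2: Graph requests in the window whose IPAddress is in the flagged set."""
    return [r for r in rows
            if r["TimeGenerated"] > now - LOOKBACK and r["IPAddress"] in ips]


def summarize(hits):
    """Per-IP triage view (added here; the page's query stops at the raw rows)."""
    by_ip = defaultdict(list)
    for h in hits:
        by_ip[h["IPAddress"]].append(h)
    return {ip: {"requests": len(rs),
                 "principals": sorted({r["UserId"] for r in rs}),
                 "status": dict(Counter(r["ResponseStatusCode"] for r in rs)),
                 "top_uris": Counter(r["RequestUri"] for r in rs).most_common(3)}
            for ip, rs in by_ip.items()}


if __name__ == "__main__":
    flagged = attacker_ips(BEHAVIOR_ANALYTICS)
    for ip, info in summarize(graph_activity_from(GRAPH_ACTIVITY, flagged)).items():
        print(ip, info)
```

The sample rows are chosen so each of the query's filters drops exactly one row, which makes it easy to confirm that a change to the filters (for example relaxing SourceDevice == "") behaves as intended before editing the KQL itself.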

Steven Lim
Released: August 2, 2024