Query Details

Defending Cyber Threats Leveraging Microsoft Graph API

Query

// Defending Cyber Threats Leveraging Microsoft Graph API 
// https://www.linkedin.com/posts/activity-7201866283464679424-Jf-5/

// Using Sentinel User and Entity Behavior Analytics (UEBA) threat intelligence data to triangulate attacker launching Graph API attacks on your Entra tenant. Prerequisites: Sentinel UEBA and MicrosoftGraphActivityLogs enabled.

let AttackerIP =
BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType" and SourceDevice == ""
| extend ThreatIntel=tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where InvestigationPriority > 0 and ThreatIntel contains "hashtag#AttackerIP"
| distinct SourceIPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any (AttackerIP)


// MITRE ATT&CK Mapping

// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1071.001 - Application Layer Protocol: Web Protocols:
// The query checks for IP addresses involved in suspicious activities, which could be related to the use of web protocols for command and control.
// T1070.004 - Indicator Removal on Host: File Deletion:
// The query looks for threat intelligence indicators, which might include attempts to remove or alter logs to evade detection.
// T1040 - Network Sniffing:
// By analyzing network activity logs, the query could help detect attempts to capture network traffic.
// T1078 - Valid Accounts:
// The query’s focus on MicrosoftGraphActivityLogs might help identify the use of compromised accounts.
// T1020 - Automated Exfiltration:
// The query could detect automated data exfiltration attempts by monitoring suspicious IP addresses.

Explanation

This query is designed to help identify and defend against cyber threats targeting your Microsoft Entra tenant by using data from Sentinel User and Entity Behavior Analytics (UEBA) and Microsoft Graph API activity logs. Here's a simplified breakdown:

  1. Identify Suspicious IPs:

    • The query first looks at behavior analytics data from the past 90 days to find IP addresses associated with threat intelligence indicators. These indicators suggest that the IPs might be involved in malicious activities.
    • It specifically searches for IPs that have been flagged with a high investigation priority and are linked to a "hashtag#AttackerIP" in the threat intelligence description.
  2. Check Activity Logs:

    • The identified suspicious IP addresses are then cross-referenced with Microsoft Graph API activity logs from the same 90-day period.
    • This step helps to see if these IPs have been involved in any activities within your Microsoft Entra tenant, potentially indicating malicious actions.
  3. MITRE ATT&CK Techniques:

    • The query is mapped to several MITRE ATT&CK techniques, which are common tactics and techniques used by attackers:
      • T1071.001: It checks for suspicious use of web protocols, possibly for command and control.
      • T1070.004: It looks for signs of log tampering or deletion to evade detection.
      • T1040: It analyzes network activity to detect attempts to capture network traffic.
      • T1078: It helps identify the use of compromised accounts by examining activity logs.
      • T1020: It monitors for automated data exfiltration attempts by tracking suspicious IPs.

Overall, this query helps in detecting and investigating potential cyber threats by leveraging threat intelligence and activity logs, providing insights into suspicious activities and helping to map them to known attack techniques.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

BehaviorAnalyticsMicrosoftGraphActivityLogs

Keywords

BehaviorAnalyticsDevicesInsightsSourceDeviceThreatIntelIndicatorDescriptionInvestigationPrioritySourceIPAddressMicrosoftGraphActivityLogsIPAddress

Operators

letwhereagocontainsextendtostringdistincthas_any

Actions

GitHub