Query Details

Defending Malicious MS Graph Activity With MS Sentinel Threat Intelligence

Query

//Defending malicious MS Graph activity with MS Sentinel Threat Intelligence
//https://www.linkedin.com/pulse/defending-malicious-ms-graph-activity-sentinel-threat-steven-lim-yorjc/

//This article assumes you have already configured Microsoft Graph Activity Logs through Diagnostic Settings in the Entra portal, and that the Microsoft Sentinel data connector (Threat Intelligence - TAXII) is enabled and fully configured to receive a good cyber threat intelligence feed.

//Graph API requests from the last hour whose source IP matches a network indicator in the threat intelligence table
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| distinct IPAddress
| join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP

//Microsoft has released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment.

//Sign-ins that carry the Suspicious API Traffic risk detection
SigninLogs
| where RiskEventTypes contains "suspiciousAPITraffic"



Explanation

This query is designed to identify potentially malicious activity in Microsoft Graph API logs and suspicious API traffic in sign-in logs using Microsoft Sentinel's threat intelligence capabilities. Here’s a simple summary:

  1. Microsoft Graph Activity Logs:
    • The query looks at activity logs from the past hour.
    • It identifies unique IP addresses involved in this activity.
    • These IP addresses are then matched against known threat intelligence indicators to see if any of them are flagged as malicious.
  2. Sign-in Logs:
    • The query checks sign-in logs for any events labeled as "suspicious API traffic."
    • This type of traffic might indicate that a user account has been compromised and is being used for unauthorized activities.

In essence, the query helps detect and correlate suspicious activities in your Microsoft environment by leveraging threat intelligence and risk detection features.
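The two checks above, combined into one hardened hunting query as an added example (this is not part of Steven Lim's original query): it keeps only active, unexpired IP indicators, records which Graph endpoints were called from a flagged IP, and correlates those hits with users who triggered the Suspicious API Traffic detection in the same window. It assumes the standard Microsoft Sentinel schemas for the three tables; the 80 confidence threshold and the 14-day indicator lookback are arbitrary choices.

```kql
// Added example: hardened and correlated version of the two checks above.
let lookback = 1h;          // window for Graph and sign-in activity
let ti_window = 14d;        // how far back to read indicator updates (assumption)
// Latest state of each IP indicator; drop inactive or expired ones to limit false positives
let ActiveIpIndicators = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ti_window)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project NetworkIP, ThreatType, ConfidenceScore, Description, SourceSystem;
// Graph requests from flagged IPs: who called what, from which client
let GraphTiHits = MicrosoftGraphActivityLogs
    | where TimeGenerated >= ago(lookback)
    | join kind=inner ActiveIpIndicators on $left.IPAddress == $right.NetworkIP
    | summarize RequestCount = count(),
                FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
                Methods = make_set(RequestMethod),
                Uris = make_set(RequestUri, 20),
                ThreatTypes = make_set(ThreatType),
                MaxConfidence = max(ConfidenceScore)
        by UserId, AppId, IPAddress, UserAgent;
// Users whose sign-ins carried the Identity Protection "Suspicious API Traffic" detection
let RiskyApiUsers = SigninLogs
    | where TimeGenerated >= ago(lookback)
    | where RiskEventTypes contains "suspiciousAPITraffic"
    | summarize RiskySignIns = count(),
                RiskLevels = make_set(RiskLevelDuringSignIn)
        by UserId, UserPrincipalName;
// Keep every TI hit; rank it higher when the same user also has the risk detection
GraphTiHits
| join kind=leftouter RiskyApiUsers on UserId
| extend SeverityRank = case(isnotempty(UserPrincipalName) and MaxConfidence >= 80, 1,
                             isnotempty(UserPrincipalName), 2,
                             3)
| project-away UserId1
| order by SeverityRank asc, RequestCount desc
```

Rows with SeverityRank 1 are the ones to triage first: Graph calls from a high-confidence malicious IP by a user Identity Protection has already flagged for anomalous API traffic.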

Details

Steven Lim

Released: August 2, 2024

Tables

MicrosoftGraphActivityLogs, ThreatIntelligenceIndicator, SigninLogs

Keywords

MicrosoftGraphActivityLogs, ThreatIntelligenceIndicator, SigninLogs, RiskEventTypes

Operators

|, where, >, ago(), distinct, join, on, ==, contains
