Defending Malicious MS Graph Activity With MS Sentinel Threat Intelligence
Query
//Defending malicious MS graph activity with MS Sentinel Threat Intelligence
//https://www.linkedin.com/pulse/defending-malicious-ms-graph-activity-sentinel-threat-steven-lim-yorjc/
//This article assumed you have already configured your Microsoft Graph Activity Logs through Diagnostic Setting in the Entra Portal and you have the Microsoft data connector for Microsoft Sentinel (Threat Intelligence - TAXII) enabled and fully configured to receive a good cyber threat intelligence feed.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1h)
| distinct IPAddress
| join ThreatIntelligenceIndicator on $left.IPAddress == $right.NetworkIP
//Microsoft have released a new premium user risk detection in Identity Protection called Suspicious API Traffic. This detection is reported when Identity Protection detects anomalous Graph traffic by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment.
SigninLogs
| where RiskEventTypes contains "suspiciousAPITraffic"
// MITRE ATT&CK Mapping
// Based on the operations and objectives of the KQL code, the following MITRE ATT&CK techniques are relevant:
// T1071.001 - Application Layer Protocol: Web Protocols: The use of Microsoft Graph API can be associated with web protocols.
// T1071.003 - Application Layer Protocol: Mail Protocols: If the Graph API is used for email-related activities.
// T1595.002 - Active Scanning: Vulnerability Scanning: If the IP addresses are involved in scanning activities.
// T1078 - Valid Accounts: Suspicious API traffic might indicate the use of compromised accounts.
// T1587.001 - Develop Capabilities: Malware: If the suspicious traffic is related to malware activities.
// T1589.002 - Gather Victim Network Information: DNS: If the suspicious traffic involves DNS queries.Explanation
This query is designed to identify potentially malicious activities involving Microsoft Graph API by leveraging Microsoft Sentinel's threat intelligence capabilities. Here's a simplified breakdown:
-
Microsoft Graph Activity Logs: The query first looks at Microsoft Graph activity logs from the past hour to identify unique IP addresses involved in these activities.
-
Threat Intelligence Correlation: It then checks if any of these IP addresses match known threat indicators by joining them with threat intelligence data. This helps in identifying IPs that might be associated with malicious activities.
-
Suspicious API Traffic Detection: The query also examines sign-in logs to find instances of "suspicious API traffic." This is a premium user risk detection feature in Microsoft Identity Protection that flags unusual Graph API usage, which could indicate a compromised user account performing reconnaissance or other unauthorized actions.
-
MITRE ATT&CK Techniques: The query maps the detected activities to relevant MITRE ATT&CK techniques, which are a framework for understanding the tactics and techniques used by adversaries. The relevant techniques include:
- Use of web and mail protocols (T1071.001, T1071.003).
- Active scanning and vulnerability scanning (T1595.002).
- Use of valid accounts, possibly compromised (T1078).
- Development of malware capabilities (T1587.001).
- Gathering network information through DNS queries (T1589.002).
Overall, this query helps security teams identify and respond to potential threats involving Microsoft Graph API by correlating activity logs with threat intelligence and mapping them to known attack techniques.
Details

Steven Lim
Released: August 25, 2024
Tables
Keywords
Operators