Query Details

Detect Microsoft Graph API Abuse

Query

// Detect Microsoft Graph API Abuse
// LinkedIn Post: https://www.linkedin.com/posts/0x534c_nation-state-attackers-increasingly-abuse-activity-7227945393827815424-QMVG/
// This offline risk detection is reported when abnormal Graph API traffic or directory enumeration is observed. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in the environment.

// ** A premium detection requiring Entra P2 license **

search in (SigninLogs, AADUserRiskEvents, AADNonInteractiveUserSignInLogs)
TimeGenerated between (ago(48h) .. now())
and (
    // SigninLogs and AADNonInteractiveUserSignInLogs carry the detections as a dynamic
    // array in RiskEventTypes, so a plain string equality never matches there; use `has`.
    RiskEventTypes has "suspiciousAPITraffic"
    // AADUserRiskEvents exposes one detection per row in the string column RiskEventType.
    or RiskEventType == "suspiciousAPITraffic"
)

// Reference: https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-api-traffic


Explanation

This query is designed to detect potential abuse of the Microsoft Graph API, which could indicate that a user account has been compromised and is being used for reconnaissance activities within the environment. It searches through logs from the past 48 hours in three specific datasets (SigninLogs, AADUserRiskEvents, and AADNonInteractiveUserSignInLogs) for any events labeled as "suspiciousAPITraffic." This detection requires an Entra P2 license to function.
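The following query is an added triage example, not the author's query from this page. It normalises the risk-event column across the three tables (the sign-in tables hold a dynamic array in RiskEventTypes, AADUserRiskEvents a single string in RiskEventType), then summarises the hits per user so an analyst sees first/last detection time, source tables, source IPs and the applications involved in one row. Column names such as UserPrincipalName, IPAddress/IpAddress, AppDisplayName, RiskLevelDuringSignIn, RiskLevel and RiskState are assumed to follow the standard Microsoft Sentinel schemas for these tables; confirm them against your workspace before relying on the output.

```kql
// Added example (not from the original page): per-user triage view for the
// suspiciousAPITraffic risk detection across the three tables used above.
let lookback = 48h;
let riskType = "suspiciousAPITraffic";
union isfuzzy=true
    (SigninLogs
     | where TimeGenerated > ago(lookback)
     // dynamic array column: `has` matches an element, `==` would not
     | where RiskEventTypes has riskType
     | project TimeGenerated, Source = "SigninLogs", UserPrincipalName, IPAddress,
               AppDisplayName, RiskLevel = RiskLevelDuringSignIn, RiskState),
    (AADNonInteractiveUserSignInLogs
     | where TimeGenerated > ago(lookback)
     | where RiskEventTypes has riskType
     | project TimeGenerated, Source = "AADNonInteractiveUserSignInLogs", UserPrincipalName, IPAddress,
               AppDisplayName, RiskLevel = RiskLevelDuringSignIn, RiskState),
    (AADUserRiskEvents
     | where TimeGenerated > ago(lookback)
     // one detection per row, stored as a plain string
     | where RiskEventType == riskType
     // assumed schema: this table names the address column IpAddress and has no app column
     | project TimeGenerated, Source = "AADUserRiskEvents", UserPrincipalName, IPAddress = IpAddress,
               AppDisplayName = "", RiskLevel, RiskState)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Events = count(),
            Sources = make_set(Source), IPs = make_set(IPAddress), Apps = make_set(AppDisplayName),
            RiskLevels = make_set(RiskLevel), RiskStates = make_set(RiskState)
  by UserPrincipalName
| order by Events desc
```

Users whose RiskStates still contain "atRisk" and whose Apps set includes unexpected Graph-capable clients are the ones to review first; a single row per user also makes the result easy to wire into an analytics rule entity mapping on UserPrincipalName and IPAddress.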

Details


Steven Lim

Released: August 10, 2024

Tables

SigninLogs, AADUserRiskEvents, AADNonInteractiveUserSignInLogs

Keywords

Microsoft Graph API Abuse, Risk Detection, SigninLogs, AADUserRiskEvents, AADNonInteractiveUserSignInLogs, Suspicious API Traffic

Operators

search, in, between, ago, now, and, ==
