Graph Runner Recon Detection Response
Query
// GraphRunner Recon Detection & Response
// https://www.linkedin.com/posts/activity-7186279751127334912-zjwN/
// We create a Sentinel NRT rule to detect the "Get-GraphTokens" and perform an automation rule of revoking the token. š„
SigninLogs
| where AuthenticationProtocol == "deviceCode"
| where ResourceDisplayName == "Microsoft Graph"
| extend DeviceName = tostring(DeviceDetail.displayName)
| extend TrustType = tostring(DeviceDetail.trustType)
| where TrustType != "Hybrid Azure AD joined" and TrustType != "Azure AD joined"
// MITRE ATT&CK Mapping
// Based on the query, the following MITRE ATT&CK techniques are relevant:
// T1078 - Valid Accounts: The query focuses on authentication logs, which can help detect the use of valid accounts for unauthorized access.
// T1078.004 - Cloud Accounts: Specifically, the query targets Azure AD logs, which are related to cloud accounts.
// T1078.001 - Default Accounts: By filtering out specific trust types, the query might help identify the use of default or less secure accounts.
// T1556 - Modify Authentication Process: The use of ādeviceCodeā as an authentication protocol could be related to attempts to modify or bypass standard authentication processes.Explanation
This query is designed to detect suspicious activity related to the use of Microsoft Graph tokens in Azure Active Directory (Azure AD) sign-in logs. Here's a simplified breakdown:
-
Purpose: The query aims to identify instances where the "deviceCode" authentication protocol is used to access Microsoft Graph, which could indicate unauthorized access attempts.
-
Filtering Criteria:
- It looks for sign-ins using the "deviceCode" authentication protocol.
- It specifically targets access to the "Microsoft Graph" resource.
- It excludes devices that are "Hybrid Azure AD joined" or "Azure AD joined," focusing on potentially less secure or default accounts.
-
Action: When such activity is detected, an automated rule is triggered to revoke the token, preventing further unauthorized access.
-
Security Framework: The query is mapped to several MITRE ATT&CK techniques:
- T1078 (Valid Accounts): It examines authentication logs to detect unauthorized use of valid accounts.
- T1078.004 (Cloud Accounts): It focuses on Azure AD, which involves cloud accounts.
- T1078.001 (Default Accounts): By filtering out certain trust types, it may reveal the use of default or less secure accounts.
- T1556 (Modify Authentication Process): The use of "deviceCode" might indicate attempts to alter or bypass standard authentication methods.
Overall, this query is part of a security measure to identify and respond to potential threats involving Microsoft Graph tokens in Azure AD environments.
Details

Steven Lim
Released: August 5, 2024
Tables
Keywords
Operators