Query Details
// NEW Microsoft Graph API Identity Protection KQL Detection
// https://www.linkedin.com/posts/activity-7194389287620997120-OVjs/
// With the new developments from the Microsoft Entra Blog, it is now possible to identify a user making an
// abnormally high number of calls to MS Graph and AAD Graph compared to that user's baseline, which helps
// identify both compromised users and insider threats scavenging for intel. As this is an offline detection,
// it may take up to 48 hours to surface in the reports and aggregate the user's graph activities.
// Step 1: collect the source IPs of sign-ins that Identity Protection flagged with the "suspiciousAPITraffic" risk detection.
let SuspiciousGraphUserIP = SigninLogs
    | where TimeGenerated > ago(48h)
    | where RiskEventTypes contains "suspiciousAPITraffic"
    | distinct IPAddress;
// Step 2: return the Microsoft Graph calls made from those IPs in the same window.
MicrosoftGraphActivityLogs
    | where TimeGenerated > ago(48h)
    | where IPAddress has_any (SuspiciousGraphUserIP)
This query is designed to detect suspicious activity related to Microsoft Graph API and Azure Active Directory (AAD) Graph API usage. Here's a simplified summary:
It first collects the sign-in IP addresses that Identity Protection has flagged with the "suspiciousAPITraffic" risk detection over the last 48 hours, then returns every Microsoft Graph request made from those IPs in the same window. This helps identify users who might be compromised, or insiders who are making an unusually high number of API calls, which could indicate malicious activity. Note that this is an offline detection, so it may take up to 48 hours to show up in reports.
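Because the query above matches on IP address alone, a shared egress address (corporate NAT, VPN) can pull in Graph calls from unrelated users. The following added example, which is not part of the original post, joins the flagged sign-ins to the Graph activity on both UserId and IPAddress and summarises call volume per user and endpoint, so an analyst can see the scale of the activity at a glance. It assumes the standard SigninLogs and MicrosoftGraphActivityLogs schemas in one Log Analytics workspace.

```kql
// Added example, not from the original post. Narrows the IP-only match to
// (user, IP) pairs and produces a per-user triage summary.
let lookback = 48h;
// Sign-ins carrying the offline "suspiciousAPITraffic" risk detection.
let FlaggedSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskEventTypes contains "suspiciousAPITraffic"
    | distinct UserId, UserPrincipalName, IPAddress;
MicrosoftGraphActivityLogs
    | where TimeGenerated > ago(lookback)
    // Only Graph calls made by the flagged user from the flagged IP.
    | join kind=inner FlaggedSignins on UserId, IPAddress
    // Strip query strings so endpoints group by path rather than by object id.
    | extend Endpoint = tostring(parse_url(RequestUri).Path)
    | summarize
        CallCount = count(),
        DistinctEndpoints = dcount(Endpoint),
        FailedCalls = countif(ResponseStatusCode >= 400),
        SampleEndpoints = make_set(Endpoint, 10),
        FirstSeen = min(TimeGenerated),
        LastSeen = max(TimeGenerated)
      by UserPrincipalName, UserId, IPAddress
    | order by CallCount desc
```

A high DistinctEndpoints count with many directory-enumeration paths is the pattern worth escalating; a single endpoint called in a tight loop is more often a misbehaving script, which the FailedCalls column helps separate out.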

Steven Lim
Released: August 2, 2024