Nation State Actors Via Microsoft Graph
Query
// Nation State Actors via Microsoft Graph
// https://www.linkedin.com/posts/activity-7194188372691607552-dtJv/
// IP addresses identified by the Microsoft Threat Intelligence Center (MSTIC) as being linked to state-sponsored entities or cybercriminal organizations are reportedly exploiting the Graph API. As of April 11, Microsoft Graph activity logs have become widely accessible. It is highly recommended to begin aggregating these logs if you haven’t already. The trend of malicious actors utilizing the Graph API as a platform for their illicit activities is on the rise.
let NationStateIP =
SigninLogs
| where TimeGenerated > ago(90d)
| where RiskEventTypes_V2 contains "estsNationStateIP"
| distinct IPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(NationStateIP)
| count
// MITRE ATT&CK Mapping
// The KQL query is primarily focused on detecting suspicious IP addresses and their activities, which can be mapped to several MITRE ATT&CK techniques:
// T1071.001 - Application Layer Protocol: Web Protocols
// The query looks for suspicious IP addresses in activity logs, which can be related to the use of web protocols for communication.
// T1078 - Valid Accounts
// The detection of nation-state IPs in sign-in logs can indicate the use of valid accounts by adversaries.
// T1078.003 - Valid Accounts: Local Accounts
// If the nation-state IPs are using local accounts, this technique is relevant.
// T1078.004 - Valid Accounts: Cloud Accounts
// If the nation-state IPs are using cloud accounts, this technique is relevant.
// T1589.001 - Gather Victim Identity Information: Credentials
// The query might help in identifying attempts to gather credentials through nation-state IPs.Explanation
This KQL query is designed to identify and count activities from IP addresses linked to nation-state actors or cybercriminal organizations, as identified by the Microsoft Threat Intelligence Center (MSTIC). Here's a simple breakdown:
-
Data Source: The query uses two main data sources:
SigninLogsandMicrosoftGraphActivityLogs. -
Time Frame: It focuses on data from the last 90 days.
-
Identifying Suspicious IPs:
- It first filters the
SigninLogsto find IP addresses associated with "estsNationStateIP", which indicates they are linked to nation-state actors. - It then creates a distinct list of these suspicious IP addresses.
- It first filters the
-
Activity Logs Check:
- The query checks the
MicrosoftGraphActivityLogsfor any activities from these suspicious IP addresses within the same 90-day period. - It counts how many such activities are found.
- The query checks the
-
Security Implications:
- The query helps in detecting potential malicious activities by identifying IP addresses that are exploiting the Microsoft Graph API.
- It is aligned with several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These techniques include:
- Use of web protocols for communication (T1071.001).
- Use of valid accounts, both local and cloud (T1078, T1078.003, T1078.004).
- Attempts to gather victim credentials (T1589.001).
Overall, this query is a proactive measure to monitor and respond to potential threats from nation-state actors using Microsoft's services.
Details

Steven Lim
Released: August 25, 2024
Tables
SigninLogsMicrosoftGraphActivityLogs
Keywords
NationStateIPSigninLogsMicrosoftGraphActivityLogsIPAddressTimeGeneratedRiskEventTypesV2MITREATTCKTechniquesApplicationLayerProtocolWebProtocolsValidAccountsLocalAccountsCloudAccountsVictimIdentityInformationCredentials
Operators
let|where>ago()containsdistincthas_any()count