Query Details

Nation State Actors Via Microsoft Graph

Query

// Nation State Actors via Microsoft Graph
// https://www.linkedin.com/posts/activity-7194188372691607552-dtJv/

// The Microsoft Threat Intelligence Center (MSTIC) reports that IP addresses it attributes to state-sponsored actors and cybercriminal groups are being used to drive activity through the Microsoft Graph API. Microsoft Graph activity logs have been generally available since April 11; if you are not yet collecting them into your workspace, start now, because adversary use of the Graph API as a channel for post-compromise activity is increasing.

// Step 1: build the list of source IPs that Microsoft Entra ID Protection
// flagged with the nation-state IP risk detection during sign-in.
let NationStateIP =
    SigninLogs
    | where TimeGenerated > ago(90d)
    // RiskEventTypes_V2 is a JSON array of risk detection names for the sign-in
    | where RiskEventTypes_V2 contains "estsNationStateIP"
    | distinct IPAddress;
// Step 2: count Graph API requests that came from any of those IPs.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(NationStateIP)
| count

Explanation

This query counts requests in the Microsoft Graph activity logs that originate from IP addresses that Microsoft Entra ID Protection has already flagged as nation-state infrastructure during a sign-in. Here's a breakdown:

  1. Identify Suspicious IPs:

    • It looks at sign-in logs from the past 90 days.
    • Filters for sign-ins whose risk detections (the RiskEventTypes_V2 array) include the "estsNationStateIP" risk event type.
    • Collects the distinct source IP addresses of those sign-ins.
  2. Check Graph Activity Logs:

    • It then examines Microsoft Graph activity logs from the past 90 days.
    • Filters for requests whose source IP address matches any of the flagged IPs (has_any performs a term match; because an IP address is a single value, this behaves like an exact match here).
    • Counts the number of matching requests.

In essence, the query quantifies how much Microsoft Graph API traffic over the last 90 days came from IP addresses already tied to nation-state activity. Two caveats: the list of IPs is only as good as the risk detections populated in your tenant's SigninLogs, and a bare count tells you that something happened, not what. For triage, drop the trailing `| count` and summarize by IP, user and application so you can see which identities and which Graph endpoints were touched.
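The following triage version is an added example and is not part of the original query or the author's post. It keeps the same IP-selection logic but, instead of a single count, shows which users, applications and Graph endpoints were reached from each flagged IP, alongside the risky sign-ins that put the IP on the list. It assumes the documented columns of SigninLogs (IPAddress, RiskEventTypes_V2, UserPrincipalName) and MicrosoftGraphActivityLogs (IPAddress, UserId, AppId, RequestMethod, RequestUri, ResponseStatusCode); the risk event type string is the one used on this page.

```kql
// Added example, not the original query: triage view of Graph API activity
// from nation-state-flagged IPs. Column names are assumed from the schema
// documentation for SigninLogs and MicrosoftGraphActivityLogs.
let lookback = 90d;
// Flagged IPs, with context on the sign-ins that caused the flag.
// materialize() so the list is computed once and reused in the join below.
let NationStateIP = materialize(
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskEventTypes_V2 contains "estsNationStateIP"
    | summarize FirstRiskySignin = min(TimeGenerated),
                RiskySignins = count(),
                RiskyUsers = make_set(UserPrincipalName, 20)
        by IPAddress);
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(lookback)
// 'in' against the tabular list gives an exact-value match on the IP
| where IPAddress in ((NationStateIP | project IPAddress))
// Strip the query string so the same endpoint is not counted once per parameter set
| extend Endpoint = tostring(split(RequestUri, "?")[0])
| summarize GraphRequests = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            FailedRequests = countif(ResponseStatusCode >= 400),
            Methods = make_set(RequestMethod),
            Endpoints = make_set(Endpoint, 25)
    by IPAddress, UserId, AppId
// Attach the sign-in evidence for each IP
| join kind=leftouter NationStateIP on IPAddress
| project-away IPAddress1
| order by GraphRequests desc
```

Read the result per IP and user: a small number of requests against /users, /groups or /applications endpoints from an identity that never used Graph before is more interesting than a large volume of routine traffic from a known automation principal, and a high FailedRequests ratio often points to enumeration by an actor with a token that lacks the permissions it is probing for.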

Details


Steven Lim

Released: August 2, 2024

Tables

SigninLogs, MicrosoftGraphActivityLogs

Keywords

Devices, Intune, User, MicrosoftGraphActivityLogs, IPAddress, Cybersecurity, ThreatIntelligence

Operators

let, |, where, >, ago, contains, distinct, has_any, count
