Query Details

Nation State Actors Via Microsoft Graph

Query

// Nation State Actors via Microsoft Graph
// https://www.linkedin.com/posts/activity-7194188372691607552-dtJv/

// IP addresses identified by the Microsoft Threat Intelligence Center (MSTIC) as being linked to state-sponsored entities or cybercriminal organizations are reportedly exploiting the Graph API. As of April 11, Microsoft Graph activity logs have become widely accessible. It is highly recommended to begin aggregating these logs if you haven’t already. The trend of malicious actors utilizing the Graph API as a platform for their illicit activities is on the rise.

let NationStateIP =
    SigninLogs
    | where TimeGenerated > ago(90d)
    | where RiskEventTypes_V2 contains "estsNationStateIP"
    | distinct IPAddress;
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(90d)
| where IPAddress has_any(NationStateIP)
| count

// MITRE ATT&CK Mapping

// The KQL query is primarily focused on detecting suspicious IP addresses and their activities, which can be mapped to several MITRE ATT&CK techniques:

// T1071.001 - Application Layer Protocol: Web Protocols
// The query looks for suspicious IP addresses in activity logs, which can be related to the use of web protocols for communication.
// T1078 - Valid Accounts
// The detection of nation-state IPs in sign-in logs can indicate the use of valid accounts by adversaries.
// T1078.003 - Valid Accounts: Local Accounts
// If the nation-state IPs are using local accounts, this technique is relevant.
// T1078.004 - Valid Accounts: Cloud Accounts
// If the nation-state IPs are using cloud accounts, this technique is relevant.
// T1589.001 - Gather Victim Identity Information: Credentials
// The query might help in identifying attempts to gather credentials through nation-state IPs.

Explanation

This KQL query is designed to identify and count activities from IP addresses linked to nation-state actors or cybercriminal organizations, as identified by the Microsoft Threat Intelligence Center (MSTIC). Here's a simple breakdown:

  1. Data Source: The query uses two main data sources: SigninLogs and MicrosoftGraphActivityLogs.

  2. Time Frame: It focuses on data from the last 90 days.

  3. Identifying Suspicious IPs:

    • It first filters the SigninLogs to find IP addresses associated with "estsNationStateIP", which indicates they are linked to nation-state actors.
    • It then creates a distinct list of these suspicious IP addresses.
  4. Activity Logs Check:

    • The query checks the MicrosoftGraphActivityLogs for any activities from these suspicious IP addresses within the same 90-day period.
    • It counts how many such activities are found.
  5. Security Implications:

    • The query helps in detecting potential malicious activities by identifying IP addresses that are exploiting the Microsoft Graph API.
    • It is aligned with several MITRE ATT&CK techniques, which are frameworks for understanding and categorizing cyber threats. These techniques include:
      • Use of web protocols for communication (T1071.001).
      • Use of valid accounts, both local and cloud (T1078, T1078.003, T1078.004).
      • Attempts to gather victim credentials (T1589.001).

Overall, this query is a proactive measure to monitor and respond to potential threats from nation-state actors using Microsoft's services.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

SigninLogsMicrosoftGraphActivityLogs

Keywords

NationStateIPSigninLogsMicrosoftGraphActivityLogsIPAddressTimeGeneratedRiskEventTypesV2MITREATTCKTechniquesApplicationLayerProtocolWebProtocolsValidAccountsLocalAccountsCloudAccountsVictimIdentityInformationCredentials

Operators

let|where>ago()containsdistincthas_any()count

Actions

GitHub