[New Rule] Azure AD Graph Access with Unusual User and ASN #6171
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| [metadata] | ||
| creation_date = "2026/05/20" | ||
| integration = ["azure"] | ||
| maturity = "production" | ||
| min_stack_version = "9.3.0" | ||
| min_stack_comments = "azure.aadgraphactivitylogs backports to 8.19.10 only." | ||
| updated_date = "2026/05/20" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies Azure AD Graph (graph.windows.net) requests originating from network sources outside the major | ||
| public-cloud and Microsoft ASNs that legitimate first-party callers normally come from. Adversary tooling | ||
| typically rides on commodity hosting (residential ISPs, VPS providers, anonymisers) which produces an ASN | ||
| distribution very different from the Microsoft / AWS / GCP / Akamai / Cloudflare ranges that dominate | ||
| legitimate AAD Graph traffic. | ||
| """ | ||
| false_positives = [ | ||
| """ | ||
| Users calling AAD Graph from corporate office networks or home ISPs with custom tooling. Tune the | ||
| excluded ASN organisation list to your environment. | ||
| """, | ||
| """ | ||
| Cloud-hosted internal automation running outside the major providers (smaller cloud or colo). Add | ||
| exceptions on the calling user or app ID after validation. | ||
| """, | ||
| ] | ||
| from = "now-9m" | ||
| index = ["logs-azure.aadgraphactivitylogs-*"] | ||
| language = "kuery" | ||
| license = "Elastic License v2" | ||
| name = "Azure AD Graph Access with Unusual User and ASN" | ||
| note = """## Triage and analysis | ||
|
|
||
| ### Investigating Azure AD Graph Access with Unusual User and ASN | ||
|
|
||
| Legitimate AAD Graph callers in most tenants come from a small set of ASNs: Microsoft itself, the major | ||
| hyperscalers (AWS, GCP), and a handful of CDN / edge -networks that proxy first-party traffic. AAD Graph | ||
| traffic originating from outside that set, especially from residential ISPs, generic VPS providers, or | ||
| anonymising networks, is a signal worth a closer look. This rule excludes the common Microsoft / AWS / | ||
| GCP / Akamai / Cloudflare ASN organisations and surfaces everything else. | ||
|
|
||
| ### Possible investigation steps | ||
|
|
||
| - Identify the ASN and the geographic context. | ||
| - `source.as.organization.name`, `source.as.number`, `source.geo.country_name`, `source.geo.city_name`. | ||
| - Identify the user and whether the source matches normal behavior. | ||
| - `user.id` and recent legitimate sign-in geo / network for the same user. | ||
| - Cross-check user-agent and calling client for known offensive tooling fingerprints. | ||
| - `user_agent.original` (`aiohttp`, `AADInternals`, `curl`, etc.) and `azure.aadgraphactivitylogs.properties.app_id` (FOCI / first-party client IDs). | ||
| - Pivot to sign-in logs (`logs-azure.signinlogs-*`) for the same user / source IP to understand how the calling token was obtained. | ||
| - Check tenant-wide blast radius. | ||
| - Are other users in the tenant calling from the same ASN within the window? If so, treat as a systematic intrusion rather than a single account compromise. | ||
| - Confirm the activity is not attributable to authorized testing (red team engagement, penetration test, internal tooling validation) before treating as malicious. | ||
|
|
||
| ### Response and remediation | ||
|
|
||
| - Revoke refresh tokens and active sessions for the calling user. | ||
| - `POST /v1.0/users/{id}/revokeSignInSessions`. | ||
| - Temporarily disable the user if the alert is high-confidence or you need to halt further activity while investigation continues. | ||
| - `PATCH /v1.0/users/{id}` with body `{"accountEnabled": false}`. | ||
| - Check for device registrations created by the user during or around the burst window and remove rogue devices. | ||
| - `GET /v1.0/users/{id}/registeredDevices` and `GET /v1.0/users/{id}/ownedDevices`, then `DELETE /v1.0/devices/{deviceObjectId}`. | ||
| - Do this BEFORE session revocation: device-bound PRTs survive `revokeSignInSessions`. | ||
| - Apply Conditional Access requiring compliant device or trusted network for AAD Graph access for the affected user population. | ||
| - If the ASN belongs to known abusive infrastructure, add it to a tenant block list (Named Locations / CA policy). | ||
| """ | ||
| references = [ | ||
| "https://learn.microsoft.com/en-us/graph/migrate-azure-ad-graph-overview", | ||
| "https://github.com/dirkjanm/ROADtools", | ||
| ] | ||
| risk_score = 47 | ||
| rule_id = "fb935960-d132-4bb5-853d-62f86cccc250" | ||
| setup = """#### Azure AD Graph Activity Logs | ||
| Requires Azure AD Graph Activity Logs ingested into `logs-azure.aadgraphactivitylogs-*` via the Elastic Azure | ||
| integration. Enable the `AzureADGraphActivityLogs` diagnostic-settings category on Entra ID. ASN enrichment | ||
| depends on the geoip / ASN ingest pipelines applied during integration ingestion. | ||
| """ | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Cloud", | ||
| "Data Source: Azure", | ||
| "Data Source: Azure AD Graph", | ||
| "Data Source: Azure AD Graph Activity Logs", | ||
| "Use Case: Identity and Access Audit", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Initial Access", | ||
| "Resources: Investigation Guide", | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "new_terms" | ||
|
|
||
| query = ''' | ||
| data_stream.dataset:azure.aadgraphactivitylogs and | ||
| user.id:* and source.as.number:(* and | ||
|
Contributor
There was a problem hiding this comment. The user.id:* requirement excludes service-principal / application-token access, another companion rule could be interesting to catch it.
Contributor
Author
There was a problem hiding this comment.
|
||
| not ( | ||
| 3598 or 7224 or 8068 or 8069 or 8070 or | ||
| 8071 or 8072 or 8073 or 8074 or 8075 or | ||
| 8987 or 12076 or 14618 or 15169 or 16509 or | ||
| 19527 or 36040 or 36384 or 36385 or 36492 or | ||
| 39111 or 394089 or 396982 | ||
| ) | ||
| ) | ||
| ''' | ||
|
|
||
| [rule.investigation_fields] | ||
| field_names = [ | ||
| "user.id", | ||
| "source.ip", | ||
| "source.as.number", | ||
| "source.as.organization.name", | ||
| "source.geo.country_name", | ||
| "source.geo.city_name", | ||
| "user_agent.original", | ||
| "azure.aadgraphactivitylogs.properties.app_id", | ||
| "azure.aadgraphactivitylogs.properties.api_version", | ||
| "azure.tenant_id", | ||
| ] | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
|
|
||
| [[rule.threat.technique]] | ||
| id = "T1078" | ||
| name = "Valid Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1078.004" | ||
| name = "Cloud Accounts" | ||
| reference = "https://attack.mitre.org/techniques/T1078/004/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
|
|
||
| [rule.new_terms] | ||
| field = "new_terms_fields" | ||
| value = ["user.id", "source.as.number"] | ||
|
|
||
| [[rule.new_terms.history_window_start]] | ||
| field = "history_window_start" | ||
| value = "now-7d" | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Akamai and Cloudflare should be included in the query?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Kept it to the big 3 for now. If we notice Akamai, Oracle, Cloudflare, IBM Cloud, etc. we will exclude on the first round of tuning.