Azure AD Graph Access with Suspicious User-Agent

Last updated: 2026-05-20
Created: 2026-05-20

About

Identifies Azure AD Graph (graph.windows.net) requests originating from user-agent strings associated with offensive tooling, scripting libraries, or generic HTTP clients. First-party Microsoft components calling AAD Graph identify with specific user agents such as "Microsoft Azure Graph Client Library", "Microsoft ADO.NET Data Services", or "Microsoft.OData.Client". Anything outside that recognised set is either a developer prototyping against the legacy API or an enumeration tool walking the directory.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Azure AD Graph
Data Source: Azure AD Graph Activity Logs
Use Case: Threat Detection
Tactic: Discovery
Language: esql
Severity
medium
Risk Score
47
MITRE ATT&CK™

Discovery (TA0007)

False Positive Examples
Developer activity prototyping against AAD Graph from a workstation may match. Validate via the calling `azure.aadgraphactivitylogs.properties.app_id` and the signed-in user; legitimate developer use is rare in production tenants since Microsoft has been steering callers off AAD Graph for years. Authorized red team or penetration test activity using ROADrecon, ROADtools, AADInternals or similar tooling can match. Add exceptions on the source IP, signed-in user, or app ID after validation.
License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

azure

Query
from logs-azure.aadgraphactivitylogs-* metadata _id, _version, _index
| where data_stream.dataset == "azure.aadgraphactivitylogs"
    and azure.aadgraphactivitylogs.properties.actor_type == "User"
    and user_agent.original is not null
| eval Esql.ua_lower = to_lower(user_agent.original)
| where Esql.ua_lower like "*fasthttp*"
    or Esql.ua_lower like "*aiohttp*"
    or Esql.ua_lower like "*hound*"
    or Esql.ua_lower like "*aadinternals*"
    or Esql.ua_lower like "*go-http-client*"
    or Esql.ua_lower like "python*"
    or Esql.ua_lower like "*curl/*"
    or Esql.ua_lower like "*okhttp*"
    or Esql.ua_lower like "*axios*"
    or Esql.ua_lower like "*node-fetch*"
    or Esql.ua_lower like "*go-resty*"
    or Esql.ua_lower like "*bav2ropc*"
    or Esql.ua_lower like "*undici*"
| keep _id, _version, _index, @timestamp, user.id, source.ip, source.as.organization.name,
    user_agent.original, azure.aadgraphactivitylogs.properties.app_id,
    azure.aadgraphactivitylogs.properties.api_version, url.path, http.response.status_code,
    azure.tenant_id, Esql.ua_lower
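To see which records the query's predicate chain would select, the following Python replays the rule's `where` and `like` logic over a handful of constructed AAD Graph activity documents (flattened to dotted field names). This is an added example, not part of the Elastic rule; the sample events and the `_event` helper are assumptions built for illustration, and the LIKE translation treats only `*` as a wildcard, as the rule's patterns use.

```python
import re

# LIKE patterns from the rule; "python*" is anchored at the start, the rest are unanchored.
UA_PATTERNS = [
    "*fasthttp*", "*aiohttp*", "*hound*", "*aadinternals*", "*go-http-client*",
    "python*", "*curl/*", "*okhttp*", "*axios*", "*node-fetch*",
    "*go-resty*", "*bav2ropc*", "*undici*",
]

def like_to_regex(pattern):
    """Translate an ES|QL LIKE pattern: '*' matches any run of characters, the rest is literal."""
    body = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.compile(body, re.DOTALL)

def ua_matches(user_agent):
    """Mirror `eval Esql.ua_lower = to_lower(...)` followed by the chain of LIKE tests."""
    ua_lower = user_agent.lower()
    return any(like_to_regex(p).fullmatch(ua_lower) for p in UA_PATTERNS)

def is_suspicious(event):
    """Apply the rule's `where` clauses to one flattened aadgraphactivitylogs document."""
    if event.get("data_stream.dataset") != "azure.aadgraphactivitylogs":
        return False
    if event.get("azure.aadgraphactivitylogs.properties.actor_type") != "User":
        return False
    ua = event.get("user_agent.original")
    return ua is not None and ua_matches(ua)

def suspicious_user_ids(events):
    """Return user.id for every event the rule would alert on, in input order."""
    return [e["user.id"] for e in events if is_suspicious(e)]

def _event(user_id, ua, actor_type="User"):
    # Constructed sample document (not real telemetry), flattened to dotted field names.
    return {
        "data_stream.dataset": "azure.aadgraphactivitylogs",
        "azure.aadgraphactivitylogs.properties.actor_type": actor_type,
        "user_agent.original": ua,
        "user.id": user_id,
    }

SAMPLE_EVENTS = [
    _event("user-a", "python-requests/2.31.0"),                       # matches "python*"
    _event("user-b", "Microsoft Azure Graph Client Library 2.1.13"),  # first-party, no match
    _event("user-c", "curl/8.4.0", actor_type="ServicePrincipal"),    # dropped by actor_type
    _event("user-d", None),                                           # null UA is filtered out
    _event("user-e", "Mozilla/5.0 Python/3.11 aiohttp/3.9.1"),        # matches "*aiohttp*"
    _event("user-f", "MyPythonTool/1.0"),                             # anchored "python*" misses
]
```

Note that `user-f` is not selected: `python*` only fires when the lower-cased user agent begins with `python`, whereas every other pattern matches anywhere in the string.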

Install detection rules in Elastic Security

Detect Azure AD Graph Access with Suspicious User-Agent in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.