Azure AD Graph Access with Unusual User and ASN

Last updated: 2026-05-20
Created: 2026-05-20

About

Identifies Azure AD Graph (graph.windows.net) requests originating from network sources outside the major public-cloud and Microsoft ASNs that legitimate first-party callers normally come from. Adversary tooling typically rides on commodity hosting (residential ISPs, VPS providers, anonymisers) which produces an ASN distribution very different from the Microsoft / AWS / GCP / Akamai / Cloudflare ranges that dominate legitimate AAD Graph traffic.
Tags
Domain: Cloud
Data Source: Azure
Data Source: Azure AD Graph
Data Source: Azure AD Graph Activity Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

False Positive Examples
Users calling AAD Graph from corporate office networks or home ISPs with custom tooling. Tune the excluded ASN organisation list to your environment.
Cloud-hosted internal automation running outside the major providers (smaller cloud or colo). Add exceptions on the calling user or app ID after validation.
License
Elastic License v2

Definition

Rule Type
New Terms Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-azure.aadgraphactivitylogs-*
Related Integrations

azure

Query
data_stream.dataset:azure.aadgraphactivitylogs and user.id:* and source.as.number:(* and not ( 3598 or 7224 or 8068 or 8069 or 8070 or 8071 or 8072 or 8073 or 8074 or 8075 or 8987 or 12076 or 14618 or 15169 or 16509 or 19527 or 36040 or 36384 or 36385 or 36492 or 39111 or 394089 or 396982 ) )
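The query above is a static filter; the "New Terms" rule type layers on top of it the condition that the observed term combination has not appeared in a recent history window. The following is an added example (not Elastic's rule code) that emulates both stages in Python over a handful of constructed aadgraphactivitylogs events: matches_query mirrors the KQL exactly (dataset, user.id present, source.as.number present and not in the excluded list copied from the query), and new_term_alerts raises an alert only the first time a (user.id, source.as.number) pair is seen within a window. The page does not state which fields the rule uses as new terms or the window length, so both are assumptions, as are the sample users, timestamps and ASNs.

```python
"""Emulation of the "Azure AD Graph Access with Unusual User and ASN" rule.

Added example, not the rule's own code. The excluded ASN list is copied from the
rule query; the new-terms key fields, history window and all sample events are
assumptions made for illustration.
"""
from datetime import datetime, timedelta

# Excluded ASNs, copied verbatim from the rule's KQL query.
EXCLUDED_ASNS = {
    3598, 7224, 8068, 8069, 8070, 8071, 8072, 8073, 8074, 8075, 8987, 12076,
    14618, 15169, 16509, 19527, 36040, 36384, 36385, 36492, 39111, 394089, 396982,
}

DATASET = "azure.aadgraphactivitylogs"

# Constructed sample events, flattened to the ECS field names the query uses.
# User IDs, timestamps and the non-excluded ASNs (64512/64513 are private-use
# ASNs) are made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2026-05-01T08:00:00Z", "data_stream.dataset": DATASET,
     "user.id": "u-1111", "source.as.number": 8075},      # excluded ASN
    {"@timestamp": "2026-05-01T08:05:00Z", "data_stream.dataset": DATASET,
     "user.id": "u-1111", "source.as.number": 16509},     # excluded ASN
    {"@timestamp": "2026-05-01T09:00:00Z", "data_stream.dataset": DATASET,
     "user.id": "u-2222", "source.as.number": 64512},     # matches, new pair
    {"@timestamp": "2026-05-01T09:30:00Z", "data_stream.dataset": DATASET,
     "user.id": "u-2222", "source.as.number": 64512},     # same pair, not new
    {"@timestamp": "2026-05-01T10:00:00Z", "data_stream.dataset": DATASET,
     "source.as.number": 64512},                          # no user.id, dropped
    {"@timestamp": "2026-05-01T10:30:00Z", "data_stream.dataset": "azure.signinlogs",
     "user.id": "u-3333", "source.as.number": 64513},     # wrong dataset, dropped
    {"@timestamp": "2026-05-01T11:00:00Z", "data_stream.dataset": DATASET,
     "user.id": "u-3333", "source.as.number": 64513},     # matches, new pair
]


def matches_query(event):
    """Mirror the KQL filter: right dataset, user.id set, source.as.number set
    and not one of the excluded first-party ASNs."""
    if event.get("data_stream.dataset") != DATASET:
        return False
    if not event.get("user.id"):
        return False
    asn = event.get("source.as.number")
    if asn is None:
        return False
    return int(asn) not in EXCLUDED_ASNS


def new_term_alerts(events, history=timedelta(days=14),
                    key_fields=("user.id", "source.as.number"),
                    exceptions=frozenset()):
    """Emulate a New Terms rule on top of matches_query.

    An alert fires when the key_fields combination has not been seen in the
    preceding `history` window (assumed fields and window; the page does not
    state them). `exceptions` holds user.id values validated per the false
    positive guidance and is skipped entirely.
    """
    last_seen = {}
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if not matches_query(ev) or ev["user.id"] in exceptions:
            continue
        key = tuple(ev.get(f) for f in key_fields)
        ts = datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))
        prev = last_seen.get(key)
        if prev is None or ts - prev > history:
            alerts.append({"@timestamp": ev["@timestamp"], "new_terms": key})
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in new_term_alerts(SAMPLE_EVENTS):
        print(alert)
```

Running it on the sample data alerts on u-2222/64512 and u-3333/64513 once each; passing exceptions={"u-2222"} after that user's tooling has been validated silences the first without loosening the ASN list for everyone.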

Install detection rules in Elastic Security

Detect Azure AD Graph Access with Unusual User and ASN in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.