Hunt for authorization policy API calls in the Microsoft Graph

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ms_graph_authorization_policy {

  meta:
    author = "Google Cloud Security"
    description = "The authorization policy of Entra ID (User Settings) contains information about who can create applications, invite guest users and more. It's not something that is generally modified or reviewed except by administrators so it's worth knowing who may be requesting this endpoint."
    rule_id = "mr_c6fbfec1-5185-4f7d-aedf-1f23662b547e"
    rule_name = "Hunt for authorization policy API calls in the Microsoft Graph"
    assumption = "Additional tuning of admin consoles and user agent strings may be needed."
    reference = "https://github.com/dafthack/GraphRunner/blob/main/GraphRunner.ps1"
    type = "Hunt"
    data_source = "MS Graph Activity Logs"
    platform = "Azure"
    severity = "Low"
    priority = "Low"

  events:
    $api.metadata.event_type = "NETWORK_HTTP"
    $api.metadata.product_event_type = "Microsoft Graph Activity"
    // by default graphrunner leverages the beta API
    re.regex($api.target.url, `^https://graph.microsoft.com/.*/policies/authorizationPolicy$`) nocase
    //Can be tuned for specific User Agent strings being used - by default GraphRunner does not forge the UA for this action
    //$api.network.http.user_agent = /PowerShell/ nocase
    $api.network.http.method = "GET"
    $api.network.http.response_code = 200
    //Used to filter admin consoles and/or internal Microsoft addresses as needed, the following IP CIDR blocks are part of Azure for instance
    //$api.principal.ip != "10.10.10.10"
    NOT (
        net.ip_in_range_cidr($api.principal.ip, "20.7.0.0/16") or
        net.ip_in_range_cidr($api.principal.ip, "20.22.0.0/16") or
        net.ip_in_range_cidr($api.principal.ip, "20.96.0.0/16")
    )
    //User to filter user GUIDs if needed
    //$api.principal.user.userid != "b4358ba5-03ab-4643-95c0-353f672a6416"
    $api.principal.ip = $ip
    $api.network.session_id = $session

  match:
    $ip, $session over 5m

  outcome:
    $risk_score = 35
    $event_count = count_distinct($api.metadata.id)
    $requesting_user_guid = array_distinct($api.principal.user.userid)
    $requesting_ip = array_distinct($api.principal.ip)
    $user_agent = array_distinct($api.network.http.user_agent)
    $location = array_distinct($api.principal.location.name)
    $principal_userid = array_distinct($api.principal.user.userid)
    $target_application_id_guid = array_distinct($api.target.resource.product_object_id)
    $session_id = array_distinct($api.network.session_id)
    $target_url = array_distinct($api.target.url)

  condition:
    $api
}