detection.wiki

Detection rules › YARA-L

Hunt for the delete method in Microsoft Graph API calls

Severity
low
Type
Hunt
Time window
5m
Match by
ip, session
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Identify when the http delete method is being called within the Microsoft Graph API.

Rule body yaral

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ms_graph_delete_method {

  meta:
    author = "Google Cloud Security"
    description = "Identify when the http delete method is being called within the Microsoft Graph API."
    rule_id = "mr_9e5f6adc-84f9-46f3-bf9e-abe38e14a77b"
    rule_name = "Hunt for the delete method in Microsoft Graph API calls"
    assumption = "Tuning is needed to identify administrative activities as general maintenance that may be logged"
    type = "Hunt"
    data_source = "MS Graph Activity Logs"
    platform = "Azure"
    severity = "Low"
    priority = "Low"

  events:
    $api.metadata.event_type = "NETWORK_HTTP"
    $api.metadata.product_event_type = "Microsoft Graph Activity"
    $api.network.http.method = "DELETE"
    //Can be tuned for specific APIs being used in delete operations if desired
    //$api.target.url = /https:\/\/graph.microsoft.com\/v1.0\/groups\/.*\/members/ nocase
    //Can be tuned for specific User Agent strings being used
    //$api.network.http.user_agent = /PowerShell/ nocase
    //Can be tuned to eliminate Azure IP ranges or other IP addresses
    NOT net.ip_in_range_cidr($api.principal.ip, "20.151.0.0/16")
    $api.principal.ip = $ip
    $api.network.session_id = $session

  match:
    $ip, $session over 5m

  outcome:
    $risk_score = 15
    $event_count = count($api.metadata.id)
    $requesting_user_guid = array_distinct($api.principal.user.userid)
    $requesting_ip = array_distinct($api.principal.ip)
    $user_agent = array_distinct($api.network.http.user_agent)
    $location = array_distinct($api.principal.location.name)
    $target_application_id_guid = array_distinct($api.target.resource.product_object_id)
    $session_id = array_distinct($api.network.session_id)
    $target_url = array_distinct($api.target.url)

  condition:
    $api
}

Detection logic

Fires when at least one $api event in the 5m window.

Events

$api NETWORK_HTTP

  • metadata.product_event_type = "Microsoft Graph Activity"
  • network.http.method = "DELETE"
  • principal.ip cidr_match "20.151.0.0/16"

Correlation

Match key
$ip (principal.ip), $session (network.session_id)
Within
5m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_score15
event_countcount($api.metadata.id)
requesting_user_guidarray_distinct($api.principal.user.userid)
requesting_iparray_distinct($api.principal.ip)
user_agentarray_distinct($api.network.http.user_agent)
locationarray_distinct($api.principal.location.name)
target_application_id_guidarray_distinct($api.target.resource.product_object_id)
session_idarray_distinct($api.network.session_id)
target_urlarray_distinct($api.target.url)