detection.wiki

Detection rules › YARA-L

Hunt for user API endpoint requests in the Microsoft Graph

Severity
info
Type
Hunt
Time window
5m
Match by
ip, session
Author
Google Cloud Security
Source
github.com/chronicle/detection-rules

Identify the use of the user API call to collect a listing of users. This can be chatty due to other commands calling this single API.

Rule body yaral

/*
 * Copyright 2025 Google LLC
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

rule ms_graph_user_endpoint_requests {

  meta:
    author = "Google Cloud Security"
    description = "Identify the use of the user API call to collect a listing of users. This can be chatty due to other commands calling this single API."
    rule_id = "mr_e67d0d46-76ad-4718-95df-5536a154fc24"
    rule_name = "Hunt for user API endpoint requests in the Microsoft Graph"
    assumption = "Focus on PowerShell as part of the User agent or adding IP addresses or applications who call this endpoint should be added to focus this detection."
    type = "Hunt"
    data_source = "MS Graph Activity Logs"
    platform = "Azure"
    severity = "Info"
    priority = "Info"

  events:
    $api.metadata.event_type = "NETWORK_HTTP"
    $api.metadata.product_event_type = "Microsoft Graph Activity"
    $api.target.url = "https://graph.microsoft.com/v1.0/users" nocase
    //UA String could be adjusted to focus more broadly on calls to this API or focus on calls from PowerShell
    //$api.network.http.user_agent = /PowerShell/ nocase
    //May want to filter out IP addresses of admin consoles
    //$api.principal.ip != "10.10.10.10"
    $api.network.http.method = "GET"
    $api.network.http.response_code = 200
    $api.principal.ip = $ip
    $api.network.session_id = $session

  match:
    $ip, $session over 5m

  outcome:
    $risk_score = 15
    $event_count = count_distinct($api.metadata.id)
    $requesting_user_guid = array_distinct($api.principal.user.userid)
    $requesting_ip = array_distinct($api.principal.ip)
    $user_agent = array_distinct($api.network.http.user_agent)
    $location = array_distinct($api.principal.location.name)
    $target_application_id_guid = array_distinct($api.target.resource.product_object_id)
    $session_id = array_distinct($api.network.session_id)
    $target_url = array_distinct($api.target.url)

  condition:
    $api
}

Detection logic

Fires when at least one $api event in the 5m window.

Events

$api NETWORK_HTTP

  • metadata.product_event_type = "Microsoft Graph Activity"
  • target.url = "https://graph.microsoft.com/v1.0/users"
  • network.http.method = "GET"
  • network.http.response_code = "200"

Correlation

Match key
$ip (principal.ip), $session (network.session_id)
Within
5m

Outcome

Fields the detection emits on a match. $risk_score drives alerting; Chronicle surfaces the rest on the detection.

FieldExpression
risk_score15
event_countcount_distinct($api.metadata.id)
requesting_user_guidarray_distinct($api.principal.user.userid)
requesting_iparray_distinct($api.principal.ip)
user_agentarray_distinct($api.network.http.user_agent)
locationarray_distinct($api.principal.location.name)
target_application_id_guidarray_distinct($api.target.resource.product_object_id)
session_idarray_distinct($api.network.session_id)
target_urlarray_distinct($api.target.url)