Entra ID OAuth User Impersonation to Microsoft Graph

Status: production
Severity: medium
Time window: 31m
Group by: Esql.azure_signinlogs_properties_app_id_coalesce, Esql.azure_signinlogs_properties_session_id_coalesce, Esql.azure_signinlogs_properties_user_id_coalesce
Author: Elastic
Source: github.com/elastic/detection-rules

Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078.004` Valid Accounts: Cloud Accounts
Stealth	`T1078.004` Valid Accounts: Cloud Accounts
Lateral Movement	`T1550.001` Use Alternate Authentication Material: Application Access Token, `T1550.004` Use Alternate Authentication Material: Web Session Cookie

Rule body elastic

[metadata]
creation_date = "2025/05/08"
integration = ["azure"]
maturity = "production"
updated_date = "2026/05/21"

[rule]
author = ["Elastic"]
description = """
Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs
in and subsequently accesses Microsoft Graph from a different IP address using the same session ID. This may indicate a
successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session
cookie or refresh/access token and is impersonating the user from an alternate host or location.
"""
false_positives = [
    """
    This pattern may occur during legitimate device switching or roaming between networks (e.g., corporate to mobile).
    Developers or power users leveraging multiple environments may also trigger this detection if session persistence
    spans IP ranges. Still, this behavior is rare and warrants investigation when rapid IP switching and Graph access
    are involved.
    """,
]
from = "now-31m"
interval = "30m"
language = "esql"
license = "Elastic License v2"
name = "Entra ID OAuth User Impersonation to Microsoft Graph"
note = """## Triage and analysis

### Investigating Entra ID OAuth User Impersonation to Microsoft Graph

Identifies potential phishing, session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID and client application. This may indicate a successful OAuth phishing attack, session hijacking, or token replay attack, where an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.

This rule uses ESQL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be
performed to the original sign-in and Graph events for further context.

### Possible investigation steps

- This rule relies on an aggregation-based ESQL query, therefore the alert document will contain dynamically generated fields.
    - To pivot into the original events, it is recommended to use the values captured to filter in timeline or discovery for the original sign-in and Graph events.
- Review the session ID and user ID to identify the user account involved in the suspicious activity.
- Check the source addresses involved in the sign-in and Graph access to determine if they are known or expected locations for the user.
    - The sign-in source addresses should be two, one for the initial phishing sign-in and the other when exchanging the auth code for a token by the adversary.
    - The Graph API source address should identify the IP address used by the adversary to access Microsoft Graph.
- Review the user agent strings for the sign-in and Graph access events to identify any anomalies or indicators of compromise.
- Analyze the Graph permission scopes to identify what resources were accessed and whether they align with the user's expected behavior.
- Check the timestamp difference between the sign-in and Graph access events to determine if they occurred within a reasonable time frame that would suggest successful phishing to token issuance and then Graph access.
- Identify the original sign-in event to investigation if conditional access policies were applied, such as requiring multi-factor authentication or blocking access from risky locations. In phishing scenarios, these policies likely were applied as the victim user would have been prompted to authenticate.

### False positive analysis
- This pattern may occur during legitimate device switching or roaming between networks (e.g., corporate to mobile).
- Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges. Still, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved.

### Response and remediation

- If confirmed malicious, revoke all refresh/access tokens for the user principal.
- Block the source IP(s) involved in the Graph access.
- Notify the user and reset credentials.
- Review session control policies and conditional access enforcement.
- Monitor for follow-on activity, such as lateral movement or privilege escalation.
- Review conditional access policies to ensure they are enforced correctly.
"""
references = [
    "https://www.volexity.com/blog/2025/04/22/phishing-for-codes-russian-threat-actors-target-microsoft-365-oauth-workflows/",
    "https://github.com/dirkjanm/ROADtools",
    "https://attack.mitre.org/techniques/T1078/004/",
    "https://pushsecurity.com/blog/consentfix",
]
risk_score = 47
rule_id = "0d3d2254-2b4a-11f0-a019-f661ea17fbcc"
setup = """#### Required Microsoft Entra ID Sign-In and Graph Activity Logs
This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub.
"""
severity = "medium"
tags = [
    "Domain: Cloud",
    "Domain: Identity",
    "Domain: API",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-In Logs",
    "Data Source: Microsoft Graph",
    "Data Source: Microsoft Graph Activity Logs",
    "Use Case: Identity and Access Audit",
    "Use Case: Threat Detection",
    "Resources: Investigation Guide",
    "Tactic: Defense Evasion",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index
| where
    (data_stream.dataset == "azure.signinlogs"
     and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
     and azure.signinlogs.properties.session_id is not null)
    or
    (data_stream.dataset == "azure.graphactivitylogs"
     and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
     and azure.graphactivitylogs.properties.c_sid is not null)

| eval
    Esql.azure_signinlogs_properties_session_id_coalesce = coalesce(azure.signinlogs.properties.session_id, azure.graphactivitylogs.properties.c_sid),
    Esql.azure_signinlogs_properties_user_id_coalesce = coalesce(azure.signinlogs.properties.user_id, azure.graphactivitylogs.properties.user_principal_object_id),
    Esql.azure_signinlogs_properties_app_id_coalesce = coalesce(azure.signinlogs.properties.app_id, azure.graphactivitylogs.properties.app_id),
    Esql.source_ip = source.ip,
    Esql.@timestamp = @timestamp,
    Esql.event_type_case = case(
        data_stream.dataset == "azure.signinlogs", "signin",
        data_stream.dataset == "azure.graphactivitylogs", "graph",
        "other"
    ),
    Esql.signin_source_asn = case(data_stream.dataset == "azure.signinlogs", source.`as`.organization.name),
    Esql.graph_source_asn = case(data_stream.dataset == "azure.graphactivitylogs", source.`as`.organization.name)

| where Esql.azure_signinlogs_properties_app_id_coalesce not in (
    "4354e225-50c9-4423-9ece-2d5afd904870",  // Augmentation Loop
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",  // Microsoft Teams Services
    "ecd6b820-32c2-49b6-98a6-444530e5a77a",  // Microsoft Edge [Community Contributed]
    "e8be65d6-d430-4289-a665-51bf2a194bda",  // Microsoft 365 App Catalog Services
    "ab9b8c07-8f02-4f72-87fa-80105867a763",  // OneDrive SyncEngine
    "394866fc-eedb-4f01-8536-3ff84b16be2a",  // Microsoft People Cards Service
    "66a88757-258c-4c72-893c-3e8bed4d6899",  // Office 365 Search Service
    "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7",  // Bing
    "d7b530a4-7680-4c23-a8bf-c52c121d2e87",  // Microsoft Edge Enterprise New Tab Page [Community Contributed]
    "6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3",  // Microsoft Application Command Service [Community Contributed]
    "52c2e0b5-c7b6-4d11-a89c-21e42bcec444",  // Graph Files Manager
    "27922004-5251-4030-b22d-91ecd9a37ea4",  // Outlook Mobile
    "bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce",  // Olympus [Community Contributed]
    "26a7ee05-5602-4d76-a7ba-eae8b7b67941",  // Windows Search
    "00000007-0000-0000-c000-000000000000",  // Dataverse
    "6bc3b958-689b-49f5-9006-36d165f30e00",  // Teams CMD Services Artifacts
    "0ec893e0-5785-4de6-99da-4ed124e5296c",  // Office UWP PWA [Community Contributed]
    "fc108d3f-543d-4374-bbff-c7c51f651fe5",  // Zoom
    "01fc33a7-78ba-4d2f-a4b7-768e336e890e",  // MS PIM
    "7ab7862c-4c57-491e-8a45-d52a7e023983"   // Power Automate / Logic Apps Graph Connector
    ) and Esql.signin_source_asn IS NOT NULL and Esql.graph_source_asn IS NOT NULL

| keep
    Esql.azure_signinlogs_properties_session_id_coalesce,
    Esql.source_ip,
    Esql.@timestamp,
    Esql.event_type_case,
    Esql.azure_signinlogs_properties_user_id_coalesce,
    Esql.azure_signinlogs_properties_app_id_coalesce,
    Esql.signin_source_asn,
    Esql.graph_source_asn,
    source.`as`.organization.name,
    user_agent.original,
    url.original,
    azure.graphactivitylogs.properties.scopes,
    azure.signinlogs.properties.user_principal_name

| stats
    Esql.azure_signinlogs_properties_user_id_coalesce_values = values(Esql.azure_signinlogs_properties_user_id_coalesce),
    Esql.azure_signinlogs_properties_session_id_coalesce_values = values(Esql.azure_signinlogs_properties_session_id_coalesce),
    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
    Esql.source_ip_values = values(Esql.source_ip),
    Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),
    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
    Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
    Esql.signin_source_asn_values = values(Esql.signin_source_asn),
    Esql.signin_source_asn_count_distinct = count_distinct(Esql.signin_source_asn),
    Esql.graph_source_asn_values = values(Esql.graph_source_asn),
    Esql.graph_source_asn_count_distinct = count_distinct(Esql.graph_source_asn),
    Esql.user_agent_original_values = values(user_agent.original),
    Esql.azure_signinlogs_properties_app_id_coalesce_values = values(Esql.azure_signinlogs_properties_app_id_coalesce),
    Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct = count_distinct(Esql.azure_signinlogs_properties_app_id_coalesce),
    Esql.event_type_case_values = values(Esql.event_type_case),
    Esql.event_type_case_count_distinct = count_distinct(Esql.event_type_case),
    Esql.signin_time_min = min(case(Esql.event_type_case == "signin", Esql.@timestamp)),
    Esql.graph_time_min = min(case(Esql.event_type_case == "graph", Esql.@timestamp)),
    Esql.url_original_values = values(url.original),
    Esql.azure_graphactivitylogs_properties_scopes_values = values(azure.graphactivitylogs.properties.scopes),
    Esql.event_count = count()
  by
    Esql.azure_signinlogs_properties_session_id_coalesce,
    Esql.azure_signinlogs_properties_app_id_coalesce,
    Esql.azure_signinlogs_properties_user_id_coalesce

| eval
    Esql.event_signin_to_graph_delay_minutes_date_diff = date_diff("minutes", Esql.signin_time_min, Esql.graph_time_min),
    Esql.event_signin_to_graph_delay_days_date_diff = date_diff("days", Esql.signin_time_min, Esql.graph_time_min)

| where
    Esql.event_type_case_count_distinct > 1 and
    Esql.source_ip_count_distinct > 1 and
    Esql.source_as_organization_name_count_distinct > 1 and
    Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct == 1 and
    Esql.signin_time_min is not null and
    Esql.graph_time_min is not null and
    Esql.event_signin_to_graph_delay_minutes_date_diff > 0 and
    Esql.event_signin_to_graph_delay_days_date_diff == 0 and
    (Esql.signin_source_asn_count_distinct + Esql.graph_source_asn_count_distinct) == Esql.source_as_organization_name_count_distinct
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[[rule.threat.technique.subtechnique]]
id = "T1550.004"
name = "Web Session Cookie"
reference = "https://attack.mitre.org/techniques/T1550/004/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

Stages and Predicates

Stage 1: `from`

from logs-azure.signinlogs-*, logs-azure.graphactivitylogs-* metadata _id, _version, _index

Stage 2: `where`

| where
    (data_stream.dataset == "azure.signinlogs"
     and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
     and azure.signinlogs.properties.session_id is not null)
    or
    (data_stream.dataset == "azure.graphactivitylogs"
     and source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK"
     and azure.graphactivitylogs.properties.c_sid is not null)

Stage 3: `eval`

| eval
    Esql.azure_signinlogs_properties_session_id_coalesce = coalesce(azure.signinlogs.properties.session_id, azure.graphactivitylogs.properties.c_sid),
    Esql.azure_signinlogs_properties_user_id_coalesce = coalesce(azure.signinlogs.properties.user_id, azure.graphactivitylogs.properties.user_principal_object_id),
    Esql.azure_signinlogs_properties_app_id_coalesce = coalesce(azure.signinlogs.properties.app_id, azure.graphactivitylogs.properties.app_id),
    Esql.source_ip = source.ip,
    Esql.@timestamp = @timestamp,
    Esql.event_type_case = case(
        data_stream.dataset == "azure.signinlogs", "signin",
        data_stream.dataset == "azure.graphactivitylogs", "graph",
        "other"
    ),
    Esql.signin_source_asn = case(data_stream.dataset == "azure.signinlogs", source.`as`.organization.name),
    Esql.graph_source_asn = case(data_stream.dataset == "azure.graphactivitylogs", source.`as`.organization.name)

Esql.event_type_case =

ifdata_stream.dataset == "azure.signinlogs""signin"

elifdata_stream.dataset == "azure.graphactivitylogs""graph"

else"other"

Esql.graph_source_asn =

elsesource.`as`.organization.name

Esql.signin_source_asn =

elsesource.`as`.organization.name

Stage 4: `where`

| where Esql.azure_signinlogs_properties_app_id_coalesce not in (
    "4354e225-50c9-4423-9ece-2d5afd904870",
    "cc15fd57-2c6c-4117-a88c-83b1d56b4bbe",
    "ecd6b820-32c2-49b6-98a6-444530e5a77a",
    "e8be65d6-d430-4289-a665-51bf2a194bda",
    "ab9b8c07-8f02-4f72-87fa-80105867a763",
    "394866fc-eedb-4f01-8536-3ff84b16be2a",
    "66a88757-258c-4c72-893c-3e8bed4d6899",
    "9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7",
    "d7b530a4-7680-4c23-a8bf-c52c121d2e87",
    "6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3",
    "52c2e0b5-c7b6-4d11-a89c-21e42bcec444",
    "27922004-5251-4030-b22d-91ecd9a37ea4",
    "bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce",
    "26a7ee05-5602-4d76-a7ba-eae8b7b67941",
    "00000007-0000-0000-c000-000000000000",
    "6bc3b958-689b-49f5-9006-36d165f30e00",
    "0ec893e0-5785-4de6-99da-4ed124e5296c",
    "fc108d3f-543d-4374-bbff-c7c51f651fe5",
    "01fc33a7-78ba-4d2f-a4b7-768e336e890e",
    "7ab7862c-4c57-491e-8a45-d52a7e023983"
    ) and Esql.signin_source_asn IS NOT NULL and Esql.graph_source_asn IS NOT NULL

Stage 5: `keep`

| keep
    Esql.azure_signinlogs_properties_session_id_coalesce,
    Esql.source_ip,
    Esql.@timestamp,
    Esql.event_type_case,
    Esql.azure_signinlogs_properties_user_id_coalesce,
    Esql.azure_signinlogs_properties_app_id_coalesce,
    Esql.signin_source_asn,
    Esql.graph_source_asn,
    source.`as`.organization.name,
    user_agent.original,
    url.original,
    azure.graphactivitylogs.properties.scopes,
    azure.signinlogs.properties.user_principal_name

Stage 6: `stats`

| stats
    Esql.azure_signinlogs_properties_user_id_coalesce_values = values(Esql.azure_signinlogs_properties_user_id_coalesce),
    Esql.azure_signinlogs_properties_session_id_coalesce_values = values(Esql.azure_signinlogs_properties_session_id_coalesce),
    Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name),
    Esql.source_ip_values = values(Esql.source_ip),
    Esql.source_ip_count_distinct = count_distinct(Esql.source_ip),
    Esql.source_as_organization_name_values = values(source.`as`.organization.name),
    Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name),
    Esql.signin_source_asn_values = values(Esql.signin_source_asn),
    Esql.signin_source_asn_count_distinct = count_distinct(Esql.signin_source_asn),
    Esql.graph_source_asn_values = values(Esql.graph_source_asn),
    Esql.graph_source_asn_count_distinct = count_distinct(Esql.graph_source_asn),
    Esql.user_agent_original_values = values(user_agent.original),
    Esql.azure_signinlogs_properties_app_id_coalesce_values = values(Esql.azure_signinlogs_properties_app_id_coalesce),
    Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct = count_distinct(Esql.azure_signinlogs_properties_app_id_coalesce),
    Esql.event_type_case_values = values(Esql.event_type_case),
    Esql.event_type_case_count_distinct = count_distinct(Esql.event_type_case),
    Esql.signin_time_min = min(case(Esql.event_type_case == "signin", Esql.@timestamp)),
    Esql.graph_time_min = min(case(Esql.event_type_case == "graph", Esql.@timestamp)),
    Esql.url_original_values = values(url.original),
    Esql.azure_graphactivitylogs_properties_scopes_values = values(azure.graphactivitylogs.properties.scopes),
    Esql.event_count = count()
  by
    Esql.azure_signinlogs_properties_session_id_coalesce,
    Esql.azure_signinlogs_properties_app_id_coalesce,
    Esql.azure_signinlogs_properties_user_id_coalesce

Stage 7: `eval`

| eval
    Esql.event_signin_to_graph_delay_minutes_date_diff = date_diff("minutes", Esql.signin_time_min, Esql.graph_time_min),
    Esql.event_signin_to_graph_delay_days_date_diff = date_diff("days", Esql.signin_time_min, Esql.graph_time_min)

Stage 8: `where`

| where
    Esql.event_type_case_count_distinct > 1 and
    Esql.source_ip_count_distinct > 1 and
    Esql.source_as_organization_name_count_distinct > 1 and
    Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct == 1 and
    Esql.signin_time_min is not null and
    Esql.graph_time_min is not null and
    Esql.event_signin_to_graph_delay_minutes_date_diff > 0 and
    Esql.event_signin_to_graph_delay_days_date_diff == 0 and
    (Esql.signin_source_asn_count_distinct + Esql.graph_source_asn_count_distinct) == Esql.source_as_organization_name_count_distinct

Exclusions

Top-level NOT(...) conjuncts: predicates this rule actively suppresses.

Field	Kind	Excluded values
`Esql.azure_signinlogs_properties_app_id_coalesce`	in	`00000007-0000-0000-c000-000000000000`, `01fc33a7-78ba-4d2f-a4b7-768e336e890e`, `0ec893e0-5785-4de6-99da-4ed124e5296c`, `26a7ee05-5602-4d76-a7ba-eae8b7b67941`, `27922004-5251-4030-b22d-91ecd9a37ea4`, `394866fc-eedb-4f01-8536-3ff84b16be2a`, `4354e225-50c9-4423-9ece-2d5afd904870`, `52c2e0b5-c7b6-4d11-a89c-21e42bcec444`, `66a88757-258c-4c72-893c-3e8bed4d6899`, `6bc3b958-689b-49f5-9006-36d165f30e00`, `6f7e0f60-9401-4f5b-98e2-cf15bd5fd5e3`, `7ab7862c-4c57-491e-8a45-d52a7e023983`, `9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7`, `ab9b8c07-8f02-4f72-87fa-80105867a763`, `bb893c22-978d-4cd4-a6f7-bb6cc0d6e6ce`, `cc15fd57-2c6c-4117-a88c-83b1d56b4bbe`, `d7b530a4-7680-4c23-a8bf-c52c121d2e87`, `e8be65d6-d430-4289-a665-51bf2a194bda`, `ecd6b820-32c2-49b6-98a6-444530e5a77a`, `fc108d3f-543d-4374-bbff-c7c51f651fe5`

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct`	eq	`1`
`Esql.event_signin_to_graph_delay_days_date_diff`	eq	`0`
`Esql.event_signin_to_graph_delay_minutes_date_diff`	gt	`0`
`Esql.event_type_case_count_distinct`	gt	`1`
`Esql.graph_source_asn`	is_not_null	(no value, null check)
`Esql.graph_time_min`	is_not_null	(no value, null check)
`Esql.signin_source_asn`	is_not_null	(no value, null check)
`Esql.signin_time_min`	is_not_null	(no value, null check)
`Esql.source_as_organization_name_count_distinct`	gt	`1`
`Esql.source_ip_count_distinct`	gt	`1`
`azure.graphactivitylogs.properties.c_sid`	is_not_null	(no value, null check)
`azure.signinlogs.properties.session_id`	is_not_null	(no value, null check)
`data_stream.dataset`	eq	`azure.graphactivitylogs` `azure.signinlogs`
`source.as.organization.name`	ne	`MICROSOFT-CORP-MSN-AS-BLOCK`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`Esql.azure_signinlogs_properties_user_id_coalesce_values`	`STATS Esql.azure_signinlogs_properties_user_id_coalesce_values = values(Esql.azure_signinlogs_properties_user_id_coalesce)`
`Esql.azure_signinlogs_properties_session_id_coalesce_values`	`STATS Esql.azure_signinlogs_properties_session_id_coalesce_values = values(Esql.azure_signinlogs_properties_session_id_coalesce)`
`Esql_priv.azure_signinlogs_properties_user_principal_name_values`	`STATS Esql_priv.azure_signinlogs_properties_user_principal_name_values = values(azure.signinlogs.properties.user_principal_name)`
`Esql.source_ip_values`	`STATS Esql.source_ip_values = values(Esql.source_ip)`
`Esql.source_ip_count_distinct`	`STATS Esql.source_ip_count_distinct = count_distinct(Esql.source_ip)`
`Esql.source_as_organization_name_values`	STATS Esql.source_as_organization_name_values = values(source.`as`.organization.name)
`Esql.source_as_organization_name_count_distinct`	STATS Esql.source_as_organization_name_count_distinct = count_distinct(source.`as`.organization.name)
`Esql.signin_source_asn_values`	`STATS Esql.signin_source_asn_values = values(Esql.signin_source_asn)`
`Esql.signin_source_asn_count_distinct`	`STATS Esql.signin_source_asn_count_distinct = count_distinct(Esql.signin_source_asn)`
`Esql.graph_source_asn_values`	`STATS Esql.graph_source_asn_values = values(Esql.graph_source_asn)`
`Esql.graph_source_asn_count_distinct`	`STATS Esql.graph_source_asn_count_distinct = count_distinct(Esql.graph_source_asn)`
`Esql.user_agent_original_values`	`STATS Esql.user_agent_original_values = values(user_agent.original)`
`Esql.azure_signinlogs_properties_app_id_coalesce_values`	`STATS Esql.azure_signinlogs_properties_app_id_coalesce_values = values(Esql.azure_signinlogs_properties_app_id_coalesce)`
`Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct`	`STATS Esql.azure_signinlogs_properties_app_id_coalesce_count_distinct = count_distinct(Esql.azure_signinlogs_properties_app_id_coalesce)`
`Esql.event_type_case_values`	`STATS Esql.event_type_case_values = values(Esql.event_type_case)`
`Esql.event_type_case_count_distinct`	`STATS Esql.event_type_case_count_distinct = count_distinct(Esql.event_type_case)`
`Esql.signin_time_min`	`STATS Esql.signin_time_min = min(case(Esql.event_type_case == "signin", Esql.@timestamp))`
`Esql.graph_time_min`	`STATS Esql.graph_time_min = min(case(Esql.event_type_case == "graph", Esql.@timestamp))`
`Esql.url_original_values`	`STATS Esql.url_original_values = values(url.original)`
`Esql.azure_graphactivitylogs_properties_scopes_values`	`STATS Esql.azure_graphactivitylogs_properties_scopes_values = values(azure.graphactivitylogs.properties.scopes)`
`Esql.event_count`	`STATS Esql.event_count = count()`
`Esql.azure_signinlogs_properties_session_id_coalesce`	`STATS BY`
`Esql.azure_signinlogs_properties_app_id_coalesce`	`STATS BY`
`Esql.azure_signinlogs_properties_user_id_coalesce`	`STATS BY`
`Esql.event_signin_to_graph_delay_minutes_date_diff`	`EVAL date_diff("minutes", Esql.signin_time_min, Esql.graph_time_min)`
`Esql.event_signin_to_graph_delay_days_date_diff`	`EVAL date_diff("days", Esql.signin_time_min, Esql.graph_time_min)`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Entra ID OAuth User Impersonation to Microsoft Graph

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: `from`

Stage 2: `where`

Stage 3: `eval`

Stage 4: `where`

Stage 5: `keep`

Stage 6: `stats`

Stage 7: `eval`

Stage 8: `where`

Exclusions

Indicators

Output fields

Keyboard shortcuts

Search operators

Entra ID OAuth User Impersonation to Microsoft Graph

MITRE ATT&CK coverage

Rule body elastic

Stages and Predicates

Stage 1: from

Stage 2: where

Stage 3: eval

Stage 4: where

Stage 5: keep

Stage 6: stats

Stage 7: eval

Stage 8: where

Exclusions

Indicators

Output fields

Stage 1: `from`

Stage 2: `where`

Stage 3: `eval`

Stage 4: `where`

Stage 5: `keep`

Stage 6: `stats`

Stage 7: `eval`

Stage 8: `where`