Tag
Azure AD Privileged Graph API Permission Assignment
2 rules 1 TTPDetection of high-risk Graph API permission assignments (Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory) in Azure AD, potentially leading to unauthorized modifications and security breaches.
Microsoft Graph API Email Access by Unusual Client and User
2 rules 1 TTPDetects anomalous access to email resources via Microsoft Graph API, potentially indicating a compromised OAuth refresh token or Primary Refresh Token (PRT) being used by an attacker.
Unusual Microsoft Graph Email Access via OAuth Application
2 rules 2 TTPsAn adversary might use a phished OAuth refresh token or Primary Refresh Token (PRT) with a first-party application to access email resources via Microsoft Graph API, particularly focusing on unusual application and user combinations.
Microsoft Graph API Request User Impersonation by Unusual Client
2 rules 2 TTPsDetection of the first-time use of a Microsoft Graph API request by a specific client application ID, user principal object ID, and tenant ID, potentially indicating unauthorized access via phishing, token theft, or OAuth abuse.