THREAT OPS › Threat News › Azure AD Graph Activity Logs: Ingestion and threat detection to close the visibility gap
Azure AD Graph Activity Logs: Ingestion and threat detection to close the visibility gap
<p>AAD Graph Activity Logs are now ingestible into Elastic and usable for threat detection within the <a href="https://www.elastic.co/security/xdr">SIEM/XDR solution</a>. That sentence shouldn't be exciting, but it is. For most of the past decade, this slice of telemetry simply didn't exist as a customer-accessible log stream. Microsoft Graph Activity Logs (the modern <em>graph.microsoft.com</em>
MITRE ATT&CK techniques
- PowerShellT1059.001
Indicators of compromise
- 31d1fa31152c208dfde4feeb6737ca06e030ae53sha1
- df0396ea4a3b0fb25529444166c36c430941d3a6sha1
- 0c15c6c581780d962b33972a8a83263b75fb2d79sha1
- 6f933e04ddbe720898c9ea9c4bae234700a822fesha1
- 4256409e8925a8da016448d1378bc669c2333961sha1
- 6a946179e66c7a952e55a33741c160d6bd83f3b8sha1
- https://aadinternals.com/aadinternals/url
- https://www.invictus-ir.com/news/the-missing-link-aadgraphactivitylogs-finally-arrivesurl
- https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/url
- https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/url