Elastic now ingests Azure AD Graph Activity Logs into SIEM/XDR, closing a long-standing visibility gap that left AAD Graph enumeration and related adversary tooling largely unseen. The article shows how to enable the logs, generate and analyze traffic with ROADrecon, and detect abuse patterns such as suspicious user agents, internal API misuse, FOCI client mismatches, and 4xx spikes. #AADGraphActivityLogs #ROADrecon #ROADtools #AADInternals #EntraID #Elastic
Keypoints
- Elastic can now ingest Azure AD Graph Activity Logs into the logs-azure.aadgraphactivitylogs-* data stream with full ECS extraction.
- Microsoft Graph Activity Logs went GA in April 2024, while AzureADGraphActivityLogs only became available in early 2026, leaving years of blind spots before then.
- Adversary and research tools such as ROADtools, ROADrecon, AADInternals, MSOLSpray, and Microburst used AAD Graph heavily without producing customer-visible telemetry.
- AAD Graph remains queryable in many tenants, and the 1.61-internal API version can expose more data than Microsoft Graph.
- The article explains how to enable the Azure integration, configure Entra ID diagnostic settings, and validate that AAD Graph events are flowing into Elastic.
- Hunting guidance focuses on fields like user_agent.original, event.action, http.response.status_code, azure.aadgraphactivitylogs.properties.api_version, and related user/client identifiers.
- Elastic provides detections for suspicious user agents, high 4xx ratios, unusual client/user pairs, unusual ASN origin, ROADrecon-like enumeration, and device-code-to-enumeration sequences.
MITRE Techniques
- [T1087 ] Account Discovery – ROADrecon's gather step walks users, groups, service principals, applications, devices, roles, and permissions in bulk (‘gather walks every interesting object type in the directory’).
- [T1069 ] Permission Groups Discovery – The tool enumerates directory roles, role assignments, and eligible role assignments to map privileged group/role membership (‘directory roles, role assignments, eligible role assignments’).
- [T1528 ] Steal Application Access Token – The article discusses phished refresh tokens and stolen tokens being redeemed under unfamiliar clients and used to access AAD Graph (‘phished refresh tokens redeemed for clients the user doesn’t normally use’).
- [T1078 ] Valid Accounts – Abuse of legitimate OAuth clients, user tokens, and device-code sign-ins enables access using valid credentials rather than exploiting code execution (‘joins a successful device-code sign-in … with directory enumeration’).
- [T1110 ] Brute Force – Bursts of 403/404 responses appear as tools probe endpoints and object IDs they are not authorized for (‘403s and 404s as tools walk endpoints they don’t have permission for’); note that this 4xx pattern is a side effect of enumeration rather than credential guessing, so the password-spraying tool MSOLSpray listed above is the closer fit for this technique.
- [T1021 ] Remote Services (T1021.007 Cloud Services) – Adversary tooling remotely queries the graph.windows.net service over HTTPS to retrieve directory data (‘https://graph.windows.net/{tenantId}/{objecttype}’).
- [T1580 ] Cloud Infrastructure Discovery – Enumeration of tenant details, service principals, applications, and policies reflects discovery of cloud directory infrastructure (‘users, service principals, applications, role assignments, policies, or tenant details’).
- [T1526 ] Cloud Service Discovery – Calls against AAD Graph collect information about Azure AD/Entra ID objects and services (‘bulk enumeration across every object type’).
- [T1201 ] Password Policy Discovery – The 1.61-internal API version returns strongAuthenticationDetail inline on each user object, revealing registered strong-authentication (MFA) method details (‘exposes strongAuthenticationDetail inline on the user object’); this is authentication-method discovery rather than password policy, so the mapping is approximate.
Indicators of Compromise
- [Domain / API endpoint ] Legacy AAD Graph endpoint used for enumeration – graph.windows.net, graph.windows.net/$TID/$obj?api-version=1.6
- [API versions ] Legacy and internal API versions observed in traffic – 1.5, 1.6, 1.61-internal
- [OAuth client IDs ] First-party FOCI client IDs referenced for AAD Graph access and device-code flow – 04b07795-8ddb-461a-bbee-02f9e1bf7b46 (Azure CLI), 1b730954-1685-4b74-9bfd-dac224a7b894 (Azure AD PowerShell); both are legitimate Microsoft clients, so they are hunting pivots (unusual user/client pairs, mismatched user agents) rather than indicators on their own
- [Service principal / resource ID ] Azure AD Graph service principal targeted by Conditional Access and detections – 00000002-0000-0000-c000-000000000000
- [File / tool names ] Offensive or research tooling associated with AAD Graph activity – roadrecon, ROADtools, AADInternals, MSOLSpray, Microburst, AzureHound, BloodHound
- [User-agent strings ] Generic HTTP-library user agents used by tooling or highlighted as suspicious – aiohttp, curl, Python, Go-http-client, axios; match on the prefix case-insensitively and expect benign hits from in-house automation, which should be baselined rather than blanket-alerted
- [Log / data stream names ] Elastic ingest targets for the telemetry – logs-azure.aadgraphactivitylogs-*, azure.aadgraphactivitylogs.properties.*
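The hunts outlined in the keypoints and the indicators above can be exercised offline. The following is an added example, not Elastic's detection rules and not code from the article: it runs five toy hunts (suspicious user agents, 1.61-internal usage, high 4xx ratio per user/client, ROADrecon-like multi-object-type enumeration, and a device-code sign-in followed by enumeration) over constructed events that mirror the ECS field names the page cites. The identity fields `user.id` and `client.app_id`, the `url.path` layout, the sign-in record shape, and the thresholds are assumptions for illustration.

```python
# Added example: toy hunts over constructed AAD Graph Activity Log events.
# Field names for user/client identity (user.id, client.app_id) and the
# sign-in record shape are assumptions; the rest mirror the ECS fields named
# in the article. No real telemetry is used.
from collections import defaultdict
from datetime import datetime, timedelta

# Generic HTTP-library user agents the page flags as suspicious for AAD Graph.
SUSPICIOUS_UA_PREFIXES = ("aiohttp", "curl", "python", "go-http-client", "axios")
INTERNAL_API_VERSION = "1.61-internal"
# Directory object types ROADrecon's gather step walks (per the page).
ENUM_OBJECT_TYPES = {"users", "groups", "servicePrincipals", "applications",
                     "devices", "directoryRoles", "roleAssignments"}

def event(ts, user, client, ua, status, path, api_version="1.6"):
    """Build one flattened event in ECS-style dotted keys (identity keys are assumed)."""
    return {
        "@timestamp": datetime.fromisoformat(ts),
        "user.id": user,
        "client.app_id": client,
        "user_agent.original": ua,
        "http.response.status_code": status,
        "url.path": path,
        "azure.aadgraphactivitylogs.properties.api_version": api_version,
    }

def object_type(path):
    """Legacy AAD Graph paths look like /{tenantId}/{objectType}[/{id}]; return the type."""
    parts = path.strip("/").split("/")
    return parts[1] if len(parts) > 1 else None

def suspicious_user_agents(events):
    """(user, user-agent) pairs whose UA starts with a generic HTTP-client library name."""
    return {(e["user.id"], e["user_agent.original"]) for e in events
            if e["user_agent.original"].lower().startswith(SUSPICIOUS_UA_PREFIXES)}

def internal_api_users(events):
    """Users who called the undocumented 1.61-internal API version."""
    return {e["user.id"] for e in events
            if e["azure.aadgraphactivitylogs.properties.api_version"] == INTERNAL_API_VERSION}

def high_4xx_pairs(events, min_requests=10, ratio=0.5):
    """(user, client) pairs whose 4xx share over at least min_requests calls reaches ratio."""
    total, errs = defaultdict(int), defaultdict(int)
    for e in events:
        key = (e["user.id"], e["client.app_id"])
        total[key] += 1
        if 400 <= e["http.response.status_code"] < 500:
            errs[key] += 1
    return {k for k in total if total[k] >= min_requests and errs[k] / total[k] >= ratio}

def enumeration_pairs(events, window=timedelta(minutes=10), min_types=5):
    """Map (user, client) -> first timestamp of a window reading >= min_types object types."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["@timestamp"]):
        t = object_type(e["url.path"])
        if t in ENUM_OBJECT_TYPES and e["http.response.status_code"] < 400:
            by_key[(e["user.id"], e["client.app_id"])].append((e["@timestamp"], t))
    hits = {}
    for key, seq in by_key.items():          # seq is already time-ordered
        for i, (start, _) in enumerate(seq):
            types = {t for ts, t in seq[i:] if ts - start <= window}
            if len(types) >= min_types:
                hits[key] = start
                break
    return hits

def device_code_then_enumeration(signins, events, lookback=timedelta(hours=1)):
    """Users whose device-code sign-in is followed within lookback by bulk enumeration."""
    enum = enumeration_pairs(events)
    hits = set()
    for s in signins:
        if s["protocol"] != "deviceCode":
            continue
        for (user, _client), start in enum.items():
            if user == s["user.id"] and timedelta(0) <= start - s["@timestamp"] <= lookback:
                hits.add(user)
    return hits

# --- constructed sample data (not real telemetry) ---
T = "2026-02-01T09:{:02d}:00"
TENANT = "/contoso.onmicrosoft.com/"              # assumed tenant path segment
CLI = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"     # Azure CLI client id (from the page)
PS = "1b730954-1685-4b74-9bfd-dac224a7b894"      # Azure AD PowerShell client id (from the page)
# alice: aiohttp UA on the PowerShell client, 1.61-internal, seven object types in seven minutes
SAMPLE_EVENTS = [event(T.format(m), "alice", PS, "aiohttp/3.9.5", 200, TENANT + t, "1.61-internal")
                 for m, t in enumerate(["users", "groups", "servicePrincipals", "applications",
                                        "devices", "directoryRoles", "roleAssignments"])]
# bob: browser-like UA, 8 of 12 calls rejected with 403 while probing policies
SAMPLE_EVENTS += [event(T.format(20 + i), "bob", CLI, "Mozilla/5.0 (Windows NT 10.0)",
                        403 if i < 8 else 200, TENANT + "policies") for i in range(12)]
# carol: a single benign lookup
SAMPLE_EVENTS += [event(T.format(30), "carol", CLI, "Mozilla/5.0 (Windows NT 10.0)", 200, TENANT + "users")]
# Device-code sign-in for alice ten minutes before her enumeration burst (shape is assumed).
SAMPLE_SIGNINS = [{"user.id": "alice", "protocol": "deviceCode",
                   "@timestamp": datetime.fromisoformat("2026-02-01T08:50:00")}]

if __name__ == "__main__":
    print("suspicious UA :", suspicious_user_agents(SAMPLE_EVENTS))
    print("1.61-internal :", internal_api_users(SAMPLE_EVENTS))
    print("high 4xx      :", high_4xx_pairs(SAMPLE_EVENTS))
    print("enumeration   :", enumeration_pairs(SAMPLE_EVENTS))
    print("device-code   :", device_code_then_enumeration(SAMPLE_SIGNINS, SAMPLE_EVENTS))
```

The enumeration hunt keys on distinct object types per user/client inside a short window rather than on raw request volume, which is what separates a ROADrecon gather from a busy but legitimate integration; the device-code join reuses that result, so the sign-in source only needs to supply the user and protocol.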
Read more: https://www.elastic.co/security-labs/aad-graph-activity-logs-threat-detection