Listen to this Post

Introduction:
For nearly a decade, security teams have operated in a near-total vacuum regarding direct attacks on the Azure Active Directory (now Entra ID) Graph API. While defenders could observe authentication and broad admin actions, the specific, granular API calls made by powerful reconnaissance and persistence tools like AADInternals and ROADtools remained invisible. The introduction of the AADGraphActivityLogs table has finally closed this gap, bringing the specific operations of these tools into clear view and enabling precise detection.
Learning Objectives:
- Identify the key telemetry differences between the new `AADGraphActivityLogs` and existing logs like
AuditLogs. - Construct KQL queries to detect the precise signatures of the `AADInternals` and `ROADtools` frameworks.
- Implement a proactive detection pipeline using Logic Apps and KQL to monitor for new and emerging API-based attack techniques.
You Should Know:
1. AADGraphActivityLogs: The Core Telemetry Explainer
The wait is over. The `AADGraphActivityLogs` table, available in your Log Analytics workspace, records details of legacy API requests made directly to the Azure Active Directory Graph for resources in your tenant. This is a critical distinction from Microsoft Graph activity logs. While Microsoft Graph is the modern, consolidated API, attackers have long favored the older, less-monitored Azure AD Graph API for specific, stealthy operations like manipulating conditional access policies or service principal credentials without leaving clear audit trails.
This new Schema provides defenders with a treasure trove of data, including the CallerIpAddress, UserAgent, RequestUri, ResultSignature, and crucially, the `AppId` and `ServicePrincipalId` of the actor. By enabling this logging, we can now differentiate between legitimate use of the Graph API and the signature patterns of adversary tools.
Step-by-Step Guide to Enable & Query:
- Enable Diagnostic Settings: Navigate to your Entra ID tenant in the Azure portal. Go to Diagnostic settings and add a new setting to stream `AADGraphActivityLogs` to your Log Analytics workspace.
- Find Frequent User Endpoint Callers: To understand who is interacting with directory objects, run this base KQL query to identify the top callers of the `/users` endpoint:
AADGraphActivityLogs | where RequestUri has "users" | summarize NumRequests = count() by AppId, ServicePrincipalId, UserId | sort by NumRequests desc | limit 100
This can immediately reveal a service principal making an abnormal number of user lookups, a classic indicator of reconnaissance.
- Detect `AADInternals` Usage: The `AADInternals` PowerShell module makes specific calls often not seen in normal admin workflows. Hunt for operations targeting the `servicePrincipals` or `applications` endpoint that result in application credential modifications or additions.
AADGraphActivityLogs | where RequestUri has "servicePrincipals" and RequestUri has "addKey" | where ResultSignature == "204" or ResultSignature == "200" | project TimeGenerated, AppId, UserId, RequestUri, CallerIpAddress
- Detect `ROADtools` Reconnaissance: `ROADtools` is a framework for enumerating Entra ID tenants. Its reconnaissance patterns often involve sequential calls to list all users, groups, and applications.
AADGraphActivityLogs | where RequestUri has "users" or RequestUri has "groups" or RequestUri has "applications" | summarize DistinctCalls = dcount(RequestUri) by CallerIpAddress, bin(TimeGenerated, 15m) | where DistinctCalls > 50
This query identifies an IP address making a high number of distinct API calls to different directory endpoints within a short window, a hallmark of automated enumeration tooling.
2. Proactive Detection Pipeline: Monitoring for the Unknown
While hunting for `AADInternals` and `ROADtools` is essential, the threat landscape evolves daily. Defenders must also adopt a proactive stance to identify new actions and potential zero-day exploits before they are publicly documented. The `AADGraphActivityLogs` table is perfect for this, as its introduction means even benign, new features from Microsoft could be used maliciously before detections exist.
Step-by-Step Guide to Building a KQL Baseline for Anomalies:
A common and effective strategy is to build a baseline of “normal” activity and alert on deviations. This is where a solution that monitors for new table actions across your environment becomes critical.
- Establish Action Baseline: Create a baseline of all unique `OperationName` values (or similar action fields) seen in your logs over a 90-day period. This represents your current “normal” environment.
- Identify New Actions Weekly: On a weekly basis, query the `AADGraphActivityLogs` for the past 7 days. Compare the list of actions seen this week against your 90-day baseline list. Any action in the new list not found in the baseline is a candidate for investigation.
3. Sample KQL for Weekly Report:
let BaselineActions = AADGraphActivityLogs | where TimeGenerated between (startofday(ago(90d)) .. startofday(ago(7d))) | summarize by OperationName; // Adjust property name as needed let NewActionsThisWeek = AADGraphActivityLogs | where TimeGenerated between (startofday(ago(7d)) .. startofday(now())) | summarize by OperationName; NewActionsThisWeek | where OperationName !in (BaselineActions)
This query effectively highlights brand-new types of Graph calls that have appeared in your environment. A large enterprise might automate this using a Logic App to email weekly “new action” reports, similar to the approach detailed by Bert-Jan Pals.
- Proactive Detection Automation with Logic Apps and Sentinel
Transforming a one-time query into a persistent detection is a must for mature security operations. You can automate the above anomaly-detection logic using an Azure Logic App, creating a Force Multiplier for your defense team.
Step-by-Step Guide to Automation:
- Deploy the Logic App: Use the pre-built “Monitor New Actions in Sentinel & Defender XDR (V2)” Logic App from a trusted source like the `Sentinel-Automation` GitHub repository.
- Configure Permissions: The Logic App requires specific permissions to function. You can grant it the `ThreatHunting.Read.All` permission via Microsoft Graph to the Logic App’s managed identity or via a Service Principal with secrets stored in Azure Key Vault.
- Review the Weekly Report: Once deployed, the Logic App runs on a scheduled interval (e.g., weekly) and sends an HTML email report to your SOC team. This report will list any new `TableName` and `Action` pairs seen across your entire Microsoft security graph, including the newly critical
AADGraphActivityLogs.
4. Interactive Response: Investigating a Detected Anomaly
When your proactive alerts or hunting queries flag a suspicious service principal (AppId) in the AADGraphActivityLogs, the investigation shifts to a deeper analysis. This involves pivoting to other data sources to understand the full scope of the compromise.
Step-by-Step Guide for Investigation:
- Pivot to Sign-In Logs: Take the suspicious `AppId` from your initial alert and query the `SigninLogs` to see all authentication attempts by that identity.
SigninLogs | where AppId == "SP_APP_ID_FROM_GRAPH_ALERT" | project TimeGenerated, UserPrincipalName, IPAddress, Status, ConditionalAccessStatus
- Check for OAuth Token Grant: Investigate if the malicious app was granted OAuth tokens via the `AADNonInteractiveUserSignInLogs` table. This can reveal if the attacker is using stolen tokens for their API calls.
AADNonInteractiveUserSignInLogs | where AppId == "SP_APP_ID_FROM_GRAPH_ALERT" | project TimeGenerated, AccountId, TokenIssuer, Resource
- Correlate with Defender for Endpoint: If the `CallerIpAddress` from the Graph logs is not a cloud-only public IP, pivot to `DeviceNetworkEvents` in your Defender for Endpoint logs to find the originating host on your network. This allows you to trace the attack back to potentially compromised on-premises systems.
What Undercode Say:
- Key Takeaway 1: The launch of `AADGraphActivityLogs` is a seismic shift for Entra ID defense, finally illuminating the dark space where attackers have freely operated with tools like `AADInternals` and
ROADtools. Deploy and baseline it immediately. - Key Takeaway 2: Proactive defense is not passive. Combining the deterministic detection of known tool signatures with a dynamic baseline of “new actions” creates a robust detection net capable of catching both commodity attacks and novel zero-day methodology.
Prediction:
This new visibility will force a rapid evolution in cloud-based offensive tradecraft. In the short term, we will see a steep decline in the effectiveness of legacy tools that rely on the Azure AD Graph API. Simultaneously, attackers will likely accelerate their migration to more sophisticated, living-off-the-land (LotL) techniques that abuse the modern Microsoft Graph API in ways that mimic legitimate application behavior, making behavioral baselining and anomaly detection more critical than ever.
▶️ Related Video (78% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Bert Janpals – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


