# Detecting Threats with Microsoft Graph Activity Logs

By [Eden Elazar](https://www.paloaltonetworks.com/blog/author/eden-elazar/?ts=markdown "Posts by Eden Elazar") Feb 02, 2025 7 minutes

[Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown) [Product Features](https://www.paloaltonetworks.com/blog/security-operations/category/product-features/?ts=markdown) [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown) [Cloud Security](https://www.paloaltonetworks.com/blog/tag/cloud-security/?ts=markdown) [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown) [microsoft](https://www.paloaltonetworks.com/blog/tag/microsoft/?ts=markdown) [Threat Detection](https://www.paloaltonetworks.com/blog/tag/threat-detection/?ts=markdown)

Microsoft Graph API provides developers with an interface to interact with various Microsoft services, including Entra ID and Office 365. It enables programmatic access to organizational data such as user information, emails, OneDrive files, and more, making it a highly powerful tool that can also be abused by threat actors.

In October 2023, Microsoft introduced the Graph activity logs, which record all HTTP requests made to the Microsoft Graph service in a tenant. They provide a history of every Microsoft Graph API request, offering visibility into actions performed by users and by applications authorized in the tenant. These logs are not collected by default; collection is enabled through Azure Monitor diagnostic settings on the Entra ID tenant.

In the past, customers had limited visibility into these operations, which made it difficult to investigate and respond to incidents effectively. With this data now available, the logs can be used to track the activity of a suspicious user, identify anomalous Microsoft Graph API calls by application, and much more.

## **Microsoft Graph API as an Attack Vector**

Microsoft Graph API has become a significant attack surface because it grants access to a range of Microsoft services such as Entra ID and Office 365. Once an attacker gains an initial foothold in a tenant, they can abuse the permissions of the identity they hold to reach sensitive organizational data such as mailboxes, files in OneDrive or SharePoint, Teams chats, and more. Attacks observed in the past have demonstrated how threat actors use Microsoft Graph API to perform malicious actions within tenants.
In the following sections of this blog we analyze an attack flow observed in the wild to highlight the importance of monitoring Microsoft Graph activity logs and uncovering attack chains that leverage the Graph API. The example demonstrates that tracking Graph API logs not only gives you valuable context for Graph API operations within your tenant, but also plays a critical role in detecting and responding to security threats.

## **Microsoft Graph Activity Logs in Cortex**

Microsoft Graph activity logs are collected and standardized into cloud\_audit\_logs, a dataset that contains the enriched and normalized cloud logs. The records contain fields including the application ID, service principal ID or user ID, request URI, IP address, user agent, and others, giving you clear visibility into every request made to the Microsoft Graph service in your tenant. This visibility enables security analysts to detect and respond to suspicious activity quickly.

Microsoft Graph activity logs are enabled from the Entra ID Diagnostic settings blade; for collection by Cortex, configure the setting to stream to an Event Hub:

![Figure 1. Enabling Microsoft Graph Activity Logs](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-1.png)

Figure 1. Enabling Microsoft Graph Activity Logs

To collect these logs from Azure, configure Azure Event Hub log collection in Cortex:

![Figure 2. Creating Azure Event Hub Collection in Cortex](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-2.png)

Figure 2. Creating Azure Event Hub Collection in Cortex

The XQL query below shows an example of the fields available in the Microsoft Graph activity logs:

![Figure 3. Querying Microsoft Graph Data using XQL](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-3.png)

Figure 3. Querying Microsoft Graph Data using XQL

![Figure 4. Microsoft Graph Activity Logs in Cortex](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-4.png)

Figure 4. Microsoft Graph Activity Logs in Cortex

## **Microsoft Graph Threat Detection in Cortex**

With the growing number of attacks leveraging Microsoft Graph API, Cortex provides tailored detections that address the different attack vectors. The following real-world attack scenario walks through them phase by phase.

## **Initial Access**

In one case we observed, the attack began when a threat actor compromised the system-assigned managed identity of an Azure virtual machine. The actor obtained the identity's access token from the Instance Metadata Service (IMDS), which is reachable only from inside the VM, and then abused it. Once exfiltrated, such a token is a plain bearer token: it can be replayed against Microsoft Graph from any host until it expires, and the resulting requests are attributed to the service principal, not to the VM.

## **Tenant Discovery**

The attacker used an open-source attack framework and custom scripts leveraging Microsoft Graph API to enumerate the environment, extracting tenant information including users, groups, applications, and more. However, some of their operations were denied due to insufficient permissions. During this process they also performed privilege discovery. The following Microsoft Graph APIs were observed during the enumeration process:

* https://graph.microsoft.com/v1.0/organization
* https://graph.microsoft.com/v1.0/users/{id}
* https://graph.microsoft.com/v1.0/groups/{id}
* https://graph.microsoft.com/v1.0/applications/{id}
* https://graph.microsoft.com/v1.0/directoryRoles

## **Service-specific Enumeration**

Following the tenant enumeration, which indicated that the service principal held privileged permissions, the attacker shifted focus to service-specific enumeration, primarily targeting OneDrive and SharePoint. This involved enumerating various OneDrive drives and SharePoint sites.
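The tenant and service enumeration described above leaves a recognizable shape in the raw activity log records: one principal reading many different resource types in a short window, with a share of the requests denied. The script below is an added example, not code from the original post or from Cortex, showing how that shape can be extracted from a batch of records. The sample records are constructed; the field names (`requestUri`, `requestMethod`, `responseStatusCode`, `servicePrincipalId`, `userId`, `ipAddress`) follow the MicrosoftGraphActivityLogs schema as I understand it, and the thresholds are illustrative rather than tuned values. The first step, collapsing object IDs, site IDs and item IDs to placeholders, is what lets you count "resource types touched" the way the API list above is written, and it works just as well for the later `applications/{id}/addPassword` call.

```python
"""Enumeration detection over Microsoft Graph activity log records (added example).

Constructed sample data; field names follow the MicrosoftGraphActivityLogs schema
as assumed here. Thresholds are illustrative, not tuned values.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Collapse identifiers so that requests group by API template, the way the post lists them.
GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")
ID_SEGMENTS = [
    (re.compile(r"/users/[^/]+"), "/users/{id}"),            # object id or UPN
    (re.compile(r"/groups/[^/]+"), "/groups/{id}"),
    (re.compile(r"/applications/[^/]+"), "/applications/{id}"),
    (re.compile(r"/sites/[^/]+"), "/sites/{site-id}"),       # host,guid,guid form
    (re.compile(r"/drives/[^/]+"), "/drives/{drive-id}"),
    (re.compile(r"/items/[^/]+"), "/items/{item-id}"),
]


def normalize_uri(uri):
    """https://graph.microsoft.com/v1.0/users/<guid>/drive?$select=id -> /v1.0/users/{id}/drive"""
    path = GUID.sub("{id}", urlsplit(uri).path)   # query string is dropped on purpose
    for pattern, replacement in ID_SEGMENTS:
        path = pattern.sub(replacement, path)
    return path


def resource_key(template):
    """Drop the API version and placeholders: /v1.0/users/{id}/drive -> users/drive"""
    parts = [p for p in template.split("/") if p]
    return "/".join(p for p in parts[1:] if not p.startswith("{"))


def principal_of(record):
    # App-only tokens (managed identities, app secrets) carry only a servicePrincipalId.
    return record.get("servicePrincipalId") or record.get("userId")


def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect_enumeration(records, window=timedelta(minutes=10), min_resources=5, min_denied=2):
    """Flag principals that read many distinct resource types within `window`
    (directory/service enumeration) or collect 401/403 responses (privilege probing)."""
    by_principal = defaultdict(list)
    for record in records:
        by_principal[principal_of(record)].append(record)

    findings = {}
    for principal, recs in by_principal.items():
        recs.sort(key=lambda r: r["time"])
        reads = [(parse_time(r["time"]), resource_key(normalize_uri(r["requestUri"])))
                 for r in recs if r["requestMethod"] == "GET"]
        peak, peak_resources = 0, set()
        for i, (start, _) in enumerate(reads):          # sliding window over the reads
            seen = {key for t, key in reads[i:] if t - start < window}
            if len(seen) > peak:
                peak, peak_resources = len(seen), seen
        denied = sum(1 for r in recs if r["responseStatusCode"] in (401, 403))
        if peak >= min_resources or denied >= min_denied:
            findings[principal] = {
                "distinct_resources": peak,
                "resources": sorted(peak_resources),
                "denied": denied,
                "source_ips": sorted({r["ipAddress"] for r in recs}),  # pivot for the IP/ASN hunt
            }
    return findings


# Constructed sample: one replayed managed-identity token, one application behaving normally.
ATTACKER_SP = "0f0f0f0f-0000-4000-8000-000000000001"
BENIGN_SP = "0f0f0f0f-0000-4000-8000-000000000002"
G = "https://graph.microsoft.com/v1.0"
U = "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"


def _rec(ts, sp, ip, uri, status, method="GET"):
    return {"time": ts, "servicePrincipalId": sp, "userId": None, "ipAddress": ip,
            "requestMethod": method, "requestUri": uri, "responseStatusCode": status}


SAMPLE_LOGS = [
    _rec("2025-01-15T10:00:01Z", ATTACKER_SP, "203.0.113.7", f"{G}/organization", 200),
    _rec("2025-01-15T10:00:09Z", ATTACKER_SP, "203.0.113.7", f"{G}/users/{U}", 200),
    _rec("2025-01-15T10:00:15Z", ATTACKER_SP, "203.0.113.7", f"{G}/groups/{U}", 200),
    _rec("2025-01-15T10:00:22Z", ATTACKER_SP, "203.0.113.7", f"{G}/applications/{U}", 403),
    _rec("2025-01-15T10:00:30Z", ATTACKER_SP, "203.0.113.7", f"{G}/directoryRoles", 403),
    _rec("2025-01-15T10:02:10Z", ATTACKER_SP, "203.0.113.7", f"{G}/users/{U}/drive", 200),
    _rec("2025-01-15T10:02:40Z", ATTACKER_SP, "203.0.113.7", f"{G}/drive/items/01BYE5RZ6QN3ZWBTUFOFD3GSPGOHDJD36K", 200),
    _rec("2025-01-15T10:04:30Z", ATTACKER_SP, "203.0.113.7", f"{G}/sites/contoso.sharepoint.com,{U},{U}", 200),
    _rec("2025-01-15T10:01:00Z", BENIGN_SP, "198.51.100.20", f"{G}/users/{U}/messages?$top=10", 200),
    _rec("2025-01-15T10:06:00Z", BENIGN_SP, "198.51.100.20", f"{G}/users/{U}/messages?$top=10", 200),
    _rec("2025-01-15T10:07:00Z", BENIGN_SP, "198.51.100.20", f"{G}/users/{U}/calendar", 200),
]

if __name__ == "__main__":
    for principal, finding in detect_enumeration(SAMPLE_LOGS).items():
        print(principal, finding)
```

Run as-is, only the attacker service principal is reported: eight distinct resource types inside ten minutes and two denied requests, all from a single source address that can then be pivoted on. The benign application touches only two resource types and is never denied, so it stays quiet regardless of how many messages it reads. In production the thresholds should be set per application from a baseline of its normal activity, since a backup or governance app may legitimately read many resource types.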
The Microsoft Graph APIs shown below were observed during this phase; they cover only part of the attacker's activity:

* https://graph.microsoft.com/v1.0/users/{id}/drive
* https://graph.microsoft.com/v1.0/drive/items/{item-id}
* https://graph.microsoft.com/v1.0/sites/{site-id}

## **Exfiltration**

After completing the enumeration, the threat actor proceeded to exfiltrate files from users' OneDrive drives and from SharePoint sites. This involved the following Microsoft Graph APIs:

* https://graph.microsoft.com/v1.0/drive/items/{item-id}/content
* https://graph.microsoft.com/v1.0/sites/{site-id}/drive/{drive-id}/items/{item-id}/content

## **Persistence**

In the final phase, the attacker established persistence by adding a password credential to another Entra ID application through the Microsoft Graph API. This is a backdoor: the new secret lets the attacker authenticate as that application later, independently of the originally stolen token.

* https://graph.microsoft.com/v1.0/applications/{id}/addPassword

![Figure 5. Microsoft Graph Detections in Cortex](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-5.png)

Figure 5. Microsoft Graph Detections in Cortex

Through analysis of penetration-testing tools that leverage Microsoft Graph, together with Azure- and Office 365-specific TTPs, we have developed tailored detections, some of which are listed below:

| **Tactic** | **Detection Names** |
|------------|---------------------|
| Discovery | Azure enumeration activity using Microsoft Graph API<br>Microsoft SharePoint enumeration activity<br>Microsoft OneDrive enumeration activity<br>Mailbox enumeration activity |
| Persistence | Authentication method was added to Azure account<br>Credentials were added to Azure application |
| Exfiltration | Microsoft 365 storage services exfiltration activity<br>Azure high-volume data transfer |

Figure 6. Microsoft Graph Detections

## **Using Cortex to Investigate Microsoft Graph Activity**

The Cortex Query Language (XQL) enables you to query information stored in a wide variety of data sources in Cortex XDR, including Microsoft Graph activity logs. The following XQL queries can be used for data exploration as well as for investigation or hunting.

## **Identify the IP Addresses and ASNs Associated with Each Azure Application**

This query is useful when investigating application activity that originates from unfamiliar infrastructure, such as unknown IP addresses or ASNs. A long-lived application suddenly calling Graph from a new network is a common sign that its token has been stolen and is being replayed from elsewhere.

![Figure 7. Querying IP Addresses and ASNs Associated with Azure Applications using XQL](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-6.png)

Figure 7. Querying IP Addresses and ASNs Associated with Azure Applications using XQL

## **Identify Azure Applications with Denied Request Attempts**

This query helps surface applications with an abnormal number of denied operations, a pattern often seen during enumeration, when an attacker probes what a stolen identity is permitted to do.

![Figure 8. Querying Azure Applications with Denied Request Attempts using XQL](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-7.png)

Figure 8. Querying Azure Applications with Denied Request Attempts using XQL

## **Identify Successful Changes Made by Azure Applications**

This query assists in investigating changes (modifications or deletions) made to tenant resources by an application suspected of anomalous behavior.

![Figure 9. Querying Successful Changes Made by Azure Applications using XQL](https://www.paloaltonetworks.com/blog/wp-content/uploads/2025/01/word-image-333743-8.png)

Figure 9. Querying Successful Changes Made by Azure Applications using XQL

## **Summary**

Microsoft Graph activity logs provide detailed records of the Graph API calls made within an Azure tenant, offering a thorough view of all Microsoft Graph activity in the environment. Collecting and monitoring these logs is essential for identifying suspicious behavior and responding to security threats. Together with Azure sign-in and activity logs, Microsoft Graph activity logs give a complete view of tenant activity.

Cortex XDR® and Cortex XSIAM® offer a comprehensive security solution with specialized detections for Microsoft Graph threats, enabling security analysts to detect and respond to suspicious activity and to investigate and manage the resulting incidents.