IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.

« Suspicious Email Access by First-Party Application via Microsoft Graph Multiple Microsoft 365 User Account Lockouts in Short Time Window »

› ›

Microsoft Entra ID Session Reuse with Suspicious Graph Access

edit

A newer version is available. Check out the latest documentation.

Microsoft Entra ID Session Reuse with Suspicious Graph Access

edit

Identifies potential session hijacking or token replay in Microsoft Entra ID. This rule detects cases where a user signs in and subsequently accesses Microsoft Graph from a different IP address using the same session ID within a short time window. This may indicate the use of a stolen refresh/access token or session cookie to impersonate the user and interact with Microsoft services.

Rule type: esql

Rule indices: None

Severity: high

Risk score: 73

Runs every: 5m

Searches indices from: now-1h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

Domain: Cloud
Data Source: Azure
Data Source: Microsoft Entra ID
Data Source: Microsoft Entra ID Sign-In Logs
Data Source: Microsoft Graph
Data Source: Microsoft Graph Activity Logs
Use Case: Identity and Access Audit
Use Case: Threat Detection
Resources: Investigation Guide
Tactic: Defense Evasion
Tactic: Initial Access

Version: 1

Rule authors:

Elastic

Rule license: Elastic License v2

Investigation guide

edit

Triage and analysis

Investigating Microsoft Entra ID Session Reuse with Suspicious Graph Access

This rule identifies when Microsoft Graph is accessed from a different IP than the one used for the original sign-in, but using the same session ID within 5 minutes. This may suggest an adversary has stolen a session cookie or refresh/access token and is impersonating the user from an alternate host or location.

This rule uses ES|QL aggregations and thus has dynamically generated fields. Correlation of the values in the alert document may need to be performed to the original sign-in and Graph events for further context.

Investigation Steps

Review the user_id, session_id, and source_ip_list. Confirm whether both IPs belong to the same user and geography.
Check for inconsistencies in client_id_list (e.g., unknown apps) or user agents across correlated events.
Investigate recent phishing reports or device infections for the user_id.
Pivot to Entra ID auditlogs to see if a device was registered or privileges were modified.
Review graph_time to determine what action was taken after the sign-in.
Use the session_id to correlate with other logs in the same time window to identify any additional suspicious activity.

False Positive Analysis

This pattern may occur if the user is switching between networks (e.g., corporate to mobile) or using a VPN.
Developers or power users leveraging multiple environments may also trigger this detection if session persistence spans IP ranges.
However, this behavior is rare and warrants investigation when rapid IP switching and Graph access are involved.
If the user is a developer or automation engineer, validate if this behavior was for testing purposes.
If the user is a system administrator, validate if this behavior was for administrative purposes.

Response Recommendations

If confirmed malicious, revoke all refresh/access tokens for the user_id.
Block the source IP(s) involved in the Graph access.
Notify the user and reset credentials.
Review session control policies and conditional access enforcement.
Monitor for follow-on activity, such as lateral movement or privilege escalation.
Review conditional access policies to ensure they are enforced correctly.

Setup

edit

Required Microsoft Entra ID Sign-In and Graph Activity Logs

This rule requires the Microsoft Entra ID Sign-In Logs and Microsoft Graph Activity Logs integration to be enabled and configured to collect audit and activity logs via Azure Event Hub.

Rule query

edit

FROM logs-azure.*
| WHERE
    (event.dataset == "azure.signinlogs" AND source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" AND azure.signinlogs.properties.session_id IS NOT NULL)
    OR
    (event.dataset == "azure.graphactivitylogs" AND source.`as`.organization.name != "MICROSOFT-CORP-MSN-AS-BLOCK" AND azure.graphactivitylogs.properties.c_sid IS NOT NULL)
| EVAL
    session_id = COALESCE(azure.signinlogs.properties.session_id, azure.graphactivitylogs.properties.c_sid),
    user_id = COALESCE(azure.signinlogs.properties.user_id, azure.graphactivitylogs.properties.user_principal_object_id),
    client_id = COALESCE(azure.signinlogs.properties.app_id, azure.graphactivitylogs.properties.app_id),
    source_ip = source.ip,
    event_time = @timestamp,
    event_type = CASE(
        event.dataset == "azure.signinlogs", "signin",
        event.dataset == "azure.graphactivitylogs", "graph",
        "other"
    ),
    time_window = DATE_TRUNC(5 minutes, @timestamp)
| KEEP session_id, source_ip, event_time, event_type, time_window, user_id, client_id
| STATS
    user_id = VALUES(user_id),
    session_id = VALUES(session_id),
    source_ip_list = VALUES(source_ip),
    source_ip_count = COUNT_DISTINCT(source_ip),
    client_id_list = VALUES(client_id),
    application_count = COUNT_DISTINCT(client_id),
    event_type_list = VALUES(event_type),
    event_type_count = COUNT_DISTINCT(event_type),
    event_start = MIN(event_time),
    event_end = MAX(event_time),
    signin_time = MIN(CASE(event_type == "signin", event_time, NULL)),
    graph_time = MIN(CASE(event_type == "graph", event_time, NULL)),
    document_count = COUNT()
  BY session_id, time_window
| EVAL
    duration_minutes = DATE_DIFF("minutes", event_start, event_end),
    signin_to_graph_delay_minutes = DATE_DIFF("minutes", signin_time, graph_time)
| WHERE
    event_type_count > 1 AND
    source_ip_count > 1 AND
    duration_minutes <= 5 AND
    signin_time IS NOT NULL AND
    graph_time IS NOT NULL AND
    signin_to_graph_delay_minutes >= 0

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/
Tactic:
- Name: Defense Evasion
- ID: TA0005
- Reference URL: https://attack.mitre.org/tactics/TA0005/
Technique:
- Name: Use Alternate Authentication Material
- ID: T1550
- Reference URL: https://attack.mitre.org/techniques/T1550/
Sub-technique:
- Name: Application Access Token
- ID: T1550.001
- Reference URL: https://attack.mitre.org/techniques/T1550/001/

« Suspicious Email Access by First-Party Application via Microsoft Graph Multiple Microsoft 365 User Account Lockouts in Short Time Window »