LIVE · cybersecurity feed
azurehigh

Azure AD Graph Activity Logs: Ingestion and threat detection to close the visibility gap

zeroday.news·19d ago
ShareXLinkedInWhatsAppFacebook

Azure AD Graph activity logs are now accessible within Elastic, enabling threat detection capabilities for security teams. Previously, this specific stream of telemetry was largely unavailable to customers for nearly a decade. Microsoft Graph Activity Logs, the newer interface, became generally available in April 2024, but the legacy graph.windows.net surface, frequently targeted by adversary tools, remained unlogged until early 2026.

This development addresses a significant visibility gap that has allowed tools like ROADrecon and AADInternals to operate undetected. These tools leverage the Azure AD Graph API, which, despite being deprecated, remains queryable in many environments. The Azure integration for Elastic now ingests these logs, providing full Elastic Common Schema (ECS) parsing. Key data points such as event action, outcome, HTTP request method, source IP, user ID, and original user agent are extracted as typed, top-level fields. Additional dataset-specific properties are available under `azure.aadgraphactivitylogs.properties.*`.

For years, security defenders have focused on logs related to sign-ins, conditional access policies, role assignments, and OAuth consent grants. However, the underlying directory APIs, which are prime targets for adversary tooling, were largely invisible because customer-accessible logs for them did not exist. Microsoft Graph Activity Logs were introduced first, followed by AzureADGraphActivityLogs in early 2026. This means that for a considerable period, enumeration activities performed using Azure AD Graph were undetectable by Security Operations Centers (SOCs), regardless of logging configurations.

Azure AD Graph is the older REST API for Entra ID directory objects, accessible via `https://graph.windows.net/{tenantId}/{objecttype}` with versions like 1.5, 1.6, and 1.61-internal. Microsoft has been encouraging migration to Microsoft Graph since 2019, with multiple postponements of the retirement date. Despite deprecation, Azure AD Graph continues to function in environments where legacy access paths are still enabled or where applications have not been explicitly blocked. This persistence makes it an attractive target for attackers, especially since adversary tooling has not always been updated to use the newer Microsoft Graph API.

Furthermore, certain internal API versions of Azure AD Graph, such as 1.61-internal, expose more detailed information, like strong authentication details directly on the user object during a directory traversal. This contrasts with Microsoft Graph, where equivalent information might require additional permissions or separate endpoint calls. The lack of a simple, tenant-wide blocking mechanism for Azure AD Graph access, which is managed per-application, means many organizations have not fully disabled it due to dependencies on legacy automation. This phased enforcement by Microsoft, rather than a defender-controlled timeline, has historically allowed for undetected exploitation.

Legitimate Azure AD Graph traffic is typically dominated by a few first-party Microsoft applications, including Microsoft.OData.Client and the Microsoft Azure Graph Client Library. Any traffic deviating from these recognized sources can indicate internal tooling or unauthorized activity, making the logs a valuable resource for threat hunting and detection, provided they are captured.

To ingest these logs into Elastic, organizations can leverage the existing Elastic Azure integration. If the integration is already set up to forward diagnostic settings to an event hub, enabling the AzureADGraphActivityLogs category is the primary additional step. For new setups, the process involves configuring the Azure integration in Kibana, providing Event Hub connection details and a storage account for checkpointing. Crucially, the AzureADGraphActivityLogs diagnostic setting must be enabled within Entra ID's diagnostic settings in the Azure portal.

Once enabled, events are routed to `logs-azure.aadgraphactivitylogs-*`, where the dataset pipeline performs ECS extraction. Verification of data flow can be done by querying for recent events and checking for populated fields like `event.action` and `http.request.method`. To generate test events, users can navigate through Entra ID sections in the Azure portal or execute a loop of `curl` commands to query common object types via the Azure AD Graph API.

The ingested data provides structured fields for hunting, including ECS fields like `event.action`, `event.outcome`, `http.request.method`, `source.ip`, `user.id`, and `user_agent.original`. Dataset-specific properties under `azure.aadgraphactivitylogs.properties.*` offer further context, such as `app_id`, `api_version`, and `actor_type`. This structured data allows for effective pivoting and analysis, enabling the detection of activities such as unusual user agent strings, broad endpoint usage, misuse of internal API versions, mismatches in client IDs, and surges in 4xx HTTP status codes.

azuremicrosoftloggingthreat detectionsiem
ShareXLinkedInWhatsAppFacebook
← Back to latest

More News

view all →
zeroday.news · 2h ago·high

Accenture Confirms Security Incident After Hacker Claims 35GB Source-Code Theft

Accenture has acknowledged a security incident after a threat actor advertised what they claim is stolen internal data. The attacker, using the alias "888", says they took more than 35GB of source code and cloud credentials from the consulting giant and are offering it for sale. Accenture says it has addressed the source of the issue and that its operations were not disrupted.

zeroday.news · 5h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 6h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 6h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 7h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 7h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.