elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[Meta] Explore Microsoft Graph Activity Logs for Detections #3645

Open terrancedejesus opened 5 months ago

terrancedejesus commented 5 months ago

Parent Epic (If Applicable)

Meta Summary

Adversaries continue to leverage Microsoft Graph for command and control operations for malicious binaries. However, it is also a target for adversaries, as it serves a RESTful API for access to Azure resources such as Entra ID. For this meta, we will set up the integration, ingest activity logs, emulate adversary TTPs and determine plausible detections.

Microsoft Graph Activity Logs provide an audit trail of all HTTP requests that the Microsoft Graph service has received and processed for a tenant. Microsoft Graph Activity Logs give full visibility into all transactions made by applications and other API clients that you have consented to in the tenant. Refer to Microsoft Graph Activity Common Usecases for more use cases.

Tenant administrators can configure the collection and storage destinations of Microsoft Graph Activity Logs through Diagnostic Settings in the Entra Portal. This integration uses the Azure Event Hubs destination to stream Microsoft Graph Activity Logs to Elastic.

Estimated Time to Complete

4 weeks (2 weeks for lab setup and exploration, 2 weeks for detections)

Tasklist

This tasklist will grow as we explore, emulate and test.

### Meta Tasks
- [ ] Provide Week 1 Update Comment
- [ ] Provide Week 2 Update or Closeout Comment
- [ ] Setup lab environment and infrastructure
- [ ] Review existing TTPs reported and historical abuse
- [ ] Provide 10 new detection rules
- [ ] Write a blog

Resources / References

We should also sync with https://github.com/elastic/infosec/issues/15196 on findings.
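The comment above describes the activity log as a per-request audit trail and proposes deriving detections from it. The following is an added example, not code from the elastic/detection-rules repository or from the issue author: it parses a handful of constructed Event Hub style records and flags one client that reads many distinct directory resource types in a short window, a pattern consistent with tenant reconnaissance. The record shape (`time` plus `properties.requestUri`, `requestMethod`, `responseStatusCode`, `appId`, `userId`, `servicePrincipalId`) is an assumption about the diagnostic-settings export and should be checked against the integration's field mapping; the app and principal identifiers are placeholders.

```python
"""Illustrative detection over Microsoft Graph activity log records.

Added example, not part of elastic/detection-rules. Field names follow the
Event Hubs export shape as assumed here (verify against the Elastic
integration mapping). All sample records are constructed, not tenant data.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed newline-delimited JSON, as an Event Hub consumer would receive it.
# app-recon/sp-1 enumerates five directory resources in ~90 seconds (should alert);
# app-mail/user-7 reads its own mailbox (benign); app-sync/sp-2 touches two
# resources 45 minutes apart (benign).
SAMPLE_LOG = r"""
{"time": "2024-05-01T10:00:05Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/users?$top=999", "responseStatusCode": 200, "appId": "app-recon", "servicePrincipalId": "sp-1", "userId": null, "ipAddress": "203.0.113.10"}}
{"time": "2024-05-01T10:00:20Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/groups", "responseStatusCode": 200, "appId": "app-recon", "servicePrincipalId": "sp-1", "userId": null, "ipAddress": "203.0.113.10"}}
{"time": "2024-05-01T10:00:41Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/beta/applications", "responseStatusCode": 200, "appId": "app-recon", "servicePrincipalId": "sp-1", "userId": null, "ipAddress": "203.0.113.10"}}
{"time": "2024-05-01T10:01:02Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/servicePrincipals", "responseStatusCode": 200, "appId": "app-recon", "servicePrincipalId": "sp-1", "userId": null, "ipAddress": "203.0.113.10"}}
{"time": "2024-05-01T10:01:30Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments", "responseStatusCode": 200, "appId": "app-recon", "servicePrincipalId": "sp-1", "userId": null, "ipAddress": "203.0.113.10"}}
{"time": "2024-05-01T10:00:10Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/me/messages", "responseStatusCode": 200, "appId": "app-mail", "servicePrincipalId": null, "userId": "user-7", "ipAddress": "198.51.100.7"}}
{"time": "2024-05-01T10:02:00Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/me/mailFolders", "responseStatusCode": 200, "appId": "app-mail", "servicePrincipalId": null, "userId": "user-7", "ipAddress": "198.51.100.7"}}
{"time": "2024-05-01T09:00:00Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/users", "responseStatusCode": 200, "appId": "app-sync", "servicePrincipalId": "sp-2", "userId": null, "ipAddress": "192.0.2.4"}}
{"time": "2024-05-01T09:45:00Z", "properties": {"requestMethod": "GET", "requestUri": "https://graph.microsoft.com/v1.0/groups", "responseStatusCode": 200, "appId": "app-sync", "servicePrincipalId": "sp-2", "userId": null, "ipAddress": "192.0.2.4"}}
"""

# Top-level Graph resources whose bulk reads describe the tenant itself.
DIRECTORY_FAMILIES = frozenset({
    "users", "groups", "applications", "servicePrincipals",
    "roleManagement", "directoryRoles", "devices", "domains",
})


def parse_records(ndjson: str) -> list[dict]:
    """Flatten each JSON line into the few fields the detection needs."""
    out = []
    for line in ndjson.strip().splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        props = raw.get("properties", {})
        out.append({
            "ts": datetime.fromisoformat(raw["time"].replace("Z", "+00:00")),
            "method": props.get("requestMethod"),
            "uri": props.get("requestUri", ""),
            "status": props.get("responseStatusCode"),
            "app_id": props.get("appId"),
            # Delegated calls carry a userId, app-only calls a servicePrincipalId.
            "principal": props.get("userId") or props.get("servicePrincipalId") or "unknown",
        })
    return out


def endpoint_family(request_uri: str) -> str | None:
    """Map a request URI to its top-level resource, e.g.
    .../v1.0/roleManagement/directory/roleAssignments -> 'roleManagement'."""
    segments = [s for s in urlparse(request_uri).path.split("/") if s]
    # The first path segment is the API version; the resource follows it.
    if len(segments) < 2 or segments[0] not in ("v1.0", "beta"):
        return None
    return segments[1]


def detect_directory_enumeration(records: list[dict],
                                 window: timedelta = timedelta(minutes=10),
                                 min_families: int = 4) -> list[dict]:
    """Alert once per (appId, principal) that GETs at least `min_families`
    distinct directory resource types within any `window`-long span."""
    by_client: dict[tuple, list] = defaultdict(list)
    for r in records:
        fam = endpoint_family(r["uri"])
        if r["method"] == "GET" and fam in DIRECTORY_FAMILIES:
            by_client[(r["app_id"], r["principal"])].append((r["ts"], fam))

    alerts = []
    for (app_id, principal), events in by_client.items():
        events.sort()
        best = None
        # Treat each event as the end of a window and look back `window`.
        for i, (end_ts, _) in enumerate(events):
            families = sorted({f for ts, f in events[: i + 1] if end_ts - ts <= window})
            if len(families) >= min_families and (best is None or len(families) > len(best[1])):
                best = (end_ts, families)
        if best is not None:
            alerts.append({
                "app_id": app_id,
                "principal": principal,
                "families": best[1],
                "window_end": best[0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_directory_enumeration(parse_records(SAMPLE_LOG)):
        print(json.dumps(alert))
```

The grouping key deliberately combines `appId` with the user or service principal, since the same application can act under many identities; in a production rule the threshold and window would be tuned per tenant, and a known-sync application would be added to an exception list rather than lowering the threshold for everyone.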

terrancedejesus commented 2 months ago

Can we monitor for Bedrock or OpenAI activity?