In my latest blog "Now You See Me: AADGraphActivityLogs" I explore the newly released Azure AD Graph logs and demonstrate how you can detect tools like ROADtools and AADinternals that rely on this API and have been under the radar for defenders so far.
cloudbrothers.info/en/aadgrapha...
KQL hunting queries for the new AADGraphActivityLogs table to detect Entra ID reconnaissance tooling based on UserAgent, RequestUri, and volume.
