Elastic shows how the newly GA Azure AD Graph Activity Logs close a long-standing Entra enumeration blind spot `[SINGLE-SOURCE]`
From CTI Daily Brief — 2026-06-23 · published 2026-06-23
Elastic Security Labs published a detection-engineering guide (2026-06-19) on ingesting the newly generally available AADGraphActivityLogs into SIEM/XDR to catch tooling that has historically been invisible (Elastic Security Labs, 2026-06-19). Although Microsoft deprecated Azure AD Graph in favour of Microsoft Graph, the legacy API remains live and is actively used by ROADtools (ROADrecon), AzureHound and AADInternals for Entra ID tenant enumeration, the classic pre-lateral-movement step in identity attacks. The new log source (available from early 2026) records every legacy-Graph call with UPN, client_id, user-agent, source IP, HTTP method, resource path and response code. Elastic's rules surface ROADrecon-pattern user-agents, anomalous 4xx bursts (permission probing), FOCI (Family Of Client IDs) mismatches that signal lateral movement, device-code-flow auth immediately followed by Graph enumeration, and unusual ASN origins for Graph calls. [SINGLE-SOURCE]: Elastic is a vendor lab, not a national CERT, so the carve-out does not apply; the underlying log source and detections are independently verifiable against Microsoft documentation (see § 7).
Why it matters to us: Entra ID is the identity backbone for Swiss federal and cantonal administrations, EU institutions and essentially every Microsoft 365 tenant, and legacy-Graph enumeration has been a genuine detection gap for years. The concrete action is cheap and high-value: enable AADGraphActivityLogs in Entra diagnostic settings and route them to your SIEM, then build (or import Elastic's) detections on userAgent.original, client_id against your known app registrations, and http.response.status_code 4xx spikes (T1590 Gather Victim Network Information, T1087.004 Account Discovery: Cloud Account, T1078.004 Valid Accounts: Cloud Accounts).
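The three cheapest detections from the list above (unknown client_id against the app-registration allowlist, tool-style user agent, 4xx burst per actor), run over constructed events as an added Python example; this is not Elastic's rule content nor Microsoft's log schema. It assumes the field names @timestamp, upn and url.path, uses stand-in user-agent strings and GUIDs, and the UA patterns are placeholders for the strings in Elastic's guide.

```python
"""Toy detections over constructed AADGraphActivityLogs-style events; not Elastic's rules.
userAgent.original, http.response.status_code, client_id are named in the brief; @timestamp,
upn and url.path are assumed field names, not Microsoft's schema."""
from collections import defaultdict
from datetime import datetime, timedelta

def ev(ts, upn, client_id, ua, status, path):
    return {"@timestamp": ts, "upn": upn, "client_id": client_id,
            "userAgent.original": ua, "http.response.status_code": status, "url.path": path}

APP_OK = "11111111-aaaa-4bbb-8ccc-000000000001"       # constructed: a known app registration
APP_UNKNOWN = "22222222-dddd-4eee-8fff-000000000002"  # constructed: client_id nobody registered
BROWSER, TOOL = "Mozilla/5.0 (Windows NT 10.0) Edge/120", "ROADrecon-stand-in/1.0"  # constructed
# Constructed sample: a.user browses normally; b.user's unknown client walks several
# resources within two minutes, collecting 403s (permission probing), via a tool-style UA.
SAMPLE_EVENTS = [
    ev("2026-06-19T08:00:00Z", "a.user@example.test", APP_OK, BROWSER, 200, "/me"),
    ev("2026-06-19T08:01:00Z", "a.user@example.test", APP_OK, BROWSER, 403, "/groups"),
    ev("2026-06-19T08:10:00Z", "b.user@example.test", APP_UNKNOWN, TOOL, 200, "/users"),
    ev("2026-06-19T08:10:05Z", "b.user@example.test", APP_UNKNOWN, TOOL, 403, "/servicePrincipals"),
    ev("2026-06-19T08:10:10Z", "b.user@example.test", APP_UNKNOWN, TOOL, 403, "/applications"),
    ev("2026-06-19T08:11:40Z", "b.user@example.test", APP_UNKNOWN, TOOL, 403, "/devices"),
]
KNOWN_CLIENT_IDS = {APP_OK}                       # allowlist built from the tenant's app registrations
SUSPECT_UA_PATTERNS = ("roadrecon", "roadtools")  # illustrative stand-ins for the rule's real strings

def _ts(e):
    return datetime.fromisoformat(e["@timestamp"].replace("Z", "+00:00"))

def unknown_clients(events, known=KNOWN_CLIENT_IDS):
    """client_ids calling legacy Graph that are not among the tenant's known app registrations."""
    return sorted({e["client_id"] for e in events if e["client_id"] not in known})

def suspect_user_agents(events, patterns=SUSPECT_UA_PATTERNS):
    """UPNs whose user agent matches a tool-style pattern (case-insensitive substring)."""
    return sorted({e["upn"] for e in events
                   if any(p in e["userAgent.original"].lower() for p in patterns)})

def status_4xx_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """(upn, client_id) pairs with >= threshold 4xx responses inside one sliding window."""
    times = defaultdict(list)
    for e in sorted(events, key=_ts):
        if 400 <= e["http.response.status_code"] < 500:
            times[(e["upn"], e["client_id"])].append(_ts(e))
    # an actor bursts if some run of `threshold` consecutive 4xx timestamps fits in the window
    return sorted(a for a, t in times.items()
                  if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1)))

if __name__ == "__main__":
    print(unknown_clients(SAMPLE_EVENTS), suspect_user_agents(SAMPLE_EVENTS), status_4xx_bursts(SAMPLE_EVENTS))
```

The single 403 from a.user stays below the burst threshold, so only the unknown client's walk across several resources is flagged; tune `threshold` and `window` against your own tenant's baseline before alerting.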